- Linux-stable-mirror - lists.linaro.org

+ mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm: fix uprobe pte be overwritten when expanding vma has been added to the -mm mm-unstable branch. Its filename is mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Pu Lehui <pulehui(a)huawei.com> Subject: mm: fix uprobe pte be overwritten when expanding vma Date: Thu, 29 May 2025 15:56:47 +0000 Patch series "Fix uprobe pte be overwritten when expanding vma". This patch (of 4): We encountered a BUG alert triggered by Syzkaller as follows: BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1 And we can reproduce it with the following steps: 1. register uprobe on file at zero offset 2. mmap the file at zero offset: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0); 3. mremap part of vma1 to new vma2: addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE); 4. mremap back to orig addr1: mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1); In step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2 with range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1 to vma2, then unmap the vma1 range [addr1, addr1 + 4096]. In step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the addr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096, addr1 + 8192] still maps the file, it will take vma_merge_new_range to expand the range, and then do uprobe_mmap in vma_complete. Since the merged vma pgoff is also zero offset, it will install uprobe anon page to the merged vma. However, the upcomming move_page_tables step, which use set_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite the newly uprobe pte in the merged vma, and lead that pte to be orphan. Since the uprobe pte will be remapped to the merged vma, we can remove the unnecessary uprobe_mmap upon merged vma. This problem was first found in linux-6.6.y and also exists in the community syzkaller: https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/ Link: https://lkml.kernel.org/r/20250529155650.4017699-1-pulehui@huaweicloud.com Link: https://lkml.kernel.org/r/20250529155650.4017699-2-pulehui@huaweicloud.com Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vma.c | 20 +++++++++++++++++--- mm/vma.h | 7 +++++++ 2 files changed, 24 insertions(+), 3 deletions(-) --- a/mm/vma.c~mm-fix-uprobe-pte-be-overwritten-when-expanding-vma +++ a/mm/vma.c @@ -169,6 +169,9 @@ static void init_multi_vma_prep(struct v vp->file = vma->vm_file; if (vp->file) vp->mapping = vma->vm_file->f_mapping; + + if (vmg && vmg->skip_vma_uprobe) + vp->skip_vma_uprobe = true; } /* @@ -358,10 +361,13 @@ static void vma_complete(struct vma_prep if (vp->file) { i_mmap_unlock_write(vp->mapping); - uprobe_mmap(vp->vma); - if (vp->adj_next) - uprobe_mmap(vp->adj_next); + if (!vp->skip_vma_uprobe) { + uprobe_mmap(vp->vma); + + if (vp->adj_next) + uprobe_mmap(vp->adj_next); + } } if (vp->remove) { @@ -1830,6 +1836,14 @@ struct vm_area_struct *copy_vma(struct v faulted_in_anon_vma = false; } + /* + * If the VMA we are copying might contain a uprobe PTE, ensure + * that we do not establish one upon merge. Otherwise, when mremap() + * moves page tables, it will orphan the newly created PTE. + */ + if (vma->vm_file) + vmg.skip_vma_uprobe = true; + new_vma = find_vma_prev(mm, addr, &vmg.prev); if (new_vma && new_vma->vm_start < addr + len) return NULL; /* should never get here */ --- a/mm/vma.h~mm-fix-uprobe-pte-be-overwritten-when-expanding-vma +++ a/mm/vma.h @@ -19,6 +19,8 @@ struct vma_prepare { struct vm_area_struct *insert; struct vm_area_struct *remove; struct vm_area_struct *remove2; + + bool skip_vma_uprobe :1; }; struct unlink_vma_file_batch { @@ -120,6 +122,11 @@ struct vma_merge_struct { */ bool give_up_on_oom :1; + /* + * If set, skip uprobe_mmap upon merged vma. + */ + bool skip_vma_uprobe :1; + /* Internal flags set during merge process: */ /* _ Patches currently in -mm which might be from pulehui(a)huawei.com are mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch mm-expose-abnormal-new_pte-during-move_ptes.patch selftests-mm-extract-read_sysfs-and-write_sysfs-into-vm_util.patch selftests-mm-add-test-about-uprobe-pte-be-orphan-during-vma-merge.patch

5 months, 2 weeks

1
0
0 0

[PATCH] x86/mm: Fix paging-structure cache flush on kernel table freeing

by Jann Horn

There are several issues in pud_free_pmd_page() and pmd_free_pte_page(), which are used by vmalloc: 1. flush_tlb_kernel_range() does not flush paging-structure caches for inactive PCIDs, but we're using it when freeing kernel page tables. 2. flush_tlb_kernel_range() only flushes paging-structure cache entries that intersect with the flush range, and pud_free_pmd_page() passes in the first PAGE_SIZE bytes of the area covered by the PMD table; but pud_free_pmd_page() is actually designed to also remove PTE tables that were installed in the PMD table, so we need to also flush those. 3. [theoretical issue] invlpgb_kernel_range_flush() expects an exclusive range, it does: `nr = (info->end - addr) >> PAGE_SHIFT;` But pmd_free_pte_page() and pud_free_pmd_page() provide inclusive ranges (`addr, addr + PAGE_SIZE-1`). To fix it: 1. Add a new helper flush_tlb_kernel_pgtable_range() for flushing paging structure caches for kernel page tables, and use that. 2. Flush PUD_SIZE instead of PAGE_SIZE in pud_free_pmd_page(). 3. Remove `-1` in end address calculations. Note that since I'm not touching invlpgb_kernel_range_flush() or invlpgb_flush_addr_nosync() in this patch, the flush on PMD table deletion with INVLPGB might be a bit slow due to using PTE_STRIDE instead of PMD_STRIDE. I don't think that matters. Backport notes: Kernels before 6.16 don't have invlpgb_kernel_range_flush(); for them, kernel_tlb_flush_pgtable() should just unconditionally call flush_tlb_all(). I am marking this as fixing commit 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces"); that is technically incorrect, since back then no paging-structure cache invalidations were performed at all, but probably makes the most sense here. Cc: stable(a)vger.kernel.org Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Jann Horn <jannh(a)google.com> --- arch/x86/include/asm/tlb.h | 4 ++++ arch/x86/include/asm/tlbflush.h | 1 + arch/x86/mm/pgtable.c | 13 +++++++++---- arch/x86/mm/tlb.c | 37 +++++++++++++++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/tlb.h b/arch/x86/include/asm/tlb.h index 866ea78ba156..56a4b93a0742 100644 --- a/arch/x86/include/asm/tlb.h +++ b/arch/x86/include/asm/tlb.h @@ -153,6 +153,10 @@ static inline void invlpgb_flush_all(void) /* Flush addr, including globals, for all PCIDs. */ static inline void invlpgb_flush_addr_nosync(unsigned long addr, u16 nr) { + /* + * Don't set INVLPGB_FLAG_FINAL_ONLY here without adjusting + * kernel_tlb_flush_pgtable(). + */ __invlpgb(0, 0, addr, nr, PTE_STRIDE, INVLPGB_FLAG_INCLUDE_GLOBAL); } diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h index e9b81876ebe4..06a4a2b7a9f5 100644 --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h @@ -318,6 +318,7 @@ extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned int stride_shift, bool freed_tables); extern void flush_tlb_kernel_range(unsigned long start, unsigned long end); +void flush_tlb_kernel_pgtable_range(unsigned long start, unsigned long end); static inline void flush_tlb_page(struct vm_area_struct *vma, unsigned long a) { diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 62777ba4de1a..0779ed02226c 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -745,8 +745,13 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr) pud_clear(pud); - /* INVLPG to clear all paging-structure caches */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + /* + * Clear paging-structure caches. + * Note that since this function can remove a PMD table together with the + * PTE tables it points to, we can't just flush the first PAGE_SIZE, we + * must flush PUD_SIZE! + */ + flush_tlb_kernel_pgtable_range(addr, addr + PUD_SIZE); for (i = 0; i < PTRS_PER_PMD; i++) { if (!pmd_none(pmd_sv[i])) { @@ -778,8 +783,8 @@ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) pte = (pte_t *)pmd_page_vaddr(*pmd); pmd_clear(pmd); - /* INVLPG to clear all paging-structure caches */ - flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + /* clear paging-structure caches */ + flush_tlb_kernel_pgtable_range(addr, addr + PAGE_SIZE); free_page((unsigned long)pte); diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c index 39f80111e6f1..26b78451a7ed 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -1525,6 +1525,22 @@ static void kernel_tlb_flush_range(struct flush_tlb_info *info) on_each_cpu(do_kernel_range_flush, info, 1); } +static void kernel_tlb_flush_pgtable(struct flush_tlb_info *info) +{ + /* + * The special thing about removing kernel page tables is that we can't + * use a flush that just removes global TLB entries; we need one that + * flushes paging structure caches across all PCIDs. + * With INVLPGB, that's explicitly supported. + * Otherwise, there's no good way (INVLPG and INVPCID can't specifically + * target one address across all PCIDs), just throw everything away. + */ + if (cpu_feature_enabled(X86_FEATURE_INVLPGB)) + invlpgb_kernel_range_flush(info); + else + flush_tlb_all(); +} + void flush_tlb_kernel_range(unsigned long start, unsigned long end) { struct flush_tlb_info *info; @@ -1542,6 +1558,27 @@ void flush_tlb_kernel_range(unsigned long start, unsigned long end) put_flush_tlb_info(); } +/* + * Flush paging-structure cache entries for page tables covering the specified + * range and synchronize with concurrent hardware page table walks, in + * preparation for freeing page tables in the region. + * This must not be used for flushing translations to data pages. + */ +void flush_tlb_kernel_pgtable_range(unsigned long start, unsigned long end) +{ + struct flush_tlb_info *info; + + /* We don't synchronize against GUP-fast. */ + VM_WARN_ON(start < TASK_SIZE_MAX); + + guard(preempt)(); + + info = get_flush_tlb_info(NULL, start, end, PMD_SHIFT, true, + TLB_GENERATION_INVALID); + kernel_tlb_flush_pgtable(info); + put_flush_tlb_info(); +} + /* * This can be used from process context to figure out what the value of * CR3 is without needing to do a (slow) __read_cr3(). --- base-commit: b1456f6dc167f7f101746e495bede2bac3d0e19f change-id: 20250528-x86-fix-vmap-pt-del-flush-f9fa4f287c93 -- Jann Horn <jannh(a)google.com>

5 months, 2 weeks

2
1
0 0

[PATCH v6.6 00/26] af_unix: Align with upstream to avoid a potential UAF

by Lee Jones

From: Lee Jones <joneslee(a)google.com> This is the second attempt at achieving the same goal. This time, the submission avoids forking the current code base, ensuring it remains easier to maintain over time. The set has been tested using the SCM_RIGHTS test suite [1] using QEMU and has been seen to successfully mitigate a UAF on on a top tier handset. RESULTS: TAP version 13 1..20 # Starting 20 tests from 5 test cases. # RUN scm_rights.dgram.self_ref ... # OK scm_rights.dgram.self_ref ok 1 scm_rights.dgram.self_ref # RUN scm_rights.dgram.triangle ... # OK scm_rights.dgram.triangle ok 2 scm_rights.dgram.triangle # RUN scm_rights.dgram.cross_edge ... # OK scm_rights.dgram.cross_edge ok 3 scm_rights.dgram.cross_edge # RUN scm_rights.dgram.backtrack_from_scc ... # OK scm_rights.dgram.backtrack_from_scc ok 4 scm_rights.dgram.backtrack_from_scc # RUN scm_rights.stream.self_ref ... # OK scm_rights.stream.self_ref ok 5 scm_rights.stream.self_ref # RUN scm_rights.stream.triangle ... # OK scm_rights.stream.triangle ok 6 scm_rights.stream.triangle # RUN scm_rights.stream.cross_edge ... # OK scm_rights.stream.cross_edge ok 7 scm_rights.stream.cross_edge # RUN scm_rights.stream.backtrack_from_scc ... # OK scm_rights.stream.backtrack_from_scc ok 8 scm_rights.stream.backtrack_from_scc # RUN scm_rights.stream_oob.self_ref ... # OK scm_rights.stream_oob.self_ref ok 9 scm_rights.stream_oob.self_ref # RUN scm_rights.stream_oob.triangle ... # OK scm_rights.stream_oob.triangle ok 10 scm_rights.stream_oob.triangle # RUN scm_rights.stream_oob.cross_edge ... # OK scm_rights.stream_oob.cross_edge ok 11 scm_rights.stream_oob.cross_edge # RUN scm_rights.stream_oob.backtrack_from_scc ... # OK scm_rights.stream_oob.backtrack_from_scc ok 12 scm_rights.stream_oob.backtrack_from_scc # RUN scm_rights.stream_listener.self_ref ... # OK scm_rights.stream_listener.self_ref ok 13 scm_rights.stream_listener.self_ref # RUN scm_rights.stream_listener.triangle ... # OK scm_rights.stream_listener.triangle ok 14 scm_rights.stream_listener.triangle # RUN scm_rights.stream_listener.cross_edge ... # OK scm_rights.stream_listener.cross_edge ok 15 scm_rights.stream_listener.cross_edge # RUN scm_rights.stream_listener.backtrack_from_scc ... # OK scm_rights.stream_listener.backtrack_from_scc ok 16 scm_rights.stream_listener.backtrack_from_scc # RUN scm_rights.stream_listener_oob.self_ref ... # OK scm_rights.stream_listener_oob.self_ref ok 17 scm_rights.stream_listener_oob.self_ref # RUN scm_rights.stream_listener_oob.triangle ... # OK scm_rights.stream_listener_oob.triangle ok 18 scm_rights.stream_listener_oob.triangle # RUN scm_rights.stream_listener_oob.cross_edge ... # OK scm_rights.stream_listener_oob.cross_edge ok 19 scm_rights.stream_listener_oob.cross_edge # RUN scm_rights.stream_listener_oob.backtrack_from_scc ... # OK scm_rights.stream_listener_oob.backtrack_from_scc ok 20 scm_rights.stream_listener_oob.backtrack_from_scc # PASSED: 20 / 20 tests passed. # Totals: pass:20 fail:0 xfail:0 xpass:0 skip:0 error:0 [0] https://lore.kernel.org/all/20250304030149.82265-1-kuniyu@amazon.com/ [1] https://lore.kernel.org/all/20240325202425.60930-16-kuniyu@amazon.com/ Kuniyuki Iwashima (24): af_unix: Return struct unix_sock from unix_get_socket(). af_unix: Run GC on only one CPU. af_unix: Try to run GC async. af_unix: Replace BUG_ON() with WARN_ON_ONCE(). af_unix: Remove io_uring code for GC. af_unix: Remove CONFIG_UNIX_SCM. af_unix: Allocate struct unix_vertex for each inflight AF_UNIX fd. af_unix: Allocate struct unix_edge for each inflight AF_UNIX fd. af_unix: Link struct unix_edge when queuing skb. af_unix: Bulk update unix_tot_inflight/unix_inflight when queuing skb. af_unix: Iterate all vertices by DFS. af_unix: Detect Strongly Connected Components. af_unix: Save listener for embryo socket. af_unix: Fix up unix_edge.successor for embryo socket. af_unix: Save O(n) setup of Tarjan's algo. af_unix: Skip GC if no cycle exists. af_unix: Avoid Tarjan's algorithm if unnecessary. af_unix: Assign a unique index to SCC. af_unix: Detect dead SCC. af_unix: Replace garbage collection algorithm. af_unix: Remove lock dance in unix_peek_fds(). af_unix: Try not to hold unix_gc_lock during accept(). af_unix: Don't access successor in unix_del_edges() during GC. af_unix: Add dead flag to struct scm_fp_list. Michal Luczaj (1): af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS Shigeru Yoshida (1): af_unix: Fix uninit-value in __unix_walk_scc() include/net/af_unix.h | 49 ++- include/net/scm.h | 11 + net/Makefile | 2 +- net/core/scm.c | 17 ++ net/unix/Kconfig | 5 - net/unix/Makefile | 2 - net/unix/af_unix.c | 120 +++++--- net/unix/garbage.c | 691 +++++++++++++++++++++++++++++------------- net/unix/scm.c | 161 ---------- net/unix/scm.h | 10 - 10 files changed, 617 insertions(+), 451 deletions(-) delete mode 100644 net/unix/scm.c delete mode 100644 net/unix/scm.h -- 2.49.0.1112.g889b7c5bd8-goog

5 months, 3 weeks

3
53
0 0

Backports of 2e43ae7dd71cd9bb0d1bce1d3306bf77523feb81 for 5.15 and older

by Nathan Chancellor

Hi Greg and Sasha, Please find attached backports of commit 2e43ae7dd71c ("drm/i915/gvt: fix unterminated-string-initialization warning") to address an instance of -Wunterminated-string-initialization that appears in the i915 driver with GCC 15 and Clang 21 due to its use of -Wextra. Please let me know if there are any issues. Cheers, Nathan

5 months, 3 weeks

2
1
0 0

[PATCH 6.1.y] selftests/vm: fix split huge page tests

by wndgwang4

From: Zi Yan <ziy(a)nvidia.com> [ upstream commit dd63bd7df41a8f9393a2e3ff9157a441c08eb996 ] Fix two inputs to check_anon_huge() and one if condition, so the tests work as expected. Steps to reproduce the issue. make headers make -C tools/testing/selftests/vm Before patching:test fails with a non-zero exit code ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test | echo 0 2 ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test No THP is allocated After patching: ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test | echo 0 0 ~/linux$ sudo tools/testing/selftests/vm/split_huge_page_test Split huge pages successful ... Link: https://lkml.kernel.org/r/20230306160907.16804-1-zi.yan@sent.com Fixes: c07c343cda8e ("selftests/vm: dedup THP helpers") Cc: stable(a)vger.kernel.org Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Zach O'Keefe <zokeefe(a)google.com> Tested-by: Zach O'Keefe <zokeefe(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: wndgwang4 <guangming.wang(a)windriver.com> --- tools/testing/selftests/vm/split_huge_page_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/vm/split_huge_page_test.c b/tools/testing/selftests/vm/split_huge_page_test.c index 76e1c36dd..b8558c7f1 100644 --- a/tools/testing/selftests/vm/split_huge_page_test.c +++ b/tools/testing/selftests/vm/split_huge_page_test.c @@ -106,7 +106,7 @@ void split_pmd_thp(void) for (i = 0; i < len; i++) one_page[i] = (char)i; - if (!check_huge_anon(one_page, 1, pmd_pagesize)) { + if (!check_huge_anon(one_page, 4, pmd_pagesize)) { printf("No THP is allocated\n"); exit(EXIT_FAILURE); } @@ -122,7 +122,7 @@ void split_pmd_thp(void) } - if (check_huge_anon(one_page, 0, pmd_pagesize)) { + if (!check_huge_anon(one_page, 0, pmd_pagesize)) { printf("Still AnonHugePages not split\n"); exit(EXIT_FAILURE); } @@ -169,7 +169,7 @@ void split_pte_mapped_thp(void) for (i = 0; i < len; i++) one_page[i] = (char)i; - if (!check_huge_anon(one_page, 1, pmd_pagesize)) { + if (!check_huge_anon(one_page, 4, pmd_pagesize)) { printf("No THP is allocated\n"); exit(EXIT_FAILURE); } -- 2.34.1

5 months, 3 weeks

2
1
0 0

[PATCH net] can: kvaser_pciefd: refine error prone echo_skb_max handling logic

by Marc Kleine-Budde

From: Fedor Pchelkin <pchelkin(a)ispras.ru> echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count), so in some situations a bit more memory would be consumed than could be. Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 8256e0ca6010 ("can: kvaser_pciefd: Fix echo_skb race") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Link: https://patch.msgid.link/20250528192713.63894-1-pchelkin@ispras.ru Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/kvaser_pciefd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index 7d3066691d5d..52301511ed1b 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -966,7 +966,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) u32 status, tx_nr_packets_max; netdev = alloc_candev(sizeof(struct kvaser_pciefd_can), - KVASER_PCIEFD_CAN_TX_MAX_COUNT); + roundup_pow_of_two(KVASER_PCIEFD_CAN_TX_MAX_COUNT)); if (!netdev) return -ENOMEM; @@ -995,7 +995,6 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) can->tx_max_count = min(KVASER_PCIEFD_CAN_TX_MAX_COUNT, tx_nr_packets_max - 1); can->can.clock.freq = pcie->freq; - can->can.echo_skb_max = roundup_pow_of_two(can->tx_max_count); spin_lock_init(&can->lock); can->can.bittiming_const = &kvaser_pciefd_bittiming_const; base-commit: 271683bb2cf32e5126c592b5d5e6a756fa374fd9 -- 2.47.2

5 months, 3 weeks

2
1
0 0

[PATCH] driver: net: ethernet: mtk_star_emac: fix suspend/resume issue

by Macpaul Lin

From: Yanqing Wang <ot_yanqing.wang(a)mediatek.com> Identify the cause of the suspend/resume hang: netif_carrier_off() is called during link state changes and becomes stuck while executing linkwatch_work(). To resolve this issue, call netif_device_detach() during the Ethernet suspend process to temporarily detach the network device from the kernel and prevent the suspend/resume hang. Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver") Signed-off-by: Yanqing Wang <ot_yanqing.wang(a)mediatek.com> Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> Signed-off-by: Biao Huang <biao.huang(a)mediatek.com> --- drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c index b175119a6a7d..b83886a41121 100644 --- a/drivers/net/ethernet/mediatek/mtk_star_emac.c +++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c @@ -1463,6 +1463,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev) if (netif_running(ndev)) mtk_star_disable(ndev); + netif_device_detach(ndev); + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); return 0; @@ -1487,6 +1489,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev) clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); } + netif_device_attach(ndev); + return ret; } -- 2.45.2

5 months, 3 weeks

3
2
0 0

Re: [PATCH v3] virtio_blk: Fix disk deletion hang on device surprise removal

by Michael S. Tsirkin

On Thu, May 29, 2025 at 06:19:31AM +0000, Parav Pandit wrote: > When the PCI device is surprise removed, requests may not complete > the device as the VQ is marked as broken. Due to this, the disk > deletion hangs. > > Fix it by aborting the requests when the VQ is broken. > > With this fix now fio completes swiftly. > An alternative of IO timeout has been considered, however > when the driver knows about unresponsive block device, swiftly clearing > them enables users and upper layers to react quickly. > > Verified with multiple device unplug iterations with pending requests in > virtio used ring and some pending with the device. > > Fixes: 43bb40c5b926 ("virtio_pci: Support surprise removal of virtio pci device") > Cc: stable(a)vger.kernel.org > Reported-by: Li RongQing <lirongqing(a)baidu.com> > Closes: https://lore.kernel.org/virtualization/c45dd68698cd47238c55fb73ca9b4741@bai… > Reviewed-by: Max Gurtovoy <mgurtovoy(a)nvidia.com> > Reviewed-by: Israel Rukshin <israelr(a)nvidia.com> > Signed-off-by: Parav Pandit <parav(a)nvidia.com> > > --- > v2->v3: > - Addressed comments from Michael > - updated comment for synchronizing with callbacks > > v1->v2: > - Addressed comments from Stephan > - fixed spelling to 'waiting' > - Addressed comments from Michael > - Dropped checking broken vq from queue_rq() and queue_rqs() > because it is checked in lower layer routines in virtio core > > v0->v1: > - Fixed comments from Stefan to rename a cleanup function > - Improved logic for handling any outstanding requests > in bio layer > - improved cancel callback to sync with ongoing done() Thanks! Something else small to improve. > --- > drivers/block/virtio_blk.c | 82 ++++++++++++++++++++++++++++++++++++++ > 1 file changed, 82 insertions(+) > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > index 7cffea01d868..d37df878f4e9 100644 > --- a/drivers/block/virtio_blk.c > +++ b/drivers/block/virtio_blk.c > @@ -1554,6 +1554,86 @@ static int virtblk_probe(struct virtio_device *vdev) > return err; > } > > +static bool virtblk_request_cancel(struct request *rq, void *data) it is more virtblk_request_complete_broken_with_ioerr and maybe a comment? /* * If the vq is broken, device will not complete requests. * So we do it for the device. */ > +{ > + struct virtblk_req *vbr = blk_mq_rq_to_pdu(rq); > + struct virtio_blk *vblk = data; > + struct virtio_blk_vq *vq; > + unsigned long flags; > + > + vq = &vblk->vqs[rq->mq_hctx->queue_num]; > + > + spin_lock_irqsave(&vq->lock, flags); > + > + vbr->in_hdr.status = VIRTIO_BLK_S_IOERR; > + if (blk_mq_request_started(rq) && !blk_mq_request_completed(rq)) > + blk_mq_complete_request(rq); > + > + spin_unlock_irqrestore(&vq->lock, flags); > + return true; > +} > + > +static void virtblk_broken_device_cleanup(struct virtio_blk *vblk) and one goes okay what does it do exactly? cleanup device in a broken way? turns out no, it cleans up a broken device. And an overview would be good. Maybe, a small comment will help: /* * if the device is broken, it will not use any buffers and waiting * for that to happen is pointless. We'll do it in the driver, * completing all requests for the device. */ > +{ > + struct request_queue *q = vblk->disk->queue; > + > + if (!virtqueue_is_broken(vblk->vqs[0].vq)) > + return; so one has to read it, and understand that we did not need to call it in the 1st place on a non broken device. Moving it to the caller would be cleaner. > + > + /* Start freezing the queue, so that new requests keeps waiting at the wrong style of comment for blk. /* this is * net style */ /* * this is * rest of the linux style */ > + * door of bio_queue_enter(). We cannot fully freeze the queue because > + * freezed queue is an empty queue and there are pending requests, so a frozen queue > + * only start freezing it. > + */ > + blk_freeze_queue_start(q); > + > + /* When quiescing completes, all ongoing dispatches have completed > + * and no new dispatch will happen towards the driver. > + * This ensures that later when cancel is attempted, then are not they are not? > + * getting processed by the queue_rq() or queue_rqs() handlers. > + */ > + blk_mq_quiesce_queue(q); > + > + /* > + * Synchronize with any ongoing VQ callbacks that may have started > + * before the VQs were marked as broken. Any outstanding requests > + * will be completed by virtblk_request_cancel(). > + */ > + virtio_synchronize_cbs(vblk->vdev); > + > + /* At this point, no new requests can enter the queue_rq() and > + * completion routine will not complete any new requests either for the > + * broken vq. Hence, it is safe to cancel all requests which are > + * started. > + */ > + blk_mq_tagset_busy_iter(&vblk->tag_set, virtblk_request_cancel, vblk); > + blk_mq_tagset_wait_completed_request(&vblk->tag_set); > + > + /* All pending requests are cleaned up. Time to resume so that disk > + * deletion can be smooth. Start the HW queues so that when queue is > + * unquiesced requests can again enter the driver. > + */ > + blk_mq_start_stopped_hw_queues(q, true); > + > + /* Unquiescing will trigger dispatching any pending requests to the > + * driver which has crossed bio_queue_enter() to the driver. > + */ > + blk_mq_unquiesce_queue(q); > + > + /* Wait for all pending dispatches to terminate which may have been > + * initiated after unquiescing. > + */ > + blk_mq_freeze_queue_wait(q); > + > + /* Mark the disk dead so that once queue unfreeze, the requests ... once we unfreeze the queue > + * waiting at the door of bio_queue_enter() can be aborted right away. > + */ > + blk_mark_disk_dead(vblk->disk); > + > + /* Unfreeze the queue so that any waiting requests will be aborted. */ > + blk_mq_unfreeze_queue_nomemrestore(q); > +} > + > static void virtblk_remove(struct virtio_device *vdev) > { > struct virtio_blk *vblk = vdev->priv; > @@ -1561,6 +1641,8 @@ static void virtblk_remove(struct virtio_device *vdev) > /* Make sure no work handler is accessing the device. */ > flush_work(&vblk->config_work); > I prefer simply moving the test here: if (virtqueue_is_broken(vblk->vqs[0].vq)) virtblk_broken_device_cleanup(vblk); makes it much clearer what is going on, imho. > del_gendisk(vblk->disk); > blk_mq_free_tag_set(&vblk->tag_set); > > -- > 2.34.1

5 months, 3 weeks

2
2
0 0

Linux 6.14.9

by Greg Kroah-Hartman

I'm announcing the release of the 6.14.9 kernel. All users of the 6.14 kernel series must upgrade. The updated 6.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.14.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/kernel-parameters.txt | 2 Documentation/driver-api/pps.rst | 3 Documentation/driver-api/serial/driver.rst | 2 Documentation/hwmon/dell-smm-hwmon.rst | 14 Documentation/networking/net_cachelines/snmp.rst | 1 Makefile | 6 arch/arm/boot/dts/nvidia/tegra114.dtsi | 2 arch/arm/mach-at91/pm.c | 21 arch/arm64/boot/dts/allwinner/sun50i-h6-beelink-gs1.dts | 38 arch/arm64/boot/dts/allwinner/sun50i-h6-orangepi-3.dts | 14 arch/arm64/boot/dts/allwinner/sun50i-h6-orangepi.dtsi | 22 arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 8 arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi | 2 arch/arm64/boot/dts/nvidia/tegra234-p3740-0002+p3701-0008.dts | 10 arch/arm64/boot/dts/xilinx/zynqmp-clk-ccf.dtsi | 15 arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/pgtable.h | 27 arch/arm64/kernel/proton-pack.c | 1 arch/arm64/net/bpf_jit_comp.c | 6 arch/loongarch/kernel/Makefile | 8 arch/loongarch/kvm/Makefile | 2 arch/mips/include/asm/ftrace.h | 16 arch/mips/kernel/pm-cps.c | 30 arch/powerpc/include/asm/mmzone.h | 1 arch/powerpc/kernel/prom_init.c | 4 arch/powerpc/mm/book3s64/radix_pgtable.c | 3 arch/powerpc/mm/numa.c | 2 arch/powerpc/perf/core-book3s.c | 20 arch/powerpc/perf/isa207-common.c | 4 arch/powerpc/platforms/pseries/iommu.c | 139 ++- arch/riscv/include/asm/cpufeature.h | 3 arch/riscv/include/asm/page.h | 12 arch/riscv/include/asm/pgtable.h | 2 arch/riscv/kernel/Makefile | 4 arch/riscv/kernel/cpufeature.c | 60 - arch/riscv/mm/tlbflush.c | 37 arch/s390/hypfs/hypfs_diag_fs.c | 2 arch/s390/include/asm/tlb.h | 2 arch/um/kernel/mem.c | 1 arch/x86/Kconfig | 3 arch/x86/boot/boot.h | 4 arch/x86/boot/genimage.sh | 5 arch/x86/entry/entry.S | 2 arch/x86/entry/vdso/extable.h | 2 arch/x86/events/amd/ibs.c | 20 arch/x86/events/intel/ds.c | 9 arch/x86/include/asm/alternative.h | 6 arch/x86/include/asm/asm.h | 10 arch/x86/include/asm/boot.h | 2 arch/x86/include/asm/bug.h | 5 arch/x86/include/asm/cfi.h | 11 arch/x86/include/asm/cpufeature.h | 4 arch/x86/include/asm/cpumask.h | 4 arch/x86/include/asm/current.h | 4 arch/x86/include/asm/desc_defs.h | 4 arch/x86/include/asm/dwarf2.h | 2 arch/x86/include/asm/fixmap.h | 4 arch/x86/include/asm/frame.h | 10 arch/x86/include/asm/fred.h | 4 arch/x86/include/asm/fsgsbase.h | 4 arch/x86/include/asm/ftrace.h | 8 arch/x86/include/asm/hw_irq.h | 4 arch/x86/include/asm/ibt.h | 16 arch/x86/include/asm/idtentry.h | 6 arch/x86/include/asm/inst.h | 2 arch/x86/include/asm/intel-family.h | 1 arch/x86/include/asm/irqflags.h | 10 arch/x86/include/asm/jump_label.h | 4 arch/x86/include/asm/kasan.h | 2 arch/x86/include/asm/kexec.h | 4 arch/x86/include/asm/linkage.h | 6 arch/x86/include/asm/mem_encrypt.h | 4 arch/x86/include/asm/msr.h | 4 arch/x86/include/asm/nmi.h | 2 arch/x86/include/asm/nops.h | 2 arch/x86/include/asm/nospec-branch.h | 6 arch/x86/include/asm/orc_types.h | 4 arch/x86/include/asm/page.h | 4 arch/x86/include/asm/page_32.h | 4 arch/x86/include/asm/page_32_types.h | 4 arch/x86/include/asm/page_64.h | 4 arch/x86/include/asm/page_64_types.h | 2 arch/x86/include/asm/page_types.h | 4 arch/x86/include/asm/paravirt.h | 14 arch/x86/include/asm/paravirt_types.h | 4 arch/x86/include/asm/percpu.h | 32 arch/x86/include/asm/perf_event.h | 1 arch/x86/include/asm/pgtable-2level_types.h | 4 arch/x86/include/asm/pgtable-3level_types.h | 4 arch/x86/include/asm/pgtable-invert.h | 4 arch/x86/include/asm/pgtable.h | 12 arch/x86/include/asm/pgtable_32.h | 4 arch/x86/include/asm/pgtable_32_areas.h | 2 arch/x86/include/asm/pgtable_64.h | 6 arch/x86/include/asm/pgtable_64_types.h | 4 arch/x86/include/asm/pgtable_types.h | 10 arch/x86/include/asm/prom.h | 4 arch/x86/include/asm/pti.h | 4 arch/x86/include/asm/ptrace.h | 4 arch/x86/include/asm/purgatory.h | 4 arch/x86/include/asm/pvclock-abi.h | 4 arch/x86/include/asm/realmode.h | 4 arch/x86/include/asm/segment.h | 8 arch/x86/include/asm/setup.h | 6 arch/x86/include/asm/setup_data.h | 4 arch/x86/include/asm/sev-common.h | 2 arch/x86/include/asm/shared/tdx.h | 4 arch/x86/include/asm/shstk.h | 4 arch/x86/include/asm/signal.h | 8 arch/x86/include/asm/smap.h | 6 arch/x86/include/asm/smp.h | 4 arch/x86/include/asm/tdx.h | 4 arch/x86/include/asm/thread_info.h | 12 arch/x86/include/asm/unwind_hints.h | 4 arch/x86/include/asm/vdso/getrandom.h | 4 arch/x86/include/asm/vdso/gettimeofday.h | 4 arch/x86/include/asm/vdso/processor.h | 4 arch/x86/include/asm/vdso/vsyscall.h | 4 arch/x86/include/asm/xen/interface.h | 10 arch/x86/include/asm/xen/interface_32.h | 4 arch/x86/include/asm/xen/interface_64.h | 4 arch/x86/include/uapi/asm/bootparam.h | 4 arch/x86/include/uapi/asm/e820.h | 4 arch/x86/include/uapi/asm/ldt.h | 4 arch/x86/include/uapi/asm/msr.h | 4 arch/x86/include/uapi/asm/ptrace-abi.h | 6 arch/x86/include/uapi/asm/ptrace.h | 4 arch/x86/include/uapi/asm/setup_data.h | 4 arch/x86/include/uapi/asm/signal.h | 8 arch/x86/kernel/alternative.c | 30 arch/x86/kernel/amd_node.c | 41 arch/x86/kernel/cfi.c | 22 arch/x86/kernel/cpu/bugs.c | 10 arch/x86/kernel/cpu/microcode/intel.c | 2 arch/x86/kernel/nmi.c | 42 arch/x86/kernel/paravirt.c | 17 arch/x86/kernel/reboot.c | 10 arch/x86/kernel/smpboot.c | 9 arch/x86/kernel/traps.c | 82 + arch/x86/math-emu/control_w.h | 2 arch/x86/math-emu/exception.h | 6 arch/x86/math-emu/fpu_emu.h | 6 arch/x86/math-emu/status_w.h | 6 arch/x86/mm/init.c | 9 arch/x86/mm/init_64.c | 15 arch/x86/mm/kaslr.c | 10 arch/x86/mm/pgtable.c | 27 arch/x86/power/cpu.c | 14 arch/x86/realmode/rm/realmode.h | 4 arch/x86/realmode/rm/wakeup.h | 2 arch/x86/um/os-Linux/mcontext.c | 3 block/badblocks.c | 5 block/bdev.c | 50 - block/blk-cgroup.c | 22 block/blk-settings.c | 5 block/blk-sysfs.c | 102 +- block/blk-throttle.c | 15 block/blk-zoned.c | 5 block/blk.h | 3 block/bounce.c | 2 block/fops.c | 16 block/ioctl.c | 6 crypto/ahash.c | 4 crypto/algif_hash.c | 4 crypto/lzo-rle.c | 2 crypto/lzo.c | 2 crypto/skcipher.c | 1 drivers/accel/amdxdna/aie2_ctx.c | 29 drivers/accel/amdxdna/amdxdna_ctx.c | 2 drivers/accel/amdxdna/amdxdna_ctx.h | 3 drivers/accel/amdxdna/amdxdna_mailbox.c | 17 drivers/accel/qaic/qaic_drv.c | 2 drivers/acpi/Kconfig | 2 drivers/acpi/acpi_pnp.c | 2 drivers/acpi/hed.c | 7 drivers/auxdisplay/charlcd.c | 5 drivers/auxdisplay/charlcd.h | 5 drivers/auxdisplay/hd44780.c | 2 drivers/auxdisplay/lcd2s.c | 2 drivers/auxdisplay/panel.c | 2 drivers/base/faux.c | 15 drivers/base/power/main.c | 7 drivers/block/loop.c | 25 drivers/block/null_blk/main.c | 86 + drivers/block/ublk_drv.c | 53 - drivers/bluetooth/btmtksdio.c | 15 drivers/bluetooth/btusb.c | 98 -- drivers/char/tpm/tpm2-sessions.c | 2 drivers/clk/clk-s2mps11.c | 3 drivers/clk/imx/clk-imx8mp.c | 151 +++ drivers/clk/qcom/Kconfig | 2 drivers/clk/qcom/camcc-sm8250.c | 56 - drivers/clk/qcom/clk-alpha-pll.c | 52 - drivers/clk/qcom/lpassaudiocc-sc7280.c | 23 drivers/clk/renesas/rzg2l-cpg.c | 102 +- drivers/clk/sunxi-ng/ccu-sun20i-d1.c | 44 drivers/clk/sunxi-ng/ccu-sun50i-h616.c | 36 drivers/clk/sunxi-ng/ccu_mp.h | 22 drivers/clocksource/mips-gic-timer.c | 6 drivers/clocksource/timer-riscv.c | 6 drivers/cpufreq/amd-pstate.c | 1 drivers/cpufreq/cpufreq-dt-platdev.c | 1 drivers/cpufreq/tegra186-cpufreq.c | 7 drivers/cpuidle/governors/menu.c | 13 drivers/crypto/marvell/octeontx2/otx2_cptvf_reqmgr.c | 7 drivers/crypto/mxs-dcp.c | 8 drivers/dma/fsl-edma-main.c | 2 drivers/dma/idxd/cdev.c | 9 drivers/dma/ti/k3-udma-glue.c | 15 drivers/dpll/dpll_core.c | 5 drivers/edac/ie31200_edac.c | 28 drivers/firmware/arm_ffa/bus.c | 1 drivers/firmware/arm_ffa/driver.c | 12 drivers/firmware/arm_scmi/bus.c | 19 drivers/firmware/xilinx/zynqmp.c | 6 drivers/fpga/altera-cvp.c | 2 drivers/gpio/gpiolib.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu.h | 13 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 102 -- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 18 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 143 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 31 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 30 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c | 54 - drivers/gpu/drm/amd/amdgpu/amdgpu_ih.h | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 16 drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 38 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_sync.c | 30 drivers/gpu/drm/amd/amdgpu/amdgpu_sync.h | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c | 42 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 17 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 41 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 1 drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 14 drivers/gpu/drm/amd/amdgpu/gfx_v10_0_cleaner_shader.h | 35 drivers/gpu/drm/amd/amdgpu/gfx_v10_1_10_cleaner_shader.asm | 126 ++ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 47 - drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 48 - drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c | 10 drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c | 1 drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 2 drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c | 25 drivers/gpu/drm/amd/amdgpu/mmhub_v1_8.c | 27 drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c | 31 drivers/gpu/drm/amd/amdgpu/nv.c | 16 drivers/gpu/drm/amd/amdgpu/soc15.c | 8 drivers/gpu/drm/amd/amdgpu/soc21.c | 10 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 14 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.h | 9 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 452 +++++----- drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 48 - drivers/gpu/drm/amd/amdkfd/cik_event_interrupt.c | 18 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 25 drivers/gpu/drm/amd/amdkfd/kfd_debug.c | 14 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 124 -- drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c | 69 + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v10.c | 41 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v11.c | 41 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v12.c | 41 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v9.c | 38 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c | 71 - drivers/gpu/drm/amd/amdkfd/kfd_events.c | 43 drivers/gpu/drm/amd/amdkfd/kfd_int_process_v11.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_int_process_v9.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 4 drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_vi.c | 3 drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 11 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 137 +-- drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 10 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 21 drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 23 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 41 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 6 drivers/gpu/drm/amd/display/dc/basics/dc_common.c | 3 drivers/gpu/drm/amd/display/dc/bios/command_table2.c | 9 drivers/gpu/drm/amd/display/dc/bios/command_table_helper2.c | 3 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c | 22 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn316/dcn316_clk_mgr.c | 15 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 13 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c | 2 drivers/gpu/drm/amd/display/dc/core/dc.c | 22 drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c | 21 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 71 + drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 50 - drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 12 drivers/gpu/drm/amd/display/dc/dc_hw_types.h | 5 drivers/gpu/drm/amd/display/dc/dc_types.h | 7 drivers/gpu/drm/amd/display/dc/dce/dce_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/dce/dmub_psr.c | 4 drivers/gpu/drm/amd/display/dc/dio/dcn10/dcn10_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/dio/dcn401/dcn401_dio_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c | 6 drivers/gpu/drm/amd/display/dc/dml/dcn351/dcn351_fpu.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_utils.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 22 drivers/gpu/drm/amd/display/dc/dml2/dml21/inc/dml_top_types.h | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4.c | 30 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 33 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_shared_types.h | 5 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c | 21 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_top/dml2_top_soc15.c | 8 drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.h | 1 drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 11 drivers/gpu/drm/amd/display/dc/hpo/dcn31/dcn31_hpo_dp_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 10 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 55 - drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 22 drivers/gpu/drm/amd/display/dc/hwss/dcn31/dcn31_hwseq.c | 4 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 92 -- drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.h | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_init.c | 2 drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer.h | 6 drivers/gpu/drm/amd/display/dc/inc/core_types.h | 2 drivers/gpu/drm/amd/display/dc/inc/hw/clk_mgr_internal.h | 1 drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h | 6 drivers/gpu/drm/amd/display/dc/inc/resource.h | 2 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c | 42 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_phy.c | 8 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 5 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_8b_10b.c | 7 drivers/gpu/drm/amd/display/dc/link/protocols/link_edp_panel_control.c | 25 drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c | 42 drivers/gpu/drm/amd/display/dc/spl/dc_spl.c | 87 + drivers/gpu/drm/amd/display/dc/spl/dc_spl_types.h | 12 drivers/gpu/drm/amd/display/dc/spl/spl_fixpt31_32.c | 2 drivers/gpu/drm/amd/display/dc/spl/spl_fixpt31_32.h | 4 drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h | 6 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn31.c | 17 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c | 4 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn401.c | 47 - drivers/gpu/drm/amd/display/dmub/src/dmub_dcn401.h | 3 drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c | 4 drivers/gpu/drm/amd/include/asic_reg/mmhub/mmhub_9_4_1_offset.h | 32 drivers/gpu/drm/amd/include/asic_reg/mmhub/mmhub_9_4_1_sh_mask.h | 48 + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 1 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c | 5 drivers/gpu/drm/ast/ast_main.c | 30 drivers/gpu/drm/ast/ast_mode.c | 10 drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 2 drivers/gpu/drm/drm_atomic_helper.c | 28 drivers/gpu/drm/drm_buddy.c | 5 drivers/gpu/drm/drm_edid.c | 1 drivers/gpu/drm/drm_gem.c | 4 drivers/gpu/drm/i915/display/intel_dp_mst.c | 3 drivers/gpu/drm/mediatek/mtk_dpi.c | 5 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 32 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.h | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 7 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 2 drivers/gpu/drm/panel/panel-edp.c | 1 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 40 drivers/gpu/drm/ttm/ttm_bo.c | 3 drivers/gpu/drm/v3d/v3d_drv.c | 25 drivers/gpu/drm/virtio/virtgpu_drv.c | 9 drivers/gpu/drm/xe/display/xe_display.c | 3 drivers/gpu/drm/xe/xe_bo.c | 22 drivers/gpu/drm/xe/xe_debugfs.c | 3 drivers/gpu/drm/xe/xe_device.c | 10 drivers/gpu/drm/xe/xe_drm_client.c | 8 drivers/gpu/drm/xe/xe_gen_wa_oob.c | 6 drivers/gpu/drm/xe/xe_gt.c | 3 drivers/gpu/drm/xe/xe_gt_idle.c | 23 drivers/gpu/drm/xe/xe_gt_idle.h | 1 drivers/gpu/drm/xe/xe_gt_idle_types.h | 3 drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 49 + drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 66 + drivers/gpu/drm/xe/xe_gt_sriov_pf_config.h | 1 drivers/gpu/drm/xe/xe_gt_sriov_pf_types.h | 10 drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 12 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 22 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h | 2 drivers/gpu/drm/xe/xe_guc_log.c | 8 drivers/gpu/drm/xe/xe_guc_pc.c | 22 drivers/gpu/drm/xe/xe_guc_relay.c | 2 drivers/gpu/drm/xe/xe_mmio.c | 10 drivers/gpu/drm/xe/xe_oa.c | 1 drivers/gpu/drm/xe/xe_pci.c | 37 drivers/gpu/drm/xe/xe_pci_sriov.c | 51 + drivers/gpu/drm/xe/xe_pci_types.h | 1 drivers/gpu/drm/xe/xe_pt.c | 14 drivers/gpu/drm/xe/xe_pt.h | 3 drivers/gpu/drm/xe/xe_sa.c | 3 drivers/gpu/drm/xe/xe_tile.c | 12 drivers/gpu/drm/xe/xe_tile.h | 1 drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c | 17 drivers/gpu/drm/xe/xe_ttm_stolen_mgr.h | 2 drivers/gpu/drm/xe/xe_vm.c | 32 drivers/hid/Kconfig | 1 drivers/hid/usbhid/usbkbd.c | 2 drivers/hwmon/acpi_power_meter.c | 8 drivers/hwmon/dell-smm-hwmon.c | 5 drivers/hwmon/gpio-fan.c | 16 drivers/hwmon/xgene-hwmon.c | 2 drivers/hwtracing/coresight/coresight-core.c | 2 drivers/hwtracing/coresight/coresight-etb10.c | 26 drivers/hwtracing/coresight/coresight-trace-id.c | 22 drivers/hwtracing/intel_th/Kconfig | 1 drivers/hwtracing/intel_th/msu.c | 31 drivers/i2c/busses/i2c-amd-asf-plat.c | 2 drivers/i2c/busses/i2c-pxa.c | 5 drivers/i2c/busses/i2c-qcom-geni.c | 6 drivers/i2c/busses/i2c-qup.c | 36 drivers/i3c/master/svc-i3c-master.c | 4 drivers/iio/accel/fxls8962af-core.c | 7 drivers/iio/adc/ad7606.c | 10 drivers/iio/adc/ad7944.c | 16 drivers/iio/adc/qcom-spmi-iadc.c | 4 drivers/iio/dac/ad3552r-hs.c | 29 drivers/iio/dac/ad3552r-hs.h | 8 drivers/iio/dac/adi-axi-dac.c | 22 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 7 drivers/infiniband/core/umem.c | 36 drivers/infiniband/core/uverbs_cmd.c | 144 +-- drivers/infiniband/core/verbs.c | 11 drivers/input/joystick/xpad.c | 3 drivers/iommu/amd/io_pgtable_v2.c | 2 drivers/iommu/dma-iommu.c | 28 drivers/iommu/intel/iommu.c | 37 drivers/iommu/intel/svm.c | 43 drivers/iommu/iommu-priv.h | 2 drivers/iommu/iommu.c | 2 drivers/iommu/iommufd/device.c | 34 drivers/iommu/iommufd/hw_pagetable.c | 3 drivers/iommu/of_iommu.c | 6 drivers/irqchip/irq-riscv-aplic-direct.c | 24 drivers/irqchip/irq-riscv-imsic-early.c | 8 drivers/irqchip/irq-riscv-imsic-platform.c | 16 drivers/irqchip/irq-riscv-imsic-state.c | 96 +- drivers/irqchip/irq-riscv-imsic-state.h | 7 drivers/leds/Kconfig | 1 drivers/leds/leds-st1202.c | 4 drivers/leds/rgb/leds-pwm-multicolor.c | 5 drivers/leds/trigger/ledtrig-netdev.c | 16 drivers/mailbox/mailbox.c | 7 drivers/mailbox/pcc.c | 8 drivers/md/dm-cache-target.c | 24 drivers/md/dm-table.c | 4 drivers/md/dm-vdo/indexer/index-layout.c | 5 drivers/md/dm-vdo/vdo.c | 11 drivers/md/dm.c | 8 drivers/media/cec/core/cec-pin.c | 11 drivers/media/i2c/adv7180.c | 34 drivers/media/i2c/imx219.c | 2 drivers/media/i2c/imx335.c | 21 drivers/media/i2c/ov2740.c | 4 drivers/media/i2c/tc358746.c | 19 drivers/media/platform/qcom/camss/camss-csid.c | 60 - drivers/media/platform/qcom/camss/camss-vfe.c | 4 drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c | 3 drivers/media/platform/st/stm32/stm32-csi.c | 36 drivers/media/test-drivers/vivid/vivid-kthread-cap.c | 11 drivers/media/test-drivers/vivid/vivid-kthread-out.c | 11 drivers/media/test-drivers/vivid/vivid-kthread-touch.c | 11 drivers/media/test-drivers/vivid/vivid-sdr-cap.c | 11 drivers/media/usb/cx231xx/cx231xx-417.c | 2 drivers/media/usb/uvc/uvc_ctrl.c | 77 - drivers/media/usb/uvc/uvc_v4l2.c | 6 drivers/media/v4l2-core/v4l2-subdev.c | 2 drivers/message/fusion/mptscsih.c | 4 drivers/mfd/axp20x.c | 1 drivers/mfd/syscon.c | 9 drivers/mfd/tps65219.c | 7 drivers/misc/eeprom/ee1004.c | 4 drivers/misc/mei/vsc-tp.c | 14 drivers/misc/pci_endpoint_test.c | 6 drivers/mmc/host/dw_mmc-exynos.c | 41 drivers/mmc/host/sdhci-pci-core.c | 6 drivers/mmc/host/sdhci.c | 9 drivers/mmc/host/sdhci_am654.c | 35 drivers/net/bonding/bond_main.c | 2 drivers/net/can/c_can/c_can_platform.c | 2 drivers/net/can/kvaser_pciefd.c | 101 +- drivers/net/can/slcan/slcan-core.c | 26 drivers/net/ethernet/apm/xgene-v2/main.c | 4 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 drivers/net/ethernet/freescale/fec_main.c | 52 - drivers/net/ethernet/intel/ice/ice_ethtool.c | 3 drivers/net/ethernet/intel/ice/ice_irq.c | 25 drivers/net/ethernet/intel/ice/ice_lag.c | 6 drivers/net/ethernet/intel/ice/ice_lib.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 6 drivers/net/ethernet/intel/ice/ice_virtchnl.c | 1 drivers/net/ethernet/intel/idpf/idpf.h | 2 drivers/net/ethernet/intel/idpf/idpf_lib.c | 10 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 18 drivers/net/ethernet/intel/igc/igc_xdp.c | 19 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 drivers/net/ethernet/intel/ixgbe/ixgbe_type_e610.h | 3 drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 14 drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 2 drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c | 24 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 11 drivers/net/ethernet/marvell/octeontx2/nic/Makefile | 2 drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 7 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 114 +- drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 10 drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 34 drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 124 +- drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.h | 7 drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 21 drivers/net/ethernet/marvell/octeontx2/nic/otx2_xsk.c | 182 ++++ drivers/net/ethernet/marvell/octeontx2/nic/otx2_xsk.h | 21 drivers/net/ethernet/marvell/octeontx2/nic/qos_sq.c | 2 drivers/net/ethernet/mediatek/mtk_ppe_offload.c | 22 drivers/net/ethernet/mellanox/mlx4/alloc.c | 6 drivers/net/ethernet/mellanox/mlx4/en_tx.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 drivers/net/ethernet/mellanox/mlx5/core/en/params.c | 16 drivers/net/ethernet/mellanox/mlx5/core/en/params.h | 1 drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 49 - drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 28 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 40 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 5 drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c | 3 drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 13 drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.h | 5 drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 2 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 13 drivers/net/ethernet/mellanox/mlx5/core/events.c | 11 drivers/net/ethernet/mellanox/mlx5/core/fs_ft_pool.c | 6 drivers/net/ethernet/mellanox/mlx5/core/fs_ft_pool.h | 2 drivers/net/ethernet/mellanox/mlx5/core/health.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 3 drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 16 drivers/net/ethernet/meta/fbnic/fbnic_fw.h | 8 drivers/net/ethernet/meta/fbnic/fbnic_netdev.c | 2 drivers/net/ethernet/microchip/lan743x_main.c | 19 drivers/net/ethernet/microsoft/mana/gdma_main.c | 2 drivers/net/ethernet/realtek/r8169_main.c | 32 drivers/net/ethernet/stmicro/stmmac/common.h | 4 drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 21 drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 drivers/net/ethernet/stmicro/stmmac/stmmac.h | 7 drivers/net/ethernet/tehuti/tn40.c | 9 drivers/net/ethernet/tehuti/tn40.h | 33 drivers/net/ethernet/tehuti/tn40_mdio.c | 82 + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 drivers/net/ethernet/ti/cpsw_new.c | 1 drivers/net/ethernet/ti/icssg/icssg_common.c | 2 drivers/net/ieee802154/ca8210.c | 9 drivers/net/mctp/mctp-i2c.c | 2 drivers/net/netdevsim/netdev.c | 31 drivers/net/netdevsim/netdevsim.h | 1 drivers/net/phy/nxp-c45-tja11xx.c | 54 + drivers/net/phy/phylink.c | 2 drivers/net/usb/r8152.c | 1 drivers/net/vmxnet3/vmxnet3_drv.c | 5 drivers/net/vxlan/vxlan_core.c | 36 drivers/net/wireless/ath/ath11k/dp.h | 6 drivers/net/wireless/ath/ath11k/dp_rx.c | 117 +- drivers/net/wireless/ath/ath12k/core.c | 45 drivers/net/wireless/ath/ath12k/core.h | 4 drivers/net/wireless/ath/ath12k/dp_mon.c | 19 drivers/net/wireless/ath/ath12k/dp_rx.c | 22 drivers/net/wireless/ath/ath12k/dp_rx.h | 5 drivers/net/wireless/ath/ath12k/dp_tx.c | 145 +++ drivers/net/wireless/ath/ath12k/hal_desc.h | 2 drivers/net/wireless/ath/ath12k/hal_rx.h | 8 drivers/net/wireless/ath/ath12k/hal_tx.h | 10 drivers/net/wireless/ath/ath12k/mac.c | 102 +- drivers/net/wireless/ath/ath12k/mac.h | 5 drivers/net/wireless/ath/ath12k/pci.c | 13 drivers/net/wireless/ath/ath12k/rx_desc.h | 5 drivers/net/wireless/ath/ath12k/wmi.c | 4 drivers/net/wireless/ath/ath9k/init.c | 4 drivers/net/wireless/intel/iwlwifi/cfg/dr.c | 2 drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 4 drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 8 drivers/net/wireless/intel/iwlwifi/fw/uefi.h | 4 drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 10 drivers/net/wireless/intel/iwlwifi/iwl-trans.c | 8 drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 4 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 15 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 3 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 3 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 drivers/net/wireless/marvell/mwifiex/11n.c | 6 drivers/net/wireless/mediatek/mt76/channel.c | 3 drivers/net/wireless/mediatek/mt76/mt76.h | 3 drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h | 3 drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 2 drivers/net/wireless/mediatek/mt76/mt76x0/pci.c | 3 drivers/net/wireless/mediatek/mt76/mt76x0/usb.c | 3 drivers/net/wireless/mediatek/mt76/mt76x2/pci.c | 3 drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 3 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 76 + drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 3 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 44 drivers/net/wireless/mediatek/mt76/mt7996/main.c | 30 drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 3 drivers/net/wireless/mediatek/mt76/mt7996/mmio.c | 2 drivers/net/wireless/mediatek/mt76/scan.c | 21 drivers/net/wireless/mediatek/mt76/tx.c | 3 drivers/net/wireless/realtek/rtl8xxxu/core.c | 17 drivers/net/wireless/realtek/rtw88/fw.c | 15 drivers/net/wireless/realtek/rtw88/fw.h | 1 drivers/net/wireless/realtek/rtw88/mac.c | 7 drivers/net/wireless/realtek/rtw88/main.c | 54 - drivers/net/wireless/realtek/rtw88/main.h | 1 drivers/net/wireless/realtek/rtw88/reg.h | 3 drivers/net/wireless/realtek/rtw88/rtw8822b.c | 14 drivers/net/wireless/realtek/rtw88/util.c | 3 drivers/net/wireless/realtek/rtw89/coex.c | 107 +- drivers/net/wireless/realtek/rtw89/coex.h | 2 drivers/net/wireless/realtek/rtw89/core.c | 67 + drivers/net/wireless/realtek/rtw89/core.h | 6 drivers/net/wireless/realtek/rtw89/fw.c | 101 ++ drivers/net/wireless/realtek/rtw89/fw.h | 12 drivers/net/wireless/realtek/rtw89/mac.c | 55 + drivers/net/wireless/realtek/rtw89/mac.h | 3 drivers/net/wireless/realtek/rtw89/mac80211.c | 1 drivers/net/wireless/realtek/rtw89/reg.h | 4 drivers/net/wireless/realtek/rtw89/regd.c | 2 drivers/net/wireless/realtek/rtw89/rtw8851b.c | 8 drivers/net/wireless/realtek/rtw89/rtw8852a.c | 8 drivers/net/wireless/realtek/rtw89/rtw8852b.c | 8 drivers/net/wireless/realtek/rtw89/rtw8852bt.c | 8 drivers/net/wireless/realtek/rtw89/rtw8852c.c | 8 drivers/net/wireless/realtek/rtw89/rtw8922a.c | 2 drivers/net/wireless/realtek/rtw89/ser.c | 4 drivers/net/wireless/virtual/mac80211_hwsim.c | 14 drivers/nvdimm/label.c | 3 drivers/nvme/host/pci.c | 6 drivers/nvme/target/pci-epf.c | 66 - drivers/nvme/target/tcp.c | 3 drivers/nvmem/core.c | 40 drivers/nvmem/qfprom.c | 26 drivers/nvmem/rockchip-otp.c | 17 drivers/pci/Kconfig | 6 drivers/pci/ats.c | 33 drivers/pci/controller/dwc/pcie-designware-ep.c | 2 drivers/pci/controller/dwc/pcie-designware-host.c | 2 drivers/pci/controller/pcie-brcmstb.c | 5 drivers/pci/controller/pcie-xilinx-cpm.c | 3 drivers/pci/controller/vmd.c | 20 drivers/pci/endpoint/functions/pci-epf-mhi.c | 2 drivers/pci/endpoint/functions/pci-epf-test.c | 2 drivers/pci/setup-bus.c | 6 drivers/perf/arm_pmuv3.c | 4 drivers/phy/phy-core.c | 7 drivers/phy/renesas/phy-rcar-gen3-usb2.c | 95 +- drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 4 drivers/phy/rockchip/phy-rockchip-usbdp.c | 87 + drivers/phy/samsung/phy-exynos5-usbdrd.c | 7 drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 44 drivers/pinctrl/devicetree.c | 10 drivers/pinctrl/meson/pinctrl-meson.c | 2 drivers/pinctrl/qcom/Kconfig.msm | 4 drivers/pinctrl/qcom/pinctrl-msm.c | 23 drivers/pinctrl/qcom/pinctrl-msm8917.c | 8 drivers/pinctrl/renesas/pinctrl-rzg2l.c | 19 drivers/pinctrl/sophgo/pinctrl-cv18xx.c | 33 drivers/pinctrl/tegra/pinctrl-tegra.c | 59 + drivers/pinctrl/tegra/pinctrl-tegra.h | 6 drivers/platform/x86/asus-wmi.c | 11 drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c | 2 drivers/platform/x86/ideapad-laptop.c | 16 drivers/platform/x86/intel/hid.c | 21 drivers/platform/x86/think-lmi.c | 26 drivers/platform/x86/think-lmi.h | 1 drivers/pmdomain/core.c | 2 drivers/pmdomain/imx/gpcv2.c | 2 drivers/pmdomain/renesas/rcar-gen4-sysc.c | 5 drivers/pmdomain/renesas/rcar-sysc.c | 5 drivers/power/supply/axp20x_battery.c | 21 drivers/pps/generators/pps_gen-dummy.c | 2 drivers/pps/generators/pps_gen.c | 14 drivers/pps/generators/sysfs.c | 6 drivers/ptp/ptp_ocp.c | 24 drivers/regulator/ad5398.c | 12 drivers/remoteproc/qcom_wcnss.c | 34 drivers/rtc/rtc-ds1307.c | 4 drivers/rtc/rtc-rv3032.c | 2 drivers/s390/crypto/vfio_ap_ops.c | 72 + drivers/scsi/aacraid/aachba.c | 4 drivers/scsi/arm/acornscsi.c | 2 drivers/scsi/ips.c | 8 drivers/scsi/lpfc/lpfc_els.c | 10 drivers/scsi/lpfc/lpfc_hbadisc.c | 29 drivers/scsi/lpfc/lpfc_init.c | 2 drivers/scsi/megaraid.c | 10 drivers/scsi/megaraid/megaraid_mbox.c | 10 drivers/scsi/mpi3mr/mpi3mr_fw.c | 8 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 12 drivers/scsi/scsi_debug.c | 55 + drivers/scsi/scsi_sysctl.c | 4 drivers/scsi/st.c | 29 drivers/scsi/st.h | 2 drivers/soc/apple/rtkit-internal.h | 1 drivers/soc/apple/rtkit.c | 58 - drivers/soc/mediatek/mtk-mutex.c | 6 drivers/soc/samsung/exynos-asv.c | 1 drivers/soc/samsung/exynos-chipid.c | 1 drivers/soc/samsung/exynos-pmu.c | 1 drivers/soc/samsung/exynos-usi.c | 1 drivers/soc/samsung/exynos3250-pmu.c | 1 drivers/soc/samsung/exynos5250-pmu.c | 1 drivers/soc/samsung/exynos5420-pmu.c | 1 drivers/soc/ti/k3-socinfo.c | 13 drivers/soundwire/amd_manager.c | 2 drivers/soundwire/bus.c | 9 drivers/soundwire/cadence_master.c | 22 drivers/spi/spi-fsl-dspi.c | 46 - drivers/spi/spi-mux.c | 4 drivers/spi/spi-rockchip.c | 2 drivers/spi/spi-zynqmp-gqspi.c | 20 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 69 - drivers/target/iscsi/iscsi_target.c | 2 drivers/target/target_core_device.c | 8 drivers/target/target_core_pr.c | 6 drivers/target/target_core_spc.c | 34 drivers/thermal/intel/x86_pkg_temp_thermal.c | 1 drivers/thermal/mediatek/lvts_thermal.c | 3 drivers/thermal/qoriq_thermal.c | 13 drivers/thunderbolt/retimer.c | 8 drivers/tty/serial/8250/8250_port.c | 2 drivers/tty/serial/atmel_serial.c | 2 drivers/tty/serial/imx.c | 2 drivers/tty/serial/serial_mctrl_gpio.c | 34 drivers/tty/serial/serial_mctrl_gpio.h | 17 drivers/tty/serial/sh-sci.c | 98 ++ drivers/tty/serial/stm32-usart.c | 2 drivers/ufs/core/ufshcd.c | 29 drivers/usb/gadget/function/f_mass_storage.c | 4 drivers/usb/host/xhci-mem.c | 34 drivers/usb/host/xhci-ring.c | 12 drivers/usb/host/xhci.h | 8 drivers/usb/storage/debug.c | 4 drivers/vdpa/mlx5/net/mlx5_vnet.c | 3 drivers/vfio/pci/vfio_pci_config.c | 3 drivers/vfio/pci/vfio_pci_core.c | 10 drivers/vfio/pci/vfio_pci_intrs.c | 2 drivers/vhost/scsi.c | 23 drivers/video/fbdev/core/bitblit.c | 5 drivers/video/fbdev/core/fbcon.c | 10 drivers/video/fbdev/core/fbcon.h | 38 drivers/video/fbdev/core/fbcon_ccw.c | 5 drivers/video/fbdev/core/fbcon_cw.c | 5 drivers/video/fbdev/core/fbcon_ud.c | 5 drivers/video/fbdev/core/tileblit.c | 45 drivers/video/fbdev/fsl-diu-fb.c | 1 drivers/virtio/virtio.c | 35 drivers/virtio/virtio_ring.c | 2 drivers/watchdog/aspeed_wdt.c | 81 + drivers/watchdog/s3c2410_wdt.c | 10 drivers/xen/pci.c | 32 drivers/xen/platform-pci.c | 4 drivers/xen/xenbus/xenbus_probe.c | 14 fs/btrfs/block-group.c | 18 fs/btrfs/compression.c | 2 fs/btrfs/discard.c | 34 fs/btrfs/disk-io.c | 28 fs/btrfs/extent_io.c | 7 fs/btrfs/extent_io.h | 2 fs/btrfs/scrub.c | 4 fs/btrfs/send.c | 6 fs/btrfs/tree-checker.c | 2 fs/buffer.c | 61 - fs/dlm/lowcomms.c | 4 fs/erofs/internal.h | 4 fs/erofs/super.c | 46 - fs/erofs/zdata.c | 4 fs/exfat/inode.c | 159 +-- fs/ext4/balloc.c | 4 fs/ext4/ext4.h | 5 fs/ext4/extents.c | 19 fs/ext4/inode.c | 81 + fs/ext4/mballoc.c | 3 fs/ext4/page-io.c | 16 fs/ext4/super.c | 19 fs/f2fs/sysfs.c | 74 + fs/fuse/dir.c | 2 fs/gfs2/glock.c | 11 fs/jbd2/recovery.c | 69 + fs/jbd2/revoke.c | 23 fs/namespace.c | 6 fs/nfs/delegation.c | 3 fs/nfs/flexfilelayout/flexfilelayout.c | 1 fs/nfs/inode.c | 2 fs/nfs/internal.h | 5 fs/nfs/nfs3proc.c | 2 fs/nfs/nfs4proc.c | 9 fs/nfs/nfs4state.c | 10 fs/nilfs2/the_nilfs.c | 3 fs/ocfs2/journal.c | 2 fs/orangefs/inode.c | 7 fs/pidfs.c | 9 fs/pipe.c | 4 fs/pstore/inode.c | 2 fs/pstore/internal.h | 4 fs/pstore/platform.c | 11 fs/smb/client/cifsacl.c | 21 fs/smb/client/cifspdu.h | 5 fs/smb/client/cifsproto.h | 7 fs/smb/client/cifssmb.c | 95 +- fs/smb/client/connect.c | 30 fs/smb/client/fs_context.c | 13 fs/smb/client/fs_context.h | 3 fs/smb/client/link.c | 11 fs/smb/client/readdir.c | 7 fs/smb/client/smb1ops.c | 228 ++++- fs/smb/client/smb2file.c | 11 fs/smb/client/smb2inode.c | 8 fs/smb/client/smb2ops.c | 34 fs/smb/client/smb2pdu.c | 4 fs/smb/client/transport.c | 2 fs/smb/client/xattr.c | 15 fs/smb/common/smb2pdu.h | 3 fs/smb/server/smb2pdu.c | 9 fs/smb/server/vfs.c | 14 include/crypto/hash.h | 3 include/drm/drm_atomic.h | 23 include/drm/drm_gem.h | 13 include/linux/alloc_tag.h | 12 include/linux/blkdev.h | 1 include/linux/bpf-cgroup.h | 1 include/linux/bpf.h | 7 include/linux/buffer_head.h | 8 include/linux/codetag.h | 8 include/linux/coresight.h | 2 include/linux/device.h | 119 -- include/linux/device/devres.h | 129 ++ include/linux/dma-mapping.h | 12 include/linux/dma/k3-udma-glue.h | 3 include/linux/err.h | 3 include/linux/gpio/driver.h | 3 include/linux/highmem.h | 10 include/linux/io.h | 2 include/linux/ipv6.h | 1 include/linux/jbd2.h | 2 include/linux/lzo.h | 8 include/linux/mfd/axp20x.h | 1 include/linux/mlx4/device.h | 2 include/linux/mlx5/eswitch.h | 2 include/linux/mlx5/fs.h | 2 include/linux/mm.h | 2 include/linux/mman.h | 2 include/linux/mroute_base.h | 5 include/linux/msi.h | 33 include/linux/objtool.h | 4 include/linux/page-flags.h | 7 include/linux/pci-ats.h | 3 include/linux/percpu.h | 4 include/linux/perf_event.h | 8 include/linux/pnp.h | 2 include/linux/pps_gen_kernel.h | 4 include/linux/rcupdate.h | 2 include/linux/rcutree.h | 2 include/linux/ring_buffer.h | 3 include/linux/spi/spi.h | 5 include/linux/tcp.h | 2 include/linux/trace.h | 4 include/linux/trace_seq.h | 8 include/linux/usb/r8152.h | 1 include/linux/virtio.h | 3 include/media/v4l2-subdev.h | 4 include/net/cfg80211.h | 4 include/net/dropreason.h | 6 include/net/mac80211.h | 4 include/net/xfrm.h | 1 include/rdma/uverbs_std_types.h | 2 include/scsi/scsi_proto.h | 4 include/sound/hda_codec.h | 1 include/sound/pcm.h | 2 include/sound/soc_sdw_utils.h | 1 include/trace/events/btrfs.h | 2 include/trace/events/scsi.h | 4 include/trace/events/target.h | 4 include/uapi/linux/bpf.h | 1 include/uapi/linux/iommufd.h | 14 include/uapi/linux/nl80211.h | 52 - include/uapi/linux/snmp.h | 1 include/uapi/linux/taskstats.h | 47 - include/ufs/ufs_quirks.h | 6 io_uring/fdinfo.c | 4 io_uring/io_uring.c | 96 +- io_uring/msg_ring.c | 1 io_uring/net.c | 14 kernel/bpf/bpf_iter.c | 13 kernel/bpf/bpf_struct_ops.c | 98 -- kernel/bpf/cgroup.c | 33 kernel/bpf/disasm.c | 4 kernel/bpf/hashtab.c | 2 kernel/bpf/syscall.c | 8 kernel/bpf/verifier.c | 56 - kernel/cgroup/cgroup.c | 2 kernel/cgroup/rstat.c | 12 kernel/dma/mapping.c | 25 kernel/events/core.c | 100 +- kernel/events/hw_breakpoint.c | 5 kernel/events/ring_buffer.c | 1 kernel/exit.c | 6 kernel/fork.c | 9 kernel/module/main.c | 1 kernel/padata.c | 3 kernel/printk/printk.c | 14 kernel/rcu/rcu.h | 2 kernel/rcu/tree.c | 15 kernel/rcu/tree_plugin.h | 22 kernel/rseq.c | 60 + kernel/sched/fair.c | 6 kernel/signal.c | 3 kernel/softirq.c | 18 kernel/time/hrtimer.c | 29 kernel/time/posix-timers.c | 26 kernel/time/timer_list.c | 4 kernel/trace/ring_buffer.c | 31 kernel/trace/trace.c | 41 kernel/trace/trace.h | 25 kernel/vhost_task.c | 2 lib/alloc_tag.c | 87 + lib/codetag.c | 5 lib/dynamic_queue_limits.c | 2 lib/lzo/Makefile | 2 lib/lzo/lzo1x_compress.c | 102 +- lib/lzo/lzo1x_compress_safe.c | 18 mm/hugetlb.c | 8 mm/kasan/shadow.c | 92 +- mm/memcontrol.c | 6 mm/page_alloc.c | 8 mm/vmalloc.c | 13 net/bluetooth/hci_event.c | 3 net/bluetooth/l2cap_core.c | 15 net/bridge/br_mdb.c | 2 net/bridge/br_nf_core.c | 7 net/bridge/br_private.h | 1 net/can/bcm.c | 79 + net/core/dev.c | 12 net/core/dev.h | 12 net/core/net-sysfs.c | 5 net/core/page_pool.c | 7 net/core/pktgen.c | 13 net/core/rtnetlink.c | 10 net/dsa/tag_ksz.c | 19 net/hsr/hsr_device.c | 2 net/hsr/hsr_forward.c | 4 net/hsr/hsr_framereg.c | 95 ++ net/hsr/hsr_framereg.h | 8 net/hsr/hsr_main.h | 2 net/ipv4/esp4.c | 53 - net/ipv4/fib_frontend.c | 28 net/ipv4/fib_rules.c | 4 net/ipv4/fib_trie.c | 22 net/ipv4/inet_hashtables.c | 37 net/ipv4/ip_gre.c | 16 net/ipv4/ipmr.c | 12 net/ipv4/proc.c | 1 net/ipv4/syncookies.c | 1 net/ipv4/tcp_input.c | 57 - net/ipv4/tcp_minisocks.c | 26 net/ipv4/tcp_output.c | 6 net/ipv4/xfrm4_input.c | 18 net/ipv6/esp6.c | 53 - net/ipv6/fib6_rules.c | 4 net/ipv6/ip6_gre.c | 2 net/ipv6/ip6_output.c | 11 net/ipv6/ip6_tunnel.c | 3 net/ipv6/ip6_vti.c | 3 net/ipv6/ip6mr.c | 12 net/ipv6/sit.c | 8 net/ipv6/xfrm6_input.c | 18 net/llc/af_llc.c | 8 net/mac80211/agg-tx.c | 5 net/mac80211/cfg.c | 14 net/mac80211/driver-ops.h | 3 net/mac80211/drop.h | 21 net/mac80211/ethtool.c | 2 net/mac80211/ieee80211_i.h | 13 net/mac80211/iface.c | 60 - net/mac80211/main.c | 16 net/mac80211/mlme.c | 150 +++ net/mac80211/rx.c | 194 +--- net/mac80211/status.c | 32 net/mac80211/tx.c | 2 net/mac80211/util.c | 3 net/mptcp/pm_userspace.c | 8 net/netfilter/nf_conntrack_standalone.c | 12 net/sched/sch_hfsc.c | 6 net/smc/smc_pnet.c | 8 net/sunrpc/clnt.c | 3 net/sunrpc/rpcb_clnt.c | 5 net/sunrpc/sched.c | 2 net/tipc/crypto.c | 5 net/wireless/chan.c | 8 net/wireless/mlme.c | 4 net/wireless/nl80211.c | 4 net/wireless/reg.c | 4 net/xdp/xsk.c | 2 net/xfrm/espintcp.c | 4 net/xfrm/xfrm_policy.c | 3 net/xfrm/xfrm_state.c | 6 net/xfrm/xfrm_user.c | 12 samples/bpf/Makefile | 2 scripts/Makefile.extrawarn | 11 scripts/config | 26 scripts/kconfig/confdata.c | 19 scripts/kconfig/merge_config.sh | 4 security/integrity/ima/ima_main.c | 4 security/smack/smackfs.c | 21 sound/core/oss/pcm_oss.c | 3 sound/core/pcm_native.c | 11 sound/core/seq/seq_clientmgr.c | 5 sound/core/seq/seq_memory.c | 1 sound/pci/hda/hda_beep.c | 15 sound/pci/hda/patch_realtek.c | 77 + sound/soc/codecs/cs42l43-jack.c | 7 sound/soc/codecs/mt6359-accdet.h | 9 sound/soc/codecs/pcm3168a.c | 6 sound/soc/codecs/pcm6240.c | 28 sound/soc/codecs/pcm6240.h | 7 sound/soc/codecs/rt722-sdca-sdw.c | 49 + sound/soc/codecs/sma1307.c | 27 sound/soc/codecs/tas2764.c | 53 - sound/soc/codecs/wsa883x.c | 2 sound/soc/codecs/wsa884x.c | 2 sound/soc/fsl/imx-card.c | 2 sound/soc/intel/boards/bytcr_rt5640.c | 13 sound/soc/mediatek/mt8188/mt8188-afe-clk.c | 8 sound/soc/mediatek/mt8188/mt8188-afe-clk.h | 8 sound/soc/mediatek/mt8188/mt8188-afe-pcm.c | 4 sound/soc/qcom/sm8250.c | 3 sound/soc/sdw_utils/soc_sdw_bridge_cs35l56.c | 4 sound/soc/sdw_utils/soc_sdw_cs42l43.c | 10 sound/soc/sdw_utils/soc_sdw_cs_amp.c | 24 sound/soc/soc-dai.c | 8 sound/soc/soc-ops.c | 29 sound/soc/sof/intel/hda-bus.c | 2 sound/soc/sof/intel/hda.c | 16 sound/soc/sof/ipc4-control.c | 11 sound/soc/sof/ipc4-pcm.c | 3 sound/soc/sof/topology.c | 18 sound/soc/sunxi/sun4i-codec.c | 56 + sound/usb/midi.c | 16 tools/arch/x86/include/asm/asm.h | 8 tools/arch/x86/include/asm/nops.h | 2 tools/arch/x86/include/asm/orc_types.h | 4 tools/arch/x86/include/asm/pvclock-abi.h | 4 tools/bpf/bpftool/btf.c | 14 tools/bpf/bpftool/btf_dumper.c | 2 tools/bpf/bpftool/cgroup.c | 2 tools/bpf/bpftool/common.c | 7 tools/bpf/bpftool/jit_disasm.c | 3 tools/bpf/bpftool/map_perf_ring.c | 6 tools/bpf/bpftool/net.c | 4 tools/bpf/bpftool/netlink_dumper.c | 6 tools/bpf/bpftool/prog.c | 12 tools/bpf/bpftool/tracelog.c | 2 tools/bpf/bpftool/xlated_dumper.c | 6 tools/build/Makefile.build | 6 tools/include/uapi/linux/bpf.h | 1 tools/lib/bpf/libbpf.c | 2 tools/net/ynl/lib/ynl.c | 2 tools/net/ynl/pyynl/ynl_gen_c.py | 3 tools/objtool/check.c | 21 tools/power/x86/turbostat/turbostat.8 | 1 tools/power/x86/turbostat/turbostat.c | 13 tools/testing/kunit/kunit_parser.py | 9 tools/testing/kunit/qemu_configs/x86_64.py | 4 tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c | 1 tools/testing/selftests/iommu/iommufd.c | 4 tools/testing/selftests/net/forwarding/bridge_mdb.sh | 2 tools/testing/selftests/net/gro.sh | 3 tools/testing/selftests/net/nl_netdev.py | 18 tools/testing/selftests/pci_endpoint/pci_endpoint_test.c | 2 1081 files changed, 12343 insertions(+), 5740 deletions(-) Aaradhana Sahu (2): wifi: ath12k: Enable MLO setup ready and teardown commands for single split-phy device wifi: ath12k: Fetch regdb.bin file from board-2.bin Aaron Kling (1): cpufreq: tegra186: Share policy per cluster Aditya Kumar Singh (1): wifi: ath12k: use arvif instead of link_conf in ath12k_mac_set_key() Adrian Hunter (1): perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq Ahmad Fatoum (2): clk: imx8mp: inform CCF of maximum frequency of clocks pmdomain: imx: gpcv2: use proper helper for property detection Al Viro (2): hypfs_create_cpu_files(): add missing check for hypfs_mkdir() failure __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock Alain Volmat (2): media: stm32: csi: use ARRAY_SIZE to search D-PHY table media: stm32: csi: add missing pm_runtime_put on error Aleksander Jan Bajkowski (1): r8152: add vendor/device ID pair for Dell Alienware AW1022z Alex Deucher (7): drm/amdgpu: don't free conflicting apertures for non-display devices drm/amdgpu: adjust drm_firmware_drivers_only() handling drm/amdgpu/gfx12: don't read registers in mqd init drm/amdgpu/gfx11: don't read registers in mqd init drm/amdgpu/mes11: fix set_hw_resources_1 calculation drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() drm/amdgpu/vcn4.0.5: split code along instances Alex Sierra (1): drm/amdkfd: clear F8_MODE for gfx950 Alex Williamson (1): vfio/pci: Handle INTx IRQ_NOTCONNECTED Alexander Duyck (1): eth: fbnic: set IFF_UNICAST_FLT to avoid enabling promiscuous mode when adding unicast addrs Alexander Gordeev (1): kasan: avoid sleepable page allocation from atomic context Alexander Stein (1): hwmon: (gpio-fan) Add missing mutex locks Alexander Sverdlin (1): net: ethernet: ti: cpsw_new: populate netdev of_node Alexander Wetzel (2): wifi: mac80211: Drop cooked monitor support wifi: mac80211: Add counter for all monitor interfaces Alexandre Belloni (2): rtc: rv3032: fix EERD location rtc: ds1307: stop disabling alarms on probe Alexandre Ghiti (1): riscv: Call secondary mmu notifier when flushing the tlb Alexei Lazar (2): net/mlx5: XDP, Enable TX side XDP multi-buffer support net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB Alexey Klimov (1): ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() Alexis Lothoré (1): serial: mctrl_gpio: split disable_ms into sync and no_sync APIs Alice Guo (1): thermal/drivers/qoriq: Power down TMU on system suspend Alistair Francis (1): nvmet-tcp: don't restore null sk_state_change Amber Lin (1): drm/amdkfd: Correct F8_MODE for gfx950 Amery Hung (2): bpf: Search and add kfuncs in struct_ops prologue and epilogue bpf: Make every prog keep a copy of ctx_arg_info Andre Przywara (1): clk: sunxi-ng: d1: Add missing divider for MMC mod clocks Andreas Gruenbacher (1): gfs2: Check for empty queue in run_queue Andreas Schwab (1): powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 Andrei Botila (1): net: phy: nxp-c45-tja11xx: add match_phy_device to TJA1103/TJA1104 Andrew Bresticker (1): irqchip/riscv-imsic: Start local sync timer on correct CPU Andrew Davis (1): soc: ti: k3-socinfo: Do not use syscon helper to build regmap Andrew Jones (1): irqchip/riscv-imsic: Set irq_set_affinity() for IMSIC base Andrey Vatoropin (1): hwmon: (xgene-hwmon) use appropriate type for the latency value André Draszik (2): phy: exynos5-usbdrd: fix EDS distribution tuning (gs101) clk: s2mps11: initialise clk_hw_onecell_data::num before accessing ::hws[] in probe() Andy Shevchenko (5): tracing: Mark binary printing functions with __printf() attribute auxdisplay: charlcd: Partially revert "Move hwidth and bwidth to struct hd44780_common" ieee802154: ca8210: Use proper setters and getters for bitwise types hrtimers: Replace hrtimer_clock_to_base_table with switch-case driver core: Split devres APIs to device/devres.h Andy Yan (2): phy: rockchip: usbdp: Only verify link rates/lanes/voltage when the corresponding set flags are set drm/rockchip: vop2: Add uv swap for cluster window Angelo Dureghello (3): iio: adc: ad7606: protect register access iio: dac: ad3552r-hs: use instruction mode for configuration iio: dac: adi-axi-dac: add bus mode setup AngeloGioacchino Del Regno (2): soc: mediatek: mtk-mutex: Add DPI1 SOF/EOF to MT8188 mutex tables drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence Anjaneyulu (1): wifi: cfg80211: allow IR in 20 MHz configurations Ankur Arora (3): rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y rcu: handle unstable rdp in rcu_read_unlock_strict() rcu: fix header guard for rcu_all_qs() Anthony Krowiak (1): s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel log Anup Patel (1): irqchip/riscv-imsic: Separate next and previous pointers in IMSIC vector Aric Cyr (1): drm/amd/display: Request HW cursor on DCN3.2 with SubVP Arnd Bergmann (5): soc: samsung: include linux/array_size.h where needed net: xgene-v2: remove incorrect ACPI_PTR annotation EDAC/ie31200: work around false positive build warning watchdog: aspeed: fix 64-bit division octeontx2: hide unused label Artur Weber (1): pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" Asad Kamal (1): drm/amd/pm: Skip P2S load for SMU v13.0.12 Assadian, Navid (1): drm/amd/display: Fix mismatch type comparison Athira Rajeev (1): arch/powerpc/perf: Check the instruction type before creating sample with perf_mem_data_src Austin Zheng (3): drm/amd/display: Account For OTO Prefetch Bandwidth When Calculating Urgent Bandwidth drm/amd/display: Use Nominal vBlank If Provided Instead Of Capping It drm/amd/display: Call FP Protect Before Mode Programming/Mode Support Avraham Stern (1): wifi: iwlwifi: mvm: fix setting the TK when associated Avula Sri Charan (1): wifi: ath12k: Avoid napi_sync() before napi_enable() Axel Forsman (2): can: kvaser_pciefd: Continue parsing DMA buf after dropped RX can: kvaser_pciefd: Fix echo_skb race Balbir Singh (4): dma/mapping.c: dev_dbg support for dma_addressing_limited dma-mapping: Fix warning reported for missing prototype x86/kaslr: Reduce KASLR entropy on most x86 systems x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers Baokun Li (2): ext4: reject the 'data_err=abort' option in nojournal mode ext4: do not convert the unwritten extents if data writeback fails Bard Liao (1): soundwire: cadence_master: set frame shape and divider based on actual clk freq Bart Van Assche (1): scsi: usb: Rename the RESERVE and RELEASE constants Bartosz Golaszewski (1): gpiolib: sanitize the return value of gpio_chip::set_config() Benjamin Berg (2): um: Store full CSGSFS and SS register from mcontext wifi: mac80211: add HT and VHT basic set verification Benjamin Lin (1): wifi: mt76: mt7996: revise TXS size Benjamin Segall (1): posix-timers: Invoke cond_resched() during exit_itimers() Bibo Mao (1): MIPS: Use arch specific syscall name match function Bitterblue Smith (9): wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 wifi: rtw88: Fix rtw_mac_power_switch() for RTL8814AU wifi: rtw88: Fix rtw_update_sta_info() for RTL8814AU wifi: rtw88: Extend rtw_fw_send_ra_info() for RTL8814AU wifi: rtw88: Fix download_firmware_validate() for RTL8814AU wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate Bogdan-Gabriel Roman (1): spi: spi-fsl-dspi: Halt the module after a new message transfer Boris Burkov (2): btrfs: make btrfs_discard_workfn() block_group ref explicit btrfs: handle empty eb->folios in num_extent_folios() Brandon Kammerdiener (1): bpf: fix possible endless loop in BPF map iteration Brandon Syu (1): Revert "drm/amd/display: Exit idle optimizations before attempt to access PHY" Brendan Jackman (1): kunit: tool: Use qboot on QEMU x86_64 Breno Leitao (3): x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 netdevsim: call napi_schedule from a timer context memcg: always call cond_resched() after fn() Caleb Sander Mateos (2): ublk: complete command synchronously on error io_uring: use IO_REQ_LINK_FLAGS more Carlos Sanchez (1): can: slcan: allow reception of short error messages Carolina Jubran (2): net/mlx5: Preserve rate settings when creating a rate node net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled Cezary Rojewski (1): ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode Chaohai Chen (1): scsi: target: spc: Fix loop traversal in spc_rsoc_get_descr() Charlene Liu (3): drm/amd/display: remove minimum Dispclk and apply oem panel timing. drm/amd/display: fix dcn4x init failed drm/amd/display: pass calculated dram_speed_mts to dml2 Charles Keepax (3): ASoC: rt722-sdca: Add some missing readable registers ASoC: cs42l43: Disable headphone clamps during type detection soundwire: bus: Fix race on the creation of the IRQ domain Chen Linxuan (1): blk-cgroup: improve policy registration error handling Chenyuan Yang (2): ASoC: sma1307: Add NULL check in sma1307_setting_loaded() ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() Chih-Kang Chang (1): wifi: rtw89: Parse channel from IE to correct invalid hardware reports during scanning Chin-Ting Kuo (1): watchdog: aspeed: Update bootstatus handling Ching-Te Ku (4): wifi: rtw89: coex: Fix coexistence report not show as expected wifi: rtw89: coex: Assign value over than 0 to avoid firmware timer hang wifi: rtw89: coex: Separated Wi-Fi connecting event from Wi-Fi scan event wifi: rtw89: coex: Add protect to avoid A2DP lag while Wi-Fi connecting Choong Yong Liang (1): net: phylink: use pl->link_interface in phylink_expects_phy() Chris Lu (2): Bluetooth: btmtksdio: Check function enabled before doing close Bluetooth: btmtksdio: Do close if SDIO card removed without close Chris Morgan (2): power: supply: axp20x_battery: Update temp sensor for AXP717 from device tree mfd: axp20x: AXP717: Add AXP717_TS_PIN_CFG to writeable regs Christian Brauner (1): pidfs: improve multi-threaded exec and premature thread-group leader exit polling Christian Bruel (1): PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops Christian Göttsche (1): ext4: reorder capability check last Christian König (4): drm/amdgpu: rework how the cleaner shader is emitted v3 drm/amdgpu: rework how isolation is enforced v2 drm/amdgpu: use GFP_NOWAIT for memory allocations drm/amdgpu: remove all KFD fences from the BO on release Christoph Hellwig (3): block: mark bounce buffering as incompatible with integrity loop: check in LO_FLAGS_DIRECT_IO in loop_default_blocksize loop: don't require ->write_iter for writable files in loop_configure ChunHao Lin (1): r8169: disable RTL8126 ZRX-DC timeout Chung Chung (1): dm vdo indexer: prevent unterminated string warning Claudiu Beznea (5): phy: renesas: rcar-gen3-usb2: Move IRQ request in probe phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off serial: sh-sci: Update the suspend/resume support pinctrl: renesas: rzg2l: Add suspend/resume support for pull up/down Coly Li (1): badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable < 0 Cong Wang (1): sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() Conor Dooley (1): RISC-V: add vector extension validation checks Cristian Ciocaltea (1): drm/rockchip: vop2: Improve display modes handling on RK3588 HDMI0 Csókás, Bence (1): net: fec: Refactor MAC reset to function Damien Le Moal (2): nvmet: pci-epf: Keep completion queues mapped nvmet: pci-epf: clear completion queue IRQ flag on delete Damon Ding (1): phy: phy-rockchip-samsung-hdptx: Swap the definitions of LCPLL_REF and ROPLL_REF Dan Carpenter (3): ASoC: sma1307: Fix error handling in sma1307_setting_loaded() pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Dang Huynh (1): pinctrl: qcom: msm8917: Add MSM8937 wsa_reset pin Daniel Gabay (1): wifi: iwlwifi: w/a FW SMPS mode selection Daniel Gomez (2): kconfig: merge_config: use an empty file as initfile drm/xe: xe_gen_wa_oob: replace program_invocation_short_name Daniel Hsu (1): mctp: Fix incorrect tx flow invalidation condition in mctp-i2c Danny Wang (1): drm/amd/display: Do not enable replay when vtotal update is pending. Darrick J. Wong (2): block: fix race between set_blocksize and read paths block: hoist block size validation code to a separate function Dave Ertman (1): ice: Fix LACP bonds without SRIOV environment Dave Jiang (1): dmaengine: idxd: Fix ->poll() return value David (Ming Qiang) Wu (1): drm/amdgpu: read back register after written for VCN v4.0.5 David Hildenbrand (1): kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork() David Lechner (1): iio: adc: ad7944: don't use storagebits for sizing David Plowman (1): media: i2c: imx219: Correct the minimum vblanking value David Rosca (1): drm/amdgpu: Update SRIOV video codec caps David Sterba (1): btrfs: tree-checker: adjust error code for header level check David Wang (1): module: release codetag section when module load fails David Wei (1): tools: ynl-gen: validate 0 len strings from kernel Davidlohr Bueso (6): fs/buffer: split locking for pagecache lookups fs/buffer: introduce sleeping flavors for pagecache lookups fs/buffer: use sleeping version of __find_get_block() fs/ocfs2: use sleeping version of __find_get_block() fs/jbd2: use sleeping version of __find_get_block() fs/ext4: use sleeping version of sb_find_get_block() Depeng Shao (2): media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available media: qcom: camss: Add default case in vfe_src_pad_code Dhananjay Ugwekar (1): cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost Dian-Syuan Yang (1): wifi: rtw89: set force HE TB mode when connecting to 11ax AP Dillon Varone (5): drm/amd/display: Fix DMUB reset sequence for DCN401 drm/amd/display: Fix p-state type when p-state is unsupported drm/amd/display: Fixes for mcache programming in DML21 drm/amd/display: Ammend DCPG IP control sequences to align with HW guidance drm/amd/display: Populate register address for dentist for dcn401 Diogo Ivo (2): ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator Dmitry Baryshkov (6): nvmem: core: fix bit offsets of more than one byte nvmem: core: verify cell's raw_len nvmem: core: update raw_len if the bit reading is required nvmem: qfprom: switch to 4-byte aligned reads phy: core: don't require set_mode() callback for phy_get_mode() to work pinctrl: qcom: switch to devm_register_sys_off_handler() Dmitry Bogdanov (1): scsi: target: iscsi: Fix timeout on deleted connection Dominik Grzegorzek (1): padata: do not leak refcount in reorder_work Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Douglas Anderson (1): drm/panel-edp: Add Starry 116KHD024006 Ed Burcher (1): ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 Eddie James (1): eeprom: ee1004: Check chip before probing Eder Zulian (1): mfd: syscon: Add check for invalid resource size Eduard Zingerman (3): bpf: don't do clean_live_states when state->loop_entry->branches > 0 bpf: copy_verifier_state() should copy 'loop_entry' field bpf: abort verification if env->cur_state->loop_entry != NULL Emily Deng (1): drm/amdgpu: Fix missing drain retry fault the last entry Emmanuel Grumbach (2): wifi: iwlwifi: fix the ECKV UEFI variable name wifi: mac80211: set ieee80211_prep_tx_info::link_id upon Auth Rx En-Wei Wu (1): Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling Eric Dumazet (7): cgroup/rstat: avoid disabling irqs for O(num_cpu) posix-timers: Add cond_resched() to posix_timer_add() search loop tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() tcp: be less liberal in TSEcr received while in SYN_RECV state net: flush_backlog() small changes net-sysfs: restore behavior for not running devices idpf: fix idpf_vport_splitq_napi_poll() Eric Huang (1): drm/amdkfd: fix missing L2 cache info in topology Eric Woudstra (1): net: ethernet: mtk_ppe_offload: Allow QinQ, double ETH_P_8021Q only Erick Shepherd (2): mmc: host: Wait for Vdd to settle on card power off mmc: sdhci: Disable SD card clock before changing parameters Felix Fietkau (5): wifi: mt76: scan: fix setting tx_info fields wifi: mt76: mt7996: implement driver specific get_txpower function wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 wifi: mt76: mt7996: use the correct vif link for scanning/roc wifi: mt76: scan: set vif offchannel link for scanning/roc Felix Kuehling (1): drm/amdgpu: Allow P2P access through XGMI Filipe Manana (3): btrfs: fix non-empty delayed iputs list on unmount due to async workers btrfs: get zone unusable bytes while holding lock at btrfs_reclaim_bgs_work() btrfs: send: return -ENAMETOOLONG when attempting a path that is too long Flora Cui (2): drm/amdgpu/discovery: check ip_discovery fw file available drm/amdgpu: release xcp_mgr on exit Florent Revest (1): mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y Frank Li (3): PCI: dwc: ep: Ensure proper iteration over outbound map windows PCI: dwc: Use resource start as ioremap() input in dw_pcie_pme_turn_off() i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) Frederick Lawler (1): ima: process_measurement() needlessly takes inode_lock() on MAY_READ Frediano Ziglio (1): xen: Add support for XenServer 6.1 platform device Gabor Juhos (1): arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Gao Xiang (1): erofs: initialize decompression early Gaurav Batra (2): powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits Gašper Nemgar (1): platform/x86: ideapad-laptop: add support for some new buttons Ge Yang (1): mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios Geert Uytterhoeven (3): ipv4: ip_gre: Fix set but not used warning in ipgre_err() if IPv4-only serial: sh-sci: Save and restore more registers pmdomain: renesas: rcar: Remove obsolete nullify checks Geetha sowjanya (1): octeontx2-af: Fix APR entry mapping based on APR_LMT_CFG George Shen (3): drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination drm/amd/display: Read LTTPR ALPM caps during link cap retrieval drm/amd/display: Update CR AUX RD interval interpretation Goldwyn Rodrigues (1): btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref Greg Kroah-Hartman (3): driver core: faux: only create the device if probe() succeeds spi: use container_of_cont() for to_spi_device() Linux 6.14.9 Guangguan Wang (1): net/smc: use the correct ndev to find pnetid by pnetid table Gustavo Sousa (1): drm/xe: Disambiguate GMDID-based IP names Hangbin Liu (1): bonding: report duplicate MAC address in all situations Hans Verkuil (2): media: cx231xx: set device_caps for 417 media: test-drivers: vivid: don't call schedule in loop Hans de Goede (1): mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type Hans-Frieder Vogt (2): net: tn40xx: add pci-id of the aqr105-based Tehuti TN4010 cards net: tn40xx: create swnode for mdio and aqr105 phy and add to mdiobus Haoran Jiang (1): samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora Hariprasad Kelam (1): Octeontx2-af: RPM: Register driver with PCI subsys IDs Harish Kasiviswanathan (3): drm/amdkfd: Set per-process flags only once for gfx9/10/11/12 drm/amdkfd: Set per-process flags only once cik/vi drm/amdgpu: Set snoop bit for SDMA for MI series Harry VanZyllDeJong (1): drm/amd/display: Add support for disconnected eDP streams Harry Wentland (1): drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Hector Martin (4): soc: apple: rtkit: Implement OSLog buffers properly ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG ASoC: tas2764: Mark SW_RESET as volatile ASoC: tas2764: Power up/down amp on mute ops Heiko Carstens (1): s390/tlb: Use mm_has_pgste() instead of mm_alloc_pgste() Heiko Stuebner (2): nvmem: rockchip-otp: Move read-offset into variant-data nvmem: rockchip-otp: add rk3576 variant data Heiner Kallweit (2): r8169: increase max jumbo packet size on RTL8125/RTL8126 r8169: don't scan PHY addresses > 0 Heming Zhao (1): dlm: make tcp still work in multi-link env Herbert Xu (3): crypto: lzo - Fix compression buffer overrun crypto: ahash - Set default reqsize from ahash_alg crypto: skcipher - Zap type in crypto_alloc_sync_skcipher Huacai Chen (1): net: stmmac: dwmac-loongson: Set correct {tx,rx}_fifo_size Huisong Li (1): hwmon: (acpi_power_meter) Fix the fake power alarm reporting Ian Rogers (1): tools/build: Don't pass test log files to linker Ido Schimmel (2): vxlan: Annotate FDB data races bridge: netfilter: Fix forwarding of fragmented packets Ignacio Moreno Gonzalez (1): mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled Ihor Solodrai (1): selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure Ilan Peer (2): wifi: cfg80211: Update the link address when a link is added wifi: mac80211_hwsim: Fix MLD address translation Ilia Gavrilov (1): llc: fix data loss when reading from a socket in llc_ui_recvmsg() Ilpo Järvinen (2): tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() PCI: Fix old_size lower bound in calculate_iosize() too Ilya Bakoulin (2): drm/amd/display: Fix BT2020 YCbCr limited/full range input drm/amd/display: Don't try AUX transactions on disconnected link Imre Deak (1): drm/i915/dp: Fix determining SST/MST mode during MTP TU state computation Ingo Molnar (1): x86/stackprotector/64: Only export __ref_stack_chk_guard on CONFIG_SMP Inochi Amaoto (1): pinctrl: sophgo: avoid to modify untouched bit when setting cv1800 pinconf Isaac Scott (1): regulator: ad5398: Add device tree support Ivan Pravdin (1): crypto: algif_hash - fix double free in hash_accept Jaakko Karrenpalo (1): net: hsr: Fix PRP duplicate detection Jacob Keller (1): ice: fix vf->num_mac count with port representors Jaegeuk Kim (1): f2fs: introduce f2fs_base_attr for global sysfs entries Jakob Unterwurzacher (1): net: dsa: microchip: linearize skb for tail-tagging switches Jakub Kicinski (4): eth: mlx4: don't try to complete XDP frames in netpoll netdevsim: allow normal queue reset while down net: page_pool: avoid false positive warning if NAPI was never added tools: ynl-gen: don't output external constants Jan Kara (2): jbd2: do not try to recover wiped journal jbd2: Avoid long replay times due to high number or revoke blocks Janne Grunau (1): soc: apple: rtkit: Use high prio work queue Jason Andryuk (1): xenbus: Allow PVH dom0 a non-local xenstore Jason Gunthorpe (2): iommu/vt-d: Check if SVA is supported when attaching the SVA domain genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie Jedrzej Jagielski (1): ixgbe: add support for thermal sensor event reception Jeff Chen (1): wifi: mwifiex: Fix HT40 bandwidth issue. Jens Axboe (2): io_uring/fdinfo: annotate racy sq/cq head/tail reads io_uring/net: only retry recv bundle for a full transfer Jernej Skrabec (1): Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC connection" Jessica Zhang (2): drm/msm/dpu: Set possible clones for all encoders drm: Add valid clones check Jianbo Liu (1): net/mlx5e: Add correct match to check IPSec syndromes for switchdev mode Jiang Liu (2): drm/amdgpu: reset psp->cmd to NULL after releasing the buffer amdgpu/soc15: enable asic reset for dGPU in case of suspend abort Jiasheng Jiang (1): dpll: Add an assertion to check freq_supported_num Jiayuan Chen (1): bpftool: Using the right format specifiers Jing Su (1): dql: Fix dql->limit value when reset. Jing Zhou (1): drm/amd/display: Guard against setting dispclk low for dcn31x Jinliang Zheng (1): dm: fix unconditional IO throttle caused by REQ_PREFLUSH Jinqian Yang (1): arm64: Add support for HIP09 Spectre-BHB mitigation Johannes Berg (11): wifi: iwlwifi: fix debug actions order wifi: iwlwifi: mark Br device not integrated wifi: mac80211: don't include MLE in ML reconf per-STA profile wifi: mac80211: fix warning on disconnect during failed ML reconf wifi: mac80211: fix U-APSD check in ML reconfiguration wifi: iwlwifi: use correct IMR dump variable wifi: mac80211: always send max agg subframe num in strict mode wifi: mac80211: don't unconditionally call drv_mgd_complete_tx() wifi: mac80211: remove misplaced drv_mgd_complete_tx() call wifi: iwlwifi: add support for Killer on MTL wifi: mac80211: restore monitor for outgoing frames Johannes Thumshirn (1): block: only update request sector if needed John Harrison (1): drm/xe/guc: Drop error messages about missing GuC logs John Olender (1): drm/amd/display: Defer BW-optimization-blocked DRR adjustments Jon Hunter (1): arm64: tegra: Resize aperture for the IGX PCIe C5 slot Jonas Karlman (1): net: stmmac: dwmac-rk: Validate GRF and peripheral GRF during probe Jonathan Kim (1): drm/amdkfd: set precise mem ops caps to disabled for gfx 11 and 12 Jonathan McDowell (1): tpm: Convert warn to dbg in tpm2_start_auth_session() Jordan Crouse (1): clk: qcom: camcc-sm8250: Use clk_rcg2_shared_ops for some RCGs Josh Poimboeuf (2): objtool: Properly disable uaccess validation objtool: Fix error handling inconsistencies in check() Joshua Aberback (1): drm/amd/display: Increase block_sequence array size Judith Mendez (1): mmc: sdhci_am654: Add SDHCI_QUIRK2_SUPPRESS_V1P8_ENA quirk to am62 compatible Justin Tee (4): scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when pci_irq_vector() fails scsi: lpfc: Reduce log message generation during ELS ring clean up K Prateek Nayak (1): fs/pipe: Limit the slots in pipe_resize_ring() Kai Mäkisara (4): scsi: st: Tighten the page format heuristics with MODE SELECT scsi: st: ERASE does not change tape location scsi: scsi_debug: First fixes for tapes scsi: st: Restore some drive settings after reset Kai Vehmanen (1): ASoc: SOF: topology: connect DAI to a single DAI link Karl Chan (1): clk: qcom: ipq5018: allow it to be bulid on arm32 Karthikeyan Periyasamy (1): wifi: ath12k: Update the peer id in PPDU end user stats TLV Kate Hsuan (1): HID: Kconfig: Add LEDS_CLASS_MULTICOLOR dependency to HID_LOGITECH Kaustabh Chakraborty (1): mmc: dw_mmc: add exynos7870 DW MMC support Kees Cook (6): PNP: Expand length of fixup id string net/mlx4_core: Avoid impossible mlx4_db_alloc() order value pstore: Change kmsg_bytes storage size to u32 btrfs: compression: adjust cb->compressed_folios allocation type mm: vmalloc: actually use the in-place vrealloc region mm: vmalloc: only zero-init on vrealloc shrink Kevin Krakauer (1): selftests/net: have `gro.sh -t` return a correct exit code Konstantin Andreev (2): smack: recognize ipv4 CIPSO w/o categories smack: Revert "smackfs: Added check catlen" Konstantin Shkolnyy (1): vdpa/mlx5: Fix mlx5_vdpa_get_config() endianness on big-endian machines Konstantin Taranov (1): net/mana: fix warning in the writer of client oob Krzysztof Kozlowski (7): ASoC: codecs: wsa884x: Correct VI sense channel mask ASoC: codecs: wsa883x: Correct VI sense channel mask can: c_can: Use of_property_present() to test existence of DT property clk: qcom: clk-alpha-pll: Do not use random stack value for recalc rate iio: accel: fxls8962af: Fix wakeup source leaks on device unbind iio: adc: qcom-spmi-iadc: Fix wakeup source leaks on device unbind iio: imu: st_lsm6dsx: Fix wakeup source leaks on device unbind Kuan-Chung Chen (1): wifi: rtw89: 8922a: fix incorrect STA-ID in EHT MU PPDU Kuhanh Murugasen Krishnan (1): fpga: altera-cvp: Increase credit timeout Kunihiko Hayashi (1): net: stmmac: Correct usage of maximum queue number macros Kuninori Morimoto (1): ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() Kuniyuki Iwashima (3): ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config(). ipv4: fib: Hold rtnl_net_lock() in ip_rt_ioctl(). ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). Kurt Borja (1): hwmon: (dell-smm) Increment the number of fans Kyunghwan Seo (1): watchdog: s3c2410_wdt: Fix PMU register bits for ExynosAutoV920 SoC Lad Prabhakar (1): clk: renesas: rzg2l-cpg: Refactor Runtime PM clock validation Larisa Grigore (2): spi: spi-fsl-dspi: restrict register range for regmap access spi: spi-fsl-dspi: Reset SR flags before sending a new message Lee Trager (1): eth: fbnic: Prepend TSENE FW fields with FBNIC_FW Len Brown (1): tools/power turbostat: Clustered Uncore MHz counters should honor show/hide options Leo Zeng (1): Revert "drm/amd/display: Request HW cursor on DCN3.2 with SubVP" Leon Huang (1): drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch Leon Romanovsky (1): xfrm: prevent high SEQ input in non-ESN mode Li Bin (1): ARM: at91: pm: fix at91_suspend_finish for ZQ calibration Lijo Lazar (5): drm/amdgpu: Reinit FW shared flags on VCN v5.0.1 drm/amdgpu: Avoid HDP flush on JPEG v5.0.1 drm/amdgpu: Add offset normalization in VCN v5.0.1 drm/amd/pm: Fetch current power limit from PMFW drm/amdgpu: Use active umc info from discovery Lin.Cao (1): drm/buddy: fix issue that force_merge cannot free all roots Lingbo Kong (2): wifi: ath12k: report station mode receive rate for IEEE 802.11be wifi: ath12k: report station mode transmit rate Linus Torvalds (3): gcc-15: make 'unterminated string initialization' just a warning gcc-15: disable '-Wunterminated-string-initialization' entirely for now Fix mis-uses of 'cc-option' for warning disablement Linus Walleij (1): ASoC: pcm6240: Drop bogus code handling IRQ as GPIO Lizhi Hou (2): accel/amdxdna: Check interrupt register before mailbox_rx_worker exits accel/amdxdna: Refactor hardware context destroy routine Lorenzo Stoakes (1): intel_th: avoid using deprecated page->mapping, index fields Lucas De Marchi (2): drm/xe: Stop ignoring errors from xe_ttm_stolen_mgr_init() drm/xe: Fix xe_tile_init_noalloc() error propagation Luis de Arquer (1): spi-rockchip: Fix register out of bounds access Luiz Augusto von Dentz (1): Bluetooth: L2CAP: Fix not checking l2cap_chan security level Maarten Lankhorst (2): drm/xe: Move suballocator init to after display init drm/xe: Do not attempt to bootstrap VF in execlists mode Maciej S. Szmigiero (1): ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 Maher Sanalla (1): RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() Manish Pandey (1): scsi: ufs: Introduce quirk to extend PA_HIBERN8TIME for UFS devices Manuel Fombuena (2): leds: Kconfig: leds-st1202: Add select for required LEDS_TRIGGER_PATTERN leds: leds-st1202: Initialize hardware before DT node child operations Marcin Bernatowicz (1): drm/xe/client: Skip show_run_ticks if unable to read timestamp Marcos Paulo de Souza (1): printk: Check CON_SUSPEND when unblanking a console Marek Szyprowski (1): dma-mapping: avoid potential unused data compilation warning Marek Vasut (1): leds: trigger: netdev: Configure LED blink interval for HW offload Mario Limonciello (2): x86/amd_node: Add SMN offsets to exclusive region access Revert "drm/amd: Keep display off while going into S4" Mark Harmstone (1): btrfs: avoid linker error in btrfs_find_create_tree_block() Mark Pearson (1): platform/x86: think-lmi: Fix attribute name usage for non-compliant items Mark Zhang (1): net/mlx5e: Use right API to free bitmap memory Markus Elfring (1): media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() Martin Blumenstingl (1): pinctrl: meson: define the pull up/down resistor value as 60 kOhm Martin KaFai Lau (1): bpf: Use kallsyms to find the function name of a struct_ops's stub function Martin Povišer (1): ASoC: ops: Enforce platform maximum on initial value Martin Tsai (1): drm/amd/display: Support multiple options during psr entry. Masahiro Yamada (1): kconfig: do not clear SYMBOL_VALID when reading include/config/auto.conf Matt Johnston (1): fuse: Return EPERM rather than ENOSYS from link() Matthew Brost (2): drm/xe: Nuke VM's mapping upon close drm/xe: Retry BO allocation Matthew Sakai (1): dm vdo: use a short static string for thread name prefix Matthew Wilcox (Oracle) (2): orangefs: Do not truncate file size highmem: add folio_test_partial_kmap() Matthias Fend (1): media: tc358746: improve calculation of the D-PHY timing registers Matthieu Baerts (NGI0) (1): mptcp: pm: userspace: flags: clearer msg if no remote addr Matti Lehtimäki (2): remoteproc: qcom_wcnss: Handle platforms with only single power domain remoteproc: qcom_wcnss: Fix on platforms without fallback regulators Michael Chan (1): bnxt_en: Set NPAR 1.2 support when registering with firmware Michael Jeanson (1): rseq: Fix segfault on registration when rseq_cs is non-zero Michael Margolin (1): RDMA/core: Fix best page size finding when it can cross SG entries Michael S. Tsirkin (2): virtio: break and reset virtio devices on device_shutdown() virtgpu: don't reset on shutdown Michal Pecio (1): usb: xhci: Don't change the status of stalled TDs on failed Stop EP Michal Swiatkowski (3): ice: init flow director before RDMA ice: treat dyn_allowed only as suggestion ice: count combined queues using Rx/Tx count Michal Wajdeczko (7): drm/xe/pf: Release all VFs configs on device removal drm/xe/relay: Don't use GFP_KERNEL for new transactions drm/xe/pf: Reset GuC VF config when unprovisioning critical resource drm/xe/pf: Move VFs reprovisioning to worker drm/xe/sa: Always call drm_suballoc_manager_fini() drm/xe/vf: Perform early GT MMIO initialization to read GMDID drm/xe: Always setup GT MMIO adjustment data Mika Westerberg (1): thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer Mike Christie (1): vhost-scsi: Return queue full for page alloc failures during copy Mikulas Patocka (1): dm: restrict dm device size to 2^63-512 bytes Ming Lei (2): loop: move vfs_fsync() out of loop_update_dio() blk-throttle: don't take carryover for prioritized processing of metadata Ming Yen Hsieh (1): wifi: mt76: mt7925: load the appropriate CLC data based on hardware type Ming-Hung Tsai (1): dm cache: prevent BUG_ON by blocking retries on failed device resumes Miri Korenblit (2): wifi: iwlwifi: don't warn when if there is a FW error wifi: iwlwifi: don't warn during reprobe Moshe Shemesh (1): net/mlx5: Avoid report two health errors on same syndrome Mrinmay Sarkar (1): PCI: epf-mhi: Update device ID for SA8775P Mukesh Kumar Savaliya (1): i2c: qcom-geni: Update i2c frequency table to match hardware guidance Mykyta Yatsenko (1): bpf: Return prog btf_id without capable check Naman Trivedi (1): arm64: zynqmp: add clock-output-names property in clock nodes Namjae Jeon (2): cifs: add validation check for the fields in smb_aces ksmbd: fix stream write failure Nandakumar Edamana (1): libbpf: Fix out-of-bound read Nathan Chancellor (2): i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() kbuild: Properly disable -Wunterminated-string-initialization for clang Navid Assadian (1): drm/amd/display: Add opp recout adjustment Nicholas Kazlauskas (2): drm/amd/display: Ensure DMCUB idle before reset on DCN31/DCN35 drm/amd/display: Guard against setting dispclk low when active Nicholas Susanto (1): drm/amd/display: Enable urgent latency adjustment on DCN35 Nick Hu (1): clocksource/drivers/timer-riscv: Stop stimecmp when cpu hotplug Nicolas Bouchinet (2): netfilter: conntrack: Bound nf_conntrack sysctl writes scsi: logging: Fix scsi_logging_level bounds Nicolas Bretz (1): ext4: on a remount, only log the ro or r/w state when it has changed Nicolas Escande (1): wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override Niklas Cassel (2): misc: pci_endpoint_test: Give disabled BARs a distinct error code selftests: pci_endpoint: Skip disabled BARs Niklas Neronin (1): usb: xhci: set page size to the xHCI-supported size Niklas Söderlund (1): media: adv7180: Disable test-pattern control on adv7180 Nilay Shroff (1): block: acquire q->limits_lock while reading sysfs attributes Nir Lichtman (1): x86/build: Fix broken copy command in genimage.sh when making isoimage Nícolas F. R. A. Prado (4): thermal/drivers/mediatek/lvts: Start sensor interrupts disabled ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile ASoC: mediatek: mt8188: Add reference for dmic clocks Oak Zeng (1): drm/xe: Reject BO eviction if BO is bound to current VM Oliver Hartkopp (2): can: bcm: add locking for bcm_op runtime updates can: bcm: add missing rcu read protection for procfs content Olivier Moysan (1): drm: bridge: adv7511: fill stream capabilities Ovidiu Bunea (1): drm/amd/display: Exit idle optimizations before accessing PHY P Praneesh (3): wifi: ath12k: fix the ampdu id fetch in the HAL_RX_MPDU_START TLV wifi: ath12k: Fix end offset bit definition in monitor ring descriptor wifi: ath11k: Use dma_alloc_noncoherent for rx_tid buffer allocation Pali Rohár (10): cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES cifs: Fix querying and creating MF symlinks over SMB1 cifs: Fix access_flags_to_smbopen_mode cifs: Fix negotiate retry functionality cifs: Set default Netbios RFC1001 server name to hostname in UNC cifs: Fix establishing NetBIOS session for SMB2+ connection cifs: Fix getting DACL-only xattr system.cifs_acl and system.smb3_acl cifs: Check if server supports reparse points before using them cifs: Fix and improve cifs_query_path_info() and cifs_query_file_info() cifs: Fix changing times and read-only attr over SMB1 smb_set_file_info() function Paolo Abeni (1): mr: consolidate the ipmr_can_free_table() checks. Patrisious Haddad (1): net/mlx5: Change POOL_NEXT_SIZE define value and make it global Paul Burton (2): MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core clocksource: mips-gic-timer: Enable counter when CPUs start Paul Chaignon (1): xfrm: Sanitize marks before insert Paul E. McKenney (1): rcu: Fix get_state_synchronize_rcu_full() GP-start detection Paul Elder (1): media: imx335: Set vblank immediately Paul Kocialkowski (1): net: dwmac-sun8i: Use parsed internal PHY address instead of 1 Pavan Kumar Linga (1): idpf: fix null-ptr-deref in idpf_features_check Pavel Begunkov (4): io_uring: don't duplicate flushing in io_req_post_cqe io_uring/msg: initialise msg request opcode io_uring: sanitise ring params earlier io_uring: fix overflow resched cqe reordering Pavel Nikulin (1): platform/x86: asus-wmi: Disable OOBE state after resume from hibernation Paweł Anikiel (1): x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88 Pedro Nishiyama (1): Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken Peichen Huang (1): drm/amd/display: not abort link train when bw is low Pengyu Luo (1): cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist Peter Seiderer (2): net: pktgen: fix mpls maximum labels list parsing net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Peter Ujfalusi (3): ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction Peter Zijlstra (5): perf/core: Clean up perf_try_init_event() perf/core: Fix perf_mmap() failure path x86/ibt: Handle FineIBT in handle_cfi_failure() x86/traps: Cleanup and robustify decode_bug() x86/boot: Mark start_secondary() with __noendbr Peter Zijlstra (Intel) (1): perf: Avoid the read if the count is already updated Peterson Guo (1): drm/amd/display: Reverse the visual confirm recouts Petr Machata (2): vxlan: Join / leave MC group after remote changes bridge: mdb: Allow replace of a host-joined group Philip Redkin (1): x86/mm: Check return value from memblock_phys_alloc_range() Philip Yang (1): drm/amdkfd: KFD release_work possible circular locking Philippe Simons (1): clk: sunxi-ng: h616: Reparent GPU clock during frequency changes Ping-Ke Shih (7): wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() wifi: rtw89: fw: get sb_sel_ver via get_unaligned_le32() wifi: rtw89: fw: add blacklist to avoid obsolete secure firmware wifi: rtw89: fw: validate multi-firmware header before getting its size wifi: rtw89: fw: validate multi-firmware header before accessing wifi: rtw89: call power_on ahead before selecting firmware wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet Prathamesh Shete (1): pinctrl-tegra: Restore SFSEL bit when freeing pins Qu Wenruo (2): btrfs: run btrfs_error_commit_super() early btrfs: avoid NULL pointer dereference if no valid csum tree Quan Zhou (2): wifi: mt76: mt7925: Simplify HIF suspend handling to avoid suspend fail wifi: mt76: mt7925: fix fails to enter low power mode in suspend state Raag Jadav (2): devres: Introduce devm_kmemdup_array() err.h: move IOMEM_ERR_PTR() to err.h Rae Moar (1): kunit: tool: Fix bug in parsing test plan Rafael J. Wysocki (1): cpuidle: menu: Avoid discarding useful information Ramasamy Kaliappan (1): wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band Ranjan Kumar (2): scsi: mpi3mr: Add level check to control event logging scsi: mpi3mr: Update timestamp only for supervisor IOCs Ravi Bangoria (2): perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt perf/amd/ibs: Fix ->config to sample period calculation for OP PMU Rex Lu (1): wifi: mt76: mt7996: fix SER reset trigger on WED reset Ricardo Ribalda (2): media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value Rik van Riel (1): x86/mm: Make MMU_GATHER_RCU_TABLE_FREE unconditional Ritesh Harjani (IBM) (1): book3s64/radix: Fix compile errors when CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=n Rob Herring (Arm) (1): perf: arm_pmuv3: Call kvm_vcpu_pmu_resync_el0() before enabling counters Robert Richter (1): libnvdimm/labels: Fix divide error in nd_label_data_init() Robin Murphy (1): iommu: Keep dev->iommu state consistent Rodrigo Vivi (2): drm/xe/display: Remove hpd cancel work sync from runtime pm path drm/xe: Fix PVC RPe and RPa information Roger Pau Monne (2): PCI: vmd: Disable MSI remapping bypass under Xen xen/pci: Do not register devices with segments >= 0x10000 Roger Quadros (1): dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn Ronak Doshi (1): vmxnet3: update MTU after device quiesce Rosen Penev (1): wifi: ath9k: return by of_get_mac_address Ryan Roberts (2): arm64/mm: Check pmd_table() in pmd_trans_huge() arm64/mm: Check PUD_TYPE_TABLE in pud_bad() Ryan Walklin (2): ASoC: sun4i-codec: support hp-det-gpios property ASoC: sun4i-codec: correct dapm widgets and controls for h616 Ryo Takakura (1): lockdep: Fix wait context check on softirq for PREEMPT_RT Ryusuke Konishi (1): nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs() Sabrina Dubroca (2): espintcp: fix skb leaks espintcp: remove encap socket caching to avoid reference leak Sagi Maimon (1): ptp: ocp: Limit signal/freq counts in summary output functions Sakari Ailus (2): media: v4l: Memset argument to 0 before calling get_mbus_config pad op media: i2c: ov2740: Free control handler on error path Saket Kumar Bhaskar (1): perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type Salah Triki (1): smb: server: smb2pdu: check return value of xa_store() Samiullah Khawaja (1): xsk: Bring back busy polling support in XDP_COPY Samson Tam (3): drm/amd/display: fix check for identity ratio drm/amd/display: Fix mismatch type comparison in custom_float drm/amd/display: remove TF check for LLS policy Samuel Holland (1): riscv: Allow NOMMU kernels to access all of RAM Saranya Gopal (1): platform/x86/intel: hid: Add Pantherlake support Satyanarayana K V P (2): drm/xe/vf: Retry sending MMIO request to GUC on timeout error drm/xe/pf: Create a link between PF and VF devices Sean Anderson (1): spi: zynqmp-gqspi: Always acknowledge interrupts Sean Wang (1): Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler removal Seongman Lee (1): x86/sev: Fix operator precedence in GHCB_MSR_VMPL_REQ_LEVEL macro Sergio Perez Gonzalez (1): spi: spi-mux: Fix coverity issue, unchecked return value Seyediman Seyedarab (1): kbuild: fix argument parsing in scripts/config Shahar Shitrit (2): net/mlx5: Modify LSB bitmask in temperature event to include only the first bit net/mlx5: Apply rate-limiting to high temperature warning Shashank Gupta (1): crypto: octeontx2 - suppress auth failure screaming due to negative tests Shayne Chen (1): wifi: mt76: Check link_conf pointer in mt76_connac_mcu_sta_basic_tlv() Shin'ichiro Kawasaki (1): null_blk: generate null_blk configfs features string Shivasharan S (1): scsi: mpt3sas: Send a diag reset if target reset fails Shiwu Zhang (1): drm/amdgpu: enlarge the VBIOS binary size limit Shixiong Ou (1): fbdev: fsl-diu-fb: add missing device_remove_file() Shree Ramamoorthy (1): mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check Shuicheng Lin (2): drm/xe/debugfs: Add missing xe_pm_runtime_put in wedge_mode_set drm/xe: Use xe_mmio_read32() to read mtcfg register Shyam Sundar S K (1): i2c: amd-asf: Set cmd variable when encountering an error Simona Vetter (1): drm/atomic: clarify the rules around drm_atomic_state->allow_modeset Siva Durga Prasad Paladugu (1): firmware: xilinx: Dont send linux address to get fpga config get status Soeren Moch (1): wifi: rtl8xxxu: retry firmware download on error Sohil Mehta (2): x86/smpboot: Fix INIT delay assignment for extended Intel Families x86/microcode: Update the Intel processor flag scan check Song Liu (1): bpf: arm64: Silence "UBSAN: negation-overflow" warning Song Yoong Siang (1): igc: Avoid unnecessary link down event in XDP_SETUP_PROG process Srinivasan Shanmugam (2): drm/amdgpu/gfx10: Add cleaner shader for GFX10.1.10 drm/amdkfd: Fix error handling for missing PASID in 'kfd_process_device_init_vm' Stanimir Varbanov (2): PCI: brcmstb: Expand inbound window size up to 64GB PCI: brcmstb: Add a softdep to MIP MSI-X driver Stanley Chu (1): i3c: master: svc: Fix missing STOP for master request Stefan Binding (2): ASoC: intel/sdw_utils: Add volume limit to cs42l43 speakers ASoC: intel/sdw_utils: Add volume limit to cs35l56 speakers Stefan Wahren (3): staging: vchiq_arm: Create keep-alive thread during probe drm/v3d: Add clock handling dmaengine: fsl-edma: Fix return code for unhandled interrupts Stefano Garzarella (1): vhost_task: fix vhost_task_create() documentation Stephan Gerhold (1): i2c: qup: Vote for interconnect bandwidth to DRAM Steven Rostedt (1): ring-buffer: Use kaslr address instead of text delta Subbaraya Sundeep (1): octeontx2-af: Set LMT_ENA bit for APR table entries Subramanian Mohan (1): pps: generators: replace copy of pps-gen info struct with const pointer Sudeep Holla (4): mailbox: pcc: Use acpi_os_ioremap() instead of ioremap() firmware: arm_ffa: Reject higher major version as incompatible firmware: arm_ffa: Handle the presence of host partition in the partition info firmware: arm_scmi: Relax duplicate name constraint across protocol ids Suman Ghosh (4): octeontx2-pf: use xdp_return_frame() to free xdp buffers octeontx2-pf: Add AF_XDP non-zero copy support octeontx2-pf: AF_XDP zero copy receive support octeontx2-pf: Avoid adding dcbnl_ops for LBK and SDP vf Sungjong Seo (1): exfat: call bh_read in get_block only when necessary Sunil Khatri (1): drm/ttm: fix the warning for hit_low and evict_low Suren Baghdasaryan (1): alloc_tag: allocate percpu counters for module tags dynamically Sven Schwermer (1): crypto: mxs-dcp - Only set OTP_KEY bit for OTP key Svyatoslav Ryhel (1): ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 Takashi Iwai (5): ALSA: seq: Improve data consistency at polling ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx ALSA: usb-audio: Fix duplicated name in MIDI substream names ALSA: pcm: Fix race of buffer access at PCM OSS layer Taniya Das (1): clk: qcom: lpassaudiocc-sc7280: Add support for LPASS resets for QCM6490 Tao Zhou (1): drm/amdgpu: increase RAS bad page threshold Tavian Barnes (1): ASoC: SOF: Intel: hda: Fix UAF when reloading module Thangaraj Samynathan (1): net: lan743x: Restore SGMII CTRL register on resume Thippeswamy Havalige (1): PCI: xilinx-cpm: Add cpm_csr register mapping for CPM5_HOST1 variant Thomas Gleixner (1): posix-timers: Ensure that timer initialization is fully visible Thomas Huth (2): x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in non-UAPI headers x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers Thomas Weißschuh (1): timer_list: Don't use %pK through printk() Thomas Zimmermann (4): drm/gem: Test for imported GEM buffers with helper drm/ast: Find VBIOS mode from regular display size drm/ast: Hide Gens 1 to 3 TX detection in branch drm/gem: Internally test import_attach for imported objects Tianyang Zhang (1): mm/page_alloc.c: avoid infinite retries caused by cpuset race Tiwei Bie (1): um: Update min_low_pfn to match changes in uml_reserved Tobias Brunner (1): xfrm: Fix UDP GRO handling for some corner cases Tom Chung (1): drm/amd/display: Initial psr_version with correct setting Trond Myklebust (7): NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() NFS: Don't allow waiting for exiting tasks SUNRPC: Don't allow waiting for exiting tasks NFSv4: Treat ENETUNREACH errors as fatal for state recovery SUNRPC: rpc_clnt_set_transport() must not change the autobind setting SUNRPC: rpcbind should never reset the port to the value '0' pNFS/flexfiles: Report ENETDOWN as a connection error Tudor Ambarus (1): mailbox: use error ret code of of_parse_phandle_with_args() Uday Shankar (1): ublk: enforce ublks_max only for unprivileged devices Umesh Nerlige Ramappa (1): drm/xe/oa: Ensure that polled read returns latest data Uros Bizjak (1): x86/locking: Use ALT_OUTPUT_SP() for percpu_{,try_}cmpxchg{64,128}_op() Valentin Caron (1): pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map Vasant Hegde (1): iommu/amd/pgtbl_v2: Improve error handling Vicki Pfau (1): Input: xpad - add more controllers Victor Lu (1): drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c Victor Skvortsov (2): drm/amdgpu: Skip pcie_replay_count sysfs creation for VF drm/amdgpu: Skip err_count sysfs creation on VF unsupported RAS blocks Vijendar Mukunda (1): soundwire: amd: change the soundwire wake enable/disable sequence Viktor Malik (1): bpftool: Fix readlink usage in get_fd_type Vinay Belgaumkar (1): drm/xe: Add locks in gtidle code Vinicius Costa Gomes (1): dmaengine: idxd: Fix allowing write() from different address spaces Vinith Kumar R (1): wifi: ath12k: Report proper tx completion status to mac80211 Viresh Kumar (1): firmware: arm_ffa: Set dma_mask for ffa devices Vitalii Mordan (1): i2c: pxa: fix call balance of i2c->clk handling routines Vitaliy Shevtsov (1): media: cec: use us_to_ktime() where appropriate Vladimir Kondratiev (1): irqchip/riscv-aplic: Add support for hart indexes Vladimir Moskovkin (1): platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() Waiman Long (1): x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() Wang Liang (1): net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done Wang Yaxin (1): taskstats: fix struct taskstats breaks backward compatibility since version 15 Wang Zhaolong (3): smb: client: Store original IO parameters and prevent zero IO sizes smb: client: Fix use-after-free in cifs_fill_dirent smb: client: Reset all search buffer pointers when releasing buffer Wentao Guan (2): nvme-pci: add quirks for device 126f:1001 nvme-pci: add quirks for WDC Blue SN550 15b7:5009 Willem de Bruijn (2): ipv6: save dontfrag in cork ipv6: remove leftover ip6 cookie initializer William Tu (3): net/mlx5e: set the tx_queue_len for pfifo_fast net/mlx5e: reduce rep rxq depth to 256 for ECPF net/mlx5e: reduce the max log mpwrq sz for ECPF and reps Xiao Liang (2): net: ipv6: Init tunnel link-netns before registering dev rtnetlink: Lookup device in target netns when creating link Xiaofei Tan (1): ACPI: HED: Always initialize before evged Xiaogang Chen (2): drm/amdkfd: Have kfd driver use same PASID values from graphic driver drm/amdkfd: Fix pasid value leak Xin Li (Intel) (1): x86/fred: Fix system hang during S4 resume with FRED enabled Xin Wang (1): drm/xe/debugfs: fixed the return value of wedged_mode_set Xu Yang (1): PM: sleep: Suppress sleeping parent warning in special case Yeoreum Yun (2): coresight-etb10: change etb_drvdata spinlock's type to raw_spinlock_t coresight: change coresight_trace_id_map's lock type to raw_spinlock_t Yi Liu (2): iommufd: Extend IOMMU_GET_HW_INFO to report PASID capability iommufd: Disallow allocating nested parent domain with fault ID Yihan Zhu (1): drm/amd/display: handle max_downscale_src_width fail check Yonghong Song (1): bpf: Allow pre-ordering for bpf cgroup progs Youssef Samir (1): accel/qaic: Mask out SR-IOV PCI resources Yuanjun Gong (1): leds: pwm-multicolor: Add check for fwnode_property_read_u32 Zhang Rui (1): thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature Zhang Yi (2): ext4: don't write back data before punch hole in nojournal mode ext4: remove writable userspace mappings before truncating page cache Zhi Wang (1): drm/nouveau: fix the broken marco GSP_MSG_MAX_SIZE Zhikai Zhai (1): drm/amd/display: calculate the remain segments for all pipes Zhongqiu Han (1): virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN Zhongwei Zhang (1): drm/amd/display: Correct timing_adjust_pending flag setting. Zsolt Kajtar (2): fbcon: Use correct erase colour for clearing in fbcon fbdev: core: tileblit: Implement missing margin clearing for tileblit feijuan.li (1): drm/edid: fixed the bug that hdr metadata was not reset gaoxu (1): cgroup: Fix compilation issue due to cgroup_mutex not being exported junan (1): HID: usbkbd: Fix the bit shift number for LED_KANA shantiprasad shettar (1): bnxt_en: Query FW parameters when the CAPS_CHANGE bit is set zihan zhou (1): sched: Reduce the default slice to avoid tasks getting an extra tick

5 months, 3 weeks

1
1
0 0

Linux 6.12.31

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.31 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/kernel-parameters.txt | 2 Documentation/driver-api/serial/driver.rst | 2 Documentation/hwmon/dell-smm-hwmon.rst | 14 Makefile | 6 arch/arm/boot/dts/nvidia/tegra114.dtsi | 2 arch/arm/mach-at91/pm.c | 21 arch/arm64/boot/dts/allwinner/sun50i-h6-beelink-gs1.dts | 38 - arch/arm64/boot/dts/allwinner/sun50i-h6-orangepi-3.dts | 14 arch/arm64/boot/dts/allwinner/sun50i-h6-orangepi.dtsi | 22 arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 8 arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi | 2 arch/arm64/boot/dts/nvidia/tegra234-p3740-0002+p3701-0008.dts | 10 arch/arm64/boot/dts/xilinx/zynqmp-clk-ccf.dtsi | 15 arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/pgtable.h | 27 - arch/arm64/kernel/proton-pack.c | 1 arch/loongarch/kernel/Makefile | 8 arch/loongarch/kvm/Makefile | 2 arch/mips/include/asm/ftrace.h | 16 arch/mips/kernel/pm-cps.c | 30 - arch/powerpc/include/asm/mmzone.h | 1 arch/powerpc/kernel/prom_init.c | 4 arch/powerpc/mm/book3s64/radix_pgtable.c | 3 arch/powerpc/mm/numa.c | 2 arch/powerpc/perf/core-book3s.c | 20 arch/powerpc/perf/isa207-common.c | 4 arch/powerpc/platforms/pseries/iommu.c | 139 ++++-- arch/riscv/include/asm/page.h | 12 arch/riscv/include/asm/pgtable.h | 2 arch/riscv/kernel/Makefile | 4 arch/riscv/mm/tlbflush.c | 37 - arch/s390/hypfs/hypfs_diag_fs.c | 2 arch/s390/include/asm/tlb.h | 2 arch/um/kernel/mem.c | 1 arch/x86/Kconfig | 1 arch/x86/boot/genimage.sh | 5 arch/x86/entry/entry.S | 2 arch/x86/events/amd/ibs.c | 20 arch/x86/events/intel/ds.c | 9 arch/x86/include/asm/bug.h | 5 arch/x86/include/asm/cfi.h | 11 arch/x86/include/asm/ibt.h | 4 arch/x86/include/asm/intel-family.h | 1 arch/x86/include/asm/nmi.h | 2 arch/x86/include/asm/percpu.h | 28 - arch/x86/include/asm/perf_event.h | 1 arch/x86/include/asm/sev-common.h | 2 arch/x86/include/uapi/asm/bootparam.h | 4 arch/x86/include/uapi/asm/e820.h | 4 arch/x86/include/uapi/asm/ldt.h | 4 arch/x86/include/uapi/asm/msr.h | 4 arch/x86/include/uapi/asm/ptrace-abi.h | 6 arch/x86/include/uapi/asm/ptrace.h | 4 arch/x86/include/uapi/asm/setup_data.h | 4 arch/x86/include/uapi/asm/signal.h | 8 arch/x86/kernel/alternative.c | 30 + arch/x86/kernel/cfi.c | 22 arch/x86/kernel/cpu/bugs.c | 10 arch/x86/kernel/cpu/microcode/intel.c | 2 arch/x86/kernel/nmi.c | 42 + arch/x86/kernel/reboot.c | 10 arch/x86/kernel/smpboot.c | 6 arch/x86/kernel/traps.c | 82 ++- arch/x86/mm/init.c | 9 arch/x86/mm/init_64.c | 15 arch/x86/mm/kaslr.c | 10 arch/x86/power/cpu.c | 14 arch/x86/um/os-Linux/mcontext.c | 3 block/badblocks.c | 5 block/bdev.c | 17 block/blk-cgroup.c | 22 block/blk-settings.c | 5 block/blk-throttle.c | 15 block/blk-zoned.c | 5 block/blk.h | 3 block/bounce.c | 2 block/fops.c | 16 block/ioctl.c | 6 crypto/ahash.c | 4 crypto/algif_hash.c | 4 crypto/lzo-rle.c | 2 crypto/lzo.c | 2 crypto/skcipher.c | 1 drivers/accel/qaic/qaic_drv.c | 2 drivers/acpi/Kconfig | 2 drivers/acpi/acpi_pnp.c | 2 drivers/acpi/hed.c | 7 drivers/auxdisplay/charlcd.c | 5 drivers/auxdisplay/charlcd.h | 5 drivers/auxdisplay/hd44780.c | 2 drivers/auxdisplay/lcd2s.c | 2 drivers/auxdisplay/panel.c | 2 drivers/block/loop.c | 5 drivers/block/ublk_drv.c | 53 +- drivers/bluetooth/btmtksdio.c | 15 drivers/bluetooth/btusb.c | 98 +--- drivers/char/tpm/tpm2-sessions.c | 2 drivers/clk/clk-s2mps11.c | 3 drivers/clk/imx/clk-imx8mp.c | 151 ++++++ drivers/clk/qcom/Kconfig | 2 drivers/clk/qcom/camcc-sm8250.c | 56 +- drivers/clk/qcom/clk-alpha-pll.c | 52 +- drivers/clk/qcom/lpassaudiocc-sc7280.c | 23 - drivers/clk/renesas/rzg2l-cpg.c | 102 ++-- drivers/clk/sunxi-ng/ccu-sun20i-d1.c | 44 + drivers/clk/sunxi-ng/ccu_mp.h | 22 drivers/clocksource/mips-gic-timer.c | 6 drivers/clocksource/timer-riscv.c | 6 drivers/cpufreq/amd-pstate.c | 1 drivers/cpufreq/cpufreq-dt-platdev.c | 1 drivers/cpufreq/tegra186-cpufreq.c | 7 drivers/cpuidle/governors/menu.c | 13 drivers/crypto/marvell/octeontx2/otx2_cptvf_reqmgr.c | 7 drivers/crypto/mxs-dcp.c | 8 drivers/dma/fsl-edma-main.c | 2 drivers/dma/idxd/cdev.c | 9 drivers/dpll/dpll_core.c | 5 drivers/edac/ie31200_edac.c | 28 - drivers/firmware/arm_ffa/bus.c | 1 drivers/firmware/arm_ffa/driver.c | 12 drivers/firmware/arm_scmi/bus.c | 19 drivers/firmware/xilinx/zynqmp.c | 6 drivers/fpga/altera-cvp.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 52 -- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 30 + drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 31 - drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 30 + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_ih.h | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 38 + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c | 42 + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 47 +- drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 48 +- drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c | 10 drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 1 drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 2 drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c | 25 + drivers/gpu/drm/amd/amdgpu/mmhub_v1_8.c | 27 + drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c | 31 + drivers/gpu/drm/amd/amdgpu/nv.c | 16 drivers/gpu/drm/amd/amdgpu/soc21.c | 10 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 39 - drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c | 69 ++- drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v10.c | 41 + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v11.c | 41 + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v12.c | 41 + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v9.c | 35 + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c | 71 +-- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 16 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 23 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 41 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 6 drivers/gpu/drm/amd/display/dc/basics/dc_common.c | 3 drivers/gpu/drm/amd/display/dc/bios/command_table2.c | 9 drivers/gpu/drm/amd/display/dc/bios/command_table_helper2.c | 3 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c | 22 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn316/dcn316_clk_mgr.c | 15 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 13 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c | 2 drivers/gpu/drm/amd/display/dc/core/dc.c | 22 drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c | 21 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 12 drivers/gpu/drm/amd/display/dc/dc_hw_types.h | 5 drivers/gpu/drm/amd/display/dc/dc_types.h | 7 drivers/gpu/drm/amd/display/dc/dccg/dcn401/dcn401_dccg.c | 3 drivers/gpu/drm/amd/display/dc/dce/dce_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/dce/dmub_psr.c | 4 drivers/gpu/drm/amd/display/dc/dio/dcn10/dcn10_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/dio/dcn401/dcn401_dio_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c | 6 drivers/gpu/drm/amd/display/dc/dml/dcn351/dcn351_fpu.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 8 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 5 drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.h | 1 drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 11 drivers/gpu/drm/amd/display/dc/hpo/dcn31/dcn31_hpo_dp_stream_encoder.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 10 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 7 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 8 drivers/gpu/drm/amd/display/dc/hwss/dcn31/dcn31_hwseq.c | 4 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 139 +++++- drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.h | 7 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_init.c | 4 drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer.h | 6 drivers/gpu/drm/amd/display/dc/inc/core_types.h | 2 drivers/gpu/drm/amd/display/dc/inc/hw/clk_mgr_internal.h | 1 drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h | 6 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c | 42 + drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_phy.c | 8 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 5 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_8b_10b.c | 7 drivers/gpu/drm/amd/display/dc/link/protocols/link_edp_panel_control.c | 25 - drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c | 42 - drivers/gpu/drm/amd/display/dc/spl/dc_spl.c | 4 drivers/gpu/drm/amd/display/dc/spl/dc_spl_types.h | 2 drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h | 6 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn31.c | 17 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c | 4 drivers/gpu/drm/amd/display/dmub/src/dmub_dcn401.c | 47 +- drivers/gpu/drm/amd/display/dmub/src/dmub_dcn401.h | 3 drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c | 4 drivers/gpu/drm/amd/include/asic_reg/mmhub/mmhub_9_4_1_offset.h | 32 + drivers/gpu/drm/amd/include/asic_reg/mmhub/mmhub_9_4_1_sh_mask.h | 48 ++ drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 1 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c | 5 drivers/gpu/drm/ast/ast_mode.c | 10 drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 2 drivers/gpu/drm/drm_atomic_helper.c | 28 + drivers/gpu/drm/drm_buddy.c | 5 drivers/gpu/drm/drm_edid.c | 1 drivers/gpu/drm/drm_gem.c | 4 drivers/gpu/drm/mediatek/mtk_dpi.c | 5 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 2 drivers/gpu/drm/panel/panel-edp.c | 1 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 40 + drivers/gpu/drm/v3d/v3d_drv.c | 25 - drivers/gpu/drm/xe/xe_bo.c | 22 drivers/gpu/drm/xe/xe_debugfs.c | 3 drivers/gpu/drm/xe/xe_device.c | 10 drivers/gpu/drm/xe/xe_gen_wa_oob.c | 6 drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 37 + drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 12 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 22 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h | 2 drivers/gpu/drm/xe/xe_guc_relay.c | 2 drivers/gpu/drm/xe/xe_oa.c | 1 drivers/gpu/drm/xe/xe_pci_sriov.c | 51 ++ drivers/gpu/drm/xe/xe_pt.c | 14 drivers/gpu/drm/xe/xe_pt.h | 3 drivers/gpu/drm/xe/xe_sa.c | 3 drivers/gpu/drm/xe/xe_tile.c | 12 drivers/gpu/drm/xe/xe_tile.h | 1 drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c | 17 drivers/gpu/drm/xe/xe_ttm_stolen_mgr.h | 2 drivers/gpu/drm/xe/xe_vm.c | 32 + drivers/hid/usbhid/usbkbd.c | 2 drivers/hwmon/dell-smm-hwmon.c | 5 drivers/hwmon/gpio-fan.c | 16 drivers/hwmon/xgene-hwmon.c | 2 drivers/hwtracing/coresight/coresight-etb10.c | 26 - drivers/hwtracing/intel_th/Kconfig | 1 drivers/hwtracing/intel_th/msu.c | 31 - drivers/i2c/busses/i2c-designware-pcidrv.c | 33 - drivers/i2c/busses/i2c-designware-platdrv.c | 48 +- drivers/i2c/busses/i2c-pxa.c | 5 drivers/i2c/busses/i2c-qup.c | 36 + drivers/i3c/master/svc-i3c-master.c | 4 drivers/iio/adc/ad7944.c | 16 drivers/infiniband/core/umem.c | 36 + drivers/infiniband/core/uverbs_cmd.c | 144 +++--- drivers/infiniband/core/verbs.c | 11 drivers/input/joystick/xpad.c | 3 drivers/iommu/amd/io_pgtable_v2.c | 2 drivers/iommu/dma-iommu.c | 28 - drivers/iommu/iommu-priv.h | 2 drivers/iommu/iommu.c | 2 drivers/iommu/iommufd/device.c | 34 + drivers/iommu/iommufd/hw_pagetable.c | 3 drivers/iommu/of_iommu.c | 6 drivers/irqchip/irq-riscv-aplic-direct.c | 24 - drivers/irqchip/irq-riscv-imsic-early.c | 8 drivers/irqchip/irq-riscv-imsic-platform.c | 16 drivers/irqchip/irq-riscv-imsic-state.c | 96 ++-- drivers/irqchip/irq-riscv-imsic-state.h | 7 drivers/leds/rgb/leds-pwm-multicolor.c | 5 drivers/leds/trigger/ledtrig-netdev.c | 16 drivers/mailbox/mailbox.c | 7 drivers/mailbox/pcc.c | 8 drivers/md/dm-cache-target.c | 24 + drivers/md/dm-table.c | 4 drivers/md/dm-vdo/indexer/index-layout.c | 5 drivers/md/dm-vdo/vdo.c | 11 drivers/md/dm.c | 8 drivers/media/i2c/adv7180.c | 34 - drivers/media/i2c/imx219.c | 2 drivers/media/i2c/imx335.c | 21 drivers/media/i2c/tc358746.c | 19 drivers/media/platform/qcom/camss/camss-csid.c | 60 +- drivers/media/platform/qcom/camss/camss-vfe.c | 4 drivers/media/platform/st/sti/c8sectpfe/c8sectpfe-core.c | 3 drivers/media/test-drivers/vivid/vivid-kthread-cap.c | 11 drivers/media/test-drivers/vivid/vivid-kthread-out.c | 11 drivers/media/test-drivers/vivid/vivid-kthread-touch.c | 11 drivers/media/test-drivers/vivid/vivid-sdr-cap.c | 11 drivers/media/usb/cx231xx/cx231xx-417.c | 2 drivers/media/usb/uvc/uvc_ctrl.c | 77 +-- drivers/media/usb/uvc/uvc_v4l2.c | 6 drivers/media/v4l2-core/v4l2-subdev.c | 2 drivers/mfd/axp20x.c | 1 drivers/mfd/tps65219.c | 7 drivers/misc/eeprom/ee1004.c | 4 drivers/misc/mei/vsc-tp.c | 14 drivers/misc/pci_endpoint_test.c | 6 drivers/mmc/host/dw_mmc-exynos.c | 41 + drivers/mmc/host/sdhci-pci-core.c | 6 drivers/mmc/host/sdhci.c | 9 drivers/net/bonding/bond_main.c | 2 drivers/net/can/c_can/c_can_platform.c | 2 drivers/net/can/kvaser_pciefd.c | 101 ++-- drivers/net/can/slcan/slcan-core.c | 26 - drivers/net/ethernet/apm/xgene-v2/main.c | 4 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 drivers/net/ethernet/freescale/enetc/enetc.c | 16 drivers/net/ethernet/freescale/fec_main.c | 52 +- drivers/net/ethernet/intel/ice/ice_ethtool.c | 3 drivers/net/ethernet/intel/ice/ice_irq.c | 25 - drivers/net/ethernet/intel/ice/ice_lag.c | 6 drivers/net/ethernet/intel/ice/ice_lib.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 6 drivers/net/ethernet/intel/ice/ice_virtchnl.c | 1 drivers/net/ethernet/intel/idpf/idpf.h | 2 drivers/net/ethernet/intel/idpf/idpf_lib.c | 10 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 18 drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 14 drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 2 drivers/net/ethernet/marvell/octeontx2/af/rvu_cn10k.c | 24 - drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 11 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 8 drivers/net/ethernet/mediatek/mtk_ppe_offload.c | 22 drivers/net/ethernet/mellanox/mlx4/alloc.c | 6 drivers/net/ethernet/mellanox/mlx4/en_tx.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 drivers/net/ethernet/mellanox/mlx5/core/en/params.c | 16 drivers/net/ethernet/mellanox/mlx5/core/en/params.h | 1 drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 49 -- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 28 - drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 36 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 5 drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c | 3 drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.c | 13 drivers/net/ethernet/mellanox/mlx5/core/esw/ipsec_fs.h | 5 drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 2 drivers/net/ethernet/mellanox/mlx5/core/events.c | 11 drivers/net/ethernet/mellanox/mlx5/core/fs_ft_pool.c | 6 drivers/net/ethernet/mellanox/mlx5/core/fs_ft_pool.h | 2 drivers/net/ethernet/mellanox/mlx5/core/health.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/fs_chains.c | 3 drivers/net/ethernet/meta/fbnic/fbnic_netdev.c | 2 drivers/net/ethernet/microchip/lan743x_main.c | 19 drivers/net/ethernet/microsoft/mana/gdma_main.c | 2 drivers/net/ethernet/realtek/r8169_main.c | 28 + drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 3 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 21 drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 drivers/net/ethernet/tehuti/tn40.c | 9 drivers/net/ethernet/tehuti/tn40.h | 33 + drivers/net/ethernet/tehuti/tn40_mdio.c | 82 +++ drivers/net/ethernet/ti/cpsw_new.c | 1 drivers/net/ieee802154/ca8210.c | 9 drivers/net/mctp/mctp-i2c.c | 2 drivers/net/phy/nxp-c45-tja11xx.c | 54 ++ drivers/net/phy/phylink.c | 2 drivers/net/usb/r8152.c | 1 drivers/net/vmxnet3/vmxnet3_drv.c | 5 drivers/net/vxlan/vxlan_core.c | 36 + drivers/net/wireless/ath/ath11k/dp.h | 6 drivers/net/wireless/ath/ath11k/dp_rx.c | 117 ++--- drivers/net/wireless/ath/ath12k/core.c | 12 drivers/net/wireless/ath/ath12k/core.h | 1 drivers/net/wireless/ath/ath12k/dp_mon.c | 16 drivers/net/wireless/ath/ath12k/dp_tx.c | 6 drivers/net/wireless/ath/ath12k/hal_desc.h | 2 drivers/net/wireless/ath/ath12k/hal_rx.h | 3 drivers/net/wireless/ath/ath12k/pci.c | 13 drivers/net/wireless/ath/ath12k/wmi.c | 4 drivers/net/wireless/ath/ath9k/init.c | 4 drivers/net/wireless/intel/iwlwifi/cfg/dr.c | 2 drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 4 drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 8 drivers/net/wireless/intel/iwlwifi/fw/uefi.h | 4 drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 10 drivers/net/wireless/intel/iwlwifi/iwl-trans.c | 8 drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 4 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 15 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 3 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 3 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 drivers/net/wireless/marvell/mwifiex/11n.c | 6 drivers/net/wireless/mediatek/mt76/mt76.h | 1 drivers/net/wireless/mediatek/mt76/mt76_connac3_mac.h | 3 drivers/net/wireless/mediatek/mt76/mt76x0/pci.c | 3 drivers/net/wireless/mediatek/mt76/mt76x0/usb.c | 3 drivers/net/wireless/mediatek/mt76/mt76x2/pci.c | 3 drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 3 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 64 ++ drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 3 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 4 drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 3 drivers/net/wireless/mediatek/mt76/mt7996/mmio.c | 2 drivers/net/wireless/mediatek/mt76/tx.c | 3 drivers/net/wireless/realtek/rtl8xxxu/core.c | 17 drivers/net/wireless/realtek/rtw88/mac.c | 6 drivers/net/wireless/realtek/rtw88/main.c | 40 - drivers/net/wireless/realtek/rtw88/reg.h | 3 drivers/net/wireless/realtek/rtw88/rtw8822b.c | 14 drivers/net/wireless/realtek/rtw88/util.c | 3 drivers/net/wireless/realtek/rtw89/coex.c | 14 drivers/net/wireless/realtek/rtw89/core.c | 23 - drivers/net/wireless/realtek/rtw89/core.h | 2 drivers/net/wireless/realtek/rtw89/fw.c | 101 ++++ drivers/net/wireless/realtek/rtw89/fw.h | 12 drivers/net/wireless/realtek/rtw89/mac.c | 55 ++ drivers/net/wireless/realtek/rtw89/mac.h | 3 drivers/net/wireless/realtek/rtw89/mac80211.c | 1 drivers/net/wireless/realtek/rtw89/reg.h | 4 drivers/net/wireless/realtek/rtw89/regd.c | 2 drivers/net/wireless/realtek/rtw89/rtw8851b.c | 1 drivers/net/wireless/realtek/rtw89/rtw8852a.c | 1 drivers/net/wireless/realtek/rtw89/rtw8852b.c | 1 drivers/net/wireless/realtek/rtw89/rtw8852bt.c | 1 drivers/net/wireless/realtek/rtw89/rtw8852c.c | 1 drivers/net/wireless/realtek/rtw89/rtw8922a.c | 1 drivers/net/wireless/realtek/rtw89/ser.c | 4 drivers/net/wireless/virtual/mac80211_hwsim.c | 14 drivers/nvdimm/label.c | 3 drivers/nvme/host/pci.c | 6 drivers/nvme/target/tcp.c | 3 drivers/nvmem/core.c | 40 + drivers/nvmem/qfprom.c | 26 - drivers/nvmem/rockchip-otp.c | 17 drivers/pci/Kconfig | 6 drivers/pci/ats.c | 33 + drivers/pci/controller/dwc/pcie-designware-ep.c | 2 drivers/pci/controller/dwc/pcie-designware-host.c | 2 drivers/pci/controller/pcie-brcmstb.c | 5 drivers/pci/controller/vmd.c | 20 drivers/pci/endpoint/functions/pci-epf-mhi.c | 2 drivers/pci/endpoint/functions/pci-epf-test.c | 2 drivers/pci/setup-bus.c | 6 drivers/perf/arm_pmuv3.c | 4 drivers/phy/phy-core.c | 7 drivers/phy/renesas/phy-rcar-gen3-usb2.c | 95 ++-- drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 4 drivers/phy/rockchip/phy-rockchip-usbdp.c | 87 ++- drivers/phy/samsung/phy-exynos5-usbdrd.c | 7 drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 44 - drivers/pinctrl/devicetree.c | 10 drivers/pinctrl/meson/pinctrl-meson.c | 2 drivers/pinctrl/qcom/pinctrl-msm.c | 23 - drivers/pinctrl/renesas/pinctrl-rzg2l.c | 19 drivers/pinctrl/sophgo/pinctrl-cv18xx.c | 33 + drivers/pinctrl/tegra/pinctrl-tegra.c | 59 ++ drivers/pinctrl/tegra/pinctrl-tegra.h | 6 drivers/platform/x86/asus-wmi.c | 11 drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c | 2 drivers/platform/x86/ideapad-laptop.c | 16 drivers/platform/x86/intel/hid.c | 21 drivers/platform/x86/think-lmi.c | 26 - drivers/platform/x86/think-lmi.h | 1 drivers/pmdomain/core.c | 2 drivers/pmdomain/imx/gpcv2.c | 2 drivers/pmdomain/renesas/rcar-gen4-sysc.c | 5 drivers/pmdomain/renesas/rcar-sysc.c | 5 drivers/power/supply/axp20x_battery.c | 21 drivers/ptp/ptp_ocp.c | 24 - drivers/regulator/ad5398.c | 12 drivers/remoteproc/qcom_wcnss.c | 34 + drivers/rtc/rtc-ds1307.c | 4 drivers/rtc/rtc-rv3032.c | 2 drivers/s390/crypto/vfio_ap_ops.c | 72 ++- drivers/scsi/lpfc/lpfc_hbadisc.c | 29 - drivers/scsi/lpfc/lpfc_init.c | 2 drivers/scsi/mpi3mr/mpi3mr_fw.c | 8 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 12 drivers/scsi/scsi_debug.c | 55 ++ drivers/scsi/scsi_sysctl.c | 4 drivers/scsi/st.c | 29 + drivers/scsi/st.h | 2 drivers/soc/apple/rtkit-internal.h | 1 drivers/soc/apple/rtkit.c | 58 +- drivers/soc/mediatek/mtk-mutex.c | 6 drivers/soc/samsung/exynos-asv.c | 1 drivers/soc/samsung/exynos-chipid.c | 1 drivers/soc/samsung/exynos-pmu.c | 1 drivers/soc/samsung/exynos-usi.c | 1 drivers/soc/samsung/exynos3250-pmu.c | 1 drivers/soc/samsung/exynos5250-pmu.c | 1 drivers/soc/samsung/exynos5420-pmu.c | 1 drivers/soc/ti/k3-socinfo.c | 13 drivers/soundwire/amd_manager.c | 2 drivers/soundwire/bus.c | 9 drivers/soundwire/cadence_master.c | 22 drivers/spi/spi-fsl-dspi.c | 46 +- drivers/spi/spi-mux.c | 4 drivers/spi/spi-rockchip.c | 2 drivers/spi/spi-zynqmp-gqspi.c | 20 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 69 +-- drivers/target/iscsi/iscsi_target.c | 2 drivers/target/target_core_spc.c | 14 drivers/thermal/intel/x86_pkg_temp_thermal.c | 1 drivers/thermal/mediatek/lvts_thermal.c | 3 drivers/thermal/qoriq_thermal.c | 13 drivers/thunderbolt/retimer.c | 8 drivers/tty/serial/8250/8250_port.c | 2 drivers/tty/serial/atmel_serial.c | 2 drivers/tty/serial/imx.c | 2 drivers/tty/serial/serial_mctrl_gpio.c | 34 + drivers/tty/serial/serial_mctrl_gpio.h | 17 drivers/tty/serial/sh-sci.c | 98 ++++ drivers/tty/serial/stm32-usart.c | 2 drivers/ufs/core/ufshcd.c | 29 + drivers/usb/host/xhci-mem.c | 34 - drivers/usb/host/xhci-ring.c | 12 drivers/usb/host/xhci.h | 8 drivers/vdpa/mlx5/net/mlx5_vnet.c | 3 drivers/vfio/pci/vfio_pci_config.c | 3 drivers/vfio/pci/vfio_pci_core.c | 10 drivers/vfio/pci/vfio_pci_intrs.c | 2 drivers/vhost/scsi.c | 23 - drivers/video/fbdev/core/bitblit.c | 5 drivers/video/fbdev/core/fbcon.c | 10 drivers/video/fbdev/core/fbcon.h | 38 - drivers/video/fbdev/core/fbcon_ccw.c | 5 drivers/video/fbdev/core/fbcon_cw.c | 5 drivers/video/fbdev/core/fbcon_ud.c | 5 drivers/video/fbdev/core/tileblit.c | 45 + drivers/video/fbdev/fsl-diu-fb.c | 1 drivers/virtio/virtio_ring.c | 2 drivers/watchdog/aspeed_wdt.c | 81 +++ drivers/xen/pci.c | 32 + drivers/xen/platform-pci.c | 4 drivers/xen/xenbus/xenbus_probe.c | 14 fs/btrfs/block-group.c | 18 fs/btrfs/compression.c | 2 fs/btrfs/discard.c | 34 - fs/btrfs/disk-io.c | 28 - fs/btrfs/extent_io.c | 7 fs/btrfs/extent_io.h | 2 fs/btrfs/scrub.c | 4 fs/btrfs/send.c | 6 fs/buffer.c | 61 +- fs/dlm/lowcomms.c | 4 fs/erofs/internal.h | 4 fs/erofs/super.c | 46 -- fs/erofs/zdata.c | 4 fs/exfat/inode.c | 159 +++--- fs/ext4/balloc.c | 4 fs/ext4/ext4.h | 5 fs/ext4/extents.c | 19 fs/ext4/inode.c | 81 ++- fs/ext4/mballoc.c | 3 fs/ext4/page-io.c | 16 fs/ext4/super.c | 19 fs/f2fs/sysfs.c | 74 ++- fs/fuse/dir.c | 2 fs/gfs2/glock.c | 11 fs/jbd2/recovery.c | 11 fs/jbd2/revoke.c | 15 fs/namespace.c | 6 fs/nfs/delegation.c | 3 fs/nfs/flexfilelayout/flexfilelayout.c | 1 fs/nfs/inode.c | 2 fs/nfs/internal.h | 5 fs/nfs/nfs3proc.c | 2 fs/nfs/nfs4proc.c | 9 fs/nfs/nfs4state.c | 10 fs/nilfs2/the_nilfs.c | 3 fs/ocfs2/journal.c | 2 fs/orangefs/inode.c | 7 fs/pidfs.c | 9 fs/pstore/inode.c | 2 fs/pstore/internal.h | 4 fs/pstore/platform.c | 11 fs/smb/client/cifsacl.c | 17 fs/smb/client/cifspdu.h | 5 fs/smb/client/cifsproto.h | 7 fs/smb/client/cifssmb.c | 57 ++ fs/smb/client/connect.c | 30 + fs/smb/client/fs_context.c | 13 fs/smb/client/fs_context.h | 3 fs/smb/client/link.c | 8 fs/smb/client/readdir.c | 7 fs/smb/client/smb1ops.c | 228 ++++++++-- fs/smb/client/smb2file.c | 11 fs/smb/client/smb2ops.c | 30 - fs/smb/client/transport.c | 2 fs/smb/common/smb2pdu.h | 3 fs/smb/server/smb2pdu.c | 9 fs/smb/server/vfs.c | 14 include/crypto/hash.h | 3 include/drm/drm_atomic.h | 23 - include/drm/drm_gem.h | 13 include/linux/bpf-cgroup.h | 1 include/linux/buffer_head.h | 8 include/linux/device.h | 119 ----- include/linux/device/devres.h | 129 +++++ include/linux/dma-mapping.h | 12 include/linux/err.h | 3 include/linux/highmem.h | 10 include/linux/io.h | 2 include/linux/ipv6.h | 1 include/linux/lzo.h | 8 include/linux/mfd/axp20x.h | 1 include/linux/mlx4/device.h | 2 include/linux/mlx5/eswitch.h | 2 include/linux/mlx5/fs.h | 2 include/linux/mman.h | 2 include/linux/msi.h | 33 - include/linux/page-flags.h | 7 include/linux/pci-ats.h | 3 include/linux/perf_event.h | 8 include/linux/pnp.h | 2 include/linux/rcupdate.h | 2 include/linux/rcutree.h | 2 include/linux/spi/spi.h | 5 include/linux/trace.h | 4 include/linux/trace_seq.h | 8 include/linux/usb/r8152.h | 1 include/media/v4l2-subdev.h | 4 include/net/cfg80211.h | 3 include/net/mac80211.h | 4 include/net/xfrm.h | 1 include/rdma/uverbs_std_types.h | 2 include/sound/hda_codec.h | 1 include/sound/pcm.h | 2 include/trace/events/btrfs.h | 2 include/uapi/linux/bpf.h | 1 include/uapi/linux/iommufd.h | 14 include/uapi/linux/nl80211.h | 52 +- include/ufs/ufs_quirks.h | 6 io_uring/fdinfo.c | 4 io_uring/io_uring.c | 12 io_uring/msg_ring.c | 1 kernel/bpf/bpf_struct_ops.c | 98 +--- kernel/bpf/cgroup.c | 33 + kernel/bpf/hashtab.c | 2 kernel/bpf/syscall.c | 7 kernel/bpf/verifier.c | 34 + kernel/cgroup/cgroup.c | 2 kernel/cgroup/rstat.c | 12 kernel/dma/mapping.c | 25 - kernel/events/core.c | 98 ++-- kernel/events/hw_breakpoint.c | 5 kernel/events/ring_buffer.c | 1 kernel/exit.c | 6 kernel/fork.c | 9 kernel/padata.c | 3 kernel/printk/printk.c | 14 kernel/rcu/rcu.h | 2 kernel/rcu/tree.c | 15 kernel/rcu/tree_plugin.h | 22 kernel/sched/fair.c | 6 kernel/signal.c | 3 kernel/softirq.c | 18 kernel/time/hrtimer.c | 29 - kernel/time/posix-timers.c | 22 kernel/time/timer_list.c | 4 kernel/trace/trace.c | 11 kernel/trace/trace.h | 16 kernel/vhost_task.c | 2 lib/dynamic_queue_limits.c | 2 lib/lzo/Makefile | 2 lib/lzo/lzo1x_compress.c | 102 +++- lib/lzo/lzo1x_compress_safe.c | 18 mm/memcontrol.c | 6 mm/page_alloc.c | 8 mm/vmalloc.c | 13 net/bluetooth/hci_event.c | 3 net/bluetooth/l2cap_core.c | 15 net/bridge/br_mdb.c | 2 net/bridge/br_nf_core.c | 7 net/bridge/br_private.h | 1 net/can/bcm.c | 79 ++- net/core/dev.c | 12 net/core/dev.h | 12 net/core/page_pool.c | 7 net/core/pktgen.c | 13 net/dsa/tag_ksz.c | 19 net/hsr/hsr_device.c | 2 net/hsr/hsr_forward.c | 4 net/hsr/hsr_framereg.c | 95 ++++ net/hsr/hsr_framereg.h | 8 net/hsr/hsr_main.h | 2 net/ipv4/esp4.c | 53 -- net/ipv4/fib_frontend.c | 18 net/ipv4/fib_rules.c | 4 net/ipv4/fib_trie.c | 22 net/ipv4/inet_hashtables.c | 37 + net/ipv4/ip_gre.c | 16 net/ipv4/tcp_input.c | 56 +- net/ipv4/xfrm4_input.c | 18 net/ipv6/esp6.c | 53 -- net/ipv6/fib6_rules.c | 4 net/ipv6/ip6_gre.c | 2 net/ipv6/ip6_output.c | 9 net/ipv6/ip6_tunnel.c | 3 net/ipv6/ip6_vti.c | 3 net/ipv6/sit.c | 8 net/ipv6/xfrm6_input.c | 18 net/llc/af_llc.c | 8 net/mac80211/driver-ops.h | 3 net/mac80211/mlme.c | 10 net/mptcp/pm_userspace.c | 8 net/netfilter/nf_conntrack_standalone.c | 12 net/sched/sch_hfsc.c | 6 net/smc/smc_pnet.c | 8 net/sunrpc/clnt.c | 3 net/sunrpc/rpcb_clnt.c | 5 net/sunrpc/sched.c | 2 net/tipc/crypto.c | 5 net/wireless/chan.c | 8 net/wireless/nl80211.c | 4 net/wireless/reg.c | 4 net/xfrm/espintcp.c | 4 net/xfrm/xfrm_policy.c | 3 net/xfrm/xfrm_state.c | 6 net/xfrm/xfrm_user.c | 12 samples/bpf/Makefile | 2 scripts/Makefile.extrawarn | 11 scripts/config | 26 - scripts/kconfig/confdata.c | 19 scripts/kconfig/merge_config.sh | 4 security/integrity/ima/ima_main.c | 4 security/smack/smackfs.c | 21 sound/core/oss/pcm_oss.c | 3 sound/core/pcm_native.c | 11 sound/core/seq/seq_clientmgr.c | 5 sound/core/seq/seq_memory.c | 1 sound/pci/hda/hda_beep.c | 15 sound/pci/hda/patch_realtek.c | 77 +++ sound/soc/codecs/cs42l43-jack.c | 7 sound/soc/codecs/mt6359-accdet.h | 9 sound/soc/codecs/pcm3168a.c | 6 sound/soc/codecs/pcm6240.c | 28 - sound/soc/codecs/pcm6240.h | 7 sound/soc/codecs/rt722-sdca-sdw.c | 49 ++ sound/soc/codecs/tas2764.c | 53 +- sound/soc/codecs/wsa883x.c | 2 sound/soc/codecs/wsa884x.c | 2 sound/soc/fsl/imx-card.c | 2 sound/soc/intel/boards/bytcr_rt5640.c | 13 sound/soc/mediatek/mt8188/mt8188-afe-clk.c | 8 sound/soc/mediatek/mt8188/mt8188-afe-clk.h | 8 sound/soc/mediatek/mt8188/mt8188-afe-pcm.c | 4 sound/soc/qcom/sm8250.c | 3 sound/soc/sdw_utils/soc_sdw_cs42l43.c | 10 sound/soc/soc-dai.c | 8 sound/soc/soc-ops.c | 29 + sound/soc/sof/intel/hda-bus.c | 2 sound/soc/sof/intel/hda.c | 16 sound/soc/sof/ipc4-control.c | 11 sound/soc/sof/ipc4-pcm.c | 3 sound/soc/sof/topology.c | 18 sound/soc/sunxi/sun4i-codec.c | 53 ++ sound/usb/midi.c | 16 tools/bpf/bpftool/common.c | 3 tools/build/Makefile.build | 6 tools/include/uapi/linux/bpf.h | 1 tools/lib/bpf/libbpf.c | 2 tools/net/ynl/lib/ynl.c | 2 tools/net/ynl/ynl-gen-c.py | 3 tools/objtool/check.c | 21 tools/power/x86/turbostat/turbostat.8 | 1 tools/power/x86/turbostat/turbostat.c | 13 tools/testing/kunit/qemu_configs/x86_64.py | 4 tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c | 1 tools/testing/selftests/iommu/iommufd.c | 4 tools/testing/selftests/net/forwarding/bridge_mdb.sh | 2 tools/testing/selftests/net/gro.sh | 3 767 files changed, 8223 insertions(+), 3618 deletions(-) Aaradhana Sahu (1): wifi: ath12k: Fetch regdb.bin file from board-2.bin Aaron Kling (1): cpufreq: tegra186: Share policy per cluster Adrian Hunter (1): perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq Ahmad Fatoum (2): clk: imx8mp: inform CCF of maximum frequency of clocks pmdomain: imx: gpcv2: use proper helper for property detection Al Viro (2): hypfs_create_cpu_files(): add missing check for hypfs_mkdir() failure __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock Aleksander Jan Bajkowski (1): r8152: add vendor/device ID pair for Dell Alienware AW1022z Alex Deucher (5): drm/amdgpu: adjust drm_firmware_drivers_only() handling drm/amdgpu/gfx12: don't read registers in mqd init drm/amdgpu/gfx11: don't read registers in mqd init drm/amdgpu/mes11: fix set_hw_resources_1 calculation drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() Alex Williamson (1): vfio/pci: Handle INTx IRQ_NOTCONNECTED Alexander Duyck (1): eth: fbnic: set IFF_UNICAST_FLT to avoid enabling promiscuous mode when adding unicast addrs Alexander Stein (1): hwmon: (gpio-fan) Add missing mutex locks Alexander Sverdlin (1): net: ethernet: ti: cpsw_new: populate netdev of_node Alexandre Belloni (2): rtc: rv3032: fix EERD location rtc: ds1307: stop disabling alarms on probe Alexandre Ghiti (1): riscv: Call secondary mmu notifier when flushing the tlb Alexei Lazar (2): net/mlx5: XDP, Enable TX side XDP multi-buffer support net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB Alexey Klimov (1): ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() Alexis Lothoré (1): serial: mctrl_gpio: split disable_ms into sync and no_sync APIs Alice Guo (1): thermal/drivers/qoriq: Power down TMU on system suspend Alistair Francis (1): nvmet-tcp: don't restore null sk_state_change Amber Lin (1): drm/amdkfd: Correct F8_MODE for gfx950 Amery Hung (1): bpf: Search and add kfuncs in struct_ops prologue and epilogue Andre Przywara (1): clk: sunxi-ng: d1: Add missing divider for MMC mod clocks Andreas Gruenbacher (1): gfs2: Check for empty queue in run_queue Andreas Schwab (1): powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 Andrei Botila (1): net: phy: nxp-c45-tja11xx: add match_phy_device to TJA1103/TJA1104 Andrew Bresticker (1): irqchip/riscv-imsic: Start local sync timer on correct CPU Andrew Davis (1): soc: ti: k3-socinfo: Do not use syscon helper to build regmap Andrew Jones (1): irqchip/riscv-imsic: Set irq_set_affinity() for IMSIC base Andrey Vatoropin (1): hwmon: (xgene-hwmon) use appropriate type for the latency value André Draszik (2): phy: exynos5-usbdrd: fix EDS distribution tuning (gs101) clk: s2mps11: initialise clk_hw_onecell_data::num before accessing ::hws[] in probe() Andy Shevchenko (6): i2c: designware: Use temporary variable for struct device tracing: Mark binary printing functions with __printf() attribute auxdisplay: charlcd: Partially revert "Move hwidth and bwidth to struct hd44780_common" ieee802154: ca8210: Use proper setters and getters for bitwise types hrtimers: Replace hrtimer_clock_to_base_table with switch-case driver core: Split devres APIs to device/devres.h Andy Yan (2): phy: rockchip: usbdp: Only verify link rates/lanes/voltage when the corresponding set flags are set drm/rockchip: vop2: Add uv swap for cluster window AngeloGioacchino Del Regno (2): soc: mediatek: mtk-mutex: Add DPI1 SOF/EOF to MT8188 mutex tables drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence Anjaneyulu (1): wifi: cfg80211: allow IR in 20 MHz configurations Ankur Arora (3): rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y rcu: handle unstable rdp in rcu_read_unlock_strict() rcu: fix header guard for rcu_all_qs() Anthony Krowiak (1): s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel log Anup Patel (1): irqchip/riscv-imsic: Separate next and previous pointers in IMSIC vector Aric Cyr (1): drm/amd/display: Request HW cursor on DCN3.2 with SubVP Arnd Bergmann (4): soc: samsung: include linux/array_size.h where needed net: xgene-v2: remove incorrect ACPI_PTR annotation EDAC/ie31200: work around false positive build warning watchdog: aspeed: fix 64-bit division Artur Weber (1): pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" Asad Kamal (1): drm/amd/pm: Skip P2S load for SMU v13.0.12 Assadian, Navid (1): drm/amd/display: Fix mismatch type comparison Athira Rajeev (1): arch/powerpc/perf: Check the instruction type before creating sample with perf_mem_data_src Austin Zheng (2): drm/amd/display: Use Nominal vBlank If Provided Instead Of Capping It drm/amd/display: Call FP Protect Before Mode Programming/Mode Support Avraham Stern (1): wifi: iwlwifi: mvm: fix setting the TK when associated Avula Sri Charan (1): wifi: ath12k: Avoid napi_sync() before napi_enable() Axel Forsman (2): can: kvaser_pciefd: Continue parsing DMA buf after dropped RX can: kvaser_pciefd: Fix echo_skb race Balbir Singh (4): dma/mapping.c: dev_dbg support for dma_addressing_limited dma-mapping: Fix warning reported for missing prototype x86/kaslr: Reduce KASLR entropy on most x86 systems x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers bounce buffers Baokun Li (2): ext4: reject the 'data_err=abort' option in nojournal mode ext4: do not convert the unwritten extents if data writeback fails Bard Liao (1): soundwire: cadence_master: set frame shape and divider based on actual clk freq Benjamin Berg (1): um: Store full CSGSFS and SS register from mcontext Benjamin Lin (1): wifi: mt76: mt7996: revise TXS size Bibo Mao (1): MIPS: Use arch specific syscall name match function Bitterblue Smith (6): wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 wifi: rtw88: Fix download_firmware_validate() for RTL8814AU wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate Bogdan-Gabriel Roman (1): spi: spi-fsl-dspi: Halt the module after a new message transfer Boris Burkov (2): btrfs: make btrfs_discard_workfn() block_group ref explicit btrfs: handle empty eb->folios in num_extent_folios() Brandon Kammerdiener (1): bpf: fix possible endless loop in BPF map iteration Brandon Syu (1): Revert "drm/amd/display: Exit idle optimizations before attempt to access PHY" Brendan Jackman (1): kunit: tool: Use qboot on QEMU x86_64 Breno Leitao (2): x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 memcg: always call cond_resched() after fn() Caleb Sander Mateos (1): ublk: complete command synchronously on error Carlos Sanchez (1): can: slcan: allow reception of short error messages Carolina Jubran (1): net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled Cezary Rojewski (1): ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode Chaohai Chen (1): scsi: target: spc: Fix loop traversal in spc_rsoc_get_descr() Charlene Liu (3): drm/amd/display: remove minimum Dispclk and apply oem panel timing. drm/amd/display: fix dcn4x init failed drm/amd/display: pass calculated dram_speed_mts to dml2 Charles Keepax (3): ASoC: rt722-sdca: Add some missing readable registers ASoC: cs42l43: Disable headphone clamps during type detection soundwire: bus: Fix race on the creation of the IRQ domain Chen Linxuan (1): blk-cgroup: improve policy registration error handling Chenyuan Yang (1): ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() Chin-Ting Kuo (1): watchdog: aspeed: Update bootstatus handling Ching-Te Ku (2): wifi: rtw89: coex: Assign value over than 0 to avoid firmware timer hang wifi: rtw89: coex: Separated Wi-Fi connecting event from Wi-Fi scan event Choong Yong Liang (1): net: phylink: use pl->link_interface in phylink_expects_phy() Chris Lu (2): Bluetooth: btmtksdio: Check function enabled before doing close Bluetooth: btmtksdio: Do close if SDIO card removed without close Chris Morgan (2): power: supply: axp20x_battery: Update temp sensor for AXP717 from device tree mfd: axp20x: AXP717: Add AXP717_TS_PIN_CFG to writeable regs Christian Brauner (1): pidfs: improve multi-threaded exec and premature thread-group leader exit polling Christian Bruel (1): PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops Christian Göttsche (1): ext4: reorder capability check last Christian König (1): drm/amdgpu: remove all KFD fences from the BO on release Christoph Hellwig (3): block: mark bounce buffering as incompatible with integrity loop: check in LO_FLAGS_DIRECT_IO in loop_default_blocksize loop: don't require ->write_iter for writable files in loop_configure Christophe JAILLET (1): i2c: designware: Fix an error handling path in i2c_dw_pci_probe() ChunHao Lin (1): r8169: disable RTL8126 ZRX-DC timeout Chung Chung (1): dm vdo indexer: prevent unterminated string warning Claudiu Beznea (5): phy: renesas: rcar-gen3-usb2: Move IRQ request in probe phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off serial: sh-sci: Update the suspend/resume support pinctrl: renesas: rzg2l: Add suspend/resume support for pull up/down Coly Li (1): badblocks: Fix a nonsense WARN_ON() which checks whether a u64 variable < 0 Cong Wang (1): sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() Cristian Ciocaltea (1): drm/rockchip: vop2: Improve display modes handling on RK3588 HDMI0 Csókás, Bence (1): net: fec: Refactor MAC reset to function Damon Ding (1): phy: phy-rockchip-samsung-hdptx: Swap the definitions of LCPLL_REF and ROPLL_REF Dan Carpenter (2): pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() Daniel Gabay (1): wifi: iwlwifi: w/a FW SMPS mode selection Daniel Gomez (2): kconfig: merge_config: use an empty file as initfile drm/xe: xe_gen_wa_oob: replace program_invocation_short_name Daniel Hsu (1): mctp: Fix incorrect tx flow invalidation condition in mctp-i2c Danny Wang (1): drm/amd/display: Do not enable replay when vtotal update is pending. Darrick J. Wong (1): block: fix race between set_blocksize and read paths Dave Ertman (1): ice: Fix LACP bonds without SRIOV environment Dave Jiang (1): dmaengine: idxd: Fix ->poll() return value David Hildenbrand (1): kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork() David Lechner (1): iio: adc: ad7944: don't use storagebits for sizing David Plowman (1): media: i2c: imx219: Correct the minimum vblanking value David Rosca (1): drm/amdgpu: Update SRIOV video codec caps David Wei (1): tools: ynl-gen: validate 0 len strings from kernel Davidlohr Bueso (6): fs/buffer: split locking for pagecache lookups fs/buffer: introduce sleeping flavors for pagecache lookups fs/buffer: use sleeping version of __find_get_block() fs/ocfs2: use sleeping version of __find_get_block() fs/jbd2: use sleeping version of __find_get_block() fs/ext4: use sleeping version of sb_find_get_block() Depeng Shao (2): media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available media: qcom: camss: Add default case in vfe_src_pad_code Dhananjay Ugwekar (1): cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost Dian-Syuan Yang (1): wifi: rtw89: set force HE TB mode when connecting to 11ax AP Dillon Varone (4): drm/amd/display: Configure DTBCLK_P with OPTC only for dcn401 drm/amd/display: Fix DMUB reset sequence for DCN401 drm/amd/display: Fix p-state type when p-state is unsupported drm/amd/display: Populate register address for dentist for dcn401 Diogo Ivo (2): ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator Dmitry Baryshkov (6): nvmem: core: fix bit offsets of more than one byte nvmem: core: verify cell's raw_len nvmem: core: update raw_len if the bit reading is required nvmem: qfprom: switch to 4-byte aligned reads phy: core: don't require set_mode() callback for phy_get_mode() to work pinctrl: qcom: switch to devm_register_sys_off_handler() Dmitry Bogdanov (1): scsi: target: iscsi: Fix timeout on deleted connection Dominik Grzegorzek (1): padata: do not leak refcount in reorder_work Dongli Zhang (1): vhost-scsi: protect vq->log_used with vq->mutex Douglas Anderson (1): drm/panel-edp: Add Starry 116KHD024006 Ed Burcher (1): ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 Eddie James (1): eeprom: ee1004: Check chip before probing Eduard Zingerman (3): bpf: don't do clean_live_states when state->loop_entry->branches > 0 bpf: copy_verifier_state() should copy 'loop_entry' field bpf: abort verification if env->cur_state->loop_entry != NULL Emily Deng (1): drm/amdgpu: Fix missing drain retry fault the last entry Emmanuel Grumbach (2): wifi: iwlwifi: fix the ECKV UEFI variable name wifi: mac80211: set ieee80211_prep_tx_info::link_id upon Auth Rx En-Wei Wu (1): Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA dump handling Eric Dumazet (5): cgroup/rstat: avoid disabling irqs for O(num_cpu) posix-timers: Add cond_resched() to posix_timer_add() search loop tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() net: flush_backlog() small changes idpf: fix idpf_vport_splitq_napi_poll() Eric Huang (1): drm/amdkfd: fix missing L2 cache info in topology Eric Woudstra (1): net: ethernet: mtk_ppe_offload: Allow QinQ, double ETH_P_8021Q only Erick Shepherd (2): mmc: host: Wait for Vdd to settle on card power off mmc: sdhci: Disable SD card clock before changing parameters Felix Fietkau (1): wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 Felix Kuehling (1): drm/amdgpu: Allow P2P access through XGMI Filipe Manana (3): btrfs: fix non-empty delayed iputs list on unmount due to async workers btrfs: get zone unusable bytes while holding lock at btrfs_reclaim_bgs_work() btrfs: send: return -ENAMETOOLONG when attempting a path that is too long Flora Cui (2): drm/amdgpu/discovery: check ip_discovery fw file available drm/amdgpu: release xcp_mgr on exit Frank Li (3): PCI: dwc: ep: Ensure proper iteration over outbound map windows PCI: dwc: Use resource start as ioremap() input in dw_pcie_pme_turn_off() i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) Frederick Lawler (1): ima: process_measurement() needlessly takes inode_lock() on MAY_READ Frediano Ziglio (1): xen: Add support for XenServer 6.1 platform device Gabor Juhos (1): arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Gao Xiang (1): erofs: initialize decompression early Gaurav Batra (2): powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory powerpc/pseries/iommu: create DDW for devices with DMA mask less than 64-bits Gašper Nemgar (1): platform/x86: ideapad-laptop: add support for some new buttons Geert Uytterhoeven (3): ipv4: ip_gre: Fix set but not used warning in ipgre_err() if IPv4-only pmdomain: renesas: rcar: Remove obsolete nullify checks serial: sh-sci: Save and restore more registers Geetha sowjanya (1): octeontx2-af: Fix APR entry mapping based on APR_LMT_CFG George Shen (3): drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination drm/amd/display: Read LTTPR ALPM caps during link cap retrieval drm/amd/display: Update CR AUX RD interval interpretation Goldwyn Rodrigues (1): btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref Greg Kroah-Hartman (2): spi: use container_of_cont() for to_spi_device() Linux 6.12.31 Guangguan Wang (1): net/smc: use the correct ndev to find pnetid by pnetid table Hangbin Liu (1): bonding: report duplicate MAC address in all situations Hans Verkuil (2): media: cx231xx: set device_caps for 417 media: test-drivers: vivid: don't call schedule in loop Hans de Goede (1): mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type Hans-Frieder Vogt (2): net: tn40xx: add pci-id of the aqr105-based Tehuti TN4010 cards net: tn40xx: create swnode for mdio and aqr105 phy and add to mdiobus Haoran Jiang (1): samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora Hariprasad Kelam (1): Octeontx2-af: RPM: Register driver with PCI subsys IDs Harish Kasiviswanathan (3): drm/amdkfd: Set per-process flags only once for gfx9/10/11/12 drm/amdkfd: Set per-process flags only once cik/vi drm/amdgpu: Set snoop bit for SDMA for MI series Harry VanZyllDeJong (1): drm/amd/display: Add support for disconnected eDP streams Harry Wentland (1): drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Hector Martin (4): soc: apple: rtkit: Implement OSLog buffers properly ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG ASoC: tas2764: Mark SW_RESET as volatile ASoC: tas2764: Power up/down amp on mute ops Heiko Carstens (1): s390/tlb: Use mm_has_pgste() instead of mm_alloc_pgste() Heiko Stuebner (2): nvmem: rockchip-otp: Move read-offset into variant-data nvmem: rockchip-otp: add rk3576 variant data Heiner Kallweit (1): r8169: don't scan PHY addresses > 0 Heming Zhao (1): dlm: make tcp still work in multi-link env Herbert Xu (3): crypto: lzo - Fix compression buffer overrun crypto: ahash - Set default reqsize from ahash_alg crypto: skcipher - Zap type in crypto_alloc_sync_skcipher Huacai Chen (1): net: stmmac: dwmac-loongson: Set correct {tx,rx}_fifo_size Ian Rogers (1): tools/build: Don't pass test log files to linker Ido Schimmel (2): vxlan: Annotate FDB data races bridge: netfilter: Fix forwarding of fragmented packets Ignacio Moreno Gonzalez (1): mm: mmap: map MAP_STACK to VM_NOHUGEPAGE only if THP is enabled Ihor Solodrai (1): selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure Ilan Peer (1): wifi: mac80211_hwsim: Fix MLD address translation Ilia Gavrilov (1): llc: fix data loss when reading from a socket in llc_ui_recvmsg() Ilpo Järvinen (2): tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() PCI: Fix old_size lower bound in calculate_iosize() too Ilya Bakoulin (2): drm/amd/display: Fix BT2020 YCbCr limited/full range input drm/amd/display: Don't try AUX transactions on disconnected link Ingo Molnar (1): x86/stackprotector/64: Only export __ref_stack_chk_guard on CONFIG_SMP Inochi Amaoto (1): pinctrl: sophgo: avoid to modify untouched bit when setting cv1800 pinconf Isaac Scott (1): regulator: ad5398: Add device tree support Ivan Pravdin (1): crypto: algif_hash - fix double free in hash_accept Jaakko Karrenpalo (1): net: hsr: Fix PRP duplicate detection Jacob Keller (1): ice: fix vf->num_mac count with port representors Jaegeuk Kim (1): f2fs: introduce f2fs_base_attr for global sysfs entries Jakob Unterwurzacher (1): net: dsa: microchip: linearize skb for tail-tagging switches Jakub Kicinski (3): eth: mlx4: don't try to complete XDP frames in netpoll net: page_pool: avoid false positive warning if NAPI was never added tools: ynl-gen: don't output external constants Jan Kara (1): jbd2: do not try to recover wiped journal Janne Grunau (1): soc: apple: rtkit: Use high prio work queue Jason Andryuk (1): xenbus: Allow PVH dom0 a non-local xenstore Jason Gunthorpe (1): genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie Jeff Chen (1): wifi: mwifiex: Fix HT40 bandwidth issue. Jens Axboe (1): io_uring/fdinfo: annotate racy sq/cq head/tail reads Jernej Skrabec (1): Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC connection" Jessica Zhang (1): drm: Add valid clones check Jianbo Liu (1): net/mlx5e: Add correct match to check IPSec syndromes for switchdev mode Jiang Liu (1): drm/amdgpu: reset psp->cmd to NULL after releasing the buffer Jiasheng Jiang (1): dpll: Add an assertion to check freq_supported_num Jing Su (1): dql: Fix dql->limit value when reset. Jing Zhou (1): drm/amd/display: Guard against setting dispclk low for dcn31x Jinliang Zheng (1): dm: fix unconditional IO throttle caused by REQ_PREFLUSH Jinqian Yang (1): arm64: Add support for HIP09 Spectre-BHB mitigation Johannes Berg (7): wifi: iwlwifi: fix debug actions order wifi: iwlwifi: mark Br device not integrated wifi: mac80211: fix warning on disconnect during failed ML reconf wifi: iwlwifi: use correct IMR dump variable wifi: mac80211: don't unconditionally call drv_mgd_complete_tx() wifi: mac80211: remove misplaced drv_mgd_complete_tx() call wifi: iwlwifi: add support for Killer on MTL Johannes Thumshirn (1): block: only update request sector if needed John Olender (1): drm/amd/display: Defer BW-optimization-blocked DRR adjustments Jon Hunter (1): arm64: tegra: Resize aperture for the IGX PCIe C5 slot Jonas Karlman (1): net: stmmac: dwmac-rk: Validate GRF and peripheral GRF during probe Jonathan Kim (1): drm/amdkfd: set precise mem ops caps to disabled for gfx 11 and 12 Jonathan McDowell (1): tpm: Convert warn to dbg in tpm2_start_auth_session() Jordan Crouse (1): clk: qcom: camcc-sm8250: Use clk_rcg2_shared_ops for some RCGs Josh Poimboeuf (2): objtool: Properly disable uaccess validation objtool: Fix error handling inconsistencies in check() Joshua Aberback (1): drm/amd/display: Increase block_sequence array size Justin Tee (3): scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when pci_irq_vector() fails Kai Mäkisara (4): scsi: st: Tighten the page format heuristics with MODE SELECT scsi: st: ERASE does not change tape location scsi: scsi_debug: First fixes for tapes scsi: st: Restore some drive settings after reset Kai Vehmanen (1): ASoc: SOF: topology: connect DAI to a single DAI link Karl Chan (1): clk: qcom: ipq5018: allow it to be bulid on arm32 Kaustabh Chakraborty (1): mmc: dw_mmc: add exynos7870 DW MMC support Kees Cook (6): PNP: Expand length of fixup id string net/mlx4_core: Avoid impossible mlx4_db_alloc() order value pstore: Change kmsg_bytes storage size to u32 btrfs: compression: adjust cb->compressed_folios allocation type mm: vmalloc: actually use the in-place vrealloc region mm: vmalloc: only zero-init on vrealloc shrink Kevin Krakauer (1): selftests/net: have `gro.sh -t` return a correct exit code Konstantin Andreev (2): smack: recognize ipv4 CIPSO w/o categories smack: Revert "smackfs: Added check catlen" Konstantin Shkolnyy (1): vdpa/mlx5: Fix mlx5_vdpa_get_config() endianness on big-endian machines Konstantin Taranov (1): net/mana: fix warning in the writer of client oob Krzysztof Kozlowski (4): ASoC: codecs: wsa884x: Correct VI sense channel mask ASoC: codecs: wsa883x: Correct VI sense channel mask can: c_can: Use of_property_present() to test existence of DT property clk: qcom: clk-alpha-pll: Do not use random stack value for recalc rate Kuan-Chung Chen (1): wifi: rtw89: 8922a: fix incorrect STA-ID in EHT MU PPDU Kuhanh Murugasen Krishnan (1): fpga: altera-cvp: Increase credit timeout Kuninori Morimoto (1): ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() Kuniyuki Iwashima (2): ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config(). ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). Kurt Borja (1): hwmon: (dell-smm) Increment the number of fans Lad Prabhakar (1): clk: renesas: rzg2l-cpg: Refactor Runtime PM clock validation Larisa Grigore (2): spi: spi-fsl-dspi: restrict register range for regmap access spi: spi-fsl-dspi: Reset SR flags before sending a new message Len Brown (1): tools/power turbostat: Clustered Uncore MHz counters should honor show/hide options Leo Zeng (1): Revert "drm/amd/display: Request HW cursor on DCN3.2 with SubVP" Leon Huang (1): drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch Leon Romanovsky (1): xfrm: prevent high SEQ input in non-ESN mode Li Bin (1): ARM: at91: pm: fix at91_suspend_finish for ZQ calibration Lijo Lazar (2): drm/amd/pm: Fetch current power limit from PMFW drm/amdgpu: Use active umc info from discovery Lin.Cao (1): drm/buddy: fix issue that force_merge cannot free all roots Linus Torvalds (3): gcc-15: make 'unterminated string initialization' just a warning gcc-15: disable '-Wunterminated-string-initialization' entirely for now Fix mis-uses of 'cc-option' for warning disablement Linus Walleij (1): ASoC: pcm6240: Drop bogus code handling IRQ as GPIO Lorenzo Stoakes (1): intel_th: avoid using deprecated page->mapping, index fields Lucas De Marchi (2): drm/xe: Stop ignoring errors from xe_ttm_stolen_mgr_init() drm/xe: Fix xe_tile_init_noalloc() error propagation Luis de Arquer (1): spi-rockchip: Fix register out of bounds access Luiz Augusto von Dentz (1): Bluetooth: L2CAP: Fix not checking l2cap_chan security level Maarten Lankhorst (2): drm/xe: Move suballocator init to after display init drm/xe: Do not attempt to bootstrap VF in execlists mode Maciej S. Szmigiero (1): ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 Maher Sanalla (1): RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() Manish Pandey (1): scsi: ufs: Introduce quirk to extend PA_HIBERN8TIME for UFS devices Marcos Paulo de Souza (1): printk: Check CON_SUSPEND when unblanking a console Marek Szyprowski (1): dma-mapping: avoid potential unused data compilation warning Marek Vasut (1): leds: trigger: netdev: Configure LED blink interval for HW offload Mario Limonciello (1): Revert "drm/amd: Keep display off while going into S4" Mark Harmstone (1): btrfs: avoid linker error in btrfs_find_create_tree_block() Mark Pearson (1): platform/x86: think-lmi: Fix attribute name usage for non-compliant items Markus Elfring (1): media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() Martin Blumenstingl (1): pinctrl: meson: define the pull up/down resistor value as 60 kOhm Martin KaFai Lau (1): bpf: Use kallsyms to find the function name of a struct_ops's stub function Martin Povišer (1): ASoC: ops: Enforce platform maximum on initial value Martin Tsai (1): drm/amd/display: Support multiple options during psr entry. Masahiro Yamada (1): kconfig: do not clear SYMBOL_VALID when reading include/config/auto.conf Matt Johnston (1): fuse: Return EPERM rather than ENOSYS from link() Matthew Brost (2): drm/xe: Nuke VM's mapping upon close drm/xe: Retry BO allocation Matthew Sakai (1): dm vdo: use a short static string for thread name prefix Matthew Wilcox (Oracle) (2): orangefs: Do not truncate file size highmem: add folio_test_partial_kmap() Matthias Fend (1): media: tc358746: improve calculation of the D-PHY timing registers Matthieu Baerts (NGI0) (1): mptcp: pm: userspace: flags: clearer msg if no remote addr Matti Lehtimäki (2): remoteproc: qcom_wcnss: Handle platforms with only single power domain remoteproc: qcom_wcnss: Fix on platforms without fallback regulators Michael Margolin (1): RDMA/core: Fix best page size finding when it can cross SG entries Michal Pecio (1): usb: xhci: Don't change the status of stalled TDs on failed Stop EP Michal Swiatkowski (3): ice: init flow director before RDMA ice: treat dyn_allowed only as suggestion ice: count combined queues using Rx/Tx count Michal Wajdeczko (3): drm/xe/relay: Don't use GFP_KERNEL for new transactions drm/xe/pf: Reset GuC VF config when unprovisioning critical resource drm/xe/sa: Always call drm_suballoc_manager_fini() Mika Westerberg (1): thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer Mike Christie (1): vhost-scsi: Return queue full for page alloc failures during copy Mikulas Patocka (1): dm: restrict dm device size to 2^63-512 bytes Ming Lei (1): blk-throttle: don't take carryover for prioritized processing of metadata Ming Yen Hsieh (1): wifi: mt76: mt7925: load the appropriate CLC data based on hardware type Ming-Hung Tsai (1): dm cache: prevent BUG_ON by blocking retries on failed device resumes Miri Korenblit (2): wifi: iwlwifi: don't warn when if there is a FW error wifi: iwlwifi: don't warn during reprobe Moshe Shemesh (1): net/mlx5: Avoid report two health errors on same syndrome Mrinmay Sarkar (1): PCI: epf-mhi: Update device ID for SA8775P Mykyta Yatsenko (1): bpf: Return prog btf_id without capable check Naman Trivedi (1): arm64: zynqmp: add clock-output-names property in clock nodes Namjae Jeon (2): cifs: add validation check for the fields in smb_aces ksmbd: fix stream write failure Nandakumar Edamana (1): libbpf: Fix out-of-bound read Nathan Chancellor (2): kbuild: Properly disable -Wunterminated-string-initialization for clang i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() Nicholas Kazlauskas (2): drm/amd/display: Ensure DMCUB idle before reset on DCN31/DCN35 drm/amd/display: Guard against setting dispclk low when active Nicholas Susanto (1): drm/amd/display: Enable urgent latency adjustment on DCN35 Nick Hu (1): clocksource/drivers/timer-riscv: Stop stimecmp when cpu hotplug Nicolas Bouchinet (2): netfilter: conntrack: Bound nf_conntrack sysctl writes scsi: logging: Fix scsi_logging_level bounds Nicolas Bretz (1): ext4: on a remount, only log the ro or r/w state when it has changed Nicolas Escande (1): wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override Niklas Cassel (1): misc: pci_endpoint_test: Give disabled BARs a distinct error code Niklas Neronin (1): usb: xhci: set page size to the xHCI-supported size Niklas Söderlund (1): media: adv7180: Disable test-pattern control on adv7180 Nir Lichtman (1): x86/build: Fix broken copy command in genimage.sh when making isoimage Nícolas F. R. A. Prado (4): thermal/drivers/mediatek/lvts: Start sensor interrupts disabled ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile ASoC: mediatek: mt8188: Add reference for dmic clocks Oak Zeng (1): drm/xe: Reject BO eviction if BO is bound to current VM Oliver Hartkopp (2): can: bcm: add locking for bcm_op runtime updates can: bcm: add missing rcu read protection for procfs content Olivier Moysan (1): drm: bridge: adv7511: fill stream capabilities Ovidiu Bunea (1): drm/amd/display: Exit idle optimizations before accessing PHY P Praneesh (3): wifi: ath12k: fix the ampdu id fetch in the HAL_RX_MPDU_START TLV wifi: ath12k: Fix end offset bit definition in monitor ring descriptor wifi: ath11k: Use dma_alloc_noncoherent for rx_tid buffer allocation Pali Rohár (7): cifs: Add fallback for SMB2 CREATE without FILE_READ_ATTRIBUTES cifs: Fix querying and creating MF symlinks over SMB1 cifs: Fix negotiate retry functionality cifs: Set default Netbios RFC1001 server name to hostname in UNC cifs: Fix establishing NetBIOS session for SMB2+ connection cifs: Fix and improve cifs_query_path_info() and cifs_query_file_info() cifs: Fix changing times and read-only attr over SMB1 smb_set_file_info() function Patrisious Haddad (1): net/mlx5: Change POOL_NEXT_SIZE define value and make it global Paul Burton (2): MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core clocksource: mips-gic-timer: Enable counter when CPUs start Paul Chaignon (1): xfrm: Sanitize marks before insert Paul E. McKenney (1): rcu: Fix get_state_synchronize_rcu_full() GP-start detection Paul Elder (1): media: imx335: Set vblank immediately Paul Kocialkowski (1): net: dwmac-sun8i: Use parsed internal PHY address instead of 1 Pavan Kumar Linga (1): idpf: fix null-ptr-deref in idpf_features_check Pavel Begunkov (3): io_uring: don't duplicate flushing in io_req_post_cqe io_uring/msg: initialise msg request opcode io_uring: fix overflow resched cqe reordering Pavel Nikulin (1): platform/x86: asus-wmi: Disable OOBE state after resume from hibernation Paweł Anikiel (1): x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88 Pedro Nishiyama (1): Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken Peichen Huang (1): drm/amd/display: not abort link train when bw is low Pengyu Luo (1): cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist Peter Seiderer (2): net: pktgen: fix mpls maximum labels list parsing net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Peter Ujfalusi (3): ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for bytes_ext ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms ASoC: SOF: ipc4-pcm: Delay reporting is only supported for playback direction Peter Zijlstra (3): perf/core: Clean up perf_try_init_event() x86/ibt: Handle FineIBT in handle_cfi_failure() x86/traps: Cleanup and robustify decode_bug() Peter Zijlstra (Intel) (1): perf: Avoid the read if the count is already updated Petr Machata (2): vxlan: Join / leave MC group after remote changes bridge: mdb: Allow replace of a host-joined group Philip Redkin (1): x86/mm: Check return value from memblock_phys_alloc_range() Philip Yang (1): drm/amdkfd: KFD release_work possible circular locking Ping-Ke Shih (7): wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() wifi: rtw89: fw: get sb_sel_ver via get_unaligned_le32() wifi: rtw89: fw: add blacklist to avoid obsolete secure firmware wifi: rtw89: fw: validate multi-firmware header before getting its size wifi: rtw89: fw: validate multi-firmware header before accessing wifi: rtw89: call power_on ahead before selecting firmware wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet Prathamesh Shete (1): pinctrl-tegra: Restore SFSEL bit when freeing pins Qu Wenruo (2): btrfs: run btrfs_error_commit_super() early btrfs: avoid NULL pointer dereference if no valid csum tree Quan Zhou (1): wifi: mt76: mt7925: fix fails to enter low power mode in suspend state Raag Jadav (2): devres: Introduce devm_kmemdup_array() err.h: move IOMEM_ERR_PTR() to err.h Rafael J. Wysocki (1): cpuidle: menu: Avoid discarding useful information Ramasamy Kaliappan (1): wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band Ranjan Kumar (2): scsi: mpi3mr: Add level check to control event logging scsi: mpi3mr: Update timestamp only for supervisor IOCs Ravi Bangoria (2): perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt perf/amd/ibs: Fix ->config to sample period calculation for OP PMU Rex Lu (1): wifi: mt76: mt7996: fix SER reset trigger on WED reset Ricardo Ribalda (2): media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value Ritesh Harjani (IBM) (1): book3s64/radix: Fix compile errors when CONFIG_ARCH_WANT_OPTIMIZE_DAX_VMEMMAP=n Rob Herring (Arm) (1): perf: arm_pmuv3: Call kvm_vcpu_pmu_resync_el0() before enabling counters Robert Richter (1): libnvdimm/labels: Fix divide error in nd_label_data_init() Robin Murphy (1): iommu: Keep dev->iommu state consistent Roger Pau Monne (2): PCI: vmd: Disable MSI remapping bypass under Xen xen/pci: Do not register devices with segments >= 0x10000 Ronak Doshi (1): vmxnet3: update MTU after device quiesce Rosen Penev (1): wifi: ath9k: return by of_get_mac_address Ryan Roberts (2): arm64/mm: Check pmd_table() in pmd_trans_huge() arm64/mm: Check PUD_TYPE_TABLE in pud_bad() Ryan Walklin (1): ASoC: sun4i-codec: support hp-det-gpios property Ryo Takakura (1): lockdep: Fix wait context check on softirq for PREEMPT_RT Ryusuke Konishi (1): nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs() Sabrina Dubroca (2): espintcp: fix skb leaks espintcp: remove encap socket caching to avoid reference leak Sagi Maimon (1): ptp: ocp: Limit signal/freq counts in summary output functions Sakari Ailus (1): media: v4l: Memset argument to 0 before calling get_mbus_config pad op Saket Kumar Bhaskar (1): perf/hw_breakpoint: Return EOPNOTSUPP for unsupported breakpoint type Salah Triki (1): smb: server: smb2pdu: check return value of xa_store() Samuel Holland (1): riscv: Allow NOMMU kernels to access all of RAM Saranya Gopal (1): platform/x86/intel: hid: Add Pantherlake support Satyanarayana K V P (2): drm/xe/vf: Retry sending MMIO request to GUC on timeout error drm/xe/pf: Create a link between PF and VF devices Sean Anderson (1): spi: zynqmp-gqspi: Always acknowledge interrupts Sean Wang (1): Bluetooth: btmtksdio: Prevent enabling interrupts after IRQ handler removal Seongman Lee (1): x86/sev: Fix operator precedence in GHCB_MSR_VMPL_REQ_LEVEL macro Sergio Perez Gonzalez (1): spi: spi-mux: Fix coverity issue, unchecked return value Seyediman Seyedarab (1): kbuild: fix argument parsing in scripts/config Shahar Shitrit (2): net/mlx5: Modify LSB bitmask in temperature event to include only the first bit net/mlx5: Apply rate-limiting to high temperature warning Shashank Gupta (1): crypto: octeontx2 - suppress auth failure screaming due to negative tests Shivasharan S (1): scsi: mpt3sas: Send a diag reset if target reset fails Shiwu Zhang (1): drm/amdgpu: enlarge the VBIOS binary size limit Shixiong Ou (1): fbdev: fsl-diu-fb: add missing device_remove_file() Shree Ramamoorthy (1): mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check Shuicheng Lin (1): drm/xe/debugfs: Add missing xe_pm_runtime_put in wedge_mode_set Simona Vetter (1): drm/atomic: clarify the rules around drm_atomic_state->allow_modeset Siva Durga Prasad Paladugu (1): firmware: xilinx: Dont send linux address to get fpga config get status Soeren Moch (1): wifi: rtl8xxxu: retry firmware download on error Sohil Mehta (2): x86/smpboot: Fix INIT delay assignment for extended Intel Families x86/microcode: Update the Intel processor flag scan check Stanimir Varbanov (2): PCI: brcmstb: Expand inbound window size up to 64GB PCI: brcmstb: Add a softdep to MIP MSI-X driver Stanley Chu (1): i3c: master: svc: Fix missing STOP for master request Stefan Binding (1): ASoC: intel/sdw_utils: Add volume limit to cs42l43 speakers Stefan Wahren (3): staging: vchiq_arm: Create keep-alive thread during probe drm/v3d: Add clock handling dmaengine: fsl-edma: Fix return code for unhandled interrupts Stefano Garzarella (1): vhost_task: fix vhost_task_create() documentation Stephan Gerhold (1): i2c: qup: Vote for interconnect bandwidth to DRAM Subbaraya Sundeep (1): octeontx2-af: Set LMT_ENA bit for APR table entries Sudeep Holla (4): mailbox: pcc: Use acpi_os_ioremap() instead of ioremap() firmware: arm_ffa: Reject higher major version as incompatible firmware: arm_ffa: Handle the presence of host partition in the partition info firmware: arm_scmi: Relax duplicate name constraint across protocol ids Suman Ghosh (1): octeontx2-pf: Add AF_XDP non-zero copy support Sungjong Seo (1): exfat: call bh_read in get_block only when necessary Sven Schwermer (1): crypto: mxs-dcp - Only set OTP_KEY bit for OTP key Svyatoslav Ryhel (1): ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 Takashi Iwai (5): ALSA: seq: Improve data consistency at polling ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx ALSA: usb-audio: Fix duplicated name in MIDI substream names ALSA: pcm: Fix race of buffer access at PCM OSS layer Taniya Das (1): clk: qcom: lpassaudiocc-sc7280: Add support for LPASS resets for QCM6490 Tavian Barnes (1): ASoC: SOF: Intel: hda: Fix UAF when reloading module Thangaraj Samynathan (1): net: lan743x: Restore SGMII CTRL register on resume Thomas Gleixner (1): posix-timers: Ensure that timer initialization is fully visible Thomas Huth (1): x86/headers: Replace __ASSEMBLY__ with __ASSEMBLER__ in UAPI headers Thomas Weißschuh (1): timer_list: Don't use %pK through printk() Thomas Zimmermann (3): drm/gem: Test for imported GEM buffers with helper drm/ast: Find VBIOS mode from regular display size drm/gem: Internally test import_attach for imported objects Tianyang Zhang (1): mm/page_alloc.c: avoid infinite retries caused by cpuset race Tiwei Bie (1): um: Update min_low_pfn to match changes in uml_reserved Tobias Brunner (1): xfrm: Fix UDP GRO handling for some corner cases Tom Chung (1): drm/amd/display: Initial psr_version with correct setting Trond Myklebust (7): NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() NFS: Don't allow waiting for exiting tasks SUNRPC: Don't allow waiting for exiting tasks NFSv4: Treat ENETUNREACH errors as fatal for state recovery SUNRPC: rpc_clnt_set_transport() must not change the autobind setting SUNRPC: rpcbind should never reset the port to the value '0' pNFS/flexfiles: Report ENETDOWN as a connection error Tudor Ambarus (1): mailbox: use error ret code of of_parse_phandle_with_args() Uday Shankar (1): ublk: enforce ublks_max only for unprivileged devices Umesh Nerlige Ramappa (1): drm/xe/oa: Ensure that polled read returns latest data Uros Bizjak (1): x86/locking: Use ALT_OUTPUT_SP() for percpu_{,try_}cmpxchg{64,128}_op() Valentin Caron (1): pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map Vasant Hegde (1): iommu/amd/pgtbl_v2: Improve error handling Vicki Pfau (1): Input: xpad - add more controllers Victor Lu (1): drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c Victor Skvortsov (1): drm/amdgpu: Skip pcie_replay_count sysfs creation for VF Vijendar Mukunda (1): soundwire: amd: change the soundwire wake enable/disable sequence Viktor Malik (1): bpftool: Fix readlink usage in get_fd_type Vinicius Costa Gomes (1): dmaengine: idxd: Fix allowing write() from different address spaces Vinith Kumar R (1): wifi: ath12k: Report proper tx completion status to mac80211 Viresh Kumar (1): firmware: arm_ffa: Set dma_mask for ffa devices Vitalii Mordan (1): i2c: pxa: fix call balance of i2c->clk handling routines Vladimir Kondratiev (1): irqchip/riscv-aplic: Add support for hart indexes Vladimir Moskovkin (1): platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() Vladimir Oltean (1): net: enetc: refactor bulk flipping of RX buffers to separate function Waiman Long (1): x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() Wang Liang (1): net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done Wang Zhaolong (3): smb: client: Store original IO parameters and prevent zero IO sizes smb: client: Fix use-after-free in cifs_fill_dirent smb: client: Reset all search buffer pointers when releasing buffer Wentao Guan (2): nvme-pci: add quirks for device 126f:1001 nvme-pci: add quirks for WDC Blue SN550 15b7:5009 Willem de Bruijn (1): ipv6: save dontfrag in cork William Tu (3): net/mlx5e: set the tx_queue_len for pfifo_fast net/mlx5e: reduce rep rxq depth to 256 for ECPF net/mlx5e: reduce the max log mpwrq sz for ECPF and reps Xiao Liang (1): net: ipv6: Init tunnel link-netns before registering dev Xiaofei Tan (1): ACPI: HED: Always initialize before evged Xin Li (Intel) (1): x86/fred: Fix system hang during S4 resume with FRED enabled Xin Wang (1): drm/xe/debugfs: fixed the return value of wedged_mode_set Yeoreum Yun (1): coresight-etb10: change etb_drvdata spinlock's type to raw_spinlock_t Yi Liu (2): iommufd: Extend IOMMU_GET_HW_INFO to report PASID capability iommufd: Disallow allocating nested parent domain with fault ID Yihan Zhu (1): drm/amd/display: handle max_downscale_src_width fail check Yonghong Song (1): bpf: Allow pre-ordering for bpf cgroup progs Youssef Samir (1): accel/qaic: Mask out SR-IOV PCI resources Yuanjun Gong (1): leds: pwm-multicolor: Add check for fwnode_property_read_u32 Zhang Rui (1): thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature Zhang Yi (2): ext4: don't write back data before punch hole in nojournal mode ext4: remove writable userspace mappings before truncating page cache Zhi Wang (1): drm/nouveau: fix the broken marco GSP_MSG_MAX_SIZE Zhikai Zhai (1): drm/amd/display: calculate the remain segments for all pipes Zhongqiu Han (1): virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN Zhongwei Zhang (1): drm/amd/display: Correct timing_adjust_pending flag setting. Zsolt Kajtar (2): fbcon: Use correct erase colour for clearing in fbcon fbdev: core: tileblit: Implement missing margin clearing for tileblit feijuan.li (1): drm/edid: fixed the bug that hdr metadata was not reset gaoxu (1): cgroup: Fix compilation issue due to cgroup_mutex not being exported junan (1): HID: usbkbd: Fix the bit shift number for LED_KANA shantiprasad shettar (1): bnxt_en: Query FW parameters when the CAPS_CHANGE bit is set zihan zhou (1): sched: Reduce the default slice to avoid tasks getting an extra tick

5 months, 3 weeks

1
1
0 0

[PATCH -stable,5.4 0/3] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains a backport fix for 5.4 -stable. The following list shows the backported patches, I am using original commit IDs for reference: 1) 8965d42bcf54 ("netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx") This is a stable dependency for the next patch. 2) c03d278fdf35 ("netfilter: nf_tables: wait for rcu grace period on net_device removal") 3) b04df3da1b5c ("netfilter: nf_tables: do not defer rule destruction via call_rcu") This is a fix-for-fix for patch 2. These three patches are required to fix the netdevice release path for netdev family basechains. NOTE: -stable kernels >= 5.4 already provide these backport fixes. Please, apply, Thanks ** BLURB HERE *** Florian Westphal (2): netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx netfilter: nf_tables: do not defer rule destruction via call_rcu Pablo Neira Ayuso (1): netfilter: nf_tables: wait for rcu grace period on net_device removal net/netfilter/nf_tables_api.c | 51 ++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 15 deletions(-) -- 2.30.2

5 months, 3 weeks

1
3
0 0

[PATCH] leds: flash: leds-qcom-flash: Fix registry access after re-bind

by Krzysztof Kozlowski

Driver in probe() updates each of 'reg_field' with 'reg_base': for (i = 0; i < REG_MAX_COUNT; i++) regs[i].reg += reg_base; 'reg_field' array (under variable 'regs' above) is statically allocated, this each re-bind would add another 'reg_base' leading to bogus register addresses. Constify the local 'reg_field' array and duplicate it in probe to solve this. Fixes: 96a2e242a5dc ("leds: flash: Add driver to support flash LED module in QCOM PMICs") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- This is a nice example why constifying static memory is useful. --- drivers/leds/flash/leds-qcom-flash.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/leds/flash/leds-qcom-flash.c b/drivers/leds/flash/leds-qcom-flash.c index b4c19be51c4d..b8a48c15d797 100644 --- a/drivers/leds/flash/leds-qcom-flash.c +++ b/drivers/leds/flash/leds-qcom-flash.c @@ -117,7 +117,7 @@ enum { REG_MAX_COUNT, }; -static struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { +static const struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { REG_FIELD(0x08, 0, 7), /* status1 */ REG_FIELD(0x09, 0, 7), /* status2 */ REG_FIELD(0x0a, 0, 7), /* status3 */ @@ -132,7 +132,7 @@ static struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { REG_FIELD(0x58, 0, 2), /* therm_thrsh3 */ }; -static struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { +static const struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { REG_FIELD(0x06, 0, 7), /* status1 */ REG_FIELD(0x07, 0, 6), /* status2 */ REG_FIELD(0x09, 0, 7), /* status3 */ @@ -854,11 +854,17 @@ static int qcom_flash_led_probe(struct platform_device *pdev) if (val == FLASH_SUBTYPE_3CH_PM8150_VAL || val == FLASH_SUBTYPE_3CH_PMI8998_VAL) { flash_data->hw_type = QCOM_MVFLASH_3CH; flash_data->max_channels = 3; - regs = mvflash_3ch_regs; + regs = devm_kmemdup(dev, mvflash_3ch_regs, sizeof(mvflash_3ch_regs), + GFP_KERNEL); + if (!regs) + return -ENOMEM; } else if (val == FLASH_SUBTYPE_4CH_VAL) { flash_data->hw_type = QCOM_MVFLASH_4CH; flash_data->max_channels = 4; - regs = mvflash_4ch_regs; + regs = devm_kmemdup(dev, mvflash_4ch_regs, sizeof(mvflash_3ch_regs), + GFP_KERNEL); + if (!regs) + return -ENOMEM; rc = regmap_read(regmap, reg_base + FLASH_REVISION_REG, &val); if (rc < 0) { @@ -880,6 +886,7 @@ static int qcom_flash_led_probe(struct platform_device *pdev) dev_err(dev, "Failed to allocate regmap field, rc=%d\n", rc); return rc; } + devm_kfree(dev, regs); /* devm_regmap_field_bulk_alloc() makes copies */ platform_set_drvdata(pdev, flash_data); mutex_init(&flash_data->lock); -- 2.45.2

5 months, 3 weeks

2
2
0 0

[PATCH v3] drm/xe/sched: stop re-submitting signalled jobs

by Matthew Auld

Customer is reporting a really subtle issue where we get random DMAR faults, hangs and other nasties for kernel migration jobs when stressing stuff like s2idle/s3/s4. The explosions seems to happen somewhere after resuming the system with splats looking something like: PM: suspend exit rfkill: input handler disabled xe 0000:00:02.0: [drm] GT0: Engine reset: engine_class=bcs, logical_mask: 0x2, guc_id=0 xe 0000:00:02.0: [drm] GT0: Timedout job: seqno=24496, lrc_seqno=24496, guc_id=0, flags=0x13 in no process [-1] xe 0000:00:02.0: [drm] GT0: Kernel-submitted job timed out The likely cause appears to be a race between suspend cancelling the worker that processes the free_job()'s, such that we still have pending jobs to be freed after the cancel. Following from this, on resume the pending_list will now contain at least one already complete job, but it looks like we call drm_sched_resubmit_jobs(), which will then call run_job() on everything still on the pending_list. But if the job was already complete, then all the resources tied to the job, like the bb itself, any memory that is being accessed, the iommu mappings etc. might be long gone since those are usually tied to the fence signalling. This scenario can be seen in ftrace when running a slightly modified xe_pm (kernel was only modified to inject artificial latency into free_job to make the race easier to hit): xe_sched_job_run: dev=0000:00:02.0, fence=0xffff888276cc8540, seqno=0, lrc_seqno=0, gt=0, guc_id=0, batch_addr=0x000000146910 ... xe_exec_queue_stop: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x0, flags=0x13 xe_exec_queue_stop: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=1, guc_state=0x0, flags=0x4 xe_exec_queue_stop: dev=0000:00:02.0, 4:0x1, gt=1, width=1, guc_id=0, guc_state=0x0, flags=0x3 xe_exec_queue_stop: dev=0000:00:02.0, 1:0x1, gt=1, width=1, guc_id=1, guc_state=0x0, flags=0x3 xe_exec_queue_stop: dev=0000:00:02.0, 4:0x1, gt=1, width=1, guc_id=2, guc_state=0x0, flags=0x3 xe_exec_queue_resubmit: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x0, flags=0x13 xe_sched_job_run: dev=0000:00:02.0, fence=0xffff888276cc8540, seqno=0, lrc_seqno=0, gt=0, guc_id=0, batch_addr=0x000000146910 ... ..... xe_exec_queue_memory_cat_error: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x3, flags=0x13 So the job_run() is clearly triggered twice for the same job, even though the first must have already signalled to completion during suspend. We can also see a CAT error after the re-submit. To prevent this try to call xe_sched_stop() to forcefully remove anything on the pending_list that has already signalled, before we re-submit. v2: - Make sure to re-arm the fence callbacks with sched_start(). v3 (Matt B): - Stop using drm_sched_resubmit_jobs(), which appears to be deprecated and just open-code a simple loop such that we skip calling run_job() and anything already signalled. Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4856 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: William Tseng <william.tseng(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_gpu_scheduler.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_gpu_scheduler.h b/drivers/gpu/drm/xe/xe_gpu_scheduler.h index c250ea773491..308061f0cf37 100644 --- a/drivers/gpu/drm/xe/xe_gpu_scheduler.h +++ b/drivers/gpu/drm/xe/xe_gpu_scheduler.h @@ -51,7 +51,15 @@ static inline void xe_sched_tdr_queue_imm(struct xe_gpu_scheduler *sched) static inline void xe_sched_resubmit_jobs(struct xe_gpu_scheduler *sched) { - drm_sched_resubmit_jobs(&sched->base); + struct drm_sched_job *s_job; + + list_for_each_entry(s_job, &sched->base.pending_list, list) { + struct drm_sched_fence *s_fence = s_job->s_fence; + struct dma_fence *hw_fence = s_fence->parent; + + if (hw_fence && !dma_fence_is_signaled(hw_fence)) + sched->base.ops->run_job(s_job); + } } static inline bool -- 2.49.0

5 months, 3 weeks

3
4
0 0

[PATCH] net: ch9200: fix uninitialised access during mii_nway_restart

by Qasim Ijaz

In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff". To fix this we should check the return value of control_read() and return early on error. Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9 Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9(a)syzkaller.appspotmail.com> Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/net/usb/ch9200.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c index f69d9b902da0..a206ffa76f1b 100644 --- a/drivers/net/usb/ch9200.c +++ b/drivers/net/usb/ch9200.c @@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) { struct usbnet *dev = netdev_priv(netdev); unsigned char buff[2]; + int ret; netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n", __func__, phy_id, loc); @@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_device *netdev, int phy_id, int loc) if (phy_id != 0) return -ENODEV; - control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, - CONTROL_TIMEOUT_MS); + ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02, + CONTROL_TIMEOUT_MS); + if (ret < 0) + return ret; return (buff[0] | buff[1] << 8); } -- 2.39.5

5 months, 3 weeks

2
1
0 0

[PATCH] net: af_key: Add error check in set_sadb_address()

by Wentao Liang

The function set_sadb_address() calls the function pfkey_sockaddr_fill(), but does not check its return value. A proper implementation can be found in set_sadb_kmaddress(). Add an error check for set_sadb_address(), return error code if the function fails. Fixes: e5b56652c11b ("key: Share common code path to fill sockaddr{}.") Cc: stable(a)vger.kernel.org # v2.6 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- net/key/af_key.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/key/af_key.c b/net/key/af_key.c index c56bb4f451e6..537c9604e356 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -3474,15 +3474,17 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type, switch (type) { case SADB_EXT_ADDRESS_SRC: addr->sadb_address_prefixlen = sel->prefixlen_s; - pfkey_sockaddr_fill(&sel->saddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + if (!pfkey_sockaddr_fill(&sel->saddr, 0, + (struct sockaddr *)(addr + 1), + sel->family)) + return -EINVAL; break; case SADB_EXT_ADDRESS_DST: addr->sadb_address_prefixlen = sel->prefixlen_d; - pfkey_sockaddr_fill(&sel->daddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + if (!pfkey_sockaddr_fill(&sel->daddr, 0, + (struct sockaddr *)(addr + 1), + sel->family)) + return -EINVAL; break; default: return -EINVAL; -- 2.42.0.windows.2

5 months, 3 weeks

3
2
0 0

[PATCH 2/5] LoongArch: KVM: Check interrupt route from physical cpu with eiointc

by Bibo Mao

With eiointc interrupt controller, physical cpu id is set for irq route. However function kvm_get_vcpu() is used to get destination vCPU when delivering irq. With API kvm_get_vcpu(), logical cpu is used. With API kvm_get_vcpu_by_cpuid(), vCPU can be searched from physical cpu id. Cc: stable(a)vger.kernel.org Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- arch/loongarch/kvm/intc/eiointc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c index d2c521b0e923..0b648c56b0c3 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -9,7 +9,8 @@ static void eiointc_set_sw_coreisr(struct loongarch_eiointc *s) { - int ipnum, cpu, irq_index, irq_mask, irq; + int ipnum, cpu, irq_index, irq_mask, irq, cpuid; + struct kvm_vcpu *vcpu; for (irq = 0; irq < EIOINTC_IRQS; irq++) { ipnum = s->ipmap.reg_u8[irq / 32]; @@ -20,7 +21,12 @@ static void eiointc_set_sw_coreisr(struct loongarch_eiointc *s) irq_index = irq / 32; irq_mask = BIT(irq & 0x1f); - cpu = s->coremap.reg_u8[irq]; + cpuid = s->coremap.reg_u8[irq]; + vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid); + if (vcpu == NULL) + continue; + + cpu = vcpu->vcpu_id; if (!!(s->coreisr.reg_u32[cpu][irq_index] & irq_mask)) set_bit(irq, s->sw_coreisr[cpu][ipnum]); else @@ -68,17 +74,23 @@ static void eiointc_update_irq(struct loongarch_eiointc *s, int irq, int level) static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, int irq, u64 val, u32 len, bool notify) { - int i, cpu; + int i, cpu, cpuid; + struct kvm_vcpu *vcpu; for (i = 0; i < len; i++) { - cpu = val & 0xff; + cpuid = val & 0xff; val = val >> 8; if (!(s->status & BIT(EIOINTC_ENABLE_CPU_ENCODE))) { - cpu = ffs(cpu) - 1; - cpu = (cpu >= 4) ? 0 : cpu; + cpuid = ffs(cpuid) - 1; + cpuid = (cpuid >= 4) ? 0 : cpuid; } + vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid); + if (vcpu == NULL) + continue; + + cpu = vcpu->vcpu_id; if (s->sw_coremap[irq + i] == cpu) continue; -- 2.39.3

5 months, 3 weeks

1
0
0 0

[PATCH 1/5] LoongArch: KVM: Fix interrupt route update with eiointc

by Bibo Mao

With function eiointc_update_sw_coremap(), there is forced assignment like val = *(u64 *)pvalue. Parameter pvalue may be pointer to char type or others, there is problem with forced assignment with u64 type. Here the detailed value is passed rather address pointer. Cc: stable(a)vger.kernel.org Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- arch/loongarch/kvm/intc/eiointc.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c index f39929d7bf8a..d2c521b0e923 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -66,10 +66,9 @@ static void eiointc_update_irq(struct loongarch_eiointc *s, int irq, int level) } static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, - int irq, void *pvalue, u32 len, bool notify) + int irq, u64 val, u32 len, bool notify) { int i, cpu; - u64 val = *(u64 *)pvalue; for (i = 0; i < len; i++) { cpu = val & 0xff; @@ -398,7 +397,7 @@ static int loongarch_eiointc_writeb(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq; s->coremap.reg_u8[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -484,7 +483,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq >> 1; s->coremap.reg_u16[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -570,7 +569,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq >> 2; s->coremap.reg_u32[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -656,7 +655,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq >> 3; s->coremap.reg_u64[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -809,7 +808,7 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *dev, for (i = 0; i < (EIOINTC_IRQS / 4); i++) { start_irq = i * 4; eiointc_update_sw_coremap(s, start_irq, - (void *)&s->coremap.reg_u32[i], sizeof(u32), false); + s->coremap.reg_u32[i], sizeof(u32), false); } break; default: -- 2.39.3

5 months, 3 weeks

1
0
0 0

[PATCH] net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe()

by Haoxiang Li

Add check for the return value of rcar_gen4_ptp_alloc() to prevent potential null pointer dereference. Fixes: b0d3969d2b4d ("net: ethernet: rtsn: Add support for Renesas Ethernet-TSN") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/net/ethernet/renesas/rtsn.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/renesas/rtsn.c b/drivers/net/ethernet/renesas/rtsn.c index 6b3f7fca8d15..f5df3374d279 100644 --- a/drivers/net/ethernet/renesas/rtsn.c +++ b/drivers/net/ethernet/renesas/rtsn.c @@ -1260,6 +1260,10 @@ static int rtsn_probe(struct platform_device *pdev) priv->pdev = pdev; priv->ndev = ndev; priv->ptp_priv = rcar_gen4_ptp_alloc(pdev); + if (!priv->ptp_priv) { + ret = -ENOMEM; + goto error_free; + } spin_lock_init(&priv->lock); platform_set_drvdata(pdev, priv); -- 2.25.1

5 months, 3 weeks

3
2
0 0

[alternative-merged] mm-contig_alloc-fix-alloc_contig_range-when-__gfp_comp-and-order-max_order.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/contig_alloc: fix alloc_contig_range when __GFP_COMP and order < MAX_ORDER has been removed from the -mm tree. Its filename was mm-contig_alloc-fix-alloc_contig_range-when-__gfp_comp-and-order-max_order.patch This patch was dropped because an alternative patch was or shall be merged ------------------------------------------------------ From: Jinjiang Tu <tujinjiang(a)huawei.com> Subject: mm/contig_alloc: fix alloc_contig_range when __GFP_COMP and order < MAX_ORDER Date: Mon, 21 Apr 2025 09:36:20 +0800 When calling alloc_contig_range() with __GFP_COMP and the order of requested pfn range is pageblock_order, less than MAX_ORDER, I triggered WARNING as follows: PFN range: requested [2150105088, 2150105600), allocated [2150105088, 2150106112) WARNING: CPU: 3 PID: 580 at mm/page_alloc.c:6877 alloc_contig_range+0x280/0x340 alloc_contig_range() marks pageblocks of the requested pfn range to be isolated, migrate these pages if they are in use and will be freed to MIGRATE_ISOLATED freelist. Suppose two alloc_contig_range() calls at the same time and the requested pfn range are [0x80280000, 0x80280200) and [0x80280200, 0x80280400) respectively. Suppose the two memory range are in use, then alloc_contig_range() will migrate and free these pages to MIGRATE_ISOLATED freelist. __free_one_page() will merge MIGRATE_ISOLATE buddy to larger buddy, resulting in a MAX_ORDER buddy. Finally, find_large_buddy() in alloc_contig_range() returns a MAX_ORDER buddy and results in WARNING. To fix it, call free_contig_range() to free the excess pfn range. Link: https://lkml.kernel.org/r/20250421013620.459740-1-tujinjiang@huawei.com Fixes: e98337d11bbd ("mm/contig_alloc: support __GFP_COMP") Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) --- a/mm/page_alloc.c~mm-contig_alloc-fix-alloc_contig_range-when-__gfp_comp-and-order-max_order +++ a/mm/page_alloc.c @@ -6693,6 +6693,7 @@ int alloc_contig_range_noprof(unsigned l .alloc_contig = true, }; INIT_LIST_HEAD(&cc.migratepages); + bool is_range_aligned; gfp_mask = current_gfp_context(gfp_mask); if (__alloc_contig_verify_gfp_mask(gfp_mask, (gfp_t *)&cc.gfp_mask)) @@ -6781,7 +6782,14 @@ int alloc_contig_range_noprof(unsigned l goto done; } - if (!(gfp_mask & __GFP_COMP)) { + /* + * With __GFP_COMP and the requested order < MAX_PAGE_ORDER, + * isolated free pages can have higher order than the requested + * one. Use split_free_pages() to free out of range pages. + */ + is_range_aligned = is_power_of_2(end - start); + if (!(gfp_mask & __GFP_COMP) || + (is_range_aligned && ilog2(end - start) < MAX_PAGE_ORDER)) { split_free_pages(cc.freepages, gfp_mask); /* Free head and tail (if any) */ @@ -6789,7 +6797,15 @@ int alloc_contig_range_noprof(unsigned l free_contig_range(outer_start, start - outer_start); if (end != outer_end) free_contig_range(end, outer_end - end); - } else if (start == outer_start && end == outer_end && is_power_of_2(end - start)) { + + outer_start = start; + outer_end = end; + + if (!(gfp_mask & __GFP_COMP)) + goto done; + } + + if (start == outer_start && end == outer_end && is_range_aligned) { struct page *head = pfn_to_page(start); int order = ilog2(end - start); _ Patches currently in -mm which might be from tujinjiang(a)huawei.com are

5 months, 3 weeks

1
0
0 0

[for-next][PATCH 02/10] ring-buffer: Do not trigger WARN_ON() due to a commit_overrun

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE(). But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as "missed_events". In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780 Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50 RSP: 0018:ffff888121787dc0 EFLAGS: 00010002 RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49 RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8 RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982 R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00 R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008 FS: 00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __pfx_ring_buffer_map_get_reader+0x10/0x10 tracing_buffers_ioctl+0x283/0x370 __x64_sys_ioctl+0x134/0x190 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f95c8de48db Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006 RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90 </TASK> irq event stamp: 5080 hardirqs last enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70 hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70 softirqs last enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710 softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210 ---[ end trace 0000000000000000 ]--- The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command: # perf record -o perf-test.dat -a -- trace-cmd record --nosplice -e all -p function hackbench 50 With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an event being written to add enough events to wrap the buffer. trace-cmd was modified to have --nosplice use mmap instead of reading the buffer. The way to differentiate this case from the normal case of there only being one page written to where the swap of the reader page received that one page (which is the commit page), check if the tail page is on the reader page. The difference between the commit page and the tail page is that the tail page is where new writes go to, and the commit page holds the first write that hasn't been committed yet. In the case of an interrupt preempting the write of an event and filling the buffer, it would move the tail page but not the commit page. Have the warning only trigger if the tail page is also on the reader page, and also print out the number of events dropped by a commit overrun as that can not yet be safely added to the page so that the reader can see there were events dropped. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Vincent Donnefort <vdonnefort(a)google.com> Link: https://lore.kernel.org/20250528121555.2066527e@gandalf.local.home Fixes: fe832be05a8ee ("ring-buffer: Have mmapped ring buffer keep track of missed events") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index ca1a8e706004..683aa57870fe 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -7285,8 +7285,8 @@ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu) /* Check if any events were dropped */ missed_events = cpu_buffer->lost_events; - if (cpu_buffer->reader_page != cpu_buffer->commit_page) { - if (missed_events) { + if (missed_events) { + if (cpu_buffer->reader_page != cpu_buffer->commit_page) { struct buffer_data_page *bpage = reader->page; unsigned int commit; /* @@ -7307,13 +7307,23 @@ int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu) local_add(RB_MISSED_STORED, &bpage->commit); } local_add(RB_MISSED_EVENTS, &bpage->commit); + } else if (!WARN_ONCE(cpu_buffer->reader_page == cpu_buffer->tail_page, + "Reader on commit with %ld missed events", + missed_events)) { + /* + * There shouldn't be any missed events if the tail_page + * is on the reader page. But if the tail page is not on the + * reader page and the commit_page is, that would mean that + * there's a commit_overrun (an interrupt preempted an + * addition of an event and then filled the buffer + * with new events). In this case it's not an + * error, but it should still be reported. + * + * TODO: Add missed events to the page for user space to know. + */ + pr_info("Ring buffer [%d] commit overrun lost %ld events at timestamp:%lld\n", + cpu, missed_events, cpu_buffer->reader_page->page->time_stamp); } - } else { - /* - * There really shouldn't be any missed events if the commit - * is on the reader page. - */ - WARN_ON_ONCE(missed_events); } cpu_buffer->lost_events = 0; -- 2.47.2

5 months, 3 weeks

1
0
0 0

[for-next][PATCH 01/10] ring-buffer: Move cpus_read_lock() outside of buffer->mutex

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> Running a modified trace-cmd record --nosplice where it does a mmap of the ring buffer when '--nosplice' is set, caused the following lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 6.15.0-rc7-test-00002-gfb7d03d8a82f #551 Not tainted ------------------------------------------------------ trace-cmd/1113 is trying to acquire lock: ffff888100062888 (&buffer->mutex){+.+.}-{4:4}, at: ring_buffer_map+0x11c/0xe70 but task is already holding lock: ffff888100a5f9f8 (&cpu_buffer->mapping_lock){+.+.}-{4:4}, at: ring_buffer_map+0xcf/0xe70 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #5 (&cpu_buffer->mapping_lock){+.+.}-{4:4}: __mutex_lock+0x192/0x18c0 ring_buffer_map+0xcf/0xe70 tracing_buffers_mmap+0x1c4/0x3b0 __mmap_region+0xd8d/0x1f70 do_mmap+0x9d7/0x1010 vm_mmap_pgoff+0x20b/0x390 ksys_mmap_pgoff+0x2e9/0x440 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #4 (&mm->mmap_lock){++++}-{4:4}: __might_fault+0xa5/0x110 _copy_to_user+0x22/0x80 _perf_ioctl+0x61b/0x1b70 perf_ioctl+0x62/0x90 __x64_sys_ioctl+0x134/0x190 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #3 (&cpuctx_mutex){+.+.}-{4:4}: __mutex_lock+0x192/0x18c0 perf_event_init_cpu+0x325/0x7c0 perf_event_init+0x52a/0x5b0 start_kernel+0x263/0x3e0 x86_64_start_reservations+0x24/0x30 x86_64_start_kernel+0x95/0xa0 common_startup_64+0x13e/0x141 -> #2 (pmus_lock){+.+.}-{4:4}: __mutex_lock+0x192/0x18c0 perf_event_init_cpu+0xb7/0x7c0 cpuhp_invoke_callback+0x2c0/0x1030 __cpuhp_invoke_callback_range+0xbf/0x1f0 _cpu_up+0x2e7/0x690 cpu_up+0x117/0x170 cpuhp_bringup_mask+0xd5/0x120 bringup_nonboot_cpus+0x13d/0x170 smp_init+0x2b/0xf0 kernel_init_freeable+0x441/0x6d0 kernel_init+0x1e/0x160 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 -> #1 (cpu_hotplug_lock){++++}-{0:0}: cpus_read_lock+0x2a/0xd0 ring_buffer_resize+0x610/0x14e0 __tracing_resize_ring_buffer.part.0+0x42/0x120 tracing_set_tracer+0x7bd/0xa80 tracing_set_trace_write+0x132/0x1e0 vfs_write+0x21c/0xe80 ksys_write+0xf9/0x1c0 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (&buffer->mutex){+.+.}-{4:4}: __lock_acquire+0x1405/0x2210 lock_acquire+0x174/0x310 __mutex_lock+0x192/0x18c0 ring_buffer_map+0x11c/0xe70 tracing_buffers_mmap+0x1c4/0x3b0 __mmap_region+0xd8d/0x1f70 do_mmap+0x9d7/0x1010 vm_mmap_pgoff+0x20b/0x390 ksys_mmap_pgoff+0x2e9/0x440 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e other info that might help us debug this: Chain exists of: &buffer->mutex --> &mm->mmap_lock --> &cpu_buffer->mapping_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&cpu_buffer->mapping_lock); lock(&mm->mmap_lock); lock(&cpu_buffer->mapping_lock); lock(&buffer->mutex); *** DEADLOCK *** 2 locks held by trace-cmd/1113: #0: ffff888106b847e0 (&mm->mmap_lock){++++}-{4:4}, at: vm_mmap_pgoff+0x192/0x390 #1: ffff888100a5f9f8 (&cpu_buffer->mapping_lock){+.+.}-{4:4}, at: ring_buffer_map+0xcf/0xe70 stack backtrace: CPU: 5 UID: 0 PID: 1113 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00002-gfb7d03d8a82f #551 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x6e/0xa0 print_circular_bug.cold+0x178/0x1be check_noncircular+0x146/0x160 __lock_acquire+0x1405/0x2210 lock_acquire+0x174/0x310 ? ring_buffer_map+0x11c/0xe70 ? ring_buffer_map+0x11c/0xe70 ? __mutex_lock+0x169/0x18c0 __mutex_lock+0x192/0x18c0 ? ring_buffer_map+0x11c/0xe70 ? ring_buffer_map+0x11c/0xe70 ? function_trace_call+0x296/0x370 ? __pfx___mutex_lock+0x10/0x10 ? __pfx_function_trace_call+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 ? _raw_spin_unlock+0x2d/0x50 ? ring_buffer_map+0x11c/0xe70 ? ring_buffer_map+0x11c/0xe70 ? __mutex_lock+0x5/0x18c0 ring_buffer_map+0x11c/0xe70 ? do_raw_spin_lock+0x12d/0x270 ? find_held_lock+0x2b/0x80 ? _raw_spin_unlock+0x2d/0x50 ? rcu_is_watching+0x15/0xb0 ? _raw_spin_unlock+0x2d/0x50 ? trace_preempt_on+0xd0/0x110 tracing_buffers_mmap+0x1c4/0x3b0 __mmap_region+0xd8d/0x1f70 ? ring_buffer_lock_reserve+0x99/0xff0 ? __pfx___mmap_region+0x10/0x10 ? ring_buffer_lock_reserve+0x99/0xff0 ? __pfx_ring_buffer_lock_reserve+0x10/0x10 ? __pfx_ring_buffer_lock_reserve+0x10/0x10 ? bpf_lsm_mmap_addr+0x4/0x10 ? security_mmap_addr+0x46/0xd0 ? lock_is_held_type+0xd9/0x130 do_mmap+0x9d7/0x1010 ? 0xffffffffc0370095 ? __pfx_do_mmap+0x10/0x10 vm_mmap_pgoff+0x20b/0x390 ? __pfx_vm_mmap_pgoff+0x10/0x10 ? 0xffffffffc0370095 ksys_mmap_pgoff+0x2e9/0x440 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fb0963a7de2 Code: 00 00 00 0f 1f 44 00 00 41 f7 c1 ff 0f 00 00 75 27 55 89 cd 53 48 89 fb 48 85 ff 74 3b 41 89 ea 48 89 df b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 5b 5d c3 0f 1f 00 48 8b 05 e1 9f 0d 00 64 RSP: 002b:00007ffdcc8fb878 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb0963a7de2 RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000 RBP: 0000000000000001 R08: 0000000000000006 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffdcc8fbe68 R14: 00007fb096628000 R15: 00005633e01a5c90 </TASK> The issue is that cpus_read_lock() is taken within buffer->mutex. The memory mapped pages are taken with the mmap_lock held. The buffer->mutex is taken within the cpu_buffer->mapping_lock. There's quite a chain with all these locks, where the deadlock can be fixed by moving the cpus_read_lock() outside the taking of the buffer->mutex. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Vincent Donnefort <vdonnefort(a)google.com> Link: https://lore.kernel.org/20250527105820.0f45d045@gandalf.local.home Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index 3f9bf562beea..ca1a8e706004 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -2849,6 +2849,12 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, if (nr_pages < 2) nr_pages = 2; + /* + * Keep CPUs from coming online while resizing to synchronize + * with new per CPU buffers being created. + */ + guard(cpus_read_lock)(); + /* prevent another thread from changing buffer sizes */ mutex_lock(&buffer->mutex); atomic_inc(&buffer->resizing); @@ -2893,7 +2899,6 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, cond_resched(); } - cpus_read_lock(); /* * Fire off all the required work handlers * We can't schedule on offline CPUs, but it's not necessary @@ -2933,7 +2938,6 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, cpu_buffer->nr_pages_to_update = 0; } - cpus_read_unlock(); } else { cpu_buffer = buffer->buffers[cpu_id]; @@ -2961,8 +2965,6 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, goto out_err; } - cpus_read_lock(); - /* Can't run something on an offline CPU. */ if (!cpu_online(cpu_id)) rb_update_pages(cpu_buffer); @@ -2981,7 +2983,6 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, } cpu_buffer->nr_pages_to_update = 0; - cpus_read_unlock(); } out: -- 2.47.2

5 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.4] fs/filesystems: Fix potential unsigned integer underflow in fs_name()

by Sasha Levin

From: Zijun Hu <quic_zijuhu(a)quicinc.com> [ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ] fs_name() has @index as unsigned int, so there is underflow risk for operation '@index--'. Fix by breaking the for loop when '@index == 0' which is also more proper than '@index <= 0' for unsigned integer comparison. Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **The Bug:** The `fs_name()` function at `fs/filesystems.c:156-174` has a critical unsigned integer underflow vulnerability. When the function receives `index=0` as a parameter, the loop `for (tmp = file_systems; tmp; tmp = tmp->next, index--)` decrements `index` from 0 to `UINT_MAX` (4294967295 on 32-bit systems), causing the condition `if (index <= 0 && try_module_get(tmp->owner))` to evaluate incorrectly. **The Fix:** The commit changes the logic from: - Old: `if (index <= 0 && try_module_get(tmp->owner))` - New: `if (index == 0) { if (try_module_get(tmp->owner)) res = 0; break; }` This prevents the unsigned integer from wrapping around and provides proper bounds checking. **Impact and Severity:** 1. **User-accessible vulnerability**: The `fs_name()` function is called through the `sysfs` system call (syscall #139) with option 2, making it directly accessible to userspace applications. 2. **Potential for exploitation**: An attacker could call `sysfs(2, 0, buffer)` to trigger the underflow, potentially causing: - Infinite loops in the filesystem list traversal - Unintended module reference acquisition - System instability or denial of service 3. **Core filesystem subsystem**: This affects the fundamental filesystem registration mechanism in the kernel. **Comparison with Similar Commits:** This follows the same pattern as the **accepted backport examples**: - **Similar to Commit #1 (ntfs3)**: Both fix integer overflow/underflow issues that could cause system instability - **Similar to Commit #3 (f2fs)**: Both prevent integer arithmetic issues in filesystem code - **Similar to Commit #5 (f2fs)**: Both add bounds checking to prevent corruption **Stable Tree Criteria:** ✅ **Fixes important bug**: Prevents potential system instability and undefined behavior ✅ **Small and contained**: Minimal code change, only affects one function ✅ **Clear side effects**: No architectural changes, just safer bounds checking ✅ **Low regression risk**: The fix makes the function more robust without changing expected behavior ✅ **Critical subsystem**: Filesystem management is fundamental to kernel operation **Conclusion:** This is a textbook example of a commit suitable for stable backporting: it fixes a clear bug with security implications in core kernel infrastructure, uses a minimal and safe approach, and has no risk of introducing regressions. The unsigned integer underflow could lead to system instability when triggered through the accessible `sysfs` syscall. fs/filesystems.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/fs/filesystems.c b/fs/filesystems.c index 5e1a190133738..148073e372acd 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -155,15 +155,19 @@ static int fs_index(const char __user * __name) static int fs_name(unsigned int index, char __user * buf) { struct file_system_type * tmp; - int len, res; + int len, res = -EINVAL; read_lock(&file_systems_lock); - for (tmp = file_systems; tmp; tmp = tmp->next, index--) - if (index <= 0 && try_module_get(tmp->owner)) + for (tmp = file_systems; tmp; tmp = tmp->next, index--) { + if (index == 0) { + if (try_module_get(tmp->owner)) + res = 0; break; + } + } read_unlock(&file_systems_lock); - if (!tmp) - return -EINVAL; + if (res) + return res; /* OK, we got the reference, so we can safely block */ len = strlen(tmp->name) + 1; -- 2.39.5

5 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.10] fs/filesystems: Fix potential unsigned integer underflow in fs_name()

by Sasha Levin

From: Zijun Hu <quic_zijuhu(a)quicinc.com> [ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ] fs_name() has @index as unsigned int, so there is underflow risk for operation '@index--'. Fix by breaking the for loop when '@index == 0' which is also more proper than '@index <= 0' for unsigned integer comparison. Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **The Bug:** The `fs_name()` function at `fs/filesystems.c:156-174` has a critical unsigned integer underflow vulnerability. When the function receives `index=0` as a parameter, the loop `for (tmp = file_systems; tmp; tmp = tmp->next, index--)` decrements `index` from 0 to `UINT_MAX` (4294967295 on 32-bit systems), causing the condition `if (index <= 0 && try_module_get(tmp->owner))` to evaluate incorrectly. **The Fix:** The commit changes the logic from: - Old: `if (index <= 0 && try_module_get(tmp->owner))` - New: `if (index == 0) { if (try_module_get(tmp->owner)) res = 0; break; }` This prevents the unsigned integer from wrapping around and provides proper bounds checking. **Impact and Severity:** 1. **User-accessible vulnerability**: The `fs_name()` function is called through the `sysfs` system call (syscall #139) with option 2, making it directly accessible to userspace applications. 2. **Potential for exploitation**: An attacker could call `sysfs(2, 0, buffer)` to trigger the underflow, potentially causing: - Infinite loops in the filesystem list traversal - Unintended module reference acquisition - System instability or denial of service 3. **Core filesystem subsystem**: This affects the fundamental filesystem registration mechanism in the kernel. **Comparison with Similar Commits:** This follows the same pattern as the **accepted backport examples**: - **Similar to Commit #1 (ntfs3)**: Both fix integer overflow/underflow issues that could cause system instability - **Similar to Commit #3 (f2fs)**: Both prevent integer arithmetic issues in filesystem code - **Similar to Commit #5 (f2fs)**: Both add bounds checking to prevent corruption **Stable Tree Criteria:** ✅ **Fixes important bug**: Prevents potential system instability and undefined behavior ✅ **Small and contained**: Minimal code change, only affects one function ✅ **Clear side effects**: No architectural changes, just safer bounds checking ✅ **Low regression risk**: The fix makes the function more robust without changing expected behavior ✅ **Critical subsystem**: Filesystem management is fundamental to kernel operation **Conclusion:** This is a textbook example of a commit suitable for stable backporting: it fixes a clear bug with security implications in core kernel infrastructure, uses a minimal and safe approach, and has no risk of introducing regressions. The unsigned integer underflow could lead to system instability when triggered through the accessible `sysfs` syscall. fs/filesystems.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/fs/filesystems.c b/fs/filesystems.c index 90b8d879fbaf3..1ab8eb5edf28e 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -156,15 +156,19 @@ static int fs_index(const char __user * __name) static int fs_name(unsigned int index, char __user * buf) { struct file_system_type * tmp; - int len, res; + int len, res = -EINVAL; read_lock(&file_systems_lock); - for (tmp = file_systems; tmp; tmp = tmp->next, index--) - if (index <= 0 && try_module_get(tmp->owner)) + for (tmp = file_systems; tmp; tmp = tmp->next, index--) { + if (index == 0) { + if (try_module_get(tmp->owner)) + res = 0; break; + } + } read_unlock(&file_systems_lock); - if (!tmp) - return -EINVAL; + if (res) + return res; /* OK, we got the reference, so we can safely block */ len = strlen(tmp->name) + 1; -- 2.39.5

5 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.15 1/3] fs/filesystems: Fix potential unsigned integer underflow in fs_name()

by Sasha Levin

From: Zijun Hu <quic_zijuhu(a)quicinc.com> [ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ] fs_name() has @index as unsigned int, so there is underflow risk for operation '@index--'. Fix by breaking the for loop when '@index == 0' which is also more proper than '@index <= 0' for unsigned integer comparison. Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **The Bug:** The `fs_name()` function at `fs/filesystems.c:156-174` has a critical unsigned integer underflow vulnerability. When the function receives `index=0` as a parameter, the loop `for (tmp = file_systems; tmp; tmp = tmp->next, index--)` decrements `index` from 0 to `UINT_MAX` (4294967295 on 32-bit systems), causing the condition `if (index <= 0 && try_module_get(tmp->owner))` to evaluate incorrectly. **The Fix:** The commit changes the logic from: - Old: `if (index <= 0 && try_module_get(tmp->owner))` - New: `if (index == 0) { if (try_module_get(tmp->owner)) res = 0; break; }` This prevents the unsigned integer from wrapping around and provides proper bounds checking. **Impact and Severity:** 1. **User-accessible vulnerability**: The `fs_name()` function is called through the `sysfs` system call (syscall #139) with option 2, making it directly accessible to userspace applications. 2. **Potential for exploitation**: An attacker could call `sysfs(2, 0, buffer)` to trigger the underflow, potentially causing: - Infinite loops in the filesystem list traversal - Unintended module reference acquisition - System instability or denial of service 3. **Core filesystem subsystem**: This affects the fundamental filesystem registration mechanism in the kernel. **Comparison with Similar Commits:** This follows the same pattern as the **accepted backport examples**: - **Similar to Commit #1 (ntfs3)**: Both fix integer overflow/underflow issues that could cause system instability - **Similar to Commit #3 (f2fs)**: Both prevent integer arithmetic issues in filesystem code - **Similar to Commit #5 (f2fs)**: Both add bounds checking to prevent corruption **Stable Tree Criteria:** ✅ **Fixes important bug**: Prevents potential system instability and undefined behavior ✅ **Small and contained**: Minimal code change, only affects one function ✅ **Clear side effects**: No architectural changes, just safer bounds checking ✅ **Low regression risk**: The fix makes the function more robust without changing expected behavior ✅ **Critical subsystem**: Filesystem management is fundamental to kernel operation **Conclusion:** This is a textbook example of a commit suitable for stable backporting: it fixes a clear bug with security implications in core kernel infrastructure, uses a minimal and safe approach, and has no risk of introducing regressions. The unsigned integer underflow could lead to system instability when triggered through the accessible `sysfs` syscall. fs/filesystems.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/fs/filesystems.c b/fs/filesystems.c index 58b9067b2391c..95e5256821a53 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -156,15 +156,19 @@ static int fs_index(const char __user * __name) static int fs_name(unsigned int index, char __user * buf) { struct file_system_type * tmp; - int len, res; + int len, res = -EINVAL; read_lock(&file_systems_lock); - for (tmp = file_systems; tmp; tmp = tmp->next, index--) - if (index <= 0 && try_module_get(tmp->owner)) + for (tmp = file_systems; tmp; tmp = tmp->next, index--) { + if (index == 0) { + if (try_module_get(tmp->owner)) + res = 0; break; + } + } read_unlock(&file_systems_lock); - if (!tmp) - return -EINVAL; + if (res) + return res; /* OK, we got the reference, so we can safely block */ len = strlen(tmp->name) + 1; -- 2.39.5

5 months, 3 weeks

1
2
0 0

[PATCH AUTOSEL 6.1 1/3] fs/filesystems: Fix potential unsigned integer underflow in fs_name()

by Sasha Levin

From: Zijun Hu <quic_zijuhu(a)quicinc.com> [ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ] fs_name() has @index as unsigned int, so there is underflow risk for operation '@index--'. Fix by breaking the for loop when '@index == 0' which is also more proper than '@index <= 0' for unsigned integer comparison. Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **The Bug:** The `fs_name()` function at `fs/filesystems.c:156-174` has a critical unsigned integer underflow vulnerability. When the function receives `index=0` as a parameter, the loop `for (tmp = file_systems; tmp; tmp = tmp->next, index--)` decrements `index` from 0 to `UINT_MAX` (4294967295 on 32-bit systems), causing the condition `if (index <= 0 && try_module_get(tmp->owner))` to evaluate incorrectly. **The Fix:** The commit changes the logic from: - Old: `if (index <= 0 && try_module_get(tmp->owner))` - New: `if (index == 0) { if (try_module_get(tmp->owner)) res = 0; break; }` This prevents the unsigned integer from wrapping around and provides proper bounds checking. **Impact and Severity:** 1. **User-accessible vulnerability**: The `fs_name()` function is called through the `sysfs` system call (syscall #139) with option 2, making it directly accessible to userspace applications. 2. **Potential for exploitation**: An attacker could call `sysfs(2, 0, buffer)` to trigger the underflow, potentially causing: - Infinite loops in the filesystem list traversal - Unintended module reference acquisition - System instability or denial of service 3. **Core filesystem subsystem**: This affects the fundamental filesystem registration mechanism in the kernel. **Comparison with Similar Commits:** This follows the same pattern as the **accepted backport examples**: - **Similar to Commit #1 (ntfs3)**: Both fix integer overflow/underflow issues that could cause system instability - **Similar to Commit #3 (f2fs)**: Both prevent integer arithmetic issues in filesystem code - **Similar to Commit #5 (f2fs)**: Both add bounds checking to prevent corruption **Stable Tree Criteria:** ✅ **Fixes important bug**: Prevents potential system instability and undefined behavior ✅ **Small and contained**: Minimal code change, only affects one function ✅ **Clear side effects**: No architectural changes, just safer bounds checking ✅ **Low regression risk**: The fix makes the function more robust without changing expected behavior ✅ **Critical subsystem**: Filesystem management is fundamental to kernel operation **Conclusion:** This is a textbook example of a commit suitable for stable backporting: it fixes a clear bug with security implications in core kernel infrastructure, uses a minimal and safe approach, and has no risk of introducing regressions. The unsigned integer underflow could lead to system instability when triggered through the accessible `sysfs` syscall. fs/filesystems.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/fs/filesystems.c b/fs/filesystems.c index 58b9067b2391c..95e5256821a53 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -156,15 +156,19 @@ static int fs_index(const char __user * __name) static int fs_name(unsigned int index, char __user * buf) { struct file_system_type * tmp; - int len, res; + int len, res = -EINVAL; read_lock(&file_systems_lock); - for (tmp = file_systems; tmp; tmp = tmp->next, index--) - if (index <= 0 && try_module_get(tmp->owner)) + for (tmp = file_systems; tmp; tmp = tmp->next, index--) { + if (index == 0) { + if (try_module_get(tmp->owner)) + res = 0; break; + } + } read_unlock(&file_systems_lock); - if (!tmp) - return -EINVAL; + if (res) + return res; /* OK, we got the reference, so we can safely block */ len = strlen(tmp->name) + 1; -- 2.39.5

5 months, 3 weeks

1
2
0 0

[PATCH AUTOSEL 6.6 1/3] fs/filesystems: Fix potential unsigned integer underflow in fs_name()

by Sasha Levin

From: Zijun Hu <quic_zijuhu(a)quicinc.com> [ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ] fs_name() has @index as unsigned int, so there is underflow risk for operation '@index--'. Fix by breaking the for loop when '@index == 0' which is also more proper than '@index <= 0' for unsigned integer comparison. Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **The Bug:** The `fs_name()` function at `fs/filesystems.c:156-174` has a critical unsigned integer underflow vulnerability. When the function receives `index=0` as a parameter, the loop `for (tmp = file_systems; tmp; tmp = tmp->next, index--)` decrements `index` from 0 to `UINT_MAX` (4294967295 on 32-bit systems), causing the condition `if (index <= 0 && try_module_get(tmp->owner))` to evaluate incorrectly. **The Fix:** The commit changes the logic from: - Old: `if (index <= 0 && try_module_get(tmp->owner))` - New: `if (index == 0) { if (try_module_get(tmp->owner)) res = 0; break; }` This prevents the unsigned integer from wrapping around and provides proper bounds checking. **Impact and Severity:** 1. **User-accessible vulnerability**: The `fs_name()` function is called through the `sysfs` system call (syscall #139) with option 2, making it directly accessible to userspace applications. 2. **Potential for exploitation**: An attacker could call `sysfs(2, 0, buffer)` to trigger the underflow, potentially causing: - Infinite loops in the filesystem list traversal - Unintended module reference acquisition - System instability or denial of service 3. **Core filesystem subsystem**: This affects the fundamental filesystem registration mechanism in the kernel. **Comparison with Similar Commits:** This follows the same pattern as the **accepted backport examples**: - **Similar to Commit #1 (ntfs3)**: Both fix integer overflow/underflow issues that could cause system instability - **Similar to Commit #3 (f2fs)**: Both prevent integer arithmetic issues in filesystem code - **Similar to Commit #5 (f2fs)**: Both add bounds checking to prevent corruption **Stable Tree Criteria:** ✅ **Fixes important bug**: Prevents potential system instability and undefined behavior ✅ **Small and contained**: Minimal code change, only affects one function ✅ **Clear side effects**: No architectural changes, just safer bounds checking ✅ **Low regression risk**: The fix makes the function more robust without changing expected behavior ✅ **Critical subsystem**: Filesystem management is fundamental to kernel operation **Conclusion:** This is a textbook example of a commit suitable for stable backporting: it fixes a clear bug with security implications in core kernel infrastructure, uses a minimal and safe approach, and has no risk of introducing regressions. The unsigned integer underflow could lead to system instability when triggered through the accessible `sysfs` syscall. fs/filesystems.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/fs/filesystems.c b/fs/filesystems.c index 58b9067b2391c..95e5256821a53 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -156,15 +156,19 @@ static int fs_index(const char __user * __name) static int fs_name(unsigned int index, char __user * buf) { struct file_system_type * tmp; - int len, res; + int len, res = -EINVAL; read_lock(&file_systems_lock); - for (tmp = file_systems; tmp; tmp = tmp->next, index--) - if (index <= 0 && try_module_get(tmp->owner)) + for (tmp = file_systems; tmp; tmp = tmp->next, index--) { + if (index == 0) { + if (try_module_get(tmp->owner)) + res = 0; break; + } + } read_unlock(&file_systems_lock); - if (!tmp) - return -EINVAL; + if (res) + return res; /* OK, we got the reference, so we can safely block */ len = strlen(tmp->name) + 1; -- 2.39.5

5 months, 3 weeks

1
2
0 0

[PATCH AUTOSEL 6.12 1/7] btrfs: exit after state insertion failure at btrfs_convert_extent_bit()

by Sasha Levin

From: Filipe Manana <fdmanana(a)suse.com> [ Upstream commit 3bf179e36da917c5d9bec71c714573ed1649b7c1 ] If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access. So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled. Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **1. Bug Description and Impact:** The commit fixes a serious potential memory corruption bug in the btrfs filesystem. When `insert_state()` fails in `btrfs_convert_extent_bit()`, it returns an error pointer (ERR_PTR). The current code calls `extent_io_tree_panic()` which triggers `BUG()`, but if `CONFIG_BUG` is disabled, the code continues executing and calls `cache_state(inserted_state, cached_state)` with the error pointer, causing invalid memory access. **2. Code Changes Analysis:** The fix is minimal and surgical - just adding a single `goto out;` statement after the `extent_io_tree_panic()` call: ```c if (IS_ERR(inserted_state)) { ret = PTR_ERR(inserted_state); extent_io_tree_panic(tree, prealloc, "insert", ret); + goto out; // <-- The fix } ``` This ensures that when `CONFIG_BUG` is disabled, execution jumps to the cleanup code instead of continuing with an invalid pointer. **3. Comparison with Similar Commits:** This commit aligns with the pattern seen in "Similar Commit #2" (Status: YES), which also: - Removes reliance on `BUG_ON()` behavior - Provides graceful error handling - Has minimal risk - Fixes a potential crash/corruption scenario Similar to commit #3 and #5 (both Status: NO), this touches BUG() handling, but unlike those commits which make broader architectural changes to error handling patterns, this fix is much more contained. **4. Stable Tree Criteria Assessment:** ✅ **Fixes important bug**: Prevents potential memory corruption/crashes ✅ **Small and contained**: Single line addition ✅ **Minimal risk**: Only affects error path when insert_state() fails AND CONFIG_BUG is disabled ✅ **No new features**: Pure bug fix ✅ **No architectural changes**: Preserves existing error handling, just prevents fallthrough ✅ **Critical subsystem**: btrfs filesystem corruption prevention ✅ **Clear side effects**: No unintended consequences beyond fixing the bug **5. Risk Assessment:** - **Very Low Risk**: The change only affects an error condition that's already problematic - **Exotic scenario**: Only impacts systems with `CONFIG_BUG` disabled (uncommon but not impossible) - **No regression potential**: The change only prevents executing invalid code, doesn't change normal operation - **Well-contained**: Affects only one function in one file **6. Security Implications:** While `CONFIG_BUG` disabled is uncommon, this could potentially be exploited if an attacker can trigger the `insert_state()` failure condition, leading to memory corruption. The fix prevents this attack vector. This is a clear candidate for stable backporting - it fixes a real bug with minimal risk and follows the stable tree rules perfectly. fs/btrfs/extent-io-tree.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/extent-io-tree.c b/fs/btrfs/extent-io-tree.c index 6d08c100b01de..bb3aaf610652a 100644 --- a/fs/btrfs/extent-io-tree.c +++ b/fs/btrfs/extent-io-tree.c @@ -1456,6 +1456,7 @@ int convert_extent_bit(struct extent_io_tree *tree, u64 start, u64 end, if (IS_ERR(inserted_state)) { ret = PTR_ERR(inserted_state); extent_io_tree_panic(tree, prealloc, "insert", ret); + goto out; } cache_state(inserted_state, cached_state); if (inserted_state == prealloc) -- 2.39.5

5 months, 3 weeks

1
6
0 0

[PATCH AUTOSEL 6.14 1/8] btrfs: exit after state insertion failure at btrfs_convert_extent_bit()

by Sasha Levin

From: Filipe Manana <fdmanana(a)suse.com> [ Upstream commit 3bf179e36da917c5d9bec71c714573ed1649b7c1 ] If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access. So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled. Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **1. Bug Description and Impact:** The commit fixes a serious potential memory corruption bug in the btrfs filesystem. When `insert_state()` fails in `btrfs_convert_extent_bit()`, it returns an error pointer (ERR_PTR). The current code calls `extent_io_tree_panic()` which triggers `BUG()`, but if `CONFIG_BUG` is disabled, the code continues executing and calls `cache_state(inserted_state, cached_state)` with the error pointer, causing invalid memory access. **2. Code Changes Analysis:** The fix is minimal and surgical - just adding a single `goto out;` statement after the `extent_io_tree_panic()` call: ```c if (IS_ERR(inserted_state)) { ret = PTR_ERR(inserted_state); extent_io_tree_panic(tree, prealloc, "insert", ret); + goto out; // <-- The fix } ``` This ensures that when `CONFIG_BUG` is disabled, execution jumps to the cleanup code instead of continuing with an invalid pointer. **3. Comparison with Similar Commits:** This commit aligns with the pattern seen in "Similar Commit #2" (Status: YES), which also: - Removes reliance on `BUG_ON()` behavior - Provides graceful error handling - Has minimal risk - Fixes a potential crash/corruption scenario Similar to commit #3 and #5 (both Status: NO), this touches BUG() handling, but unlike those commits which make broader architectural changes to error handling patterns, this fix is much more contained. **4. Stable Tree Criteria Assessment:** ✅ **Fixes important bug**: Prevents potential memory corruption/crashes ✅ **Small and contained**: Single line addition ✅ **Minimal risk**: Only affects error path when insert_state() fails AND CONFIG_BUG is disabled ✅ **No new features**: Pure bug fix ✅ **No architectural changes**: Preserves existing error handling, just prevents fallthrough ✅ **Critical subsystem**: btrfs filesystem corruption prevention ✅ **Clear side effects**: No unintended consequences beyond fixing the bug **5. Risk Assessment:** - **Very Low Risk**: The change only affects an error condition that's already problematic - **Exotic scenario**: Only impacts systems with `CONFIG_BUG` disabled (uncommon but not impossible) - **No regression potential**: The change only prevents executing invalid code, doesn't change normal operation - **Well-contained**: Affects only one function in one file **6. Security Implications:** While `CONFIG_BUG` disabled is uncommon, this could potentially be exploited if an attacker can trigger the `insert_state()` failure condition, leading to memory corruption. The fix prevents this attack vector. This is a clear candidate for stable backporting - it fixes a real bug with minimal risk and follows the stable tree rules perfectly. fs/btrfs/extent-io-tree.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/extent-io-tree.c b/fs/btrfs/extent-io-tree.c index 6d08c100b01de..bb3aaf610652a 100644 --- a/fs/btrfs/extent-io-tree.c +++ b/fs/btrfs/extent-io-tree.c @@ -1456,6 +1456,7 @@ int convert_extent_bit(struct extent_io_tree *tree, u64 start, u64 end, if (IS_ERR(inserted_state)) { ret = PTR_ERR(inserted_state); extent_io_tree_panic(tree, prealloc, "insert", ret); + goto out; } cache_state(inserted_state, cached_state); if (inserted_state == prealloc) -- 2.39.5

5 months, 3 weeks

1
7
0 0

[PATCH AUTOSEL 6.15 1/9] btrfs: exit after state insertion failure at btrfs_convert_extent_bit()

by Sasha Levin

From: Filipe Manana <fdmanana(a)suse.com> [ Upstream commit 3bf179e36da917c5d9bec71c714573ed1649b7c1 ] If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access. So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled. Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. **Detailed Analysis:** **1. Bug Description and Impact:** The commit fixes a serious potential memory corruption bug in the btrfs filesystem. When `insert_state()` fails in `btrfs_convert_extent_bit()`, it returns an error pointer (ERR_PTR). The current code calls `extent_io_tree_panic()` which triggers `BUG()`, but if `CONFIG_BUG` is disabled, the code continues executing and calls `cache_state(inserted_state, cached_state)` with the error pointer, causing invalid memory access. **2. Code Changes Analysis:** The fix is minimal and surgical - just adding a single `goto out;` statement after the `extent_io_tree_panic()` call: ```c if (IS_ERR(inserted_state)) { ret = PTR_ERR(inserted_state); extent_io_tree_panic(tree, prealloc, "insert", ret); + goto out; // <-- The fix } ``` This ensures that when `CONFIG_BUG` is disabled, execution jumps to the cleanup code instead of continuing with an invalid pointer. **3. Comparison with Similar Commits:** This commit aligns with the pattern seen in "Similar Commit #2" (Status: YES), which also: - Removes reliance on `BUG_ON()` behavior - Provides graceful error handling - Has minimal risk - Fixes a potential crash/corruption scenario Similar to commit #3 and #5 (both Status: NO), this touches BUG() handling, but unlike those commits which make broader architectural changes to error handling patterns, this fix is much more contained. **4. Stable Tree Criteria Assessment:** ✅ **Fixes important bug**: Prevents potential memory corruption/crashes ✅ **Small and contained**: Single line addition ✅ **Minimal risk**: Only affects error path when insert_state() fails AND CONFIG_BUG is disabled ✅ **No new features**: Pure bug fix ✅ **No architectural changes**: Preserves existing error handling, just prevents fallthrough ✅ **Critical subsystem**: btrfs filesystem corruption prevention ✅ **Clear side effects**: No unintended consequences beyond fixing the bug **5. Risk Assessment:** - **Very Low Risk**: The change only affects an error condition that's already problematic - **Exotic scenario**: Only impacts systems with `CONFIG_BUG` disabled (uncommon but not impossible) - **No regression potential**: The change only prevents executing invalid code, doesn't change normal operation - **Well-contained**: Affects only one function in one file **6. Security Implications:** While `CONFIG_BUG` disabled is uncommon, this could potentially be exploited if an attacker can trigger the `insert_state()` failure condition, leading to memory corruption. The fix prevents this attack vector. This is a clear candidate for stable backporting - it fixes a real bug with minimal risk and follows the stable tree rules perfectly. fs/btrfs/extent-io-tree.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/extent-io-tree.c b/fs/btrfs/extent-io-tree.c index 13de6af279e52..92cfde37b1d33 100644 --- a/fs/btrfs/extent-io-tree.c +++ b/fs/btrfs/extent-io-tree.c @@ -1456,6 +1456,7 @@ int convert_extent_bit(struct extent_io_tree *tree, u64 start, u64 end, if (IS_ERR(inserted_state)) { ret = PTR_ERR(inserted_state); extent_io_tree_panic(tree, prealloc, "insert", ret); + goto out; } cache_state(inserted_state, cached_state); if (inserted_state == prealloc) -- 2.39.5

5 months, 3 weeks

1
8
0 0

[PATCH v3] mm/hugetlb: fix a deadlock with pagecache_folio and hugetlb_fault_mutex_table

by Gavin Guo

There is ABBA dead locking scenario happening between hugetlb_fault() and hugetlb_wp() on the pagecache folio's lock and hugetlb global mutex, which is reproducible with syzkaller [1]. As below stack traces reveal, process-1 tries to take the hugetlb global mutex (A3), but with the pagecache folio's lock hold. Process-2 took the hugetlb global mutex but tries to take the pagecache folio's lock. Process-1 Process-2 ========= ========= hugetlb_fault mutex_lock (A1) filemap_lock_hugetlb_folio (B1) hugetlb_wp alloc_hugetlb_folio #error mutex_unlock (A2) hugetlb_fault mutex_lock (A4) filemap_lock_hugetlb_folio (B4) unmap_ref_private mutex_lock (A3) Fix it by releasing the pagecache folio's lock at (A2) of process-1 so that pagecache folio's lock is available to process-2 at (B4), to avoid the deadlock. In process-1, a new variable is added to track if the pagecache folio's lock has been released by its child function hugetlb_wp() to avoid double releases on the lock in hugetlb_fault(). The similar changes are applied to hugetlb_no_page(). Link: https://drive.google.com/file/d/1DVRnIW-vSayU5J1re9Ct_br3jJQU6Vpb/view?usp=… [1] Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization") Cc: <stable(a)vger.kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Florent Revest <revest(a)google.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> --- V1 -> V2 Suggested-by Oscar Salvador: - Use folio_test_locked to replace the unnecessary parameter passing. V2 -> V3 - Dropped the approach suggested by Oscar. - Refine the code and git commit suggested by Gavin Shan. mm/hugetlb.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 6a3cf7935c14..560b9b35262a 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -6137,7 +6137,8 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, * Keep the pte_same checks anyway to make transition from the mutex easier. */ static vm_fault_t hugetlb_wp(struct folio *pagecache_folio, - struct vm_fault *vmf) + struct vm_fault *vmf, + bool *pagecache_folio_locked) { struct vm_area_struct *vma = vmf->vma; struct mm_struct *mm = vma->vm_mm; @@ -6234,6 +6235,18 @@ static vm_fault_t hugetlb_wp(struct folio *pagecache_folio, u32 hash; folio_put(old_folio); + /* + * The pagecache_folio has to be unlocked to avoid + * deadlock and we won't re-lock it in hugetlb_wp(). The + * pagecache_folio could be truncated after being + * unlocked. So its state should not be reliable + * subsequently. + */ + if (pagecache_folio) { + folio_unlock(pagecache_folio); + if (pagecache_folio_locked) + *pagecache_folio_locked = false; + } /* * Drop hugetlb_fault_mutex and vma_lock before * unmapping. unmapping needs to hold vma_lock @@ -6588,7 +6601,7 @@ static vm_fault_t hugetlb_no_page(struct address_space *mapping, hugetlb_count_add(pages_per_huge_page(h), mm); if ((vmf->flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ - ret = hugetlb_wp(folio, vmf); + ret = hugetlb_wp(folio, vmf, NULL); } spin_unlock(vmf->ptl); @@ -6660,6 +6673,7 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, struct hstate *h = hstate_vma(vma); struct address_space *mapping; int need_wait_lock = 0; + bool pagecache_folio_locked = true; struct vm_fault vmf = { .vma = vma, .address = address & huge_page_mask(h), @@ -6814,7 +6828,8 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (flags & (FAULT_FLAG_WRITE|FAULT_FLAG_UNSHARE)) { if (!huge_pte_write(vmf.orig_pte)) { - ret = hugetlb_wp(pagecache_folio, &vmf); + ret = hugetlb_wp(pagecache_folio, &vmf, + &pagecache_folio_locked); goto out_put_page; } else if (likely(flags & FAULT_FLAG_WRITE)) { vmf.orig_pte = huge_pte_mkdirty(vmf.orig_pte); @@ -6832,7 +6847,9 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, spin_unlock(vmf.ptl); if (pagecache_folio) { - folio_unlock(pagecache_folio); + if (pagecache_folio_locked) + folio_unlock(pagecache_folio); + folio_put(pagecache_folio); } out_mutex: base-commit: 914873bc7df913db988284876c16257e6ab772c6 -- 2.43.0

5 months, 3 weeks

5
10
0 0

[PATCH 2/8] drm/fdinfo: Switch to idr_for_each() in drm_show_memory_stats()

by Simona Vetter

Unlike idr_for_each_entry(), which terminates on the first NULL entry, idr_for_each passes them through. This fixes potential issues with the idr walk terminating prematurely due to transient NULL entries the exist when creating and destroying a handle. Note that transient NULL pointers in drm_file.object_idr have been a thing since f6cd7daecff5 ("drm: Release driver references to handle before making it available again"), this is a really old issue. Aside from temporarily inconsistent fdinfo statistic there's no other impact of this issue. Fixes: 686b21b5f6ca ("drm: Add fdinfo memory stats") Cc: Rob Clark <robdclark(a)chromium.org> Cc: Emil Velikov <emil.l.velikov(a)gmail.com> Cc: Tvrtko Ursulin <tvrtko.ursulin(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.5+ Signed-off-by: Simona Vetter <simona.vetter(a)intel.com> Signed-off-by: Simona Vetter <simona.vetter(a)ffwll.ch> --- drivers/gpu/drm/drm_file.c | 95 ++++++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 40 deletions(-) diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c index 246cf845e2c9..428a4eb85e94 100644 --- a/drivers/gpu/drm/drm_file.c +++ b/drivers/gpu/drm/drm_file.c @@ -892,6 +892,58 @@ void drm_print_memory_stats(struct drm_printer *p, } EXPORT_SYMBOL(drm_print_memory_stats); +struct drm_bo_print_data { + struct drm_memory_stats status; + enum drm_gem_object_status supported_status; +}; + +static int +drm_bo_memory_stats(int id, void *ptr, void *data) +{ + struct drm_bo_print_data *drm_data; + struct drm_gem_object *obj = ptr; + enum drm_gem_object_status s = 0; + size_t add_size; + + if (!obj) + return 0; + + add_size = (obj->funcs && obj->funcs->rss) ? + obj->funcs->rss(obj) : obj->size; + + if (obj->funcs && obj->funcs->status) { + s = obj->funcs->status(obj); + drm_data->supported_status |= s; + } + + if (drm_gem_object_is_shared_for_memory_stats(obj)) + drm_data->status.shared += obj->size; + else + drm_data->status.private += obj->size; + + if (s & DRM_GEM_OBJECT_RESIDENT) { + drm_data->status.resident += add_size; + } else { + /* If already purged or not yet backed by pages, don't + * count it as purgeable: + */ + s &= ~DRM_GEM_OBJECT_PURGEABLE; + } + + if (!dma_resv_test_signaled(obj->resv, dma_resv_usage_rw(true))) { + drm_data->status.active += add_size; + drm_data->supported_status |= DRM_GEM_OBJECT_ACTIVE; + + /* If still active, don't count as purgeable: */ + s &= ~DRM_GEM_OBJECT_PURGEABLE; + } + + if (s & DRM_GEM_OBJECT_PURGEABLE) + drm_data->status.purgeable += add_size; + + return 0; +} + /** * drm_show_memory_stats - Helper to collect and show standard fdinfo memory stats * @p: the printer to print output to @@ -902,50 +954,13 @@ EXPORT_SYMBOL(drm_print_memory_stats); */ void drm_show_memory_stats(struct drm_printer *p, struct drm_file *file) { - struct drm_gem_object *obj; - struct drm_memory_stats status = {}; - enum drm_gem_object_status supported_status = 0; - int id; + struct drm_bo_print_data data = {}; spin_lock(&file->table_lock); - idr_for_each_entry (&file->object_idr, obj, id) { - enum drm_gem_object_status s = 0; - size_t add_size = (obj->funcs && obj->funcs->rss) ? - obj->funcs->rss(obj) : obj->size; - - if (obj->funcs && obj->funcs->status) { - s = obj->funcs->status(obj); - supported_status |= s; - } - - if (drm_gem_object_is_shared_for_memory_stats(obj)) - status.shared += obj->size; - else - status.private += obj->size; - - if (s & DRM_GEM_OBJECT_RESIDENT) { - status.resident += add_size; - } else { - /* If already purged or not yet backed by pages, don't - * count it as purgeable: - */ - s &= ~DRM_GEM_OBJECT_PURGEABLE; - } - - if (!dma_resv_test_signaled(obj->resv, dma_resv_usage_rw(true))) { - status.active += add_size; - supported_status |= DRM_GEM_OBJECT_ACTIVE; - - /* If still active, don't count as purgeable: */ - s &= ~DRM_GEM_OBJECT_PURGEABLE; - } - - if (s & DRM_GEM_OBJECT_PURGEABLE) - status.purgeable += add_size; - } + idr_for_each(&file->object_idr, &drm_bo_memory_stats, &data); spin_unlock(&file->table_lock); - drm_print_memory_stats(p, &status, supported_status, "memory"); + drm_print_memory_stats(p, &data.status, data.supported_status, "memory"); } EXPORT_SYMBOL(drm_show_memory_stats); -- 2.49.0

5 months, 3 weeks

2
2
0 0

[PATCH v2] can: kvaser_pciefd: refine error prone echo_skb_max handling logic

by Fedor Pchelkin

echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count), so in some situations a bit more memory would be consumed than could be. Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 8256e0ca6010 ("can: kvaser_pciefd: Fix echo_skb race") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v2: fix the problem by rounding up the KVASER_PCIEFD_CAN_TX_MAX_COUNT constant when allocating candev (Axel Forsman) drivers/net/can/kvaser_pciefd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index f6921368cd14..0071a51ce2c1 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -966,7 +966,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) u32 status, tx_nr_packets_max; netdev = alloc_candev(sizeof(struct kvaser_pciefd_can), - KVASER_PCIEFD_CAN_TX_MAX_COUNT); + roundup_pow_of_two(KVASER_PCIEFD_CAN_TX_MAX_COUNT)); if (!netdev) return -ENOMEM; @@ -995,7 +995,6 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) can->tx_max_count = min(KVASER_PCIEFD_CAN_TX_MAX_COUNT, tx_nr_packets_max - 1); can->can.clock.freq = pcie->freq; - can->can.echo_skb_max = roundup_pow_of_two(can->tx_max_count); spin_lock_init(&can->lock); can->can.bittiming_const = &kvaser_pciefd_bittiming_const; -- 2.49.0

5 months, 3 weeks

1
0
0 0

[PATCH] can: kvaser_pciefd: refine error prone echo_skb_max handling logic

by Fedor Pchelkin

echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Remove echo_skb_max rounding as this may increase it to unexpected values. In this sense restore echo_skb_max handling logic prior to commit 8256e0ca6010 ("can: kvaser_pciefd: Fix echo_skb race"). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 8256e0ca6010 ("can: kvaser_pciefd: Fix echo_skb race") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Actually the trick with rounding up allows to calculate seq numbers efficiently, avoiding a more consuming 'mod' operation used in the current patch. I see tx max size definitely matters only for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max size into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max number), so in some situations a bit more memory would be consumed than could be. So another approach to fix the problem would be to precompute the rounded up value of echo_skb_max and pass it to alloc_candev() making the size of the underlying echo_skb[] sufficient. If that looks more acceptable, I'll be glad to rework the patch in that direction. drivers/net/can/kvaser_pciefd.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index f6921368cd14..1ec4ab9510b6 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -411,7 +411,6 @@ struct kvaser_pciefd_can { void __iomem *reg_base; struct can_berr_counter bec; u8 cmd_seq; - u8 tx_max_count; u8 tx_idx; u8 ack_idx; int err_rep_cnt; @@ -760,7 +759,7 @@ static int kvaser_pciefd_stop(struct net_device *netdev) static unsigned int kvaser_pciefd_tx_avail(const struct kvaser_pciefd_can *can) { - return can->tx_max_count - (READ_ONCE(can->tx_idx) - READ_ONCE(can->ack_idx)); + return can->can.echo_skb_max - (READ_ONCE(can->tx_idx) - READ_ONCE(can->ack_idx)); } static int kvaser_pciefd_prepare_tx_packet(struct kvaser_pciefd_tx_packet *p, @@ -810,7 +809,7 @@ static netdev_tx_t kvaser_pciefd_start_xmit(struct sk_buff *skb, { struct kvaser_pciefd_can *can = netdev_priv(netdev); struct kvaser_pciefd_tx_packet packet; - unsigned int seq = can->tx_idx & (can->can.echo_skb_max - 1); + unsigned int seq = can->tx_idx % can->can.echo_skb_max; unsigned int frame_len; int nr_words; @@ -992,10 +991,9 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie) tx_nr_packets_max = FIELD_GET(KVASER_PCIEFD_KCAN_TX_NR_PACKETS_MAX_MASK, ioread32(can->reg_base + KVASER_PCIEFD_KCAN_TX_NR_PACKETS_REG)); - can->tx_max_count = min(KVASER_PCIEFD_CAN_TX_MAX_COUNT, tx_nr_packets_max - 1); + can->can.echo_skb_max = min(KVASER_PCIEFD_CAN_TX_MAX_COUNT, tx_nr_packets_max - 1); can->can.clock.freq = pcie->freq; - can->can.echo_skb_max = roundup_pow_of_two(can->tx_max_count); spin_lock_init(&can->lock); can->can.bittiming_const = &kvaser_pciefd_bittiming_const; @@ -1523,7 +1521,7 @@ static int kvaser_pciefd_handle_ack_packet(struct kvaser_pciefd *pcie, unsigned int len, frame_len = 0; struct sk_buff *skb; - if (echo_idx != (can->ack_idx & (can->can.echo_skb_max - 1))) + if (echo_idx != can->ack_idx % can->can.echo_skb_max) return 0; skb = can->can.echo_skb[echo_idx]; if (!skb) -- 2.49.0

5 months, 3 weeks

2
2
0 0

[PATCH] accel/ivpu: Fix warning in ivpu_gem_bo_free()

by Jacek Lawrynowicz

Don't WARN if imported buffers are in use in ivpu_gem_bo_free() as they can be indeed used in the original context/driver. Fixes: 647371a6609d ("accel/ivpu: Add GEM buffer object management") Cc: <stable(a)vger.kernel.org> # v6.3 Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_gem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/accel/ivpu/ivpu_gem.c b/drivers/accel/ivpu/ivpu_gem.c index 5908268ca45e9..0371a8b4a474f 100644 --- a/drivers/accel/ivpu/ivpu_gem.c +++ b/drivers/accel/ivpu/ivpu_gem.c @@ -285,7 +285,8 @@ static void ivpu_gem_bo_free(struct drm_gem_object *obj) list_del(&bo->bo_list_node); mutex_unlock(&vdev->bo_list_lock); - drm_WARN_ON(&vdev->drm, !dma_resv_test_signaled(obj->resv, DMA_RESV_USAGE_READ)); + drm_WARN_ON(&vdev->drm, !bo->base.base.import_attach && + !dma_resv_test_signaled(obj->resv, DMA_RESV_USAGE_READ)); drm_WARN_ON(&vdev->drm, ivpu_bo_size(bo) == 0); drm_WARN_ON(&vdev->drm, bo->base.vaddr); -- 2.45.1

5 months, 3 weeks

2
2
0 0

[PATCH] e1000e: fix heap overflow in e1000_set_eeprom()

by Mikael Wessel

The ETHTOOL_SETEEPROM ioctl copies user data into a kmalloc'ed buffer without validating eeprom->len and eeprom->offset. A CAP_NET_ADMIN user can overflow the heap and crash the kernel or gain code execution. Validate length and offset before kmalloc() to avoid leaking eeprom_buff. Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") Reported-by: Mikael Wessel <post(a)mikaelkw.online> Signed-off-by: Mikael Wessel <post(a)mikaelkw.online> Cc: stable(a)vger.kernel.org --- drivers/net/ethernet/intel/e1000e/ethtool.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c index 98e541e39730..d04e59528619 100644 --- a/drivers/net/ethernet/intel/e1000e/ethtool.c +++ b/drivers/net/ethernet/intel/e1000e/ethtool.c @@ -561,7 +561,7 @@ static int e1000_set_eeprom(struct net_device *netdev, return -EOPNOTSUPP; if (eeprom->magic != - (adapter->pdev->vendor | (adapter->pdev->device << 16))) + (adapter->pdev->vendor | (adapter->pdev->device << 16))) return -EFAULT; if (adapter->flags & FLAG_READ_ONLY_NVM) @@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_device *netdev, max_len = hw->nvm.word_size * 2; + /* bounds check: offset + len must not exceed EEPROM size */ + if (eeprom->offset + eeprom->len > max_len) + return -EINVAL; + first_word = eeprom->offset >> 1; last_word = (eeprom->offset + eeprom->len - 1) >> 1; eeprom_buff = kmalloc(max_len, GFP_KERNEL); @@ -596,9 +600,6 @@ static int e1000_set_eeprom(struct net_device *netdev, for (i = 0; i < last_word - first_word + 1; i++) le16_to_cpus(&eeprom_buff[i]); - if (eeprom->len > max_len || - eeprom->offset > max_len - eeprom->len) - return -EINVAL; memcpy(ptr, bytes, eeprom->len); for (i = 0; i < last_word - first_word + 1; i++) -- 2.48.1

5 months, 3 weeks

3
2
0 0

[PATCH] wifi: ath12k: fix ring-buffer corruption

by Johan Hovold

Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes breaks and the log fills up with errors like: ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492 ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484 which based on a quick look at the ath11k driver seemed to indicate some kind of ring-buffer corruption. Miaoqing Pan tracked it down to the host seeing the updated destination ring head pointer before the updated descriptor, and the error handling for that in turn leaves the ring buffer in an inconsistent state. While this has not yet been observed with ath12k, the ring-buffer implementation is very similar to the ath11k one and it suffers from the same bugs. Add the missing memory barrier to make sure that the descriptor is read after the head pointer to address the root cause of the corruption while fixing up the error handling in case there are ever any (ordering) bugs on the device side. Note that the READ_ONCE() are only needed to avoid compiler mischief in case the ring-buffer helpers are ever inlined. Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Cc: stable(a)vger.kernel.org # 6.3 Link: https://bugzilla.kernel.org/show_bug.cgi?id=218623 Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com Cc: Miaoqing Pan <quic_miaoqing(a)quicinc.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/net/wireless/ath/ath12k/ce.c | 11 +++++------ drivers/net/wireless/ath/ath12k/hal.c | 4 ++-- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/ce.c b/drivers/net/wireless/ath/ath12k/ce.c index be0d669d31fc..740586fe49d1 100644 --- a/drivers/net/wireless/ath/ath12k/ce.c +++ b/drivers/net/wireless/ath/ath12k/ce.c @@ -343,11 +343,10 @@ static int ath12k_ce_completed_recv_next(struct ath12k_ce_pipe *pipe, goto err; } + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + *nbytes = ath12k_hal_ce_dst_status_get_length(desc); - if (*nbytes == 0) { - ret = -EIO; - goto err; - } *skb = pipe->dest_ring->skb[sw_index]; pipe->dest_ring->skb[sw_index] = NULL; @@ -380,8 +379,8 @@ static void ath12k_ce_recv_process_cb(struct ath12k_ce_pipe *pipe) dma_unmap_single(ab->dev, ATH12K_SKB_RXCB(skb)->paddr, max_nbytes, DMA_FROM_DEVICE); - if (unlikely(max_nbytes < nbytes)) { - ath12k_warn(ab, "rxed more than expected (nbytes %d, max %d)", + if (unlikely(max_nbytes < nbytes || nbytes == 0)) { + ath12k_warn(ab, "unexpected rx length (nbytes %d, max %d)", nbytes, max_nbytes); dev_kfree_skb_any(skb); continue; diff --git a/drivers/net/wireless/ath/ath12k/hal.c b/drivers/net/wireless/ath/ath12k/hal.c index cd59ff8e6c7b..91d5126ca149 100644 --- a/drivers/net/wireless/ath/ath12k/hal.c +++ b/drivers/net/wireless/ath/ath12k/hal.c @@ -1962,7 +1962,7 @@ u32 ath12k_hal_ce_dst_status_get_length(struct hal_ce_srng_dst_status_desc *desc { u32 len; - len = le32_get_bits(desc->flags, HAL_CE_DST_STATUS_DESC_FLAGS_LEN); + len = le32_get_bits(READ_ONCE(desc->flags), HAL_CE_DST_STATUS_DESC_FLAGS_LEN); desc->flags &= ~cpu_to_le32(HAL_CE_DST_STATUS_DESC_FLAGS_LEN); return len; @@ -2132,7 +2132,7 @@ void ath12k_hal_srng_access_begin(struct ath12k_base *ab, struct hal_srng *srng) srng->u.src_ring.cached_tp = *(volatile u32 *)srng->u.src_ring.tp_addr; else - srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr; + srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); } /* Update cached ring head/tail pointers to HW. ath12k_hal_srng_access_begin() -- 2.48.1

5 months, 3 weeks

5
6
0 0

[PATCH] iommu/arm-smmu-qcom: Add SM6115 MDSS compatible

by Alexey Klimov

Add the SM6115 MDSS compatible to clients compatible list, as it also needs that workaround. Without this workaround, for example, QRB4210 RB2 which is based on SM4250/SM6115 generates a lot of smmu unhandled context faults during boot: arm_smmu_context_fault: 116854 callbacks suppressed arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0ec600, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 arm-smmu c600000.iommu: FSYNR0 = 00320021 [S1CBNDX=50 PNU PLVL=1] arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0d7800, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 and also leads to failed initialisation of lontium lt9611uxc driver and gpu afterwards: ------------[ cut here ]------------ !aspace WARNING: CPU: 6 PID: 324 at drivers/gpu/drm/msm/msm_gem_vma.c:130 msm_gem_vma_init+0x150/0x18c [msm] Modules linked in: ... (long list of modules) CPU: 6 UID: 0 PID: 324 Comm: (udev-worker) Not tainted 6.15.0-03037-gaacc73ceeb8b #4 PREEMPT Hardware name: Qualcomm Technologies, Inc. QRB4210 RB2 (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : msm_gem_vma_init+0x150/0x18c [msm] lr : msm_gem_vma_init+0x150/0x18c [msm] sp : ffff80008144b280 ... Call trace: msm_gem_vma_init+0x150/0x18c [msm] (P) get_vma_locked+0xc0/0x194 [msm] msm_gem_get_and_pin_iova_range+0x4c/0xdc [msm] msm_gem_kernel_new+0x48/0x160 [msm] msm_gpu_init+0x34c/0x53c [msm] adreno_gpu_init+0x1b0/0x2d8 [msm] a6xx_gpu_init+0x1e8/0x9e0 [msm] adreno_bind+0x2b8/0x348 [msm] component_bind_all+0x100/0x230 msm_drm_bind+0x13c/0x3d0 [msm] try_to_bring_up_aggregate_device+0x164/0x1d0 __component_add+0xa4/0x174 component_add+0x14/0x20 dsi_dev_attach+0x20/0x34 [msm] dsi_host_attach+0x58/0x98 [msm] devm_mipi_dsi_attach+0x34/0x90 lt9611uxc_attach_dsi.isra.0+0x94/0x124 [lontium_lt9611uxc] lt9611uxc_probe+0x540/0x5fc [lontium_lt9611uxc] i2c_device_probe+0x148/0x2a8 really_probe+0xbc/0x2c0 __driver_probe_device+0x78/0x120 driver_probe_device+0x3c/0x154 __driver_attach+0x90/0x1a0 bus_for_each_dev+0x68/0xb8 driver_attach+0x24/0x30 bus_add_driver+0xe4/0x208 driver_register+0x68/0x124 i2c_register_driver+0x48/0xcc lt9611uxc_driver_init+0x20/0x1000 [lontium_lt9611uxc] do_one_initcall+0x60/0x1d4 do_init_module+0x54/0x1fc load_module+0x1748/0x1c8c init_module_from_file+0x74/0xa0 __arm64_sys_finit_module+0x130/0x2f8 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x2c/0x80 el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c ---[ end trace 0000000000000000 ]--- msm_dpu 5e01000.display-controller: [drm:msm_gpu_init [msm]] *ERROR* could not allocate memptrs: -22 msm_dpu 5e01000.display-controller: failed to load adreno gpu platform a400000.remoteproc:glink-edge:apr:service@7:dais: Adding to iommu group 19 msm_dpu 5e01000.display-controller: failed to bind 5900000.gpu (ops a3xx_ops [msm]): -22 msm_dpu 5e01000.display-controller: adev bind failed: -22 lt9611uxc 0-002b: failed to attach dsi to host lt9611uxc 0-002b: probe with driver lt9611uxc failed with error -22 Suggested-by: Bjorn Andersson <andersson(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Alexey Klimov <alexey.klimov(a)linaro.org> --- drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c index 59d02687280e..c919babcea75 100644 --- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c @@ -365,6 +365,7 @@ static const struct of_device_id qcom_smmu_client_of_match[] __maybe_unused = { { .compatible = "qcom,sdm670-mdss" }, { .compatible = "qcom,sdm845-mdss" }, { .compatible = "qcom,sdm845-mss-pil" }, + { .compatible = "qcom,sm6115-mdss" }, { .compatible = "qcom,sm6350-mdss" }, { .compatible = "qcom,sm6375-mdss" }, { .compatible = "qcom,sm8150-mdss" }, -- 2.47.2

5 months, 3 weeks

2
2
0 0

[PATCH 2/2] drm/amdgpu: Dirty cleared blocks on allocation

by Natalie Vock

If we hand out cleared blocks to users, they are expected to write at least some non-zero values somewhere. If we keep the CLEAR bit set on the block, amdgpu_fill_buffer will assume there is nothing to do and incorrectly skip clearing the block. Ultimately, the (still dirty) block will be reused as if it were cleared, without any wiping of the memory contents. Most severely, this means that any buffer allocated with AMDGPU_GEM_CREATE_VRAM_CLEARED | AMDGPU_GEM_CREATE_WIPE_ON_RELEASE (which is the case for **all userspace buffers**) are neither guaranteed to contain cleared VRAM, nor are they being wiped on release, potentially leaking application memory to arbitrary other applications. Fixes: a68c7eaa7a8ff ("drm/amdgpu: Enable clear page functionality") Cc: stable(a)vger.kernel.org Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3812 Signed-off-by: Natalie Vock <natalie.vock(a)gmx.de> --- drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c index 2d7f82e98df9..cecc67d0f0b8 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c @@ -591,6 +591,13 @@ static int amdgpu_vram_mgr_new(struct ttm_resource_manager *man, list_for_each_entry(block, &vres->blocks, link) { unsigned long start; + /* + * Allocated blocks may be dirtied as soon as we return. + * Mark all blocks as dirty here, otherwise we might + * incorrectly assume the memory is still zeroed. + */ + drm_buddy_block_set_dirty(block); + start = amdgpu_vram_mgr_block_start(block) + amdgpu_vram_mgr_block_size(block); start >>= PAGE_SHIFT; -- 2.49.0

5 months, 3 weeks

4
6
0 0

FAILED: patch "[PATCH] can: kvaser_pciefd: Force IRQ edge in case of nested IRQ" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9176bd205ee0b2cd35073a9973c2a0936bcb579e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052430-customary-paramount-b71a@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9176bd205ee0b2cd35073a9973c2a0936bcb579e Mon Sep 17 00:00:00 2001 From: Axel Forsman <axfo(a)kvaser.com> Date: Tue, 20 May 2025 13:43:30 +0200 Subject: [PATCH] can: kvaser_pciefd: Force IRQ edge in case of nested IRQ Avoid the driver missing IRQs by temporarily masking IRQs in the ISR to enforce an edge even if a different IRQ is signalled before handled IRQs are cleared. Fixes: 48f827d4f48f ("can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR") Cc: stable(a)vger.kernel.org Signed-off-by: Axel Forsman <axfo(a)kvaser.com> Tested-by: Jimmy Assarsson <extja(a)kvaser.com> Reviewed-by: Jimmy Assarsson <extja(a)kvaser.com> Link: https://patch.msgid.link/20250520114332.8961-2-axfo@kvaser.com Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index cf0d51805272..9cc9176c2058 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -1646,24 +1646,28 @@ static int kvaser_pciefd_read_buffer(struct kvaser_pciefd *pcie, int dma_buf) return res; } -static u32 kvaser_pciefd_receive_irq(struct kvaser_pciefd *pcie) +static void kvaser_pciefd_receive_irq(struct kvaser_pciefd *pcie) { + void __iomem *srb_cmd_reg = KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG; u32 irq = ioread32(KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - if (irq & KVASER_PCIEFD_SRB_IRQ_DPD0) - kvaser_pciefd_read_buffer(pcie, 0); + iowrite32(irq, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - if (irq & KVASER_PCIEFD_SRB_IRQ_DPD1) + if (irq & KVASER_PCIEFD_SRB_IRQ_DPD0) { + kvaser_pciefd_read_buffer(pcie, 0); + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB0, srb_cmd_reg); /* Rearm buffer */ + } + + if (irq & KVASER_PCIEFD_SRB_IRQ_DPD1) { kvaser_pciefd_read_buffer(pcie, 1); + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1, srb_cmd_reg); /* Rearm buffer */ + } if (unlikely(irq & KVASER_PCIEFD_SRB_IRQ_DOF0 || irq & KVASER_PCIEFD_SRB_IRQ_DOF1 || irq & KVASER_PCIEFD_SRB_IRQ_DUF0 || irq & KVASER_PCIEFD_SRB_IRQ_DUF1)) dev_err(&pcie->pci->dev, "DMA IRQ error 0x%08X\n", irq); - - iowrite32(irq, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - return irq; } static void kvaser_pciefd_transmit_irq(struct kvaser_pciefd_can *can) @@ -1691,29 +1695,22 @@ static irqreturn_t kvaser_pciefd_irq_handler(int irq, void *dev) struct kvaser_pciefd *pcie = (struct kvaser_pciefd *)dev; const struct kvaser_pciefd_irq_mask *irq_mask = pcie->driver_data->irq_mask; u32 pci_irq = ioread32(KVASER_PCIEFD_PCI_IRQ_ADDR(pcie)); - u32 srb_irq = 0; - u32 srb_release = 0; int i; if (!(pci_irq & irq_mask->all)) return IRQ_NONE; + iowrite32(0, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); + if (pci_irq & irq_mask->kcan_rx0) - srb_irq = kvaser_pciefd_receive_irq(pcie); + kvaser_pciefd_receive_irq(pcie); for (i = 0; i < pcie->nr_channels; i++) { if (pci_irq & irq_mask->kcan_tx[i]) kvaser_pciefd_transmit_irq(pcie->can[i]); } - if (srb_irq & KVASER_PCIEFD_SRB_IRQ_DPD0) - srb_release |= KVASER_PCIEFD_SRB_CMD_RDB0; - - if (srb_irq & KVASER_PCIEFD_SRB_IRQ_DPD1) - srb_release |= KVASER_PCIEFD_SRB_CMD_RDB1; - - if (srb_release) - iowrite32(srb_release, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG); + iowrite32(irq_mask->all, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); return IRQ_HANDLED; } @@ -1733,13 +1730,22 @@ static void kvaser_pciefd_teardown_can_ctrls(struct kvaser_pciefd *pcie) } } +static void kvaser_pciefd_disable_irq_srcs(struct kvaser_pciefd *pcie) +{ + unsigned int i; + + /* Masking PCI_IRQ is insufficient as running ISR will unmask it */ + iowrite32(0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IEN_REG); + for (i = 0; i < pcie->nr_channels; ++i) + iowrite32(0, pcie->can[i]->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); +} + static int kvaser_pciefd_probe(struct pci_dev *pdev, const struct pci_device_id *id) { int ret; struct kvaser_pciefd *pcie; const struct kvaser_pciefd_irq_mask *irq_mask; - void __iomem *irq_en_base; pcie = devm_kzalloc(&pdev->dev, sizeof(*pcie), GFP_KERNEL); if (!pcie) @@ -1805,8 +1811,7 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IEN_REG); /* Enable PCI interrupts */ - irq_en_base = KVASER_PCIEFD_PCI_IEN_ADDR(pcie); - iowrite32(irq_mask->all, irq_en_base); + iowrite32(irq_mask->all, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); /* Ready the DMA buffers */ iowrite32(KVASER_PCIEFD_SRB_CMD_RDB0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG); @@ -1820,8 +1825,7 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, return 0; err_free_irq: - /* Disable PCI interrupts */ - iowrite32(0, irq_en_base); + kvaser_pciefd_disable_irq_srcs(pcie); free_irq(pcie->pci->irq, pcie); err_pci_free_irq_vectors: @@ -1844,35 +1848,26 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, return ret; } -static void kvaser_pciefd_remove_all_ctrls(struct kvaser_pciefd *pcie) -{ - int i; - - for (i = 0; i < pcie->nr_channels; i++) { - struct kvaser_pciefd_can *can = pcie->can[i]; - - if (can) { - iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); - unregister_candev(can->can.dev); - timer_delete(&can->bec_poll_timer); - kvaser_pciefd_pwm_stop(can); - free_candev(can->can.dev); - } - } -} - static void kvaser_pciefd_remove(struct pci_dev *pdev) { struct kvaser_pciefd *pcie = pci_get_drvdata(pdev); + unsigned int i; - kvaser_pciefd_remove_all_ctrls(pcie); + for (i = 0; i < pcie->nr_channels; ++i) { + struct kvaser_pciefd_can *can = pcie->can[i]; - /* Disable interrupts */ - iowrite32(0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CTRL_REG); - iowrite32(0, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); + unregister_candev(can->can.dev); + timer_delete(&can->bec_poll_timer); + kvaser_pciefd_pwm_stop(can); + } + kvaser_pciefd_disable_irq_srcs(pcie); free_irq(pcie->pci->irq, pcie); pci_free_irq_vectors(pcie->pci); + + for (i = 0; i < pcie->nr_channels; ++i) + free_candev(pcie->can[i]->can.dev); + pci_iounmap(pdev, pcie->reg_base); pci_release_regions(pdev); pci_disable_device(pdev);

5 months, 3 weeks

2
1
0 0

[PATCH v4] usb: dwc3: Abort suspend on soft disconnect failure

by Kuen-Han Tsai

When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") CC: stable(a)vger.kernel.org Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> --- Kernel panic - not syncing: Asynchronous SError Interrupt Workqueue: events vbus_event_work Call trace: dump_backtrace+0xf4/0x118 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c panic+0x16c/0x390 nmi_panic+0xa4/0xa8 arm64_serror_panic+0x6c/0x94 do_serror+0xc4/0xd0 el1h_64_error_handler+0x34/0x48 el1h_64_error+0x68/0x6c readl+0x4c/0x8c __dwc3_gadget_ep_disable+0x48/0x230 dwc3_gadget_ep_disable+0x50/0xc0 usb_ep_disable+0x44/0xe4 ffs_func_eps_disable+0x64/0xc8 ffs_func_set_alt+0x74/0x368 ffs_func_disable+0x18/0x28 composite_disconnect+0x90/0xec configfs_composite_disconnect+0x64/0x88 usb_gadget_disconnect_locked+0xc0/0x168 vbus_event_work+0x3c/0x58 process_one_work+0x1e4/0x43c worker_thread+0x25c/0x430 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 --- Changelog: v4: - correct the mistake where semicolon was forgotten - return -EAGAIN upon dwc3_gadget_suspend() failure v3: - change the Fixes tag v2: - move declarations in separate lines - add the Fixes tag --- drivers/usb/dwc3/core.c | 9 +++++++-- drivers/usb/dwc3/gadget.c | 22 +++++++++------------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 66a08b527165..f36bc933c55b 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2388,6 +2388,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2406,7 +2407,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2441,7 +2444,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 89a4dc8ebf94..630fd5f0ce97 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4776,26 +4776,22 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; - - spin_lock_irqsave(&dwc->lock, flags); - if (dwc->gadget_driver) - dwc3_disconnect_gadget(dwc); - spin_unlock_irqrestore(&dwc->lock, flags); - - return 0; - -err: /* * Attempt to reset the controller's state. Likely no * communication can be established until the host * performs a port reset. */ - if (dwc->softconnect) + if (ret && dwc->softconnect) { dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } - return ret; + spin_lock_irqsave(&dwc->lock, flags); + if (dwc->gadget_driver) + dwc3_disconnect_gadget(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; } int dwc3_gadget_resume(struct dwc3 *dwc) -- 2.49.0.604.gff1f9ca942-goog

5 months, 3 weeks

3
8
0 0

[PATCH v5] usb: dwc3: Abort suspend on soft disconnect failure

by Kuen-Han Tsai

When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume") CC: stable(a)vger.kernel.org Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> --- Kernel panic - not syncing: Asynchronous SError Interrupt Workqueue: events vbus_event_work Call trace: dump_backtrace+0xf4/0x118 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c panic+0x16c/0x390 nmi_panic+0xa4/0xa8 arm64_serror_panic+0x6c/0x94 do_serror+0xc4/0xd0 el1h_64_error_handler+0x34/0x48 el1h_64_error+0x68/0x6c readl+0x4c/0x8c __dwc3_gadget_ep_disable+0x48/0x230 dwc3_gadget_ep_disable+0x50/0xc0 usb_ep_disable+0x44/0xe4 ffs_func_eps_disable+0x64/0xc8 ffs_func_set_alt+0x74/0x368 ffs_func_disable+0x18/0x28 composite_disconnect+0x90/0xec configfs_composite_disconnect+0x64/0x88 usb_gadget_disconnect_locked+0xc0/0x168 vbus_event_work+0x3c/0x58 process_one_work+0x1e4/0x43c worker_thread+0x25c/0x430 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 --- Changelog: v5: - add the Acked-by tag v4: - correct the mistake where semicolon was forgotten - return -EAGAIN upon dwc3_gadget_suspend() failure v3: - change the Fixes tag v2: - move declarations in separate lines - add the Fixes tag --- drivers/usb/dwc3/core.c | 9 +++++++-- drivers/usb/dwc3/gadget.c | 22 +++++++++------------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 66a08b527165..f36bc933c55b 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2388,6 +2388,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2406,7 +2407,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2441,7 +2444,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 321361288935..b6b63b530148 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4821,26 +4821,22 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; - - spin_lock_irqsave(&dwc->lock, flags); - if (dwc->gadget_driver) - dwc3_disconnect_gadget(dwc); - spin_unlock_irqrestore(&dwc->lock, flags); - - return 0; - -err: /* * Attempt to reset the controller's state. Likely no * communication can be established until the host * performs a port reset. */ - if (dwc->softconnect) + if (ret && dwc->softconnect) { dwc3_gadget_soft_connect(dwc); + return -EAGAIN; + } - return ret; + spin_lock_irqsave(&dwc->lock, flags); + if (dwc->gadget_driver) + dwc3_disconnect_gadget(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; } int dwc3_gadget_resume(struct dwc3 *dwc) -- 2.49.0.1164.gab81da1b16-goog

5 months, 3 weeks

1
0
0 0

[PATCH] accel/ivpu: Use firmware names from upstream repo

by Jacek Lawrynowicz

Use FW names from linux-firmware repo instead of deprecated ones. Fixes: c140244f0cfb ("accel/ivpu: Add initial Panther Lake support") Cc: <stable(a)vger.kernel.org> # v6.13+ Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_fw.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/accel/ivpu/ivpu_fw.c b/drivers/accel/ivpu/ivpu_fw.c index ccaaf6c100c02..9db741695401e 100644 --- a/drivers/accel/ivpu/ivpu_fw.c +++ b/drivers/accel/ivpu/ivpu_fw.c @@ -55,18 +55,18 @@ static struct { int gen; const char *name; } fw_names[] = { - { IVPU_HW_IP_37XX, "vpu_37xx.bin" }, + { IVPU_HW_IP_37XX, "intel/vpu/vpu_37xx_v1.bin" }, { IVPU_HW_IP_37XX, "intel/vpu/vpu_37xx_v0.0.bin" }, - { IVPU_HW_IP_40XX, "vpu_40xx.bin" }, + { IVPU_HW_IP_40XX, "intel/vpu/vpu_40xx_v1.bin" }, { IVPU_HW_IP_40XX, "intel/vpu/vpu_40xx_v0.0.bin" }, - { IVPU_HW_IP_50XX, "vpu_50xx.bin" }, + { IVPU_HW_IP_50XX, "intel/vpu/vpu_50xx_v1.bin" }, { IVPU_HW_IP_50XX, "intel/vpu/vpu_50xx_v0.0.bin" }, }; /* Production fw_names from the table above */ -MODULE_FIRMWARE("intel/vpu/vpu_37xx_v0.0.bin"); -MODULE_FIRMWARE("intel/vpu/vpu_40xx_v0.0.bin"); -MODULE_FIRMWARE("intel/vpu/vpu_50xx_v0.0.bin"); +MODULE_FIRMWARE("intel/vpu/vpu_37xx_v1.bin"); +MODULE_FIRMWARE("intel/vpu/vpu_40xx_v1.bin"); +MODULE_FIRMWARE("intel/vpu/vpu_50xx_v1.bin"); static int ivpu_fw_request(struct ivpu_device *vdev) { -- 2.45.1

5 months, 3 weeks

3
5
0 0

[PATCH] accel/ivpu: Improve buffer object logging

by Jacek Lawrynowicz

- Fix missing alloc log when drm_gem_handle_create() fails in drm_vma_node_allow() and open callback is not called - Add ivpu_bo->ctx_id that enables to log the actual context id instead of using 0 as default - Add couple WARNs and errors so we can catch more memory corruption issues Fixes: 37dee2a2f433 ("accel/ivpu: Improve buffer object debug logs") Cc: <stable(a)vger.kernel.org> # v6.8+ Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> --- drivers/accel/ivpu/ivpu_gem.c | 25 +++++++++++++++++-------- drivers/accel/ivpu/ivpu_gem.h | 1 + 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/drivers/accel/ivpu/ivpu_gem.c b/drivers/accel/ivpu/ivpu_gem.c index e0d242d9f3e50..a76cbf4761f8c 100644 --- a/drivers/accel/ivpu/ivpu_gem.c +++ b/drivers/accel/ivpu/ivpu_gem.c @@ -28,7 +28,7 @@ static inline void ivpu_dbg_bo(struct ivpu_device *vdev, struct ivpu_bo *bo, con { ivpu_dbg(vdev, BO, "%6s: bo %8p vpu_addr %9llx size %8zu ctx %d has_pages %d dma_mapped %d mmu_mapped %d wc %d imported %d\n", - action, bo, bo->vpu_addr, ivpu_bo_size(bo), bo->ctx ? bo->ctx->id : 0, + action, bo, bo->vpu_addr, ivpu_bo_size(bo), bo->ctx_id, (bool)bo->base.pages, (bool)bo->base.sgt, bo->mmu_mapped, bo->base.map_wc, (bool)drm_gem_is_imported(&bo->base.base)); } @@ -94,8 +94,6 @@ ivpu_bo_alloc_vpu_addr(struct ivpu_bo *bo, struct ivpu_mmu_context *ctx, ivpu_err(vdev, "Failed to add BO to context %u: %d\n", ctx->id, ret); } - ivpu_dbg_bo(vdev, bo, "alloc"); - mutex_unlock(&bo->lock); drm_dev_exit(idx); @@ -215,7 +213,7 @@ struct drm_gem_object *ivpu_gem_prime_import(struct drm_device *dev, return ERR_PTR(ret); } -static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 flags) +static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 flags, u32 ctx_id) { struct drm_gem_shmem_object *shmem; struct ivpu_bo *bo; @@ -233,6 +231,7 @@ static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 fla return ERR_CAST(shmem); bo = to_ivpu_bo(&shmem->base); + bo->ctx_id = ctx_id; bo->base.map_wc = flags & DRM_IVPU_BO_WC; bo->flags = flags; @@ -240,6 +239,8 @@ static struct ivpu_bo *ivpu_bo_alloc(struct ivpu_device *vdev, u64 size, u32 fla list_add_tail(&bo->bo_list_node, &vdev->bo_list); mutex_unlock(&vdev->bo_list_lock); + ivpu_dbg_bo(vdev, bo, "alloc"); + return bo; } @@ -278,8 +279,13 @@ static void ivpu_gem_bo_free(struct drm_gem_object *obj) mutex_unlock(&vdev->bo_list_lock); drm_WARN_ON(&vdev->drm, !dma_resv_test_signaled(obj->resv, DMA_RESV_USAGE_READ)); + drm_WARN_ON(&vdev->drm, ivpu_bo_size(bo) == 0); + drm_WARN_ON(&vdev->drm, bo->base.vaddr); ivpu_bo_unbind_locked(bo); + drm_WARN_ON(&vdev->drm, bo->mmu_mapped); + drm_WARN_ON(&vdev->drm, bo->ctx); + mutex_destroy(&bo->lock); drm_WARN_ON(obj->dev, refcount_read(&bo->base.pages_use_count) > 1); @@ -314,7 +320,7 @@ int ivpu_bo_create_ioctl(struct drm_device *dev, void *data, struct drm_file *fi if (size == 0) return -EINVAL; - bo = ivpu_bo_alloc(vdev, size, args->flags); + bo = ivpu_bo_alloc(vdev, size, args->flags, file_priv->ctx.id); if (IS_ERR(bo)) { ivpu_err(vdev, "Failed to allocate BO: %pe (ctx %u size %llu flags 0x%x)", bo, file_priv->ctx.id, args->size, args->flags); @@ -322,7 +328,10 @@ int ivpu_bo_create_ioctl(struct drm_device *dev, void *data, struct drm_file *fi } ret = drm_gem_handle_create(file, &bo->base.base, &args->handle); - if (!ret) + if (ret) + ivpu_err(vdev, "Failed to create handle for BO: %pe (ctx %u size %llu flags 0x%x)", + bo, file_priv->ctx.id, args->size, args->flags); + else args->vpu_addr = bo->vpu_addr; drm_gem_object_put(&bo->base.base); @@ -345,7 +354,7 @@ ivpu_bo_create(struct ivpu_device *vdev, struct ivpu_mmu_context *ctx, drm_WARN_ON(&vdev->drm, !PAGE_ALIGNED(range->end)); drm_WARN_ON(&vdev->drm, !PAGE_ALIGNED(size)); - bo = ivpu_bo_alloc(vdev, size, flags); + bo = ivpu_bo_alloc(vdev, size, flags, IVPU_GLOBAL_CONTEXT_MMU_SSID); if (IS_ERR(bo)) { ivpu_err(vdev, "Failed to allocate BO: %pe (vpu_addr 0x%llx size %llu flags 0x%x)", bo, range->start, size, flags); @@ -452,7 +461,7 @@ static void ivpu_bo_print_info(struct ivpu_bo *bo, struct drm_printer *p) mutex_lock(&bo->lock); drm_printf(p, "%-9p %-3u 0x%-12llx %-10lu 0x%-8x %-4u", - bo, bo->ctx ? bo->ctx->id : 0, bo->vpu_addr, bo->base.base.size, + bo, bo->ctx_id, bo->vpu_addr, bo->base.base.size, bo->flags, kref_read(&bo->base.base.refcount)); if (bo->base.pages) diff --git a/drivers/accel/ivpu/ivpu_gem.h b/drivers/accel/ivpu/ivpu_gem.h index a222a9ec9d611..0c93118c85bd3 100644 --- a/drivers/accel/ivpu/ivpu_gem.h +++ b/drivers/accel/ivpu/ivpu_gem.h @@ -21,6 +21,7 @@ struct ivpu_bo { u64 vpu_addr; u32 flags; u32 job_status; /* Valid only for command buffer */ + u32 ctx_id; bool mmu_mapped; }; -- 2.45.1

5 months, 3 weeks

3
3
0 0

[PATCH 2/5] mm/filemap: use filemap_end_dropbehind() for read invalidation

by Jens Axboe

Use the filemap_end_dropbehind() helper rather than calling folio_unmap_invalidate() directly, as we need to check if the folio has been redirtied or marked for writeback once the folio lock has been re-acquired. Cc: stable(a)vger.kernel.org Reported-by: Trond Myklebust <trondmy(a)hammerspace.com> Fixes: 8026e49bff9b ("mm/filemap: add read support for RWF_DONTCACHE") Link: https://lore.kernel.org/linux-fsdevel/ba8a9805331ce258a622feaca266b163db681… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- mm/filemap.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mm/filemap.c b/mm/filemap.c index 008a55290f34..6af6d8f2929c 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2644,8 +2644,7 @@ static inline bool pos_same_folio(loff_t pos1, loff_t pos2, struct folio *folio) return (pos1 >> shift == pos2 >> shift); } -static void filemap_end_dropbehind_read(struct address_space *mapping, - struct folio *folio) +static void filemap_end_dropbehind_read(struct folio *folio) { if (!folio_test_dropbehind(folio)) return; @@ -2653,7 +2652,7 @@ static void filemap_end_dropbehind_read(struct address_space *mapping, return; if (folio_trylock(folio)) { if (folio_test_clear_dropbehind(folio)) - folio_unmap_invalidate(mapping, folio, 0); + filemap_end_dropbehind(folio); folio_unlock(folio); } } @@ -2774,7 +2773,7 @@ ssize_t filemap_read(struct kiocb *iocb, struct iov_iter *iter, for (i = 0; i < folio_batch_count(&fbatch); i++) { struct folio *folio = fbatch.folios[i]; - filemap_end_dropbehind_read(mapping, folio); + filemap_end_dropbehind_read(folio); folio_put(folio); } folio_batch_init(&fbatch); -- 2.49.0

5 months, 3 weeks

2
1
0 0

[PATCH 1/5] mm/filemap: gate dropbehind invalidate on folio !dirty && !writeback

by Jens Axboe

It's possible for the folio to either get marked for writeback or redirtied. Add a helper, filemap_end_dropbehind(), which guards the folio_unmap_invalidate() call behind check for the folio being both non-dirty and not under writeback AFTER the folio lock has been acquired. Use this helper folio_end_dropbehind_write(). Cc: stable(a)vger.kernel.org Reported-by: Al Viro <viro(a)zeniv.linux.org.uk> Fixes: fb7d3bc41493 ("mm/filemap: drop streaming/uncached pages when writeback completes") Link: https://lore.kernel.org/linux-fsdevel/20250525083209.GS2023217@ZenIV/ Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- mm/filemap.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/mm/filemap.c b/mm/filemap.c index 7b90cbeb4a1a..008a55290f34 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -1589,6 +1589,16 @@ int folio_wait_private_2_killable(struct folio *folio) } EXPORT_SYMBOL(folio_wait_private_2_killable); +static void filemap_end_dropbehind(struct folio *folio) +{ + struct address_space *mapping = folio->mapping; + + VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); + + if (mapping && !folio_test_writeback(folio) && !folio_test_dirty(folio)) + folio_unmap_invalidate(mapping, folio, 0); +} + /* * If folio was marked as dropbehind, then pages should be dropped when writeback * completes. Do that now. If we fail, it's likely because of a big folio - @@ -1604,8 +1614,7 @@ static void folio_end_dropbehind_write(struct folio *folio) * invalidation in that case. */ if (in_task() && folio_trylock(folio)) { - if (folio->mapping) - folio_unmap_invalidate(folio->mapping, folio, 0); + filemap_end_dropbehind(folio); folio_unlock(folio); } } -- 2.49.0

5 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] can: kvaser_pciefd: Force IRQ edge in case of nested IRQ" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9176bd205ee0b2cd35073a9973c2a0936bcb579e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052430-pettiness-opponent-56cd@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9176bd205ee0b2cd35073a9973c2a0936bcb579e Mon Sep 17 00:00:00 2001 From: Axel Forsman <axfo(a)kvaser.com> Date: Tue, 20 May 2025 13:43:30 +0200 Subject: [PATCH] can: kvaser_pciefd: Force IRQ edge in case of nested IRQ Avoid the driver missing IRQs by temporarily masking IRQs in the ISR to enforce an edge even if a different IRQ is signalled before handled IRQs are cleared. Fixes: 48f827d4f48f ("can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR") Cc: stable(a)vger.kernel.org Signed-off-by: Axel Forsman <axfo(a)kvaser.com> Tested-by: Jimmy Assarsson <extja(a)kvaser.com> Reviewed-by: Jimmy Assarsson <extja(a)kvaser.com> Link: https://patch.msgid.link/20250520114332.8961-2-axfo@kvaser.com Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index cf0d51805272..9cc9176c2058 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -1646,24 +1646,28 @@ static int kvaser_pciefd_read_buffer(struct kvaser_pciefd *pcie, int dma_buf) return res; } -static u32 kvaser_pciefd_receive_irq(struct kvaser_pciefd *pcie) +static void kvaser_pciefd_receive_irq(struct kvaser_pciefd *pcie) { + void __iomem *srb_cmd_reg = KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG; u32 irq = ioread32(KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - if (irq & KVASER_PCIEFD_SRB_IRQ_DPD0) - kvaser_pciefd_read_buffer(pcie, 0); + iowrite32(irq, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - if (irq & KVASER_PCIEFD_SRB_IRQ_DPD1) + if (irq & KVASER_PCIEFD_SRB_IRQ_DPD0) { + kvaser_pciefd_read_buffer(pcie, 0); + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB0, srb_cmd_reg); /* Rearm buffer */ + } + + if (irq & KVASER_PCIEFD_SRB_IRQ_DPD1) { kvaser_pciefd_read_buffer(pcie, 1); + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1, srb_cmd_reg); /* Rearm buffer */ + } if (unlikely(irq & KVASER_PCIEFD_SRB_IRQ_DOF0 || irq & KVASER_PCIEFD_SRB_IRQ_DOF1 || irq & KVASER_PCIEFD_SRB_IRQ_DUF0 || irq & KVASER_PCIEFD_SRB_IRQ_DUF1)) dev_err(&pcie->pci->dev, "DMA IRQ error 0x%08X\n", irq); - - iowrite32(irq, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - return irq; } static void kvaser_pciefd_transmit_irq(struct kvaser_pciefd_can *can) @@ -1691,29 +1695,22 @@ static irqreturn_t kvaser_pciefd_irq_handler(int irq, void *dev) struct kvaser_pciefd *pcie = (struct kvaser_pciefd *)dev; const struct kvaser_pciefd_irq_mask *irq_mask = pcie->driver_data->irq_mask; u32 pci_irq = ioread32(KVASER_PCIEFD_PCI_IRQ_ADDR(pcie)); - u32 srb_irq = 0; - u32 srb_release = 0; int i; if (!(pci_irq & irq_mask->all)) return IRQ_NONE; + iowrite32(0, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); + if (pci_irq & irq_mask->kcan_rx0) - srb_irq = kvaser_pciefd_receive_irq(pcie); + kvaser_pciefd_receive_irq(pcie); for (i = 0; i < pcie->nr_channels; i++) { if (pci_irq & irq_mask->kcan_tx[i]) kvaser_pciefd_transmit_irq(pcie->can[i]); } - if (srb_irq & KVASER_PCIEFD_SRB_IRQ_DPD0) - srb_release |= KVASER_PCIEFD_SRB_CMD_RDB0; - - if (srb_irq & KVASER_PCIEFD_SRB_IRQ_DPD1) - srb_release |= KVASER_PCIEFD_SRB_CMD_RDB1; - - if (srb_release) - iowrite32(srb_release, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG); + iowrite32(irq_mask->all, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); return IRQ_HANDLED; } @@ -1733,13 +1730,22 @@ static void kvaser_pciefd_teardown_can_ctrls(struct kvaser_pciefd *pcie) } } +static void kvaser_pciefd_disable_irq_srcs(struct kvaser_pciefd *pcie) +{ + unsigned int i; + + /* Masking PCI_IRQ is insufficient as running ISR will unmask it */ + iowrite32(0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IEN_REG); + for (i = 0; i < pcie->nr_channels; ++i) + iowrite32(0, pcie->can[i]->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); +} + static int kvaser_pciefd_probe(struct pci_dev *pdev, const struct pci_device_id *id) { int ret; struct kvaser_pciefd *pcie; const struct kvaser_pciefd_irq_mask *irq_mask; - void __iomem *irq_en_base; pcie = devm_kzalloc(&pdev->dev, sizeof(*pcie), GFP_KERNEL); if (!pcie) @@ -1805,8 +1811,7 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IEN_REG); /* Enable PCI interrupts */ - irq_en_base = KVASER_PCIEFD_PCI_IEN_ADDR(pcie); - iowrite32(irq_mask->all, irq_en_base); + iowrite32(irq_mask->all, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); /* Ready the DMA buffers */ iowrite32(KVASER_PCIEFD_SRB_CMD_RDB0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG); @@ -1820,8 +1825,7 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, return 0; err_free_irq: - /* Disable PCI interrupts */ - iowrite32(0, irq_en_base); + kvaser_pciefd_disable_irq_srcs(pcie); free_irq(pcie->pci->irq, pcie); err_pci_free_irq_vectors: @@ -1844,35 +1848,26 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, return ret; } -static void kvaser_pciefd_remove_all_ctrls(struct kvaser_pciefd *pcie) -{ - int i; - - for (i = 0; i < pcie->nr_channels; i++) { - struct kvaser_pciefd_can *can = pcie->can[i]; - - if (can) { - iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); - unregister_candev(can->can.dev); - timer_delete(&can->bec_poll_timer); - kvaser_pciefd_pwm_stop(can); - free_candev(can->can.dev); - } - } -} - static void kvaser_pciefd_remove(struct pci_dev *pdev) { struct kvaser_pciefd *pcie = pci_get_drvdata(pdev); + unsigned int i; - kvaser_pciefd_remove_all_ctrls(pcie); + for (i = 0; i < pcie->nr_channels; ++i) { + struct kvaser_pciefd_can *can = pcie->can[i]; - /* Disable interrupts */ - iowrite32(0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CTRL_REG); - iowrite32(0, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); + unregister_candev(can->can.dev); + timer_delete(&can->bec_poll_timer); + kvaser_pciefd_pwm_stop(can); + } + kvaser_pciefd_disable_irq_srcs(pcie); free_irq(pcie->pci->irq, pcie); pci_free_irq_vectors(pcie->pci); + + for (i = 0; i < pcie->nr_channels; ++i) + free_candev(pcie->can[i]->can.dev); + pci_iounmap(pdev, pcie->reg_base); pci_release_regions(pdev); pci_disable_device(pdev);

5 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] can: kvaser_pciefd: Force IRQ edge in case of nested IRQ" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 9176bd205ee0b2cd35073a9973c2a0936bcb579e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052429-stadium-triage-c0af@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9176bd205ee0b2cd35073a9973c2a0936bcb579e Mon Sep 17 00:00:00 2001 From: Axel Forsman <axfo(a)kvaser.com> Date: Tue, 20 May 2025 13:43:30 +0200 Subject: [PATCH] can: kvaser_pciefd: Force IRQ edge in case of nested IRQ Avoid the driver missing IRQs by temporarily masking IRQs in the ISR to enforce an edge even if a different IRQ is signalled before handled IRQs are cleared. Fixes: 48f827d4f48f ("can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR") Cc: stable(a)vger.kernel.org Signed-off-by: Axel Forsman <axfo(a)kvaser.com> Tested-by: Jimmy Assarsson <extja(a)kvaser.com> Reviewed-by: Jimmy Assarsson <extja(a)kvaser.com> Link: https://patch.msgid.link/20250520114332.8961-2-axfo@kvaser.com Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c index cf0d51805272..9cc9176c2058 100644 --- a/drivers/net/can/kvaser_pciefd.c +++ b/drivers/net/can/kvaser_pciefd.c @@ -1646,24 +1646,28 @@ static int kvaser_pciefd_read_buffer(struct kvaser_pciefd *pcie, int dma_buf) return res; } -static u32 kvaser_pciefd_receive_irq(struct kvaser_pciefd *pcie) +static void kvaser_pciefd_receive_irq(struct kvaser_pciefd *pcie) { + void __iomem *srb_cmd_reg = KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG; u32 irq = ioread32(KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - if (irq & KVASER_PCIEFD_SRB_IRQ_DPD0) - kvaser_pciefd_read_buffer(pcie, 0); + iowrite32(irq, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - if (irq & KVASER_PCIEFD_SRB_IRQ_DPD1) + if (irq & KVASER_PCIEFD_SRB_IRQ_DPD0) { + kvaser_pciefd_read_buffer(pcie, 0); + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB0, srb_cmd_reg); /* Rearm buffer */ + } + + if (irq & KVASER_PCIEFD_SRB_IRQ_DPD1) { kvaser_pciefd_read_buffer(pcie, 1); + iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1, srb_cmd_reg); /* Rearm buffer */ + } if (unlikely(irq & KVASER_PCIEFD_SRB_IRQ_DOF0 || irq & KVASER_PCIEFD_SRB_IRQ_DOF1 || irq & KVASER_PCIEFD_SRB_IRQ_DUF0 || irq & KVASER_PCIEFD_SRB_IRQ_DUF1)) dev_err(&pcie->pci->dev, "DMA IRQ error 0x%08X\n", irq); - - iowrite32(irq, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IRQ_REG); - return irq; } static void kvaser_pciefd_transmit_irq(struct kvaser_pciefd_can *can) @@ -1691,29 +1695,22 @@ static irqreturn_t kvaser_pciefd_irq_handler(int irq, void *dev) struct kvaser_pciefd *pcie = (struct kvaser_pciefd *)dev; const struct kvaser_pciefd_irq_mask *irq_mask = pcie->driver_data->irq_mask; u32 pci_irq = ioread32(KVASER_PCIEFD_PCI_IRQ_ADDR(pcie)); - u32 srb_irq = 0; - u32 srb_release = 0; int i; if (!(pci_irq & irq_mask->all)) return IRQ_NONE; + iowrite32(0, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); + if (pci_irq & irq_mask->kcan_rx0) - srb_irq = kvaser_pciefd_receive_irq(pcie); + kvaser_pciefd_receive_irq(pcie); for (i = 0; i < pcie->nr_channels; i++) { if (pci_irq & irq_mask->kcan_tx[i]) kvaser_pciefd_transmit_irq(pcie->can[i]); } - if (srb_irq & KVASER_PCIEFD_SRB_IRQ_DPD0) - srb_release |= KVASER_PCIEFD_SRB_CMD_RDB0; - - if (srb_irq & KVASER_PCIEFD_SRB_IRQ_DPD1) - srb_release |= KVASER_PCIEFD_SRB_CMD_RDB1; - - if (srb_release) - iowrite32(srb_release, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG); + iowrite32(irq_mask->all, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); return IRQ_HANDLED; } @@ -1733,13 +1730,22 @@ static void kvaser_pciefd_teardown_can_ctrls(struct kvaser_pciefd *pcie) } } +static void kvaser_pciefd_disable_irq_srcs(struct kvaser_pciefd *pcie) +{ + unsigned int i; + + /* Masking PCI_IRQ is insufficient as running ISR will unmask it */ + iowrite32(0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IEN_REG); + for (i = 0; i < pcie->nr_channels; ++i) + iowrite32(0, pcie->can[i]->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); +} + static int kvaser_pciefd_probe(struct pci_dev *pdev, const struct pci_device_id *id) { int ret; struct kvaser_pciefd *pcie; const struct kvaser_pciefd_irq_mask *irq_mask; - void __iomem *irq_en_base; pcie = devm_kzalloc(&pdev->dev, sizeof(*pcie), GFP_KERNEL); if (!pcie) @@ -1805,8 +1811,7 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_IEN_REG); /* Enable PCI interrupts */ - irq_en_base = KVASER_PCIEFD_PCI_IEN_ADDR(pcie); - iowrite32(irq_mask->all, irq_en_base); + iowrite32(irq_mask->all, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); /* Ready the DMA buffers */ iowrite32(KVASER_PCIEFD_SRB_CMD_RDB0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CMD_REG); @@ -1820,8 +1825,7 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, return 0; err_free_irq: - /* Disable PCI interrupts */ - iowrite32(0, irq_en_base); + kvaser_pciefd_disable_irq_srcs(pcie); free_irq(pcie->pci->irq, pcie); err_pci_free_irq_vectors: @@ -1844,35 +1848,26 @@ static int kvaser_pciefd_probe(struct pci_dev *pdev, return ret; } -static void kvaser_pciefd_remove_all_ctrls(struct kvaser_pciefd *pcie) -{ - int i; - - for (i = 0; i < pcie->nr_channels; i++) { - struct kvaser_pciefd_can *can = pcie->can[i]; - - if (can) { - iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG); - unregister_candev(can->can.dev); - timer_delete(&can->bec_poll_timer); - kvaser_pciefd_pwm_stop(can); - free_candev(can->can.dev); - } - } -} - static void kvaser_pciefd_remove(struct pci_dev *pdev) { struct kvaser_pciefd *pcie = pci_get_drvdata(pdev); + unsigned int i; - kvaser_pciefd_remove_all_ctrls(pcie); + for (i = 0; i < pcie->nr_channels; ++i) { + struct kvaser_pciefd_can *can = pcie->can[i]; - /* Disable interrupts */ - iowrite32(0, KVASER_PCIEFD_SRB_ADDR(pcie) + KVASER_PCIEFD_SRB_CTRL_REG); - iowrite32(0, KVASER_PCIEFD_PCI_IEN_ADDR(pcie)); + unregister_candev(can->can.dev); + timer_delete(&can->bec_poll_timer); + kvaser_pciefd_pwm_stop(can); + } + kvaser_pciefd_disable_irq_srcs(pcie); free_irq(pcie->pci->irq, pcie); pci_free_irq_vectors(pcie->pci); + + for (i = 0; i < pcie->nr_channels; ++i) + free_candev(pcie->can[i]->can.dev); + pci_iounmap(pdev, pcie->reg_base); pci_release_regions(pdev); pci_disable_device(pdev);

5 months, 3 weeks

2
1
0 0

[PATCH 1/6] pinctrl: airoha: fix wrong PHY LED mux value for LED1 GPIO46

by Christian Marangi

In all the MUX value for LED1 GPIO46 there is a Copy-Paste error where the MUX value is set to LED0_MODE_MASK instead of LED1_MODE_MASK. This wasn't notice as there were no board that made use of the secondary PHY LED but looking at the internal Documentation the actual value should be LED1_MODE_MASK similar to the other GPIO entry. Fix the wrong value to apply the correct MUX configuration. Cc: stable(a)vger.kernel.org Fixes: 1c8ace2d0725 ("pinctrl: airoha: Add support for EN7581 SoC") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/pinctrl/mediatek/pinctrl-airoha.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/pinctrl/mediatek/pinctrl-airoha.c b/drivers/pinctrl/mediatek/pinctrl-airoha.c index b97b28ebb37a..8ef7f88477aa 100644 --- a/drivers/pinctrl/mediatek/pinctrl-airoha.c +++ b/drivers/pinctrl/mediatek/pinctrl-airoha.c @@ -1752,8 +1752,8 @@ static const struct airoha_pinctrl_func_group phy1_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, @@ -1816,8 +1816,8 @@ static const struct airoha_pinctrl_func_group phy2_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, @@ -1880,8 +1880,8 @@ static const struct airoha_pinctrl_func_group phy3_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, @@ -1944,8 +1944,8 @@ static const struct airoha_pinctrl_func_group phy4_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, -- 2.48.1

5 months, 3 weeks

2
1
0 0

Recall: [PATCH] selftests/vm: fix split huge page tests

by Wang, Guangming

Guangming.Wang(a)windriver.com would like to recall the message, "[PATCH] selftests/vm: fix split huge page tests".

5 months, 3 weeks

1
0
0 0

[PATCH] selftests/vm: fix split huge page tests

by wndgwang4

Fix two inputs to check_anon_huge() and one if condition, so the tests work as expected. Link: https://lkml.kernel.org/r/20230306160907.16804-1-zi.yan@sent.com Fixes: c07c343cda8e ("selftests/vm: dedup THP helpers") Cc: stable(a)vger.kernel.org Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Zach O'Keefe <zokeefe(a)google.com> Tested-by: Zach O'Keefe <zokeefe(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: wndgwang4 <guangming.wang(a)windriver.com> --- tools/testing/selftests/vm/split_huge_page_test.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/vm/split_huge_page_test.c b/tools/testing/selftests/vm/split_huge_page_test.c index 76e1c36dd..b8558c7f1 100644 --- a/tools/testing/selftests/vm/split_huge_page_test.c +++ b/tools/testing/selftests/vm/split_huge_page_test.c @@ -106,7 +106,7 @@ void split_pmd_thp(void) for (i = 0; i < len; i++) one_page[i] = (char)i; - if (!check_huge_anon(one_page, 1, pmd_pagesize)) { + if (!check_huge_anon(one_page, 4, pmd_pagesize)) { printf("No THP is allocated\n"); exit(EXIT_FAILURE); } @@ -122,7 +122,7 @@ void split_pmd_thp(void) } - if (check_huge_anon(one_page, 0, pmd_pagesize)) { + if (!check_huge_anon(one_page, 0, pmd_pagesize)) { printf("Still AnonHugePages not split\n"); exit(EXIT_FAILURE); } @@ -169,7 +169,7 @@ void split_pte_mapped_thp(void) for (i = 0; i < len; i++) one_page[i] = (char)i; - if (!check_huge_anon(one_page, 1, pmd_pagesize)) { + if (!check_huge_anon(one_page, 4, pmd_pagesize)) { printf("No THP is allocated\n"); exit(EXIT_FAILURE); } -- 2.34.1

5 months, 3 weeks

1
0
0 0

[PATCH 09/24] drm/amd/display: Correct non-OLED pre_T11_delay.

by Wayne Lin

From: Zhongwei Zhang <Zhongwei.Zhang(a)amd.com> [Why] Only OLED panels require non-zero pre_T11_delay defaultly. Others should be controlled by power sequence. [How] For non OLED, pre_T11_delay delay in code should be zero. Also post_T7_delay. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Charlene Liu <charlene.liu(a)amd.com> Signed-off-by: Zhongwei Zhang <Zhongwei.Zhang(a)amd.com> Signed-off-by: Wayne Lin <wayne.lin(a)amd.com> --- drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c index 28f37437176e..a8174669bc49 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c @@ -953,8 +953,8 @@ void dce110_edp_backlight_control( struct dc_context *ctx = link->ctx; struct bp_transmitter_control cntl = { 0 }; uint8_t pwrseq_instance = 0; - unsigned int pre_T11_delay = OLED_PRE_T11_DELAY; - unsigned int post_T7_delay = OLED_POST_T7_DELAY; + unsigned int pre_T11_delay = (link->dpcd_sink_ext_caps.bits.oled ? OLED_PRE_T11_DELAY : 0); + unsigned int post_T7_delay = (link->dpcd_sink_ext_caps.bits.oled ? OLED_POST_T7_DELAY : 0); if (dal_graphics_object_id_get_connector_id(link->link_enc->connector) != CONNECTOR_ID_EDP) { @@ -1070,7 +1070,8 @@ void dce110_edp_backlight_control( if (!enable) { /*follow oem panel config's requirement*/ pre_T11_delay += link->panel_config.pps.extra_pre_t11_ms; - msleep(pre_T11_delay); + if (pre_T11_delay) + msleep(pre_T11_delay); } } -- 2.43.0

5 months, 3 weeks

1
0
0 0

[PATCH 08/24] drm/amd/display: Call setup_stream_attribute after stream enc clk is ungated

by Wayne Lin

From: Michael Strauss <michael.strauss(a)amd.com> [WHY] If symclk RCO is enabled, stream encoder may not be receiving an ungated clock by the time we attempt to set stream attributes when setting dpms on. Since the clock is gated, register writes to the stream encoder fail. [HOW] Move set_stream_attribute call into enable_stream, just after the point where symclk32_se is ungated. Logically there is no need to set stream attributes as early as is currently done in link_set_dpms_on, so this should have no impact beyond the RCO fix. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Wenjing Liu <wenjing.liu(a)amd.com> Signed-off-by: Michael Strauss <michael.strauss(a)amd.com> Signed-off-by: Wayne Lin <wayne.lin(a)amd.com> --- drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 + drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 ++ drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 ++ drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 --- .../drm/amd/display/dc/virtual/virtual_stream_encoder.c | 7 +++++++ 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c index 23bec5d25ed6..28f37437176e 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c @@ -671,6 +671,7 @@ void dce110_enable_stream(struct pipe_ctx *pipe_ctx) uint32_t early_control = 0; struct timing_generator *tg = pipe_ctx->stream_res.tg; + link_hwss->setup_stream_attribute(pipe_ctx); link_hwss->setup_stream_encoder(pipe_ctx); dc->hwss.update_info_frame(pipe_ctx); diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c index 4ea3b4ad179b..9f082a4c2610 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c @@ -3046,6 +3046,8 @@ void dcn20_enable_stream(struct pipe_ctx *pipe_ctx) link_enc->transmitter - TRANSMITTER_UNIPHY_A); } + link_hwss->setup_stream_attribute(pipe_ctx); + if (dc->res_pool->dccg->funcs->set_pixel_rate_div) dc->res_pool->dccg->funcs->set_pixel_rate_div( dc->res_pool->dccg, diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c index ea28c75fdace..82b13cc7a262 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c @@ -967,6 +967,8 @@ void dcn401_enable_stream(struct pipe_ctx *pipe_ctx) } } + link_hwss->setup_stream_attribute(pipe_ctx); + if (dc->res_pool->dccg->funcs->set_pixel_rate_div) { dc->res_pool->dccg->funcs->set_pixel_rate_div( dc->res_pool->dccg, diff --git a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c index 273a3be6d593..f1b8f8f7b3a4 100644 --- a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c +++ b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c @@ -2458,7 +2458,6 @@ void link_set_dpms_on( struct link_encoder *link_enc = pipe_ctx->link_res.dio_link_enc; enum otg_out_mux_dest otg_out_dest = OUT_MUX_DIO; struct vpg *vpg = pipe_ctx->stream_res.stream_enc->vpg; - const struct link_hwss *link_hwss = get_link_hwss(link, &pipe_ctx->link_res); bool apply_edp_fast_boot_optimization = pipe_ctx->stream->apply_edp_fast_boot_optimization; @@ -2502,8 +2501,6 @@ void link_set_dpms_on( pipe_ctx->stream_res.tg->funcs->set_out_mux(pipe_ctx->stream_res.tg, otg_out_dest); } - link_hwss->setup_stream_attribute(pipe_ctx); - pipe_ctx->stream->apply_edp_fast_boot_optimization = false; // Enable VPG before building infoframe diff --git a/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c index ad088d70e189..6ffc74fc9dcd 100644 --- a/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c +++ b/drivers/gpu/drm/amd/display/dc/virtual/virtual_stream_encoder.c @@ -44,6 +44,11 @@ static void virtual_stream_encoder_dvi_set_stream_attribute( struct dc_crtc_timing *crtc_timing, bool is_dual_link) {} +static void virtual_stream_encoder_lvds_set_stream_attribute( + struct stream_encoder *enc, + struct dc_crtc_timing *crtc_timing) +{} + static void virtual_stream_encoder_set_throttled_vcp_size( struct stream_encoder *enc, struct fixed31_32 avg_time_slots_per_mtp) @@ -115,6 +120,8 @@ static const struct stream_encoder_funcs virtual_str_enc_funcs = { virtual_stream_encoder_hdmi_set_stream_attribute, .dvi_set_stream_attribute = virtual_stream_encoder_dvi_set_stream_attribute, + .lvds_set_stream_attribute = + virtual_stream_encoder_lvds_set_stream_attribute, .set_throttled_vcp_size = virtual_stream_encoder_set_throttled_vcp_size, .update_hdmi_info_packets = -- 2.43.0

5 months, 3 weeks

1
0
0 0

[PATCH] binder: fix yet another UAF in binder_devices

by Carlos Llamas

Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed: ================================================================== BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100 Write of size 8 at addr ffff0000c773b900 by task umount/467 CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binder_remove_device+0xd4/0x100 binderfs_evict_inode+0x230/0x2f0 evict+0x25c/0x5dc iput+0x304/0x480 dentry_unlink_inode+0x208/0x46c __dentry_kill+0x154/0x530 [...] Allocated by task 463: __kmalloc_cache_noprof+0x13c/0x324 binderfs_binder_device_create.isra.0+0x138/0xa60 binder_ctl_ioctl+0x1ac/0x230 [...] Freed by task 215: kfree+0x184/0x31c binder_proc_dec_tmpref+0x33c/0x4ac binder_deferred_func+0xc10/0x1108 process_one_work+0x520/0xba4 [...] ================================================================== Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed. Cc: stable(a)vger.kernel.org Fixes: 12d909cac1e1 ("binderfs: add new binder devices to binder_devices") Reported-by: syzbot+4af454407ec393de51d6(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4af454407ec393de51d6 Tested-by: syzbot+4af454407ec393de51d6(a)syzkaller.appspotmail.com Signed-off-by: Carlos Llamas <cmllamas(a)google.com> --- drivers/android/binder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 682bbe4ad550..c463ca4a8fff 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -5241,6 +5241,7 @@ static void binder_free_proc(struct binder_proc *proc) __func__, proc->outstanding_txns); device = container_of(proc->context, struct binder_device, context); if (refcount_dec_and_test(&device->ref)) { + binder_remove_device(device); kfree(proc->context->name); kfree(device); } -- 2.49.0.1151.ga128411c76-goog

5 months, 3 weeks

3
2
0 0

[PATCH net v5] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()

by Wentao Liang

The function mlx5_query_nic_vport_node_guid() calls the function mlx5_query_nic_vport_context() but does not check its return value. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v5: Remove error tag. v4: Fix code error. v3: Explicitly mention target branch. Change improper code. v2: Remove redundant reassignment. Fix typo error. drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 0d5f750faa45..c34cd9a1a79b 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -465,19 +465,22 @@ int mlx5_query_nic_vport_node_guid(struct mlx5_core_dev *mdev, u64 *node_guid) { u32 *out; int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int err; out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + err = mlx5_query_nic_vport_context(mdev, 0, out); + if (err) + goto out; *node_guid = MLX5_GET64(query_nic_vport_context_out, out, nic_vport_context.node_guid); - +out: kvfree(out); - return 0; + return err; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid); -- 2.42.0.windows.2

5 months, 3 weeks

3
2
0 0

+ fs-dax-fix-dont-skip-locked-entries-when-scanning-entries.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/dax: fix "don't skip locked entries when scanning entries" has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-dax-fix-dont-skip-locked-entries-when-scanning-entries.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Alistair Popple <apopple(a)nvidia.com> Subject: fs/dax: fix "don't skip locked entries when scanning entries" Date: Fri, 23 May 2025 14:37:49 +1000 Commit 6be3e21d25ca ("fs/dax: don't skip locked entries when scanning entries") introduced a new function, wait_entry_unlocked_exclusive(), which waits for the current entry to become unlocked without advancing the XArray iterator state. Waiting for the entry to become unlocked requires dropping the XArray lock. This requires calling xas_pause() prior to dropping the lock which leaves the xas in a suitable state for the next iteration. However this has the side-effect of advancing the xas state to the next index. Normally this isn't an issue because xas_for_each() contains code to detect this state and thus avoid advancing the index a second time on the next loop iteration. However both callers of and wait_entry_unlocked_exclusive() itself subsequently use the xas state to reload the entry. As xas_pause() updated the state to the next index this will cause the current entry which is being waited on to be skipped. This caused the following warning to fire intermittently when running xftest generic/068 on an XFS filesystem with FS DAX enabled: [ 35.067397] ------------[ cut here ]------------ [ 35.068229] WARNING: CPU: 21 PID: 1640 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xd8/0x1e0 [ 35.069717] Modules linked in: nd_pmem dax_pmem nd_btt nd_e820 libnvdimm [ 35.071006] CPU: 21 UID: 0 PID: 1640 Comm: fstest Not tainted 6.15.0-rc7+ #77 PREEMPT(voluntary) [ 35.072613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/204 [ 35.074845] RIP: 0010:truncate_folio_batch_exceptionals+0xd8/0x1e0 [ 35.075962] Code: a1 00 00 00 f6 47 0d 20 0f 84 97 00 00 00 4c 63 e8 41 39 c4 7f 0b eb 61 49 83 c5 01 45 39 ec 7e 58 42 f68 [ 35.079522] RSP: 0018:ffffb04e426c7850 EFLAGS: 00010202 [ 35.080359] RAX: 0000000000000000 RBX: ffff9d21e3481908 RCX: ffffb04e426c77f4 [ 35.081477] RDX: ffffb04e426c79e8 RSI: ffffb04e426c79e0 RDI: ffff9d21e34816e8 [ 35.082590] RBP: ffffb04e426c79e0 R08: 0000000000000001 R09: 0000000000000003 [ 35.083733] R10: 0000000000000000 R11: 822b53c0f7a49868 R12: 000000000000001f [ 35.084850] R13: 0000000000000000 R14: ffffb04e426c78e8 R15: fffffffffffffffe [ 35.085953] FS: 00007f9134c87740(0000) GS:ffff9d22abba0000(0000) knlGS:0000000000000000 [ 35.087346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 35.088244] CR2: 00007f9134c86000 CR3: 000000040afff000 CR4: 00000000000006f0 [ 35.089354] Call Trace: [ 35.089749] <TASK> [ 35.090168] truncate_inode_pages_range+0xfc/0x4d0 [ 35.091078] truncate_pagecache+0x47/0x60 [ 35.091735] xfs_setattr_size+0xc7/0x3e0 [ 35.092648] xfs_vn_setattr+0x1ea/0x270 [ 35.093437] notify_change+0x1f4/0x510 [ 35.094219] ? do_truncate+0x97/0xe0 [ 35.094879] do_truncate+0x97/0xe0 [ 35.095640] path_openat+0xabd/0xca0 [ 35.096278] do_filp_open+0xd7/0x190 [ 35.096860] do_sys_openat2+0x8a/0xe0 [ 35.097459] __x64_sys_openat+0x6d/0xa0 [ 35.098076] do_syscall_64+0xbb/0x1d0 [ 35.098647] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 35.099444] RIP: 0033:0x7f9134d81fc1 [ 35.100033] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 2a 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff5 [ 35.102993] RSP: 002b:00007ffcd41e0d10 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 [ 35.104263] RAX: ffffffffffffffda RBX: 0000000000000242 RCX: 00007f9134d81fc1 [ 35.105452] RDX: 0000000000000242 RSI: 00007ffcd41e1200 RDI: 00000000ffffff9c [ 35.106663] RBP: 00007ffcd41e1200 R08: 0000000000000000 R09: 0000000000000064 [ 35.107923] R10: 00000000000001a4 R11: 0000000000000202 R12: 0000000000000066 [ 35.109112] R13: 0000000000100000 R14: 0000000000100000 R15: 0000000000000400 [ 35.110357] </TASK> [ 35.110769] irq event stamp: 8415587 [ 35.111486] hardirqs last enabled at (8415599): [<ffffffff8d74b562>] __up_console_sem+0x52/0x60 [ 35.113067] hardirqs last disabled at (8415610): [<ffffffff8d74b547>] __up_console_sem+0x37/0x60 [ 35.114575] softirqs last enabled at (8415300): [<ffffffff8d6ac625>] handle_softirqs+0x315/0x3f0 [ 35.115933] softirqs last disabled at (8415291): [<ffffffff8d6ac811>] __irq_exit_rcu+0xa1/0xc0 [ 35.117316] ---[ end trace 0000000000000000 ]--- Fix this by using xas_reset() instead, which is equivalent in implementation to xas_pause() but does not advance the XArray state. Link: https://lkml.kernel.org/r/20250523043749.1460780-1-apopple@nvidia.com Fixes: 6be3e21d25ca ("fs/dax: don't skip locked entries when scanning entries") Signed-off-by: Alistair Popple <apopple(a)nvidia.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Cc: Alison Schofield <alison.schofield(a)intel.com> Cc: Matthew Wilcow (Oracle) <willy(a)infradead.org> Cc: Balbir Singh <balbirs(a)nvidia.com> Cc: "Darrick J. Wong" <djwong(a)kernel.org> Cc: Dave Chinner <david(a)fromorbit.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Ted Ts'o <tytso(a)mit.edu> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/dax.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/dax.c~fs-dax-fix-dont-skip-locked-entries-when-scanning-entries +++ a/fs/dax.c @@ -257,7 +257,7 @@ static void *wait_entry_unlocked_exclusi wq = dax_entry_waitqueue(xas, entry, &ewait.key); prepare_to_wait_exclusive(wq, &ewait.wait, TASK_UNINTERRUPTIBLE); - xas_pause(xas); + xas_reset(xas); xas_unlock_irq(xas); schedule(); finish_wait(wq, &ewait.wait); _ Patches currently in -mm which might be from apopple(a)nvidia.com are fs-dax-fix-dont-skip-locked-entries-when-scanning-entries.patch

5 months, 3 weeks

1
0
0 0

+ mm-khugepaged-fix-race-with-folio-split-free-using-temporary-reference.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/khugepaged: fix race with folio split/free using temporary reference has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-khugepaged-fix-race-with-folio-split-free-using-temporary-reference.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Shivank Garg <shivankg(a)amd.com> Subject: mm/khugepaged: fix race with folio split/free using temporary reference Date: Mon, 26 May 2025 18:28:18 +0000 hpage_collapse_scan_file() calls is_refcount_suitable(), which in turn calls folio_mapcount(). folio_mapcount() checks folio_test_large() before proceeding to folio_large_mapcount(), but there is a race window where the folio may get split/freed between these checks, triggering: VM_WARN_ON_FOLIO(!folio_test_large(folio), folio) Take a temporary reference to the folio in hpage_collapse_scan_file(). This stabilizes the folio during refcount check and prevents incorrect large folio detection due to concurrent split/free. Use helper folio_expected_ref_count() + 1 to compare with folio_ref_count() instead of using is_refcount_suitable(). Link: https://lkml.kernel.org/r/20250526182818.37978-1-shivankg@amd.com Fixes: 05c5323b2a34 ("mm: track mapcount of large folios in single value") Signed-off-by: Shivank Garg <shivankg(a)amd.com> Reported-by: syzbot+2b99589e33edbe9475ca(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6828470d.a70a0220.38f255.000c.GAE@google.com Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Dev Jain <dev.jain(a)arm.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Bharata B Rao <bharata(a)amd.com> Cc: Fengwei Yin <fengwei.yin(a)intel.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/khugepaged.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) --- a/mm/khugepaged.c~mm-khugepaged-fix-race-with-folio-split-free-using-temporary-reference +++ a/mm/khugepaged.c @@ -2295,6 +2295,17 @@ static int hpage_collapse_scan_file(stru continue; } + if (!folio_try_get(folio)) { + xas_reset(&xas); + continue; + } + + if (unlikely(folio != xas_reload(&xas))) { + folio_put(folio); + xas_reset(&xas); + continue; + } + if (folio_order(folio) == HPAGE_PMD_ORDER && folio->index == start) { /* Maybe PMD-mapped */ @@ -2305,23 +2316,27 @@ static int hpage_collapse_scan_file(stru * it's safe to skip LRU and refcount checks before * returning. */ + folio_put(folio); break; } node = folio_nid(folio); if (hpage_collapse_scan_abort(node, cc)) { result = SCAN_SCAN_ABORT; + folio_put(folio); break; } cc->node_load[node]++; if (!folio_test_lru(folio)) { result = SCAN_PAGE_LRU; + folio_put(folio); break; } - if (!is_refcount_suitable(folio)) { + if (folio_expected_ref_count(folio) + 1 != folio_ref_count(folio)) { result = SCAN_PAGE_COUNT; + folio_put(folio); break; } @@ -2333,6 +2348,7 @@ static int hpage_collapse_scan_file(stru */ present += folio_nr_pages(folio); + folio_put(folio); if (need_resched()) { xas_pause(&xas); _ Patches currently in -mm which might be from shivankg(a)amd.com are mm-khugepaged-fix-race-with-folio-split-free-using-temporary-reference.patch mm-khugepaged-clean-up-refcount-check-using-folio_expected_ref_count.patch

5 months, 3 weeks

1
0
0 0

[PATCH] block: Fix a deadlock related freezing zoned storage devices

by Bart Van Assche

blk_mq_freeze_queue() never terminates if one or more bios are on the plug list and if the block device driver defines a .submit_bio() method. This is the case for device mapper drivers. The deadlock happens because blk_mq_freeze_queue() waits for q_usage_counter to drop to zero, because a queue reference is held by bios on the plug list and because the __bio_queue_enter() call in __submit_bio() waits for the queue to be unfrozen. This patch fixes the following deadlock: Workqueue: dm-51_zwplugs blk_zone_wplug_bio_work Call trace: __schedule+0xb08/0x1160 schedule+0x48/0xc8 __bio_queue_enter+0xcc/0x1d0 __submit_bio+0x100/0x1b0 submit_bio_noacct_nocheck+0x230/0x49c blk_zone_wplug_bio_work+0x168/0x250 process_one_work+0x26c/0x65c worker_thread+0x33c/0x498 kthread+0x110/0x134 ret_from_fork+0x10/0x20 Call trace: __switch_to+0x230/0x410 __schedule+0xb08/0x1160 schedule+0x48/0xc8 blk_mq_freeze_queue_wait+0x78/0xb8 blk_mq_freeze_queue+0x90/0xa4 queue_attr_store+0x7c/0xf0 sysfs_kf_write+0x98/0xc8 kernfs_fop_write_iter+0x12c/0x1d4 vfs_write+0x340/0x3ac ksys_write+0x78/0xe8 Cc: Christoph Hellwig <hch(a)lst.de> Cc: Damien Le Moal <dlemoal(a)kernel.org> Cc: Yu Kuai <yukuai1(a)huaweicloud.com> Cc: Ming Lei <ming.lei(a)redhat.com> Cc: stable(a)vger.kernel.org Fixes: dd291d77cc90 ("block: Introduce zone write plugging") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- Changes compared to v1: fixed a race condition. Call bio_zone_write_plugging() only before submitting the bio and not after it has been submitted. block/blk-core.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/block/blk-core.c b/block/blk-core.c index b862c66018f2..713fb3865260 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -621,6 +621,13 @@ static inline blk_status_t blk_check_zone_append(struct request_queue *q, return BLK_STS_OK; } +/* + * Do not call bio_queue_enter() if the BIO_ZONE_WRITE_PLUGGING flag has been + * set because this causes blk_mq_freeze_queue() to deadlock if + * blk_zone_wplug_bio_work() submits a bio. Calling bio_queue_enter() for bios + * on the plug list is not necessary since a q_usage_counter reference is held + * while a bio is on the plug list. + */ static void __submit_bio(struct bio *bio) { /* If plug is not used, add new plug here to cache nsecs time. */ @@ -633,8 +640,12 @@ static void __submit_bio(struct bio *bio) if (!bdev_test_flag(bio->bi_bdev, BD_HAS_SUBMIT_BIO)) { blk_mq_submit_bio(bio); - } else if (likely(bio_queue_enter(bio) == 0)) { + } else { struct gendisk *disk = bio->bi_bdev->bd_disk; + bool zwp = bio_zone_write_plugging(bio); + + if (unlikely(!zwp && bio_queue_enter(bio) != 0)) + goto finish_plug; if ((bio->bi_opf & REQ_POLLED) && !(disk->queue->limits.features & BLK_FEAT_POLL)) { @@ -643,9 +654,12 @@ static void __submit_bio(struct bio *bio) } else { disk->fops->submit_bio(bio); } - blk_queue_exit(disk->queue); + + if (!zwp) + blk_queue_exit(disk->queue); } +finish_plug: blk_finish_plug(&plug); }

5 months, 3 weeks

5
15
0 0

[PATCH 1/2] drm/buddy: Add public helper to dirty blocks

by Natalie Vock

Cleared blocks that are handed out to users after allocation cannot be presumed to remain cleared. Thus, allocators using drm_buddy need to dirty all blocks on the allocation success path. Provide a helper for them to use. Fixes: 96950929eb232 ("drm/buddy: Implement tracking clear page feature") Cc: stable(a)vger.kernel.org Signed-off-by: Natalie Vock <natalie.vock(a)gmx.de> --- include/drm/drm_buddy.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 9689a7c5dd36..48628ff1c24f 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -142,6 +142,12 @@ drm_buddy_block_size(struct drm_buddy *mm, return mm->chunk_size << drm_buddy_block_order(block); } +static inline void +drm_buddy_block_set_dirty(struct drm_buddy_block *block) +{ + block->header &= ~DRM_BUDDY_HEADER_CLEAR; +} + int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size); void drm_buddy_fini(struct drm_buddy *mm); -- 2.49.0

5 months, 3 weeks

1
0
0 0

[PATCH v2] drm/xe/sched: stop re-submitting signalled jobs

by Matthew Auld

Customer is reporting a really subtle issue where we get random DMAR faults, hangs and other nasties for kernel migration jobs when stressing stuff like s2idle/s3/s4. The explosions seems to happen somewhere after resuming the system with splats looking something like: PM: suspend exit rfkill: input handler disabled xe 0000:00:02.0: [drm] GT0: Engine reset: engine_class=bcs, logical_mask: 0x2, guc_id=0 xe 0000:00:02.0: [drm] GT0: Timedout job: seqno=24496, lrc_seqno=24496, guc_id=0, flags=0x13 in no process [-1] xe 0000:00:02.0: [drm] GT0: Kernel-submitted job timed out The likely cause appears to be a race between suspend cancelling the worker that processes the free_job()'s, such that we still have pending jobs to be freed after the cancel. Following from this, on resume the pending_list will now contain at least one already complete job, but it looks like we call drm_sched_resubmit_jobs(), which will then call run_job() on everything still on the pending_list. But if the job was already complete, then all the resources tied to the job, like the bb itself, any memory that is being accessed, the iommu mappings etc. might be long gone since those are usually tied to the fence signalling. This scenario can be seen in ftrace when running a slightly modified xe_pm (kernel was only modified to inject artificial latency into free_job to make the race easier to hit): xe_sched_job_run: dev=0000:00:02.0, fence=0xffff888276cc8540, seqno=0, lrc_seqno=0, gt=0, guc_id=0, batch_addr=0x000000146910 ... xe_exec_queue_stop: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x0, flags=0x13 xe_exec_queue_stop: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=1, guc_state=0x0, flags=0x4 xe_exec_queue_stop: dev=0000:00:02.0, 4:0x1, gt=1, width=1, guc_id=0, guc_state=0x0, flags=0x3 xe_exec_queue_stop: dev=0000:00:02.0, 1:0x1, gt=1, width=1, guc_id=1, guc_state=0x0, flags=0x3 xe_exec_queue_stop: dev=0000:00:02.0, 4:0x1, gt=1, width=1, guc_id=2, guc_state=0x0, flags=0x3 xe_exec_queue_resubmit: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x0, flags=0x13 xe_sched_job_run: dev=0000:00:02.0, fence=0xffff888276cc8540, seqno=0, lrc_seqno=0, gt=0, guc_id=0, batch_addr=0x000000146910 ... ..... xe_exec_queue_memory_cat_error: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x3, flags=0x13 So the job_run() is clearly triggered twice for the same job, even though the first must have already signalled to completion during suspend. We can also see a CAT error after the re-submit. To prevent this try to call xe_sched_stop() to forcefully remove anything on the pending_list that has already signalled, before we re-submit. v2: - Make sure to re-arm the fence callbacks with sched_start(). Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4856 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: William Tseng <william.tseng(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_gpu_scheduler.h b/drivers/gpu/drm/xe/xe_gpu_scheduler.h index c250ea773491..0c8fe0461df9 100644 --- a/drivers/gpu/drm/xe/xe_gpu_scheduler.h +++ b/drivers/gpu/drm/xe/xe_gpu_scheduler.h @@ -51,7 +51,9 @@ static inline void xe_sched_tdr_queue_imm(struct xe_gpu_scheduler *sched) static inline void xe_sched_resubmit_jobs(struct xe_gpu_scheduler *sched) { + drm_sched_stop(&sched->base, NULL); /* remove completed jobs */ drm_sched_resubmit_jobs(&sched->base); + drm_sched_start(&sched->base, 0); /* re-add fence callback for pending jobs */ } static inline bool -- 2.49.0

5 months, 3 weeks

2
1
0 0

[PATCH 0/3] ASoC: codecs: wcd93xx: Few regulator supplies fixes

by Krzysztof Kozlowski

Fix cleanup paths in wcd9335 and wcd937x codec drivers. Best regards, Krzysztof --- Krzysztof Kozlowski (3): ASoC: codecs: wcd9335: Fix missing free of regulator supplies ASoC: codecs: wcd937x: Drop unused buck_supply ASoC: codecs: wcd9375: Fix double free of regulator supplies sound/soc/codecs/wcd9335.c | 25 +++++++------------------ sound/soc/codecs/wcd937x.c | 7 +------ 2 files changed, 8 insertions(+), 24 deletions(-) --- base-commit: 393d0c54cae31317deaa9043320c5fd9454deabc change-id: 20250526-b4-b4-asoc-wcd9395-vdd-px-fixes-0ce64398f9cc Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

5 months, 3 weeks

2
4
0 0

Re: Patch "libbpf: Pass BPF token from find_prog_btf_id to BPF_BTF_GET_FD_BY_ID" has been added to the 6

by Pascal Ernster

[2025-05-22 23:08] Sasha Levin: > This is a note to let you know that I've just added the patch titled > > libbpf: Pass BPF token from find_prog_btf_id to BPF_BTF_GET_FD_BY_ID > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > libbpf-pass-bpf-token-from-find_prog_btf_id-to-bpf_b.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 7a8beec7026564efe57ebf9c4c568ed0071f2e39 > Author: Mykyta Yatsenko <yatsenko(a)meta.com> > Date: Mon Mar 17 17:40:38 2025 +0000 > > libbpf: Pass BPF token from find_prog_btf_id to BPF_BTF_GET_FD_BY_ID > > [ Upstream commit 974ef9f0d23edc1a802691c585b84514b414a96d ] > > Pass BPF token from bpf_program__set_attach_target to > BPF_BTF_GET_FD_BY_ID bpf command. > When freplace program attaches to target program, it needs to look up > for BTF of the target, this may require BPF token, if, for example, > running from user namespace. > > Signed-off-by: Mykyta Yatsenko <yatsenko(a)meta.com> > Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> > Acked-by: Yonghong Song <yonghong.song(a)linux.dev> > Link: https://lore.kernel.org/bpf/20250317174039.161275-4-mykyta.yatsenko5@gmail.… > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c > index 359f73ead6137..a9c3e33d0f8a9 100644 > --- a/tools/lib/bpf/bpf.c > +++ b/tools/lib/bpf/bpf.c > @@ -1097,7 +1097,7 @@ int bpf_map_get_fd_by_id(__u32 id) > int bpf_btf_get_fd_by_id_opts(__u32 id, > const struct bpf_get_fd_by_id_opts *opts) > { > - const size_t attr_sz = offsetofend(union bpf_attr, open_flags); > + const size_t attr_sz = offsetofend(union bpf_attr, fd_by_id_token_fd); > union bpf_attr attr; > int fd; > > @@ -1107,6 +1107,7 @@ int bpf_btf_get_fd_by_id_opts(__u32 id, > memset(&attr, 0, attr_sz); > attr.btf_id = id; > attr.open_flags = OPTS_GET(opts, open_flags, 0); > + attr.fd_by_id_token_fd = OPTS_GET(opts, token_fd, 0); > > fd = sys_bpf_fd(BPF_BTF_GET_FD_BY_ID, &attr, attr_sz); > return libbpf_err_errno(fd); > diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h > index 435da95d20589..777627d33d257 100644 > --- a/tools/lib/bpf/bpf.h > +++ b/tools/lib/bpf/bpf.h > @@ -487,9 +487,10 @@ LIBBPF_API int bpf_link_get_next_id(__u32 start_id, __u32 *next_id); > struct bpf_get_fd_by_id_opts { > size_t sz; /* size of this struct for forward/backward compatibility */ > __u32 open_flags; /* permissions requested for the operation on fd */ > + __u32 token_fd; > size_t :0; > }; > -#define bpf_get_fd_by_id_opts__last_field open_flags > +#define bpf_get_fd_by_id_opts__last_field token_fd > > LIBBPF_API int bpf_prog_get_fd_by_id(__u32 id); > LIBBPF_API int bpf_prog_get_fd_by_id_opts(__u32 id, > diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c > index 560b519f820e2..03cc7c46c16b5 100644 > --- a/tools/lib/bpf/btf.c > +++ b/tools/lib/bpf/btf.c > @@ -1619,12 +1619,18 @@ struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf) > return btf; > } > > -struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) > +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd) > { > struct btf *btf; > int btf_fd; > + LIBBPF_OPTS(bpf_get_fd_by_id_opts, opts); > + > + if (token_fd) { > + opts.open_flags |= BPF_F_TOKEN_FD; > + opts.token_fd = token_fd; > + } > > - btf_fd = bpf_btf_get_fd_by_id(id); > + btf_fd = bpf_btf_get_fd_by_id_opts(id, &opts); > if (btf_fd < 0) > return libbpf_err_ptr(-errno); > > @@ -1634,6 +1640,11 @@ struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) > return libbpf_ptr(btf); > } > > +struct btf *btf__load_from_kernel_by_id_split(__u32 id, struct btf *base_btf) > +{ > + return btf_load_from_kernel(id, base_btf, 0); > +} > + > struct btf *btf__load_from_kernel_by_id(__u32 id) > { > return btf__load_from_kernel_by_id_split(id, NULL); > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c > index 194809da51725..6b436ec872b0f 100644 > --- a/tools/lib/bpf/libbpf.c > +++ b/tools/lib/bpf/libbpf.c > @@ -9959,7 +9959,7 @@ int libbpf_find_vmlinux_btf_id(const char *name, > return libbpf_err(err); > } > > -static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) > +static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd, int token_fd) > { > struct bpf_prog_info info; > __u32 info_len = sizeof(info); > @@ -9979,7 +9979,7 @@ static int libbpf_find_prog_btf_id(const char *name, __u32 attach_prog_fd) > pr_warn("The target program doesn't have BTF\n"); > goto out; > } > - btf = btf__load_from_kernel_by_id(info.btf_id); > + btf = btf_load_from_kernel(info.btf_id, NULL, token_fd); > err = libbpf_get_error(btf); > if (err) { > pr_warn("Failed to get BTF %d of the program: %s\n", info.btf_id, errstr(err)); > @@ -10062,7 +10062,7 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac > pr_warn("prog '%s': attach program FD is not set\n", prog->name); > return -EINVAL; > } > - err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd); > + err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd, prog->obj->token_fd); > if (err < 0) { > pr_warn("prog '%s': failed to find BPF program (FD %d) BTF ID for '%s': %s\n", > prog->name, attach_prog_fd, attach_name, errstr(err)); > @@ -12858,7 +12858,7 @@ struct bpf_link *bpf_program__attach_freplace(const struct bpf_program *prog, > if (target_fd) { > LIBBPF_OPTS(bpf_link_create_opts, target_opts); > > - btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd); > + btf_id = libbpf_find_prog_btf_id(attach_func_name, target_fd, prog->obj->token_fd); > if (btf_id < 0) > return libbpf_err_ptr(btf_id); > > @@ -13679,7 +13679,7 @@ int bpf_program__set_attach_target(struct bpf_program *prog, > > if (attach_prog_fd) { > btf_id = libbpf_find_prog_btf_id(attach_func_name, > - attach_prog_fd); > + attach_prog_fd, prog->obj->token_fd); > if (btf_id < 0) > return libbpf_err(btf_id); > } else { > diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h > index de498e2dd6b0b..76669c73dcd16 100644 > --- a/tools/lib/bpf/libbpf_internal.h > +++ b/tools/lib/bpf/libbpf_internal.h > @@ -409,6 +409,7 @@ int libbpf__load_raw_btf(const char *raw_types, size_t types_len, > int btf_load_into_kernel(struct btf *btf, > char *log_buf, size_t log_sz, __u32 log_level, > int token_fd); > +struct btf *btf_load_from_kernel(__u32 id, struct btf *base_btf, int token_fd); > > struct btf *btf_get_from_fd(int btf_fd, struct btf *base_btf); > void btf_get_kernel_prefix_kind(enum bpf_attach_type attach_type, Hi, this patch breaks the build for Kernel 6.14.8 with all the other patches from https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tre… applied on top. A backported version of the same patch is also in queue-6.12, but I haven't tested if that one also breaks the build for Kernel 6.12.30. Regards Pascal

5 months, 3 weeks

2
4
0 0

[PATCH v2 net 0/1] e1000e: fix heap overflow in e1000_set_eeprom()

by Mikael Wessel

v2: patch the correct write helper and add bounds-checking; v1 mistakenly guarded e1000_get_eeprom() (read path). --- Mikael Wessel (1): e1000e: fix heap overflow in e1000_set_eeprom() drivers/net/ethernet/intel/e1000e/ethtool.c | 3 +++ 1 file changed, 3 insertions(+) -- 2.48.1

5 months, 3 weeks

4
5
0 0

Series for -Wunterminated-string-initialization in 6.14 and 6.12

by Nathan Chancellor

Hi Greg and Sasha, Please find attatched backports for 6.14 and 6.12 (which have -Wextra enabled by default) to turn off a new warning from -Wextra in GCC 15 and Clang 21, -Wunterminated-string-initialization, which is fatal when CONFIG_WERROR is enabled. Please let me know if there are any issues or questions. Cheers, Nathan

5 months, 3 weeks

2
1
0 0

[SRU] [Noble] [PATCH 1/1] net: usb: usbnet: restore usb%d name exception for local mac addresses

by Jianlin Lv

From: Dominique Martinet <dominique.martinet(a)atmark-techno.com> BugLink: https://bugs.launchpad.net/bugs/2111592 commit 8a7d12d674ac ("net: usb: usbnet: fix name regression") assumed that local addresses always came from the kernel, but some devices hand out local mac addresses so we ended up with point-to-point devices with a mac set by the driver, renaming to eth%d when they used to be named usb%d. Userspace should not rely on device name, but for the sake of stability restore the local mac address check portion of the naming exception: point to point devices which either have no mac set by the driver or have a local mac handed out by the driver will keep the usb%d name. (some USB LTE modems are known to hand out a stable mac from the locally administered range; that mac appears to be random (different for mulitple devices) and can be reset with device-specific commands, so while such devices would benefit from getting a OUI reserved, we have to deal with these and might as well preserve the existing behavior to avoid breaking fragile openwrt configurations and such on upgrade.) Link: https://lkml.kernel.org/r/20241203130457.904325-1-asmadeus@codewreck.org Fixes: 8a7d12d674ac ("net: usb: usbnet: fix name regression") Cc: stable(a)vger.kernel.org Tested-by: Ahmed Naseef <naseefkm(a)gmail.com> Signed-off-by: Dominique Martinet <dominique.martinet(a)atmark-techno.com> Acked-by: Oliver Neukum <oneukum(a)suse.com> Link: https://patch.msgid.link/20250326-usbnet_rename-v2-1-57eb21fcff26@atmark-te… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> (cherry picked from commit 2ea396448f26d0d7d66224cb56500a6789c7ed07) Signed-off-by: Jianlin Lv <iecedge(a)gmail.com> --- drivers/net/usb/usbnet.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 9f66c47dc58b..08cbc8e4b361 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -178,6 +178,17 @@ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress) } EXPORT_SYMBOL_GPL(usbnet_get_ethernet_addr); +static bool usbnet_needs_usb_name_format(struct usbnet *dev, struct net_device *net) +{ + /* Point to point devices which don't have a real MAC address + * (or report a fake local one) have historically used the usb%d + * naming. Preserve this.. + */ + return (dev->driver_info->flags & FLAG_POINTTOPOINT) != 0 && + (is_zero_ether_addr(net->dev_addr) || + is_local_ether_addr(net->dev_addr)); +} + static void intr_complete (struct urb *urb) { struct usbnet *dev = urb->context; @@ -1766,13 +1777,11 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) if (status < 0) goto out1; - // heuristic: "usb%d" for links we know are two-host, - // else "eth%d" when there's reasonable doubt. userspace - // can rename the link if it knows better. + /* heuristic: rename to "eth%d" if we are not sure this link + * is two-host (these links keep "usb%d") + */ if ((dev->driver_info->flags & FLAG_ETHER) != 0 && - ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || - /* somebody touched it*/ - !is_zero_ether_addr(net->dev_addr))) + !usbnet_needs_usb_name_format(dev, net)) strscpy(net->name, "eth%d", sizeof(net->name)); /* WLAN devices should always be named "wlan%d" */ if ((dev->driver_info->flags & FLAG_WLAN) != 0) -- 2.34.1

5 months, 3 weeks

2
1
0 0

Re: Patch "btrfs: properly limit inline data extent according to block size" has been added to the 6.12-stable tree

by Qu Wenruo

在 2025/5/23 07:31, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: properly limit inline data extent according to block size > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-properly-limit-inline-data-extent-according-to.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch from all stable trees. This is only for a debug feature, 2K block size, and it will never be exposed to end users (only to allow people without a 64K page sized system to test subpage routine on x86_64). Thanks, Qu > > > > commit a5afc96d757771c992eb3af4629a562ec52ba1dc > Author: Qu Wenruo <wqu(a)suse.com> > Date: Tue Feb 25 14:30:44 2025 +1030 > > btrfs: properly limit inline data extent according to block size > > [ Upstream commit 23019d3e6617a8ec99a8d2f5947aa3dd8a74a1b8 ] > > Btrfs utilizes inline data extent for the following cases: > > - Regular small files > - Symlinks > > And "btrfs check" detects any file extents that are too large as an > error. > > It's not a problem for 4K block size, but for the incoming smaller > block sizes (2K), it can cause problems due to bad limits: > > - Non-compressed inline data extents > We do not allow a non-compressed inline data extent to be as large as > block size. > > - Symlinks > Currently the only real limit on symlinks are 4K, which can be larger > than 2K block size. > > These will result btrfs-check to report too large file extents. > > Fix it by adding proper size checks for the above cases. > > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Reviewed-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 9ce1270addb04..0da2611fb9c85 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -623,6 +623,10 @@ static bool can_cow_file_range_inline(struct btrfs_inode *inode, > if (size > fs_info->sectorsize) > return false; > > + /* We do not allow a non-compressed extent to be as large as block size. */ > + if (data_len >= fs_info->sectorsize) > + return false; > + > /* We cannot exceed the maximum inline data size. */ > if (data_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info)) > return false; > @@ -8691,7 +8695,12 @@ static int btrfs_symlink(struct mnt_idmap *idmap, struct inode *dir, > struct extent_buffer *leaf; > > name_len = strlen(symname); > - if (name_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info)) > + /* > + * Symlinks utilize uncompressed inline extent data, which should not > + * reach block size. > + */ > + if (name_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info) || > + name_len >= fs_info->sectorsize) > return -ENAMETOOLONG; > > inode = new_inode(dir->i_sb);

5 months, 3 weeks

2
1
0 0

Re: Patch "btrfs: zoned: exit btrfs_can_activate_zone if BTRFS_FS_NEED_ZONE_FINISH is set" has been added to the 6.14-stable tree

by Johannes Thumshirn

On 22.05.25 23:06, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > btrfs: zoned: exit btrfs_can_activate_zone if BTRFS_FS_NEED_ZONE_FINISH is set > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-zoned-exit-btrfs_can_activate_zone-if-btrfs_fs.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > Hey Sasha, this patch is just a readability cleanup, no reason to backport it. Thanks, Johannes > > > commit 1136d333d91088ecf2d5189367540a84e60449a0 > Author: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> > Date: Wed Feb 12 15:05:00 2025 +0100 > > btrfs: zoned: exit btrfs_can_activate_zone if BTRFS_FS_NEED_ZONE_FINISH is set > > [ Upstream commit 26b38e28162ef4ceb1e0482299820fbbd7dbcd92 ] > > If BTRFS_FS_NEED_ZONE_FINISH is already set for the whole filesystem, exit > early in btrfs_can_activate_zone(). There's no need to check if > BTRFS_FS_NEED_ZONE_FINISH needs to be set if it is already set. > > Reviewed-by: Naohiro Aota <naohiro.aota(a)wdc.com> > Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> > Reviewed-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c > index f39656668967c..4a3e02b49f295 100644 > --- a/fs/btrfs/zoned.c > +++ b/fs/btrfs/zoned.c > @@ -2344,6 +2344,9 @@ bool btrfs_can_activate_zone(struct btrfs_fs_devices *fs_devices, u64 flags) > if (!btrfs_is_zoned(fs_info)) > return true; > > + if (test_bit(BTRFS_FS_NEED_ZONE_FINISH, &fs_info->flags)) > + return false; > + > /* Check if there is a device with active zones left */ > mutex_lock(&fs_info->chunk_mutex); > spin_lock(&fs_info->zone_active_bgs_lock); >

5 months, 3 weeks

2
1
0 0

[SRU] [Noble] [PATCH 1/1] net: usb: usbnet: restore usb%d name exception for local mac addresses

by Jianlin Lv

From: Dominique Martinet <dominique.martinet(a)atmark-techno.com> commit 8a7d12d674ac ("net: usb: usbnet: fix name regression") assumed that local addresses always came from the kernel, but some devices hand out local mac addresses so we ended up with point-to-point devices with a mac set by the driver, renaming to eth%d when they used to be named usb%d. Userspace should not rely on device name, but for the sake of stability restore the local mac address check portion of the naming exception: point to point devices which either have no mac set by the driver or have a local mac handed out by the driver will keep the usb%d name. (some USB LTE modems are known to hand out a stable mac from the locally administered range; that mac appears to be random (different for mulitple devices) and can be reset with device-specific commands, so while such devices would benefit from getting a OUI reserved, we have to deal with these and might as well preserve the existing behavior to avoid breaking fragile openwrt configurations and such on upgrade.) Link: https://lkml.kernel.org/r/20241203130457.904325-1-asmadeus@codewreck.org Fixes: 8a7d12d674ac ("net: usb: usbnet: fix name regression") Cc: stable(a)vger.kernel.org Tested-by: Ahmed Naseef <naseefkm(a)gmail.com> Signed-off-by: Dominique Martinet <dominique.martinet(a)atmark-techno.com> Acked-by: Oliver Neukum <oneukum(a)suse.com> Link: https://patch.msgid.link/20250326-usbnet_rename-v2-1-57eb21fcff26@atmark-te… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> (cherry picked from commit 2ea396448f26d0d7d66224cb56500a6789c7ed07) Signed-off-by: Jianlin Lv <iecedge(a)gmail.com> --- drivers/net/usb/usbnet.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 9f66c47dc58b..08cbc8e4b361 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -178,6 +178,17 @@ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress) } EXPORT_SYMBOL_GPL(usbnet_get_ethernet_addr); +static bool usbnet_needs_usb_name_format(struct usbnet *dev, struct net_device *net) +{ + /* Point to point devices which don't have a real MAC address + * (or report a fake local one) have historically used the usb%d + * naming. Preserve this.. + */ + return (dev->driver_info->flags & FLAG_POINTTOPOINT) != 0 && + (is_zero_ether_addr(net->dev_addr) || + is_local_ether_addr(net->dev_addr)); +} + static void intr_complete (struct urb *urb) { struct usbnet *dev = urb->context; @@ -1766,13 +1777,11 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) if (status < 0) goto out1; - // heuristic: "usb%d" for links we know are two-host, - // else "eth%d" when there's reasonable doubt. userspace - // can rename the link if it knows better. + /* heuristic: rename to "eth%d" if we are not sure this link + * is two-host (these links keep "usb%d") + */ if ((dev->driver_info->flags & FLAG_ETHER) != 0 && - ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || - /* somebody touched it*/ - !is_zero_ether_addr(net->dev_addr))) + !usbnet_needs_usb_name_format(dev, net)) strscpy(net->name, "eth%d", sizeof(net->name)); /* WLAN devices should always be named "wlan%d" */ if ((dev->driver_info->flags & FLAG_WLAN) != 0) -- 2.34.1

5 months, 3 weeks

2
1
0 0

About patch "remoteproc: qcom_wcnss: Handle platforms with only single power domain" in stable queue

by Matti Lehtimäki

Hi Patch "remoteproc: qcom_wcnss: Handle platforms with only single power domain" was added to stable queue for 6.14, 6.12, 6.6, 6.1 and 5.15 but the patch has an issue which was fixed in upstream commit 4ca45af0a56d00b86285d6fdd720dca3215059a7 (https://lore.kernel.org/linux-arm-msm/20250511234026.94735-1-matti.lehtimak…). Either the patch"remoteproc: qcom_wcnss: Handle platforms with only single power domain" should not be included in stable releases or the fix should be included as well. Adding "remoteproc: qcom_wcnss: Handle platforms with only single power domain" to stable releases is probably not really necessary anyway. Thanks, Matti

5 months, 3 weeks

2
1
0 0

Re: Patch "bpf: Prevent unsafe access to the sock fields in the BPF timestamping callback" has been added to the 6.1-stable tree

by Jason Xing

On Fri, May 23, 2025 at 7:17 AM Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > bpf: Prevent unsafe access to the sock fields in the BPF timestamping callback > > to the 6.1-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > bpf-prevent-unsafe-access-to-the-sock-fields-in-the-.patch > and it can be found in the queue-6.1 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Hi, I'm notified that this patch has been added into many branches, which is against my expectations. The BPF timestaping feature was implemented in 6.14 and the patch you are handling is just one of them. The function of this patch prevents unexpected bpf programs using this feature from triggering fatal problems. So, IMHO, we don't need this patch in all the older/stable branches:) Thanks, Jason > > > > commit 00b709040e0fdf5949dfbf02f38521e0b10943ac > Author: Jason Xing <kerneljasonxing(a)gmail.com> > Date: Thu Feb 20 15:29:31 2025 +0800 > > bpf: Prevent unsafe access to the sock fields in the BPF timestamping callback > > [ Upstream commit fd93eaffb3f977b23bc0a48d4c8616e654fcf133 ] > > The subsequent patch will implement BPF TX timestamping. It will > call the sockops BPF program without holding the sock lock. > > This breaks the current assumption that all sock ops programs will > hold the sock lock. The sock's fields of the uapi's bpf_sock_ops > requires this assumption. > > To address this, a new "u8 is_locked_tcp_sock;" field is added. This > patch sets it in the current sock_ops callbacks. The "is_fullsock" > test is then replaced by the "is_locked_tcp_sock" test during > sock_ops_convert_ctx_access(). > > The new TX timestamping callbacks added in the subsequent patch will > not have this set. This will prevent unsafe access from the new > timestamping callbacks. > > Potentially, we could allow read-only access. However, this would > require identifying which callback is read-safe-only and also requires > additional BPF instruction rewrites in the covert_ctx. Since the BPF > program can always read everything from a socket (e.g., by using > bpf_core_cast), this patch keeps it simple and disables all read > and write access to any socket fields through the bpf_sock_ops > UAPI from the new TX timestamping callback. > > Moreover, note that some of the fields in bpf_sock_ops are specific > to tcp_sock, and sock_ops currently only supports tcp_sock. In > the future, UDP timestamping will be added, which will also break > this assumption. The same idea used in this patch will be reused. > Considering that the current sock_ops only supports tcp_sock, the > variable is named is_locked_"tcp"_sock. > > Signed-off-by: Jason Xing <kerneljasonxing(a)gmail.com> > Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> > Link: https://patch.msgid.link/20250220072940.99994-4-kerneljasonxing@gmail.com > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/include/linux/filter.h b/include/linux/filter.h > index f3ef1a8965bb2..09cc8fb735f02 100644 > --- a/include/linux/filter.h > +++ b/include/linux/filter.h > @@ -1319,6 +1319,7 @@ struct bpf_sock_ops_kern { > void *skb_data_end; > u8 op; > u8 is_fullsock; > + u8 is_locked_tcp_sock; > u8 remaining_opt_len; > u64 temp; /* temp and everything after is not > * initialized to 0 before calling > diff --git a/include/net/tcp.h b/include/net/tcp.h > index 83e0362e3b721..63caa3181dfe6 100644 > --- a/include/net/tcp.h > +++ b/include/net/tcp.h > @@ -2409,6 +2409,7 @@ static inline int tcp_call_bpf(struct sock *sk, int op, u32 nargs, u32 *args) > memset(&sock_ops, 0, offsetof(struct bpf_sock_ops_kern, temp)); > if (sk_fullsock(sk)) { > sock_ops.is_fullsock = 1; > + sock_ops.is_locked_tcp_sock = 1; > sock_owned_by_me(sk); > } > > diff --git a/net/core/filter.c b/net/core/filter.c > index 497b41ac399da..5c9f3fcb957bb 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -10240,10 +10240,10 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, > } \ > *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ > struct bpf_sock_ops_kern, \ > - is_fullsock), \ > + is_locked_tcp_sock), \ > fullsock_reg, si->src_reg, \ > offsetof(struct bpf_sock_ops_kern, \ > - is_fullsock)); \ > + is_locked_tcp_sock)); \ > *insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp); \ > if (si->dst_reg == si->src_reg) \ > *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \ > @@ -10328,10 +10328,10 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, > temp)); \ > *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ > struct bpf_sock_ops_kern, \ > - is_fullsock), \ > + is_locked_tcp_sock), \ > reg, si->dst_reg, \ > offsetof(struct bpf_sock_ops_kern, \ > - is_fullsock)); \ > + is_locked_tcp_sock)); \ > *insn++ = BPF_JMP_IMM(BPF_JEQ, reg, 0, 2); \ > *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \ > struct bpf_sock_ops_kern, sk),\ > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c > index db1a99df29d55..16f4a41a068e4 100644 > --- a/net/ipv4/tcp_input.c > +++ b/net/ipv4/tcp_input.c > @@ -168,6 +168,7 @@ static void bpf_skops_parse_hdr(struct sock *sk, struct sk_buff *skb) > memset(&sock_ops, 0, offsetof(struct bpf_sock_ops_kern, temp)); > sock_ops.op = BPF_SOCK_OPS_PARSE_HDR_OPT_CB; > sock_ops.is_fullsock = 1; > + sock_ops.is_locked_tcp_sock = 1; > sock_ops.sk = sk; > bpf_skops_init_skb(&sock_ops, skb, tcp_hdrlen(skb)); > > @@ -184,6 +185,7 @@ static void bpf_skops_established(struct sock *sk, int bpf_op, > memset(&sock_ops, 0, offsetof(struct bpf_sock_ops_kern, temp)); > sock_ops.op = bpf_op; > sock_ops.is_fullsock = 1; > + sock_ops.is_locked_tcp_sock = 1; > sock_ops.sk = sk; > /* sk with TCP_REPAIR_ON does not have skb in tcp_finish_connect */ > if (skb) > diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c > index 40568365cdb3b..2f109f1968253 100644 > --- a/net/ipv4/tcp_output.c > +++ b/net/ipv4/tcp_output.c > @@ -509,6 +509,7 @@ static void bpf_skops_hdr_opt_len(struct sock *sk, struct sk_buff *skb, > sock_owned_by_me(sk); > > sock_ops.is_fullsock = 1; > + sock_ops.is_locked_tcp_sock = 1; > sock_ops.sk = sk; > } > > @@ -554,6 +555,7 @@ static void bpf_skops_write_hdr_opt(struct sock *sk, struct sk_buff *skb, > sock_owned_by_me(sk); > > sock_ops.is_fullsock = 1; > + sock_ops.is_locked_tcp_sock = 1; > sock_ops.sk = sk; > } >

5 months, 3 weeks

3
2
0 0

[ANNOUNCE] AUTOSEL: Modern AI-powered Linux Kernel Stable Backport Classifier

by Sasha Levin

Hello folks, I'm pleased to announce the release of AUTOSEL, a complete rewrite of the stable kernel patch selection tool that Julia Lawall and I presented back in 2018[1]. Unlike the previous version that relied on word statistics and older neural network techniques, AUTOSEL leverages modern large language models and embedding technology to provide significantly more accurate recommendations. ## What is AUTOSEL? AUTOSEL automatically analyzes Linux kernel commits to determine whether they should be backported to stable kernel trees. It examines commit messages, code changes, and historical backporting patterns to make intelligent recommendations. This is a complete rewrite of the original tool[1], with several major improvements: 1. Uses large language models (Claude, OpenAI, NVIDIA models) for semantic understanding 2. Implements embeddings-based similar commit retrieval for better context 3. Provides detailed explanations for each recommendation 4. Supports batch processing for efficient analysis of multiple commits ## Key Features - Support for multiple LLM providers (Claude, OpenAI, NVIDIA) - Self-contained embeddings using Candle - Optional CUDA acceleration for faster analysis - Detailed explanations of backporting decisions - Extensive test coverage and validation ## Getting Started ``` git clone https://git.sr.ht/~sashal/autosel cd autosel cargo build --release ``` To analyze a specific commit: ``` ./target/release/autosel --kernel-repo ~/linux --models claude --commit <SHA> ``` For more information, see the README.md file in the repository. [1] https://lwn.net/Articles/764647/ -- Thanks, Sasha

5 months, 3 weeks

2
4
0 0

stable-rc/queue/6.14: S390: devres.h:111:16: error: implicit declaration of function 'IOMEM_ERR_PTR' [-Werror=implicit-function-declaration]

by Naresh Kamboju

Regressions on S390 tinyconfig builds failing with gcc-13, gcc-8 and clang-20 and clang-nightly tool chains on the stable-rc/queue/6.14. Regression Analysis: - New regression? Yes - Reproducible? Yes Build regression: S390 tinyconfig devres.h 'devm_ioremap_resource' implicit declaration of function 'IOMEM_ERR_PTR' Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Build log: --------- In file included from include/linux/device.h:31, from include/linux/node.h:18, from include/linux/cpu.h:17, from arch/s390/kernel/traps.c:28: include/linux/device/devres.h: In function 'devm_ioremap_resource': include/linux/device/devres.h:111:16: error: implicit declaration of function 'IOMEM_ERR_PTR' [-Werror=implicit-function-declaration] 111 | return IOMEM_ERR_PTR(-EINVAL); | ^~~~~~~~~~~~~ ## Source * kernel version: 6.14.8 * git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stabl… * git sha: 3413aa4d097e291186719c26f341c52f8550e22c * git describe: v6.14.8-756-g3413aa4d097e * project details: https://qa-reports.linaro.org/lkft/linux-stable-rc-queues-queue_6.14/build/… * architecture: S390 * toolchain: gcc-8, gcc-13, clang-20, clang-nightly * config : tinyconfig * Build config: https://storage.tuxsuite.com/public/linaro/lkft/builds/2xbEAey3MY3M8lp7doND… * Build: https://storage.tuxsuite.com/public/linaro/lkft/builds/2xbEAey3MY3M8lp7doND… ## Boot log * Build log: https://qa-reports.linaro.org/lkft/linux-stable-rc-queues-queue_6.14/build/… * Build details: https://qa-reports.linaro.org/lkft/linux-stable-rc-queues-queue_6.14/build/… * Build history: https://qa-reports.linaro.org/lkft/linux-stable-rc-queues-queue_6.14/build/… ## Steps to reproduce - tuxmake --runtime podman --target-arch s390 --toolchain gcc-13 --kconfig tinyconfig -- Linaro LKFT https://lkft.linaro.org

5 months, 3 weeks

3
2
0 0

[PATCH] ice: Fix a null pointer dereference in ice_copy_and_init_pkg()

by Haoxiang Li

Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference. Fixes: 2ffd87d38d6b ("ice: Move support DDP code out of ice_flex_pipe.c") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/net/ethernet/intel/ice/ice_ddp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/intel/ice/ice_ddp.c b/drivers/net/ethernet/intel/ice/ice_ddp.c index 59323c019544..351824dc3c62 100644 --- a/drivers/net/ethernet/intel/ice/ice_ddp.c +++ b/drivers/net/ethernet/intel/ice/ice_ddp.c @@ -2301,6 +2301,8 @@ enum ice_ddp_state ice_copy_and_init_pkg(struct ice_hw *hw, const u8 *buf, return ICE_DDP_PKG_ERR; buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL); + if (!buf_copy) + return ICE_DDP_PKG_ERR; state = ice_init_pkg(hw, buf_copy, len); if (!ice_is_init_pkg_successful(state)) { -- 2.25.1

5 months, 3 weeks

3
2
0 0

[PATCH v2] riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot

by Jingwei Wang

The riscv_hwprobe vDSO data is populated by init_hwprobe_vdso_data(), an arch_initcall_sync. However, underlying data for some keys, like RISCV_HWPROBE_KEY_MISALIGNED_VECTOR_PERF, is determined asynchronously. Specifically, the per_cpu(vector_misaligned_access, cpu) values are set by the vec_check_unaligned_access_speed_all_cpus kthread. This kthread is spawned by an earlier arch_initcall (check_unaligned_access_all_cpus) and may complete its benchmark *after* init_hwprobe_vdso_data() has already populated the vDSO with default/stale values. So, refresh the vDSO data for specified keys (e.g., MISALIGNED_VECTOR_PERF) ensuring it reflects the final boot-time values. Test by comparing vDSO and syscall results for affected keys (e.g., MISALIGNED_VECTOR_PERF), which now match their final boot-time values. Reported-by: Tsukasa OI <research_trasio(a)irq.a4lg.com> Closes: https://lore.kernel.org/linux-riscv/760d637b-b13b-4518-b6bf-883d55d44e7f@ir… Fixes: e7c9d66e313b ("RISC-V: Report vector unaligned access speed hwprobe") Cc: stable(a)vger.kernel.org Signed-off-by: Jingwei Wang <wangjingwei(a)iscas.ac.cn> --- Changes in v2: - Addressed feedback from Yixun's regarding #ifdef CONFIG_MMU usage. - Updated commit message to provide a high-level summary. - Added Fixes tag for commit e7c9d66e313b. v1: https://lore.kernel.org/linux-riscv/20250521052754.185231-1-wangjingwei@isc… arch/riscv/include/asm/hwprobe.h | 6 ++++++ arch/riscv/kernel/sys_hwprobe.c | 16 ++++++++++++++++ arch/riscv/kernel/unaligned_access_speed.c | 2 +- 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/hwprobe.h b/arch/riscv/include/asm/hwprobe.h index 1f690fea0e03de6a..58dc847d86c7f2b0 100644 --- a/arch/riscv/include/asm/hwprobe.h +++ b/arch/riscv/include/asm/hwprobe.h @@ -40,4 +40,10 @@ static inline bool riscv_hwprobe_pair_cmp(struct riscv_hwprobe *pair, return pair->value == other_pair->value; } +#ifdef CONFIG_MMU +void riscv_hwprobe_vdso_sync(__s64 sync_key); +#else +static inline void riscv_hwprobe_vdso_sync(__s64 sync_key) { }; +#endif /* CONFIG_MMU */ + #endif diff --git a/arch/riscv/kernel/sys_hwprobe.c b/arch/riscv/kernel/sys_hwprobe.c index 249aec8594a92a80..2e3e612b7ac6fd57 100644 --- a/arch/riscv/kernel/sys_hwprobe.c +++ b/arch/riscv/kernel/sys_hwprobe.c @@ -17,6 +17,7 @@ #include <asm/vector.h> #include <asm/vendor_extensions/thead_hwprobe.h> #include <vdso/vsyscall.h> +#include <vdso/datapage.h> static void hwprobe_arch_id(struct riscv_hwprobe *pair, @@ -500,6 +501,21 @@ static int __init init_hwprobe_vdso_data(void) arch_initcall_sync(init_hwprobe_vdso_data); +void riscv_hwprobe_vdso_sync(__s64 sync_key) +{ + struct vdso_arch_data *avd = vdso_k_arch_data; + struct riscv_hwprobe pair; + + pair.key = sync_key; + hwprobe_one_pair(&pair, cpu_online_mask); + /* + * Update vDSO data for the given key. + * Currently for non-ID key updates (e.g. MISALIGNED_VECTOR_PERF), + * so 'homogeneous_cpus' is not re-evaluated here. + */ + avd->all_cpu_hwprobe_values[sync_key] = pair.value; +} + #endif /* CONFIG_MMU */ SYSCALL_DEFINE5(riscv_hwprobe, struct riscv_hwprobe __user *, pairs, diff --git a/arch/riscv/kernel/unaligned_access_speed.c b/arch/riscv/kernel/unaligned_access_speed.c index 585d2dcf2dab1ccb..81bc4997350acc87 100644 --- a/arch/riscv/kernel/unaligned_access_speed.c +++ b/arch/riscv/kernel/unaligned_access_speed.c @@ -375,7 +375,7 @@ static void check_vector_unaligned_access(struct work_struct *work __always_unus static int __init vec_check_unaligned_access_speed_all_cpus(void *unused __always_unused) { schedule_on_each_cpu(check_vector_unaligned_access); - + riscv_hwprobe_vdso_sync(RISCV_HWPROBE_KEY_MISALIGNED_VECTOR_PERF); return 0; } #else /* CONFIG_RISCV_PROBE_VECTOR_UNALIGNED_ACCESS */ -- 2.49.0

5 months, 3 weeks

3
2
0 0

[PATCH] Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1"

by Joonas Lahtinen

This reverts commit d6e020819612a4a06207af858e0978be4d3e3140. The IS_DGFX check was put in place because error capture of buffer objects is expected to be broken on devices with VRAM. We seem to have already submitted the userspace fix to remove that flag, so lets just rely on that for DG1. Cc: stable(a)vger.kernel.org # v6.0+ Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: Andi Shyti <andi.shyti(a)linux.intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Cc: Tvrtko Ursulin <tursulin(a)ursulin.net> Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> --- drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c index 7d44aadcd5a5..02c59808cbe4 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c @@ -2013,7 +2013,7 @@ static int eb_capture_stage(struct i915_execbuffer *eb) continue; if (i915_gem_context_is_recoverable(eb->gem_context) && - GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 10)) + (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0))) return -EINVAL; for_each_batch_create_order(eb, j) { -- 2.49.0

5 months, 3 weeks

3
4
0 0

[PATCH] Bluetooth: hci_qca: move the SoC type check to the right place

by Bartosz Golaszewski

From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Commit 3d05fc82237a ("Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional()") accidentally changed the prevous behavior where power control would be disabled without the BT_EN GPIO only on QCA_WCN6750 and QCA_WCN6855 while also getting the error check wrong. We should treat every IS_ERR() return value from devm_gpiod_get_optional() as a reason to bail-out while we should only set power_ctrl_enabled to false on the two models mentioned above. While at it: use dev_err_probe() to save a LOC. Cc: stable(a)vger.kernel.org Fixes: 3d05fc82237a ("Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional()") Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/bluetooth/hci_qca.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index e00590ba24fdb..a2dc39c005f4f 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -2415,14 +2415,14 @@ static int qca_serdev_probe(struct serdev_device *serdev) qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable", GPIOD_OUT_LOW); - if (IS_ERR(qcadev->bt_en) && - (data->soc_type == QCA_WCN6750 || - data->soc_type == QCA_WCN6855)) { - dev_err(&serdev->dev, "failed to acquire BT_EN gpio\n"); - return PTR_ERR(qcadev->bt_en); - } + if (IS_ERR(qcadev->bt_en)) + return dev_err_probe(&serdev->dev, + PTR_ERR(qcadev->bt_en), + "failed to acquire BT_EN gpio\n"); - if (!qcadev->bt_en) + if (!qcadev->bt_en && + (data->soc_type == QCA_WCN6750 || + data->soc_type == QCA_WCN6855)) power_ctrl_enabled = false; qcadev->sw_ctrl = devm_gpiod_get_optional(&serdev->dev, "swctrl", -- 2.48.1

5 months, 3 weeks

4
3
0 0

[PATCH] Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano

by Zenm Chen

Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano which is based on a Realtek RTL8851BU chip. The information in /sys/kernel/debug/usb/devices about the Bluetooth device is listed as the below: T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=3625 ProdID=010b Rev= 0.00 S: Manufacturer=Realtek S: Product=802.11ax WLAN Adapter S: SerialNumber=00e04c000001 C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8851bu E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Cc: stable(a)vger.kernel.org Signed-off-by: Zenm Chen <zenmchen(a)gmail.com> --- drivers/bluetooth/btusb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 9ab661d2d1e6..3016ee9f2932 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -516,6 +516,10 @@ static const struct usb_device_id quirks_table[] = { { USB_DEVICE(0x0bda, 0xb850), .driver_info = BTUSB_REALTEK }, { USB_DEVICE(0x13d3, 0x3600), .driver_info = BTUSB_REALTEK }, + /* Realtek 8851BU Bluetooth devices */ + { USB_DEVICE(0x3625, 0x010b), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + /* Realtek 8852AE Bluetooth devices */ { USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, -- 2.49.0

5 months, 3 weeks

2
1
0 0

[PATCH] mm/hugetlb: fix a deadlock with pagecache_folio and hugetlb_fault_mutex_table

by Gavin Guo

The patch fixes a deadlock which can be triggered by an internal syzkaller [1] reproducer and captured by bpftrace script [2] and its log [3] in this scenario: Process 1 Process 2 --- --- hugetlb_fault mutex_lock(B) // take B filemap_lock_hugetlb_folio filemap_lock_folio __filemap_get_folio folio_lock(A) // take A hugetlb_wp mutex_unlock(B) // release B ... hugetlb_fault ... mutex_lock(B) // take B filemap_lock_hugetlb_folio filemap_lock_folio __filemap_get_folio folio_lock(A) // blocked unmap_ref_private ... mutex_lock(B) // retake and blocked This is a ABBA deadlock involving two locks: - Lock A: pagecache_folio lock - Lock B: hugetlb_fault_mutex_table lock The deadlock occurs between two processes as follows: 1. The first process (let’s call it Process 1) is handling a copy-on-write (COW) operation on a hugepage via hugetlb_wp. Due to insufficient reserved hugetlb pages, Process 1, owner of the reserved hugetlb page, attempts to unmap a hugepage owned by another process (non-owner) to satisfy the reservation. Before unmapping, Process 1 acquires lock B (hugetlb_fault_mutex_table lock) and then lock A (pagecache_folio lock). To proceed with the unmap, it releases Lock B but retains Lock A. After the unmap, Process 1 tries to reacquire Lock B. However, at this point, Lock B has already been acquired by another process. 2. The second process (Process 2) enters the hugetlb_fault handler during the unmap operation. It successfully acquires Lock B (hugetlb_fault_mutex_table lock) that was just released by Process 1, but then attempts to acquire Lock A (pagecache_folio lock), which is still held by Process 1. As a result, Process 1 (holding Lock A) is blocked waiting for Lock B (held by Process 2), while Process 2 (holding Lock B) is blocked waiting for Lock A (held by Process 1), constructing a ABBA deadlock scenario. The solution here is to unlock the pagecache_folio and provide the pagecache_folio_unlocked variable to the caller to have the visibility over the pagecache_folio status for subsequent handling. The error message: INFO: task repro_20250402_:13229 blocked for more than 64 seconds. Not tainted 6.15.0-rc3+ #24 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:repro_20250402_ state:D stack:25856 pid:13229 tgid:13228 ppid:3513 task_flags:0x400040 flags:0x00004006 Call Trace: <TASK> __schedule+0x1755/0x4f50 schedule+0x158/0x330 schedule_preempt_disabled+0x15/0x30 __mutex_lock+0x75f/0xeb0 hugetlb_wp+0xf88/0x3440 hugetlb_fault+0x14c8/0x2c30 trace_clock_x86_tsc+0x20/0x20 do_user_addr_fault+0x61d/0x1490 exc_page_fault+0x64/0x100 asm_exc_page_fault+0x26/0x30 RIP: 0010:__put_user_4+0xd/0x20 copy_process+0x1f4a/0x3d60 kernel_clone+0x210/0x8f0 __x64_sys_clone+0x18d/0x1f0 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x41b26d </TASK> INFO: task repro_20250402_:13229 is blocked on a mutex likely owned by task repro_20250402_:13250. task:repro_20250402_ state:D stack:28288 pid:13250 tgid:13228 ppid:3513 task_flags:0x400040 flags:0x00000006 Call Trace: <TASK> __schedule+0x1755/0x4f50 schedule+0x158/0x330 io_schedule+0x92/0x110 folio_wait_bit_common+0x69a/0xba0 __filemap_get_folio+0x154/0xb70 hugetlb_fault+0xa50/0x2c30 trace_clock_x86_tsc+0x20/0x20 do_user_addr_fault+0xace/0x1490 exc_page_fault+0x64/0x100 asm_exc_page_fault+0x26/0x30 RIP: 0033:0x402619 </TASK> INFO: task repro_20250402_:13250 blocked for more than 65 seconds. Not tainted 6.15.0-rc3+ #24 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:repro_20250402_ state:D stack:28288 pid:13250 tgid:13228 ppid:3513 task_flags:0x400040 flags:0x00000006 Call Trace: <TASK> __schedule+0x1755/0x4f50 schedule+0x158/0x330 io_schedule+0x92/0x110 folio_wait_bit_common+0x69a/0xba0 __filemap_get_folio+0x154/0xb70 hugetlb_fault+0xa50/0x2c30 trace_clock_x86_tsc+0x20/0x20 do_user_addr_fault+0xace/0x1490 exc_page_fault+0x64/0x100 asm_exc_page_fault+0x26/0x30 RIP: 0033:0x402619 </TASK> Showing all locks held in the system: 1 lock held by khungtaskd/35: #0: ffffffff879a7440 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x30/0x180 2 locks held by repro_20250402_/13229: #0: ffff888017d801e0 (&mm->mmap_lock){++++}-{4:4}, at: lock_mm_and_find_vma+0x37/0x300 #1: ffff888000fec848 (&hugetlb_fault_mutex_table[i]){+.+.}-{4:4}, at: hugetlb_wp+0xf88/0x3440 3 locks held by repro_20250402_/13250: #0: ffff8880177f3d08 (vm_lock){++++}-{0:0}, at: do_user_addr_fault+0x41b/0x1490 #1: ffff888000fec848 (&hugetlb_fault_mutex_table[i]){+.+.}-{4:4}, at: hugetlb_fault+0x3b8/0x2c30 #2: ffff8880129500e8 (&resv_map->rw_sema){++++}-{4:4}, at: hugetlb_fault+0x494/0x2c30 Link: https://drive.google.com/file/d/1DVRnIW-vSayU5J1re9Ct_br3jJQU6Vpb/view?usp=… [1] Link: https://github.com/bboymimi/bpftracer/blob/master/scripts/hugetlb_lock_debu… [2] Link: https://drive.google.com/file/d/1bWq2-8o-BJAuhoHWX7zAhI6ggfhVzQUI/view?usp=… [3] Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization") Cc: <stable(a)vger.kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Florent Revest <revest(a)google.com> Cc: Gavin Shan <gshan(a)redhat.com> Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> --- mm/hugetlb.c | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index e3e6ac991b9c..ad54a74aa563 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -6115,7 +6115,8 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma, * Keep the pte_same checks anyway to make transition from the mutex easier. */ static vm_fault_t hugetlb_wp(struct folio *pagecache_folio, - struct vm_fault *vmf) + struct vm_fault *vmf, + bool *pagecache_folio_unlocked) { struct vm_area_struct *vma = vmf->vma; struct mm_struct *mm = vma->vm_mm; @@ -6212,6 +6213,22 @@ static vm_fault_t hugetlb_wp(struct folio *pagecache_folio, u32 hash; folio_put(old_folio); + /* + * The pagecache_folio needs to be unlocked to avoid + * deadlock and we won't re-lock it in hugetlb_wp(). The + * pagecache_folio could be truncated after being + * unlocked. So its state should not be relied + * subsequently. + * + * Setting *pagecache_folio_unlocked to true allows the + * caller to handle any necessary logic related to the + * folio's unlocked state. + */ + if (pagecache_folio) { + folio_unlock(pagecache_folio); + if (pagecache_folio_unlocked) + *pagecache_folio_unlocked = true; + } /* * Drop hugetlb_fault_mutex and vma_lock before * unmapping. unmapping needs to hold vma_lock @@ -6566,7 +6583,7 @@ static vm_fault_t hugetlb_no_page(struct address_space *mapping, hugetlb_count_add(pages_per_huge_page(h), mm); if ((vmf->flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) { /* Optimization, do the COW without a second fault */ - ret = hugetlb_wp(folio, vmf); + ret = hugetlb_wp(folio, vmf, NULL); } spin_unlock(vmf->ptl); @@ -6638,6 +6655,7 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, struct hstate *h = hstate_vma(vma); struct address_space *mapping; int need_wait_lock = 0; + bool pagecache_folio_unlocked = false; struct vm_fault vmf = { .vma = vma, .address = address & huge_page_mask(h), @@ -6792,7 +6810,8 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (flags & (FAULT_FLAG_WRITE|FAULT_FLAG_UNSHARE)) { if (!huge_pte_write(vmf.orig_pte)) { - ret = hugetlb_wp(pagecache_folio, &vmf); + ret = hugetlb_wp(pagecache_folio, &vmf, + &pagecache_folio_unlocked); goto out_put_page; } else if (likely(flags & FAULT_FLAG_WRITE)) { vmf.orig_pte = huge_pte_mkdirty(vmf.orig_pte); @@ -6809,10 +6828,14 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, out_ptl: spin_unlock(vmf.ptl); - if (pagecache_folio) { + /* + * If the pagecache_folio is unlocked in hugetlb_wp(), we skip + * folio_unlock() here. + */ + if (pagecache_folio && !pagecache_folio_unlocked) folio_unlock(pagecache_folio); + if (pagecache_folio) folio_put(pagecache_folio); - } out_mutex: hugetlb_vma_unlock_read(vma); base-commit: d76bb1ebb5587f66b0f8b8099bfbb44722bc08b3 -- 2.43.0

5 months, 3 weeks

5
13
0 0

Re: [PATCH v2] virtio_blk: Fix disk deletion hang on device surprise removal

by Michael S. Tsirkin

On Mon, May 26, 2025 at 02:40:33PM +0000, Parav Pandit wrote: > When the PCI device is surprise-removed, requests may not complete on > the device as the VQ is marked as broken. As a result, disk deletion > hangs. > > Fix it by aborting the requests when the VQ is broken. > > With this fix now fio completes swiftly. > An alternative of IO timeout has been considered, however > when the driver knows about unresponsive block device, swiftly clearing > them enables users and upper layers to react quickly. > > Verified with multiple device unplug iterations with pending requests in > virtio used ring and some pending with the device. > > Fixes: 43bb40c5b926 ("virtio_pci: Support surprise removal of virtio pci device") > Cc: stable(a)vger.kernel.org > Reported-by: Li RongQing <lirongqing(a)baidu.com> > Closes: https://lore.kernel.org/virtualization/c45dd68698cd47238c55fb73ca9b4741@bai… > Reviewed-by: Max Gurtovoy <mgurtovoy(a)nvidia.com> > Reviewed-by: Israel Rukshin <israelr(a)nvidia.com> > Signed-off-by: Parav Pandit <parav(a)nvidia.com> Thanks! I like the patch. Yes something to improve: > --- > v1->v2: > - Addressed comments from Stephan > - fixed spelling to 'waiting' > - Addressed comments from Michael > - Dropped checking broken vq from queue_rq() and queue_rqs() > because it is checked in lower layer routines in virtio core > > v0->v1: > - Fixed comments from Stefan to rename a cleanup function > - Improved logic for handling any outstanding requests > in bio layer > - improved cancel callback to sync with ongoing done() > --- > drivers/block/virtio_blk.c | 83 ++++++++++++++++++++++++++++++++++++++ > 1 file changed, 83 insertions(+) > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > index 7cffea01d868..12f31e6c00cb 100644 > --- a/drivers/block/virtio_blk.c > +++ b/drivers/block/virtio_blk.c > @@ -1554,6 +1554,87 @@ static int virtblk_probe(struct virtio_device *vdev) > return err; > } > > +static bool virtblk_request_cancel(struct request *rq, void *data) > +{ > + struct virtblk_req *vbr = blk_mq_rq_to_pdu(rq); > + struct virtio_blk *vblk = data; > + struct virtio_blk_vq *vq; > + unsigned long flags; > + > + vq = &vblk->vqs[rq->mq_hctx->queue_num]; > + > + spin_lock_irqsave(&vq->lock, flags); > + > + vbr->in_hdr.status = VIRTIO_BLK_S_IOERR; My undertanding is that this is only safe to call when device is not accessing the vq anymore? Right? otherwise device can overwrite the status? But I am not sure I understand what guarantees this. Is there an assumption here that if vq is broken and we are on remove path then device is already gone? It seems to hold but I'd prefer something that makes this guarantee at the API level. > + if (blk_mq_request_started(rq) && !blk_mq_request_completed(rq)) > + blk_mq_complete_request(rq); > + > + spin_unlock_irqrestore(&vq->lock, flags); > + return true; > +} > + > +static void virtblk_broken_device_cleanup(struct virtio_blk *vblk) > +{ > + struct request_queue *q = vblk->disk->queue; > + > + if (!virtqueue_is_broken(vblk->vqs[0].vq)) > + return; can marking vqs broken be in progress such that 0 is already broken but another one is not, yet? if not pls add a comment explainging why. > + > + /* Start freezing the queue, so that new requests keeps waiting at the > + * door of bio_queue_enter(). We cannot fully freeze the queue because > + * freezed queue is an empty queue and there are pending requests, so > + * only start freezing it. > + */ > + blk_freeze_queue_start(q); > + > + /* When quiescing completes, all ongoing dispatches have completed > + * and no new dispatch will happen towards the driver. > + * This ensures that later when cancel is attempted, then are not > + * getting processed by the queue_rq() or queue_rqs() handlers. > + */ > + blk_mq_quiesce_queue(q); > + > + /* > + * Synchronize with any ongoing VQ callbacks, effectively quiescing > + * the device and preventing it from completing further requests > + * to the block layer. Any outstanding, incomplete requests will be > + * completed by virtblk_request_cancel(). I think what you really mean is: finish processing in callbacks, that might have started before vqs were marked as broken. > + */ > + virtio_synchronize_cbs(vblk->vdev); > + > + /* At this point, no new requests can enter the queue_rq() and > + * completion routine will not complete any new requests either for the > + * broken vq. Hence, it is safe to cancel all requests which are > + * started. > + */ > + blk_mq_tagset_busy_iter(&vblk->tag_set, virtblk_request_cancel, vblk); > + blk_mq_tagset_wait_completed_request(&vblk->tag_set); > + > + /* All pending requests are cleaned up. Time to resume so that disk > + * deletion can be smooth. Start the HW queues so that when queue is > + * unquiesced requests can again enter the driver. > + */ > + blk_mq_start_stopped_hw_queues(q, true); > + > + /* Unquiescing will trigger dispatching any pending requests to the > + * driver which has crossed bio_queue_enter() to the driver. > + */ > + blk_mq_unquiesce_queue(q); > + > + /* Wait for all pending dispatches to terminate which may have been > + * initiated after unquiescing. > + */ > + blk_mq_freeze_queue_wait(q); > + > + /* Mark the disk dead so that once queue unfreeze, the requests > + * waiting at the door of bio_queue_enter() can be aborted right away. > + */ > + blk_mark_disk_dead(vblk->disk); > + > + /* Unfreeze the queue so that any waiting requests will be aborted. */ > + blk_mq_unfreeze_queue_nomemrestore(q); > +} > + > static void virtblk_remove(struct virtio_device *vdev) > { > struct virtio_blk *vblk = vdev->priv; > @@ -1561,6 +1642,8 @@ static void virtblk_remove(struct virtio_device *vdev) > /* Make sure no work handler is accessing the device. */ > flush_work(&vblk->config_work); > > + virtblk_broken_device_cleanup(vblk); > + > del_gendisk(vblk->disk); > blk_mq_free_tag_set(&vblk->tag_set); > > -- > 2.34.1

5 months, 3 weeks

2
2
0 0

[PATCH] drm/amd/display: Add null pointer check for get_first_active_display()

by Wentao Liang

The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference in mod_hdcp_hdcp2_enable_encryption(). Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null. Fixes: 2deade5ede56 ("drm/amd/display: Remove hdcp display state with mst fix") Cc: stable(a)vger.kernel.org # v5.8 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c index 8c137d7c032e..e58e7b93810b 100644 --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c @@ -368,6 +368,9 @@ enum mod_hdcp_status mod_hdcp_hdcp1_enable_encryption(struct mod_hdcp *hdcp) struct mod_hdcp_display *display = get_first_active_display(hdcp); enum mod_hdcp_status status = MOD_HDCP_STATUS_SUCCESS; + if (!display) + return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND; + mutex_lock(&psp->hdcp_context.mutex); hdcp_cmd = (struct ta_hdcp_shared_memory *)psp->hdcp_context.context.mem_context.shared_buf; memset(hdcp_cmd, 0, sizeof(struct ta_hdcp_shared_memory)); -- 2.42.0.windows.2

5 months, 3 weeks

2
1
0 0

[PATCH AUTOSEL 5.4 1/2] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys

by Sasha Levin

From: Valtteri Koskivuori <vkoskiv(a)gmail.com> [ Upstream commit a7e255ff9fe4d9b8b902023aaf5b7a673786bb50 ] The S2110 has an additional set of media playback control keys enabled by a hardware toggle button that switches the keys between "Application" and "Player" modes. Toggling "Player" mode just shifts the scancode of each hotkey up by 4. Add defines for new scancodes, and a keymap and dmi id for the S2110. Tested on a Fujitsu Lifebook S2110. Signed-off-by: Valtteri Koskivuori <vkoskiv(a)gmail.com> Acked-by: Jonathan Woithe <jwoithe(a)just42.net> Link: https://lore.kernel.org/r/20250509184251.713003-1-vkoskiv@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/x86/fujitsu-laptop.c | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/fujitsu-laptop.c b/drivers/platform/x86/fujitsu-laptop.c index 80929380ec7e3..04ccfdd99e277 100644 --- a/drivers/platform/x86/fujitsu-laptop.c +++ b/drivers/platform/x86/fujitsu-laptop.c @@ -17,13 +17,13 @@ /* * fujitsu-laptop.c - Fujitsu laptop support, providing access to additional * features made available on a range of Fujitsu laptops including the - * P2xxx/P5xxx/S6xxx/S7xxx series. + * P2xxx/P5xxx/S2xxx/S6xxx/S7xxx series. * * This driver implements a vendor-specific backlight control interface for * Fujitsu laptops and provides support for hotkeys present on certain Fujitsu * laptops. * - * This driver has been tested on a Fujitsu Lifebook S6410, S7020 and + * This driver has been tested on a Fujitsu Lifebook S2110, S6410, S7020 and * P8010. It should work on most P-series and S-series Lifebooks, but * YMMV. * @@ -102,7 +102,11 @@ #define KEY2_CODE 0x411 #define KEY3_CODE 0x412 #define KEY4_CODE 0x413 -#define KEY5_CODE 0x420 +#define KEY5_CODE 0x414 +#define KEY6_CODE 0x415 +#define KEY7_CODE 0x416 +#define KEY8_CODE 0x417 +#define KEY9_CODE 0x420 /* Hotkey ringbuffer limits */ #define MAX_HOTKEY_RINGBUFFER_SIZE 100 @@ -450,7 +454,7 @@ static const struct key_entry keymap_default[] = { { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, { KE_KEY, KEY3_CODE, { KEY_PROG3 } }, { KE_KEY, KEY4_CODE, { KEY_PROG4 } }, - { KE_KEY, KEY5_CODE, { KEY_RFKILL } }, + { KE_KEY, KEY9_CODE, { KEY_RFKILL } }, /* Soft keys read from status flags */ { KE_KEY, FLAG_RFKILL, { KEY_RFKILL } }, { KE_KEY, FLAG_TOUCHPAD_TOGGLE, { KEY_TOUCHPAD_TOGGLE } }, @@ -474,6 +478,18 @@ static const struct key_entry keymap_p8010[] = { { KE_END, 0 } }; +static const struct key_entry keymap_s2110[] = { + { KE_KEY, KEY1_CODE, { KEY_PROG1 } }, /* "A" */ + { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, /* "B" */ + { KE_KEY, KEY3_CODE, { KEY_WWW } }, /* "Internet" */ + { KE_KEY, KEY4_CODE, { KEY_EMAIL } }, /* "E-mail" */ + { KE_KEY, KEY5_CODE, { KEY_STOPCD } }, + { KE_KEY, KEY6_CODE, { KEY_PLAYPAUSE } }, + { KE_KEY, KEY7_CODE, { KEY_PREVIOUSSONG } }, + { KE_KEY, KEY8_CODE, { KEY_NEXTSONG } }, + { KE_END, 0 } +}; + static const struct key_entry *keymap = keymap_default; static int fujitsu_laptop_dmi_keymap_override(const struct dmi_system_id *id) @@ -511,6 +527,15 @@ static const struct dmi_system_id fujitsu_laptop_dmi_table[] = { }, .driver_data = (void *)keymap_p8010 }, + { + .callback = fujitsu_laptop_dmi_keymap_override, + .ident = "Fujitsu LifeBook S2110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK S2110"), + }, + .driver_data = (void *)keymap_s2110 + }, {} }; -- 2.39.5

5 months, 3 weeks

1
1
0 0

[PATCH AUTOSEL 5.10 1/2] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys

by Sasha Levin

From: Valtteri Koskivuori <vkoskiv(a)gmail.com> [ Upstream commit a7e255ff9fe4d9b8b902023aaf5b7a673786bb50 ] The S2110 has an additional set of media playback control keys enabled by a hardware toggle button that switches the keys between "Application" and "Player" modes. Toggling "Player" mode just shifts the scancode of each hotkey up by 4. Add defines for new scancodes, and a keymap and dmi id for the S2110. Tested on a Fujitsu Lifebook S2110. Signed-off-by: Valtteri Koskivuori <vkoskiv(a)gmail.com> Acked-by: Jonathan Woithe <jwoithe(a)just42.net> Link: https://lore.kernel.org/r/20250509184251.713003-1-vkoskiv@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/x86/fujitsu-laptop.c | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/fujitsu-laptop.c b/drivers/platform/x86/fujitsu-laptop.c index 80929380ec7e3..04ccfdd99e277 100644 --- a/drivers/platform/x86/fujitsu-laptop.c +++ b/drivers/platform/x86/fujitsu-laptop.c @@ -17,13 +17,13 @@ /* * fujitsu-laptop.c - Fujitsu laptop support, providing access to additional * features made available on a range of Fujitsu laptops including the - * P2xxx/P5xxx/S6xxx/S7xxx series. + * P2xxx/P5xxx/S2xxx/S6xxx/S7xxx series. * * This driver implements a vendor-specific backlight control interface for * Fujitsu laptops and provides support for hotkeys present on certain Fujitsu * laptops. * - * This driver has been tested on a Fujitsu Lifebook S6410, S7020 and + * This driver has been tested on a Fujitsu Lifebook S2110, S6410, S7020 and * P8010. It should work on most P-series and S-series Lifebooks, but * YMMV. * @@ -102,7 +102,11 @@ #define KEY2_CODE 0x411 #define KEY3_CODE 0x412 #define KEY4_CODE 0x413 -#define KEY5_CODE 0x420 +#define KEY5_CODE 0x414 +#define KEY6_CODE 0x415 +#define KEY7_CODE 0x416 +#define KEY8_CODE 0x417 +#define KEY9_CODE 0x420 /* Hotkey ringbuffer limits */ #define MAX_HOTKEY_RINGBUFFER_SIZE 100 @@ -450,7 +454,7 @@ static const struct key_entry keymap_default[] = { { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, { KE_KEY, KEY3_CODE, { KEY_PROG3 } }, { KE_KEY, KEY4_CODE, { KEY_PROG4 } }, - { KE_KEY, KEY5_CODE, { KEY_RFKILL } }, + { KE_KEY, KEY9_CODE, { KEY_RFKILL } }, /* Soft keys read from status flags */ { KE_KEY, FLAG_RFKILL, { KEY_RFKILL } }, { KE_KEY, FLAG_TOUCHPAD_TOGGLE, { KEY_TOUCHPAD_TOGGLE } }, @@ -474,6 +478,18 @@ static const struct key_entry keymap_p8010[] = { { KE_END, 0 } }; +static const struct key_entry keymap_s2110[] = { + { KE_KEY, KEY1_CODE, { KEY_PROG1 } }, /* "A" */ + { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, /* "B" */ + { KE_KEY, KEY3_CODE, { KEY_WWW } }, /* "Internet" */ + { KE_KEY, KEY4_CODE, { KEY_EMAIL } }, /* "E-mail" */ + { KE_KEY, KEY5_CODE, { KEY_STOPCD } }, + { KE_KEY, KEY6_CODE, { KEY_PLAYPAUSE } }, + { KE_KEY, KEY7_CODE, { KEY_PREVIOUSSONG } }, + { KE_KEY, KEY8_CODE, { KEY_NEXTSONG } }, + { KE_END, 0 } +}; + static const struct key_entry *keymap = keymap_default; static int fujitsu_laptop_dmi_keymap_override(const struct dmi_system_id *id) @@ -511,6 +527,15 @@ static const struct dmi_system_id fujitsu_laptop_dmi_table[] = { }, .driver_data = (void *)keymap_p8010 }, + { + .callback = fujitsu_laptop_dmi_keymap_override, + .ident = "Fujitsu LifeBook S2110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK S2110"), + }, + .driver_data = (void *)keymap_s2110 + }, {} }; -- 2.39.5

5 months, 3 weeks

1
1
0 0

[PATCH AUTOSEL 5.15 1/2] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys

by Sasha Levin

From: Valtteri Koskivuori <vkoskiv(a)gmail.com> [ Upstream commit a7e255ff9fe4d9b8b902023aaf5b7a673786bb50 ] The S2110 has an additional set of media playback control keys enabled by a hardware toggle button that switches the keys between "Application" and "Player" modes. Toggling "Player" mode just shifts the scancode of each hotkey up by 4. Add defines for new scancodes, and a keymap and dmi id for the S2110. Tested on a Fujitsu Lifebook S2110. Signed-off-by: Valtteri Koskivuori <vkoskiv(a)gmail.com> Acked-by: Jonathan Woithe <jwoithe(a)just42.net> Link: https://lore.kernel.org/r/20250509184251.713003-1-vkoskiv@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/x86/fujitsu-laptop.c | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/fujitsu-laptop.c b/drivers/platform/x86/fujitsu-laptop.c index 80929380ec7e3..04ccfdd99e277 100644 --- a/drivers/platform/x86/fujitsu-laptop.c +++ b/drivers/platform/x86/fujitsu-laptop.c @@ -17,13 +17,13 @@ /* * fujitsu-laptop.c - Fujitsu laptop support, providing access to additional * features made available on a range of Fujitsu laptops including the - * P2xxx/P5xxx/S6xxx/S7xxx series. + * P2xxx/P5xxx/S2xxx/S6xxx/S7xxx series. * * This driver implements a vendor-specific backlight control interface for * Fujitsu laptops and provides support for hotkeys present on certain Fujitsu * laptops. * - * This driver has been tested on a Fujitsu Lifebook S6410, S7020 and + * This driver has been tested on a Fujitsu Lifebook S2110, S6410, S7020 and * P8010. It should work on most P-series and S-series Lifebooks, but * YMMV. * @@ -102,7 +102,11 @@ #define KEY2_CODE 0x411 #define KEY3_CODE 0x412 #define KEY4_CODE 0x413 -#define KEY5_CODE 0x420 +#define KEY5_CODE 0x414 +#define KEY6_CODE 0x415 +#define KEY7_CODE 0x416 +#define KEY8_CODE 0x417 +#define KEY9_CODE 0x420 /* Hotkey ringbuffer limits */ #define MAX_HOTKEY_RINGBUFFER_SIZE 100 @@ -450,7 +454,7 @@ static const struct key_entry keymap_default[] = { { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, { KE_KEY, KEY3_CODE, { KEY_PROG3 } }, { KE_KEY, KEY4_CODE, { KEY_PROG4 } }, - { KE_KEY, KEY5_CODE, { KEY_RFKILL } }, + { KE_KEY, KEY9_CODE, { KEY_RFKILL } }, /* Soft keys read from status flags */ { KE_KEY, FLAG_RFKILL, { KEY_RFKILL } }, { KE_KEY, FLAG_TOUCHPAD_TOGGLE, { KEY_TOUCHPAD_TOGGLE } }, @@ -474,6 +478,18 @@ static const struct key_entry keymap_p8010[] = { { KE_END, 0 } }; +static const struct key_entry keymap_s2110[] = { + { KE_KEY, KEY1_CODE, { KEY_PROG1 } }, /* "A" */ + { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, /* "B" */ + { KE_KEY, KEY3_CODE, { KEY_WWW } }, /* "Internet" */ + { KE_KEY, KEY4_CODE, { KEY_EMAIL } }, /* "E-mail" */ + { KE_KEY, KEY5_CODE, { KEY_STOPCD } }, + { KE_KEY, KEY6_CODE, { KEY_PLAYPAUSE } }, + { KE_KEY, KEY7_CODE, { KEY_PREVIOUSSONG } }, + { KE_KEY, KEY8_CODE, { KEY_NEXTSONG } }, + { KE_END, 0 } +}; + static const struct key_entry *keymap = keymap_default; static int fujitsu_laptop_dmi_keymap_override(const struct dmi_system_id *id) @@ -511,6 +527,15 @@ static const struct dmi_system_id fujitsu_laptop_dmi_table[] = { }, .driver_data = (void *)keymap_p8010 }, + { + .callback = fujitsu_laptop_dmi_keymap_override, + .ident = "Fujitsu LifeBook S2110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK S2110"), + }, + .driver_data = (void *)keymap_s2110 + }, {} }; -- 2.39.5

5 months, 3 weeks

1
1
0 0

[PATCH AUTOSEL 6.1 1/3] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys

by Sasha Levin

From: Valtteri Koskivuori <vkoskiv(a)gmail.com> [ Upstream commit a7e255ff9fe4d9b8b902023aaf5b7a673786bb50 ] The S2110 has an additional set of media playback control keys enabled by a hardware toggle button that switches the keys between "Application" and "Player" modes. Toggling "Player" mode just shifts the scancode of each hotkey up by 4. Add defines for new scancodes, and a keymap and dmi id for the S2110. Tested on a Fujitsu Lifebook S2110. Signed-off-by: Valtteri Koskivuori <vkoskiv(a)gmail.com> Acked-by: Jonathan Woithe <jwoithe(a)just42.net> Link: https://lore.kernel.org/r/20250509184251.713003-1-vkoskiv@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/x86/fujitsu-laptop.c | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/fujitsu-laptop.c b/drivers/platform/x86/fujitsu-laptop.c index b543d117b12c7..259eb2a2858f8 100644 --- a/drivers/platform/x86/fujitsu-laptop.c +++ b/drivers/platform/x86/fujitsu-laptop.c @@ -17,13 +17,13 @@ /* * fujitsu-laptop.c - Fujitsu laptop support, providing access to additional * features made available on a range of Fujitsu laptops including the - * P2xxx/P5xxx/S6xxx/S7xxx series. + * P2xxx/P5xxx/S2xxx/S6xxx/S7xxx series. * * This driver implements a vendor-specific backlight control interface for * Fujitsu laptops and provides support for hotkeys present on certain Fujitsu * laptops. * - * This driver has been tested on a Fujitsu Lifebook S6410, S7020 and + * This driver has been tested on a Fujitsu Lifebook S2110, S6410, S7020 and * P8010. It should work on most P-series and S-series Lifebooks, but * YMMV. * @@ -102,7 +102,11 @@ #define KEY2_CODE 0x411 #define KEY3_CODE 0x412 #define KEY4_CODE 0x413 -#define KEY5_CODE 0x420 +#define KEY5_CODE 0x414 +#define KEY6_CODE 0x415 +#define KEY7_CODE 0x416 +#define KEY8_CODE 0x417 +#define KEY9_CODE 0x420 /* Hotkey ringbuffer limits */ #define MAX_HOTKEY_RINGBUFFER_SIZE 100 @@ -450,7 +454,7 @@ static const struct key_entry keymap_default[] = { { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, { KE_KEY, KEY3_CODE, { KEY_PROG3 } }, { KE_KEY, KEY4_CODE, { KEY_PROG4 } }, - { KE_KEY, KEY5_CODE, { KEY_RFKILL } }, + { KE_KEY, KEY9_CODE, { KEY_RFKILL } }, /* Soft keys read from status flags */ { KE_KEY, FLAG_RFKILL, { KEY_RFKILL } }, { KE_KEY, FLAG_TOUCHPAD_TOGGLE, { KEY_TOUCHPAD_TOGGLE } }, @@ -474,6 +478,18 @@ static const struct key_entry keymap_p8010[] = { { KE_END, 0 } }; +static const struct key_entry keymap_s2110[] = { + { KE_KEY, KEY1_CODE, { KEY_PROG1 } }, /* "A" */ + { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, /* "B" */ + { KE_KEY, KEY3_CODE, { KEY_WWW } }, /* "Internet" */ + { KE_KEY, KEY4_CODE, { KEY_EMAIL } }, /* "E-mail" */ + { KE_KEY, KEY5_CODE, { KEY_STOPCD } }, + { KE_KEY, KEY6_CODE, { KEY_PLAYPAUSE } }, + { KE_KEY, KEY7_CODE, { KEY_PREVIOUSSONG } }, + { KE_KEY, KEY8_CODE, { KEY_NEXTSONG } }, + { KE_END, 0 } +}; + static const struct key_entry *keymap = keymap_default; static int fujitsu_laptop_dmi_keymap_override(const struct dmi_system_id *id) @@ -511,6 +527,15 @@ static const struct dmi_system_id fujitsu_laptop_dmi_table[] = { }, .driver_data = (void *)keymap_p8010 }, + { + .callback = fujitsu_laptop_dmi_keymap_override, + .ident = "Fujitsu LifeBook S2110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK S2110"), + }, + .driver_data = (void *)keymap_s2110 + }, {} }; -- 2.39.5

5 months, 3 weeks

1
2
0 0

[PATCH AUTOSEL 6.6 1/4] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys

by Sasha Levin

From: Valtteri Koskivuori <vkoskiv(a)gmail.com> [ Upstream commit a7e255ff9fe4d9b8b902023aaf5b7a673786bb50 ] The S2110 has an additional set of media playback control keys enabled by a hardware toggle button that switches the keys between "Application" and "Player" modes. Toggling "Player" mode just shifts the scancode of each hotkey up by 4. Add defines for new scancodes, and a keymap and dmi id for the S2110. Tested on a Fujitsu Lifebook S2110. Signed-off-by: Valtteri Koskivuori <vkoskiv(a)gmail.com> Acked-by: Jonathan Woithe <jwoithe(a)just42.net> Link: https://lore.kernel.org/r/20250509184251.713003-1-vkoskiv@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/x86/fujitsu-laptop.c | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/fujitsu-laptop.c b/drivers/platform/x86/fujitsu-laptop.c index 085e044e888e4..d7ef4f046d99b 100644 --- a/drivers/platform/x86/fujitsu-laptop.c +++ b/drivers/platform/x86/fujitsu-laptop.c @@ -17,13 +17,13 @@ /* * fujitsu-laptop.c - Fujitsu laptop support, providing access to additional * features made available on a range of Fujitsu laptops including the - * P2xxx/P5xxx/S6xxx/S7xxx series. + * P2xxx/P5xxx/S2xxx/S6xxx/S7xxx series. * * This driver implements a vendor-specific backlight control interface for * Fujitsu laptops and provides support for hotkeys present on certain Fujitsu * laptops. * - * This driver has been tested on a Fujitsu Lifebook S6410, S7020 and + * This driver has been tested on a Fujitsu Lifebook S2110, S6410, S7020 and * P8010. It should work on most P-series and S-series Lifebooks, but * YMMV. * @@ -102,7 +102,11 @@ #define KEY2_CODE 0x411 #define KEY3_CODE 0x412 #define KEY4_CODE 0x413 -#define KEY5_CODE 0x420 +#define KEY5_CODE 0x414 +#define KEY6_CODE 0x415 +#define KEY7_CODE 0x416 +#define KEY8_CODE 0x417 +#define KEY9_CODE 0x420 /* Hotkey ringbuffer limits */ #define MAX_HOTKEY_RINGBUFFER_SIZE 100 @@ -450,7 +454,7 @@ static const struct key_entry keymap_default[] = { { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, { KE_KEY, KEY3_CODE, { KEY_PROG3 } }, { KE_KEY, KEY4_CODE, { KEY_PROG4 } }, - { KE_KEY, KEY5_CODE, { KEY_RFKILL } }, + { KE_KEY, KEY9_CODE, { KEY_RFKILL } }, /* Soft keys read from status flags */ { KE_KEY, FLAG_RFKILL, { KEY_RFKILL } }, { KE_KEY, FLAG_TOUCHPAD_TOGGLE, { KEY_TOUCHPAD_TOGGLE } }, @@ -474,6 +478,18 @@ static const struct key_entry keymap_p8010[] = { { KE_END, 0 } }; +static const struct key_entry keymap_s2110[] = { + { KE_KEY, KEY1_CODE, { KEY_PROG1 } }, /* "A" */ + { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, /* "B" */ + { KE_KEY, KEY3_CODE, { KEY_WWW } }, /* "Internet" */ + { KE_KEY, KEY4_CODE, { KEY_EMAIL } }, /* "E-mail" */ + { KE_KEY, KEY5_CODE, { KEY_STOPCD } }, + { KE_KEY, KEY6_CODE, { KEY_PLAYPAUSE } }, + { KE_KEY, KEY7_CODE, { KEY_PREVIOUSSONG } }, + { KE_KEY, KEY8_CODE, { KEY_NEXTSONG } }, + { KE_END, 0 } +}; + static const struct key_entry *keymap = keymap_default; static int fujitsu_laptop_dmi_keymap_override(const struct dmi_system_id *id) @@ -511,6 +527,15 @@ static const struct dmi_system_id fujitsu_laptop_dmi_table[] = { }, .driver_data = (void *)keymap_p8010 }, + { + .callback = fujitsu_laptop_dmi_keymap_override, + .ident = "Fujitsu LifeBook S2110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK S2110"), + }, + .driver_data = (void *)keymap_s2110 + }, {} }; -- 2.39.5

5 months, 3 weeks

1
3
0 0

[PATCH AUTOSEL 6.12 1/5] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys

by Sasha Levin

From: Valtteri Koskivuori <vkoskiv(a)gmail.com> [ Upstream commit a7e255ff9fe4d9b8b902023aaf5b7a673786bb50 ] The S2110 has an additional set of media playback control keys enabled by a hardware toggle button that switches the keys between "Application" and "Player" modes. Toggling "Player" mode just shifts the scancode of each hotkey up by 4. Add defines for new scancodes, and a keymap and dmi id for the S2110. Tested on a Fujitsu Lifebook S2110. Signed-off-by: Valtteri Koskivuori <vkoskiv(a)gmail.com> Acked-by: Jonathan Woithe <jwoithe(a)just42.net> Link: https://lore.kernel.org/r/20250509184251.713003-1-vkoskiv@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/x86/fujitsu-laptop.c | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/fujitsu-laptop.c b/drivers/platform/x86/fujitsu-laptop.c index ae992ac1ab4ac..6d5300c54a421 100644 --- a/drivers/platform/x86/fujitsu-laptop.c +++ b/drivers/platform/x86/fujitsu-laptop.c @@ -17,13 +17,13 @@ /* * fujitsu-laptop.c - Fujitsu laptop support, providing access to additional * features made available on a range of Fujitsu laptops including the - * P2xxx/P5xxx/S6xxx/S7xxx series. + * P2xxx/P5xxx/S2xxx/S6xxx/S7xxx series. * * This driver implements a vendor-specific backlight control interface for * Fujitsu laptops and provides support for hotkeys present on certain Fujitsu * laptops. * - * This driver has been tested on a Fujitsu Lifebook S6410, S7020 and + * This driver has been tested on a Fujitsu Lifebook S2110, S6410, S7020 and * P8010. It should work on most P-series and S-series Lifebooks, but * YMMV. * @@ -107,7 +107,11 @@ #define KEY2_CODE 0x411 #define KEY3_CODE 0x412 #define KEY4_CODE 0x413 -#define KEY5_CODE 0x420 +#define KEY5_CODE 0x414 +#define KEY6_CODE 0x415 +#define KEY7_CODE 0x416 +#define KEY8_CODE 0x417 +#define KEY9_CODE 0x420 /* Hotkey ringbuffer limits */ #define MAX_HOTKEY_RINGBUFFER_SIZE 100 @@ -560,7 +564,7 @@ static const struct key_entry keymap_default[] = { { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, { KE_KEY, KEY3_CODE, { KEY_PROG3 } }, { KE_KEY, KEY4_CODE, { KEY_PROG4 } }, - { KE_KEY, KEY5_CODE, { KEY_RFKILL } }, + { KE_KEY, KEY9_CODE, { KEY_RFKILL } }, /* Soft keys read from status flags */ { KE_KEY, FLAG_RFKILL, { KEY_RFKILL } }, { KE_KEY, FLAG_TOUCHPAD_TOGGLE, { KEY_TOUCHPAD_TOGGLE } }, @@ -584,6 +588,18 @@ static const struct key_entry keymap_p8010[] = { { KE_END, 0 } }; +static const struct key_entry keymap_s2110[] = { + { KE_KEY, KEY1_CODE, { KEY_PROG1 } }, /* "A" */ + { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, /* "B" */ + { KE_KEY, KEY3_CODE, { KEY_WWW } }, /* "Internet" */ + { KE_KEY, KEY4_CODE, { KEY_EMAIL } }, /* "E-mail" */ + { KE_KEY, KEY5_CODE, { KEY_STOPCD } }, + { KE_KEY, KEY6_CODE, { KEY_PLAYPAUSE } }, + { KE_KEY, KEY7_CODE, { KEY_PREVIOUSSONG } }, + { KE_KEY, KEY8_CODE, { KEY_NEXTSONG } }, + { KE_END, 0 } +}; + static const struct key_entry *keymap = keymap_default; static int fujitsu_laptop_dmi_keymap_override(const struct dmi_system_id *id) @@ -621,6 +637,15 @@ static const struct dmi_system_id fujitsu_laptop_dmi_table[] = { }, .driver_data = (void *)keymap_p8010 }, + { + .callback = fujitsu_laptop_dmi_keymap_override, + .ident = "Fujitsu LifeBook S2110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK S2110"), + }, + .driver_data = (void *)keymap_s2110 + }, {} }; -- 2.39.5

5 months, 3 weeks

1
4
0 0

[PATCH AUTOSEL 6.14 1/5] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys

by Sasha Levin

From: Valtteri Koskivuori <vkoskiv(a)gmail.com> [ Upstream commit a7e255ff9fe4d9b8b902023aaf5b7a673786bb50 ] The S2110 has an additional set of media playback control keys enabled by a hardware toggle button that switches the keys between "Application" and "Player" modes. Toggling "Player" mode just shifts the scancode of each hotkey up by 4. Add defines for new scancodes, and a keymap and dmi id for the S2110. Tested on a Fujitsu Lifebook S2110. Signed-off-by: Valtteri Koskivuori <vkoskiv(a)gmail.com> Acked-by: Jonathan Woithe <jwoithe(a)just42.net> Link: https://lore.kernel.org/r/20250509184251.713003-1-vkoskiv@gmail.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/platform/x86/fujitsu-laptop.c | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/fujitsu-laptop.c b/drivers/platform/x86/fujitsu-laptop.c index a0eae24ca9e60..162809140f68a 100644 --- a/drivers/platform/x86/fujitsu-laptop.c +++ b/drivers/platform/x86/fujitsu-laptop.c @@ -17,13 +17,13 @@ /* * fujitsu-laptop.c - Fujitsu laptop support, providing access to additional * features made available on a range of Fujitsu laptops including the - * P2xxx/P5xxx/S6xxx/S7xxx series. + * P2xxx/P5xxx/S2xxx/S6xxx/S7xxx series. * * This driver implements a vendor-specific backlight control interface for * Fujitsu laptops and provides support for hotkeys present on certain Fujitsu * laptops. * - * This driver has been tested on a Fujitsu Lifebook S6410, S7020 and + * This driver has been tested on a Fujitsu Lifebook S2110, S6410, S7020 and * P8010. It should work on most P-series and S-series Lifebooks, but * YMMV. * @@ -107,7 +107,11 @@ #define KEY2_CODE 0x411 #define KEY3_CODE 0x412 #define KEY4_CODE 0x413 -#define KEY5_CODE 0x420 +#define KEY5_CODE 0x414 +#define KEY6_CODE 0x415 +#define KEY7_CODE 0x416 +#define KEY8_CODE 0x417 +#define KEY9_CODE 0x420 /* Hotkey ringbuffer limits */ #define MAX_HOTKEY_RINGBUFFER_SIZE 100 @@ -560,7 +564,7 @@ static const struct key_entry keymap_default[] = { { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, { KE_KEY, KEY3_CODE, { KEY_PROG3 } }, { KE_KEY, KEY4_CODE, { KEY_PROG4 } }, - { KE_KEY, KEY5_CODE, { KEY_RFKILL } }, + { KE_KEY, KEY9_CODE, { KEY_RFKILL } }, /* Soft keys read from status flags */ { KE_KEY, FLAG_RFKILL, { KEY_RFKILL } }, { KE_KEY, FLAG_TOUCHPAD_TOGGLE, { KEY_TOUCHPAD_TOGGLE } }, @@ -584,6 +588,18 @@ static const struct key_entry keymap_p8010[] = { { KE_END, 0 } }; +static const struct key_entry keymap_s2110[] = { + { KE_KEY, KEY1_CODE, { KEY_PROG1 } }, /* "A" */ + { KE_KEY, KEY2_CODE, { KEY_PROG2 } }, /* "B" */ + { KE_KEY, KEY3_CODE, { KEY_WWW } }, /* "Internet" */ + { KE_KEY, KEY4_CODE, { KEY_EMAIL } }, /* "E-mail" */ + { KE_KEY, KEY5_CODE, { KEY_STOPCD } }, + { KE_KEY, KEY6_CODE, { KEY_PLAYPAUSE } }, + { KE_KEY, KEY7_CODE, { KEY_PREVIOUSSONG } }, + { KE_KEY, KEY8_CODE, { KEY_NEXTSONG } }, + { KE_END, 0 } +}; + static const struct key_entry *keymap = keymap_default; static int fujitsu_laptop_dmi_keymap_override(const struct dmi_system_id *id) @@ -621,6 +637,15 @@ static const struct dmi_system_id fujitsu_laptop_dmi_table[] = { }, .driver_data = (void *)keymap_p8010 }, + { + .callback = fujitsu_laptop_dmi_keymap_override, + .ident = "Fujitsu LifeBook S2110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU SIEMENS"), + DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK S2110"), + }, + .driver_data = (void *)keymap_s2110 + }, {} }; -- 2.39.5

5 months, 3 weeks

1
4
0 0

RE: [PATCH v1] net/ncsi: fix buffer overflow in getting version id

by Jerry C Chen/WYHQ/Wiwynn

Hi Paul, Sorry for late replay, it takes some effort to change company policy of the proprietary. For the questions: 1. What upstream tree did you intend it for and why? - Linux mainline We are developing openBMC with kernel-6.6. For submitting patch to kernel-6.6 stable tree, it should exist in mainline first. Reference: https://github.com/openbmc/linux/commits/dev-6.6/ 2. Have you seen such cards in the wild? It wouldn't harm mentioning specific examples in the commit message to probably help people searching for problems specific to them later. You can also consider adding Fixes: and Cc: stable tags if this bugfix solves a real issue and should be backported to stable kernels. - This NIC is developed by META terminus team and the problematic string is: The channel Version Str : 24.12.08-000 I will update it to commit message later. > -----Original Message----- > From: Paul Fertser <fercerpav(a)gmail.com> > Sent: Thursday, May 15, 2025 5:04 PM > To: Jerry C Chen/WYHQ/Wiwynn <Jerry_C_Chen(a)wiwynn.com> > Cc: patrick(a)stwcx.xyz; Samuel Mendoza-Jonas <sam(a)mendozajonas.com>; > David S. Miller <davem(a)davemloft.net>; Eric Dumazet > <edumazet(a)google.com>; Jakub Kicinski <kuba(a)kernel.org>; Paolo Abeni > <pabeni(a)redhat.com>; Simon Horman <horms(a)kernel.org>; > netdev(a)vger.kernel.org; linux-kernel(a)vger.kernel.org > Subject: Re: [PATCH v1] net/ncsi: fix buffer overflow in getting version id > > [External Sender] > > Hello Jerry, > > This looks like an updated version of your previous patch[0] but you have > forgotten to increase the number in the Subject. You have also forgotten to > reply and take into account /some/ of the points I raised in the review. > > On Thu, May 15, 2025 at 04:34:47PM +0800, Jerry C Chen wrote: > > In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't need to > > be null terminated while its size occupies the full size of the field. > > Fix the buffer overflow issue by adding one additional byte for null > > terminator. > ... > > Please give an answer to every comment I made for your previous patch > version and either make a corresponding change or explain why exactly you > disagree. > > Also please stop sending any and all "proprietary or confidential information". > > [0] > https://urldefense.com/v3/__https://patchwork.kernel.org/project/netdevbpf/p > atch/20250227055044.3878374-1-Jerry_C_Chen(a)wiwynn.com/__;!!ObgLwW8 > oGsQ!nQ0Zkq6AxOKAJHbUUrTRnNI8fJNt7itufBwUXkkZU1-yfFo3h6Vm55K_mqr > 5Ur5kw9wE9cMVgIdoGCL3u2DhhqA$

5 months, 3 weeks

2
2
0 0

[PATCH 6.14.y] drm/i915/dp: Fix determining SST/MST mode during MTP TU state computation

by Imre Deak

commit 732b87a409667a370b87955c518e5d004de740b5 upstream. Determining the SST/MST mode during state computation must be done based on the output type stored in the CRTC state, which in turn is set once based on the modeset connector's SST vs. MST type and will not change as long as the connector is using the CRTC. OTOH the MST mode indicated by the given connector's intel_dp::is_mst flag can change independently of the above output type, based on what sink is at any moment plugged to the connector. Fix the state computation accordingly. Cc: Jani Nikula <jani.nikula(a)intel.com> Fixes: f6971d7427c2 ("drm/i915/mst: adapt intel_dp_mtp_tu_compute_config() for 128b/132b SST") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4607 Reviewed-by: Jani Nikula <jani.nikula(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://lore.kernel.org/r/20250507151953.251846-1-imre.deak@intel.com (cherry picked from commit 0f45696ddb2b901fbf15cb8d2e89767be481d59f) Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> (cherry picked from commit 732b87a409667a370b87955c518e5d004de740b5) References: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14218 [Rebased on v6.14.8 and added References link. (Imre)] Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_dp_mst.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.c b/drivers/gpu/drm/i915/display/intel_dp_mst.c index 86d6185fda50a..8a6135b179d3b 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.c +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.c @@ -221,6 +221,7 @@ int intel_dp_mtp_tu_compute_config(struct intel_dp *intel_dp, to_intel_connector(conn_state->connector); const struct drm_display_mode *adjusted_mode = &crtc_state->hw.adjusted_mode; + bool is_mst = intel_crtc_has_type(crtc_state, INTEL_OUTPUT_DP_MST); fixed20_12 pbn_div; int bpp, slots = -EINVAL; int dsc_slice_count = 0; @@ -271,7 +272,7 @@ int intel_dp_mtp_tu_compute_config(struct intel_dp *intel_dp, link_bpp_x16, &crtc_state->dp_m_n); - if (intel_dp->is_mst) { + if (is_mst) { int remote_bw_overhead; int remote_tu; fixed20_12 pbn; -- 2.44.2

5 months, 3 weeks

1
0
0 0

[PATCH v3] iio: common: st_sensors: Fix use of uninitialize device structs

by Maud Spierings via B4 Relay

From: Maud Spierings <maudspierings(a)gocontroll.com> Throughout the various probe functions &indio_dev->dev is used before it is initialized. This caused a kernel panic in st_sensors_power_enable() when the call to devm_regulator_bulk_get_enable() fails and then calls dev_err_probe() with the uninitialized device. This seems to only cause a panic with dev_err_probe(), dev_err(), dev_warn() and dev_info() don't seem to cause a panic, but are fixed as well. The issue is reported and traced here: [1] [1]: https://lore.kernel.org/all/AM7P189MB100986A83D2F28AF3FFAF976E39EA@AM7P189M… Cc: stable(a)vger.kernel.org Signed-off-by: Maud Spierings <maudspierings(a)gocontroll.com> --- When I search for general &indio_dev->dev usage, I see quite a lot more hits, but I am not sure if there are issues with those too. This issue has existed for a long time it seems and therefore it is nearly impossible to find a proper fixes tag. I would love to see it at least backported to 6.12 as that is where I encountered it, and I believe the patch should apply without conflicts. --- Changes in v3: - Added the stable cc to the commit message - Move the link to the original issue to the commit message - Fix function notation in the commit message - Move some more of the dev_*() calls to one line - Link to v2: https://lore.kernel.org/r/20250522-st_iio_fix-v2-1-07a32655a996@gocontroll.… Changes in v2: - Added SoB in commit message - Link to v1: https://lore.kernel.org/r/20250522-st_iio_fix-v1-1-d689b35f1612@gocontroll.… --- drivers/iio/accel/st_accel_core.c | 10 +++--- drivers/iio/common/st_sensors/st_sensors_core.c | 36 ++++++++++------------ drivers/iio/common/st_sensors/st_sensors_trigger.c | 20 ++++++------ 3 files changed, 31 insertions(+), 35 deletions(-) diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c index 99cb661fabb2d9cc1943fa8d0a6f3becb71126e6..a7961c610ed203d039bbf298c8883031a578fb0b 100644 --- a/drivers/iio/accel/st_accel_core.c +++ b/drivers/iio/accel/st_accel_core.c @@ -1353,6 +1353,7 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) union acpi_object *ont; union acpi_object *elements; acpi_status status; + struct device *parent = indio_dev->dev.parent; int ret = -EINVAL; unsigned int val; int i, j; @@ -1371,7 +1372,7 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) }; - adev = ACPI_COMPANION(indio_dev->dev.parent); + adev = ACPI_COMPANION(parent); if (!adev) return -ENXIO; @@ -1380,8 +1381,7 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) if (status == AE_NOT_FOUND) { return -ENXIO; } else if (ACPI_FAILURE(status)) { - dev_warn(&indio_dev->dev, "failed to execute _ONT: %d\n", - status); + dev_warn(parent, "failed to execute _ONT: %d\n", status); return status; } @@ -1457,12 +1457,12 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) } ret = 0; - dev_info(&indio_dev->dev, "computed mount matrix from ACPI\n"); + dev_info(parent, "computed mount matrix from ACPI\n"); out: kfree(buffer.pointer); if (ret) - dev_dbg(&indio_dev->dev, + dev_dbg(parent, "failed to apply ACPI orientation data: %d\n", ret); return ret; diff --git a/drivers/iio/common/st_sensors/st_sensors_core.c b/drivers/iio/common/st_sensors/st_sensors_core.c index 8ce1dccfea4f5aaff45d3d40f6542323dd1f0b09..dac593be56958fd0be92e13f628350fcfd0f040d 100644 --- a/drivers/iio/common/st_sensors/st_sensors_core.c +++ b/drivers/iio/common/st_sensors/st_sensors_core.c @@ -154,7 +154,7 @@ static int st_sensors_set_fullscale(struct iio_dev *indio_dev, unsigned int fs) return err; st_accel_set_fullscale_error: - dev_err(&indio_dev->dev, "failed to set new fullscale.\n"); + dev_err(indio_dev->dev.parent, "failed to set new fullscale.\n"); return err; } @@ -231,8 +231,7 @@ int st_sensors_power_enable(struct iio_dev *indio_dev) ARRAY_SIZE(regulator_names), regulator_names); if (err) - return dev_err_probe(&indio_dev->dev, err, - "unable to enable supplies\n"); + return dev_err_probe(parent, err, "unable to enable supplies\n"); return 0; } @@ -241,13 +240,14 @@ EXPORT_SYMBOL_NS(st_sensors_power_enable, "IIO_ST_SENSORS"); static int st_sensors_set_drdy_int_pin(struct iio_dev *indio_dev, struct st_sensors_platform_data *pdata) { + struct device *parent = indio_dev->dev.parent; struct st_sensor_data *sdata = iio_priv(indio_dev); /* Sensor does not support interrupts */ if (!sdata->sensor_settings->drdy_irq.int1.addr && !sdata->sensor_settings->drdy_irq.int2.addr) { if (pdata->drdy_int_pin) - dev_info(&indio_dev->dev, + dev_info(parent, "DRDY on pin INT%d specified, but sensor does not support interrupts\n", pdata->drdy_int_pin); return 0; @@ -256,29 +256,27 @@ static int st_sensors_set_drdy_int_pin(struct iio_dev *indio_dev, switch (pdata->drdy_int_pin) { case 1: if (!sdata->sensor_settings->drdy_irq.int1.mask) { - dev_err(&indio_dev->dev, - "DRDY on INT1 not available.\n"); + dev_err(parent, "DRDY on INT1 not available.\n"); return -EINVAL; } sdata->drdy_int_pin = 1; break; case 2: if (!sdata->sensor_settings->drdy_irq.int2.mask) { - dev_err(&indio_dev->dev, - "DRDY on INT2 not available.\n"); + dev_err(parent, "DRDY on INT2 not available.\n"); return -EINVAL; } sdata->drdy_int_pin = 2; break; default: - dev_err(&indio_dev->dev, "DRDY on pdata not valid.\n"); + dev_err(parent, "DRDY on pdata not valid.\n"); return -EINVAL; } if (pdata->open_drain) { if (!sdata->sensor_settings->drdy_irq.int1.addr_od && !sdata->sensor_settings->drdy_irq.int2.addr_od) - dev_err(&indio_dev->dev, + dev_err(parent, "open drain requested but unsupported.\n"); else sdata->int_pin_open_drain = true; @@ -336,6 +334,7 @@ EXPORT_SYMBOL_NS(st_sensors_dev_name_probe, "IIO_ST_SENSORS"); int st_sensors_init_sensor(struct iio_dev *indio_dev, struct st_sensors_platform_data *pdata) { + struct device *parent = indio_dev->dev.parent; struct st_sensor_data *sdata = iio_priv(indio_dev); struct st_sensors_platform_data *of_pdata; int err = 0; @@ -343,7 +342,7 @@ int st_sensors_init_sensor(struct iio_dev *indio_dev, mutex_init(&sdata->odr_lock); /* If OF/DT pdata exists, it will take precedence of anything else */ - of_pdata = st_sensors_dev_probe(indio_dev->dev.parent, pdata); + of_pdata = st_sensors_dev_probe(parent, pdata); if (IS_ERR(of_pdata)) return PTR_ERR(of_pdata); if (of_pdata) @@ -370,7 +369,7 @@ int st_sensors_init_sensor(struct iio_dev *indio_dev, if (err < 0) return err; } else - dev_info(&indio_dev->dev, "Full-scale not possible\n"); + dev_info(parent, "Full-scale not possible\n"); err = st_sensors_set_odr(indio_dev, sdata->odr); if (err < 0) @@ -405,7 +404,7 @@ int st_sensors_init_sensor(struct iio_dev *indio_dev, mask = sdata->sensor_settings->drdy_irq.int2.mask_od; } - dev_info(&indio_dev->dev, + dev_info(parent, "set interrupt line to open drain mode on pin %d\n", sdata->drdy_int_pin); err = st_sensors_write_data_with_mask(indio_dev, addr, @@ -593,21 +592,20 @@ EXPORT_SYMBOL_NS(st_sensors_get_settings_index, "IIO_ST_SENSORS"); int st_sensors_verify_id(struct iio_dev *indio_dev) { struct st_sensor_data *sdata = iio_priv(indio_dev); + struct device *parent = indio_dev->dev.parent; int wai, err; if (sdata->sensor_settings->wai_addr) { err = regmap_read(sdata->regmap, sdata->sensor_settings->wai_addr, &wai); if (err < 0) { - dev_err(&indio_dev->dev, - "failed to read Who-Am-I register.\n"); - return err; + return dev_err_probe(parent, err, + "failed to read Who-Am-I register.\n"); } if (sdata->sensor_settings->wai != wai) { - dev_warn(&indio_dev->dev, - "%s: WhoAmI mismatch (0x%x).\n", - indio_dev->name, wai); + dev_warn(parent, "%s: WhoAmI mismatch (0x%x).\n", + indio_dev->name, wai); } } diff --git a/drivers/iio/common/st_sensors/st_sensors_trigger.c b/drivers/iio/common/st_sensors/st_sensors_trigger.c index 9d4bf822a15dfcdd6c2835f6b9d7698cd3cb0b08..8a8ab688d7980f6dd43c660f90a0eba32c38388b 100644 --- a/drivers/iio/common/st_sensors/st_sensors_trigger.c +++ b/drivers/iio/common/st_sensors/st_sensors_trigger.c @@ -127,7 +127,7 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, sdata->trig = devm_iio_trigger_alloc(parent, "%s-trigger", indio_dev->name); if (sdata->trig == NULL) { - dev_err(&indio_dev->dev, "failed to allocate iio trigger.\n"); + dev_err(parent, "failed to allocate iio trigger.\n"); return -ENOMEM; } @@ -143,7 +143,7 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, case IRQF_TRIGGER_FALLING: case IRQF_TRIGGER_LOW: if (!sdata->sensor_settings->drdy_irq.addr_ihl) { - dev_err(&indio_dev->dev, + dev_err(parent, "falling/low specified for IRQ but hardware supports only rising/high: will request rising/high\n"); if (irq_trig == IRQF_TRIGGER_FALLING) irq_trig = IRQF_TRIGGER_RISING; @@ -156,21 +156,19 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, sdata->sensor_settings->drdy_irq.mask_ihl, 1); if (err < 0) return err; - dev_info(&indio_dev->dev, + dev_info(parent, "interrupts on the falling edge or active low level\n"); } break; case IRQF_TRIGGER_RISING: - dev_info(&indio_dev->dev, - "interrupts on the rising edge\n"); + dev_info(parent, "interrupts on the rising edge\n"); break; case IRQF_TRIGGER_HIGH: - dev_info(&indio_dev->dev, - "interrupts active high level\n"); + dev_info(parent, "interrupts active high level\n"); break; default: /* This is the most preferred mode, if possible */ - dev_err(&indio_dev->dev, + dev_err(parent, "unsupported IRQ trigger specified (%lx), enforce rising edge\n", irq_trig); irq_trig = IRQF_TRIGGER_RISING; } @@ -179,7 +177,7 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, if (irq_trig == IRQF_TRIGGER_FALLING || irq_trig == IRQF_TRIGGER_RISING) { if (!sdata->sensor_settings->drdy_irq.stat_drdy.addr) { - dev_err(&indio_dev->dev, + dev_err(parent, "edge IRQ not supported w/o stat register.\n"); return -EOPNOTSUPP; } @@ -214,13 +212,13 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, sdata->trig->name, sdata->trig); if (err) { - dev_err(&indio_dev->dev, "failed to request trigger IRQ.\n"); + dev_err(parent, "failed to request trigger IRQ.\n"); return err; } err = devm_iio_trigger_register(parent, sdata->trig); if (err < 0) { - dev_err(&indio_dev->dev, "failed to register iio trigger.\n"); + dev_err(parent, "failed to register iio trigger.\n"); return err; } indio_dev->trig = iio_trigger_get(sdata->trig); --- base-commit: 7bac2c97af4078d7a627500c9bcdd5b033f97718 change-id: 20250522-st_iio_fix-1c58fdd4d420 Best regards, -- Maud Spierings <maudspierings(a)gocontroll.com>

5 months, 3 weeks

2
1
0 0

[PATCH v3] net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr()

by Wentao Liang

The function mlx5_query_nic_vport_qkey_viol_cntr() calls the function mlx5_query_nic_vport_context() but does not check its return value. This could lead to undefined behavior if the query fails. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Target: net Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v3: Explicitly mention target branch. Change improper code. v2: Remove redundant reassignment. Fix RCT. drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 66e44905c1f0..e4b86633d2fe 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -522,19 +522,22 @@ int mlx5_query_nic_vport_qkey_viol_cntr(struct mlx5_core_dev *mdev, { u32 *out; int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int err; out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + err = mlx5_query_nic_vport_context(mdev, 0, out); + if (err) + goto out; *qkey_viol_cntr = MLX5_GET(query_nic_vport_context_out, out, nic_vport_context.qkey_violation_counter); - +out: kvfree(out); - return 0; + return err; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_qkey_viol_cntr); -- 2.42.0.windows.2

5 months, 3 weeks

4
3
0 0

[PATCH] regulator: max14577: Add error check for max14577_read_reg()

by Wentao Liang

The function max14577_reg_get_current_limit() calls the function max14577_read_reg(), but does not check its return value. A proper implementation can be found in max14577_get_online(). Add a error check for the max14577_read_reg() and return error code if the function fails. Fixes: b0902bbeb768 ("regulator: max14577: Add regulator driver for Maxim 14577") Cc: stable(a)vger.kernel.org # v3.14 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/regulator/max14577-regulator.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/regulator/max14577-regulator.c b/drivers/regulator/max14577-regulator.c index 5e7171b9065a..41fd15adfd1f 100644 --- a/drivers/regulator/max14577-regulator.c +++ b/drivers/regulator/max14577-regulator.c @@ -40,11 +40,14 @@ static int max14577_reg_get_current_limit(struct regulator_dev *rdev) struct max14577 *max14577 = rdev_get_drvdata(rdev); const struct maxim_charger_current *limits = &maxim_charger_currents[max14577->dev_type]; + int ret; if (rdev_get_id(rdev) != MAX14577_CHARGER) return -EINVAL; - max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, &reg_data); + ret = max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, &reg_data); + if (ret < 0) + return ret; if ((reg_data & CHGCTRL4_MBCICHWRCL_MASK) == 0) return limits->min; -- 2.42.0.windows.2

5 months, 3 weeks

2
1
0 0

[PATCH] firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info)

by Jaroslav Kysela

KASAN reported out of bounds access - cs_dsp_mock_wmfw_add_info(), because the source string length was rounded up to the allocation size. Cc: Simon Trimmer <simont(a)opensource.cirrus.com> Cc: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: Richard Fitzgerald <rf(a)opensource.cirrus.com> Cc: patches(a)opensource.cirrus.com Cc: stable(a)vger.kernel.org Signed-off-by: Jaroslav Kysela <perex(a)perex.cz> --- drivers/firmware/cirrus/test/cs_dsp_mock_wmfw.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/cirrus/test/cs_dsp_mock_wmfw.c b/drivers/firmware/cirrus/test/cs_dsp_mock_wmfw.c index 5a3ac03ac37f..4fa74550dafd 100644 --- a/drivers/firmware/cirrus/test/cs_dsp_mock_wmfw.c +++ b/drivers/firmware/cirrus/test/cs_dsp_mock_wmfw.c @@ -133,10 +133,11 @@ void cs_dsp_mock_wmfw_add_info(struct cs_dsp_mock_wmfw_builder *builder, if (info_len % 4) { /* Create a padded string with length a multiple of 4 */ + size_t copy_len = info_len; info_len = round_up(info_len, 4); tmp = kunit_kzalloc(builder->test_priv->test, info_len, GFP_KERNEL); KUNIT_ASSERT_NOT_ERR_OR_NULL(builder->test_priv->test, tmp); - memcpy(tmp, info, info_len); + memcpy(tmp, info, copy_len); info = tmp; } -- 2.49.0

5 months, 3 weeks

3
2
0 0

[PATCH] firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache)

by Jaroslav Kysela

KASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets(). The code uses mock_coeff_template.length_bytes (4 bytes) for register value allocations. But later, this length is set to 8 bytes which causes test code failures. As fix, just remove the lenght override, keeping the original value 4 for all operations. Cc: Simon Trimmer <simont(a)opensource.cirrus.com> Cc: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: Richard Fitzgerald <rf(a)opensource.cirrus.com> Cc: patches(a)opensource.cirrus.com Cc: stable(a)vger.kernel.org Signed-off-by: Jaroslav Kysela <perex(a)perex.cz> --- drivers/firmware/cirrus/test/cs_dsp_test_control_cache.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/firmware/cirrus/test/cs_dsp_test_control_cache.c b/drivers/firmware/cirrus/test/cs_dsp_test_control_cache.c index 83386cc978e3..ebca3a4ab0f1 100644 --- a/drivers/firmware/cirrus/test/cs_dsp_test_control_cache.c +++ b/drivers/firmware/cirrus/test/cs_dsp_test_control_cache.c @@ -776,7 +776,6 @@ static void cs_dsp_ctl_cache_init_multiple_offsets(struct kunit *test) "dummyalg", NULL); /* Create controls identical except for offset */ - def.length_bytes = 8; def.offset_dsp_words = 0; def.shortname = "CtlA"; cs_dsp_mock_wmfw_add_coeff_desc(local->wmfw_builder, &def); -- 2.49.0

5 months, 3 weeks

3
2
0 0

[PATCH v4] fs: minix: Fix handling of corrupted directories

by Andrey Kriulin

If the directory is corrupted and the number of nlinks is less than 2 (valid nlinks have at least 2), then when the directory is deleted, the minix_rmdir will try to reduce the nlinks(unsigned int) to a negative value. Make nlinks validity check for directories. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Andrey Kriulin <kitotavrik.s(a)gmail.com> --- v4: Add nlinks check for parent dirictory to minix_rmdir per Jan Kara <jack(a)suse.cz> request. v3: Move nlinks validaty check to minix_rmdir and minix_rename per Jan Kara <jack(a)suse.cz> request. v2: Move nlinks validaty check to V[12]_minix_iget() per Jan Kara <jack(a)suse.cz> request. Change return error code to EUCLEAN. Don't block directory in r/o mode per Al Viro <viro(a)zeniv.linux.org.uk> request. fs/minix/namei.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/minix/namei.c b/fs/minix/namei.c index 8938536d8d3c..ab86fd16e548 100644 --- a/fs/minix/namei.c +++ b/fs/minix/namei.c @@ -161,8 +161,12 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry) static int minix_rmdir(struct inode * dir, struct dentry *dentry) { struct inode * inode = d_inode(dentry); - int err = -ENOTEMPTY; + int err = -EUCLEAN; + if (inode->i_nlink < 2 || dir->i_nlink <= 2) + return err; + + err = -ENOTEMPTY; if (minix_empty_dir(inode)) { err = minix_unlink(dir, dentry); if (!err) { @@ -235,6 +239,10 @@ static int minix_rename(struct mnt_idmap *idmap, mark_inode_dirty(old_inode); if (dir_de) { + if (old_dir->i_nlink <= 2) { + err = -EUCLEAN; + goto out_dir; + } err = minix_set_link(dir_de, dir_folio, new_dir); if (!err) inode_dec_link_count(old_dir); -- 2.47.2

5 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] highmem: add folio_test_partial_kmap()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 97dfbbd135cb5e4426f37ca53a8fa87eaaa4e376 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052622-segment-presuming-e4c6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 97dfbbd135cb5e4426f37ca53a8fa87eaaa4e376 Mon Sep 17 00:00:00 2001 From: "Matthew Wilcox (Oracle)" <willy(a)infradead.org> Date: Wed, 14 May 2025 18:06:02 +0100 Subject: [PATCH] highmem: add folio_test_partial_kmap() In commit c749d9b7ebbc ("iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP"), Hugh correctly noted that if KMAP_LOCAL_FORCE_MAP is enabled, we must limit ourselves to PAGE_SIZE bytes per call to kmap_local(). The same problem exists in memcpy_from_folio(), memcpy_to_folio(), folio_zero_tail(), folio_fill_tail() and memcpy_from_file_folio(), so add folio_test_partial_kmap() to do this more succinctly. Link: https://lkml.kernel.org/r/20250514170607.3000994-2-willy@infradead.org Fixes: 00cdf76012ab ("mm: add memcpy_from_file_folio()") Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/highmem.h b/include/linux/highmem.h index 5c6bea81a90e..c698f8415675 100644 --- a/include/linux/highmem.h +++ b/include/linux/highmem.h @@ -461,7 +461,7 @@ static inline void memcpy_from_folio(char *to, struct folio *folio, const char *from = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -489,7 +489,7 @@ static inline void memcpy_to_folio(struct folio *folio, size_t offset, char *to = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -522,7 +522,7 @@ static inline __must_check void *folio_zero_tail(struct folio *folio, { size_t len = folio_size(folio) - offset; - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -560,7 +560,7 @@ static inline void folio_fill_tail(struct folio *folio, size_t offset, VM_BUG_ON(offset + len > folio_size(folio)); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -597,7 +597,7 @@ static inline size_t memcpy_from_file_folio(char *to, struct folio *folio, size_t offset = offset_in_folio(folio, pos); char *from = kmap_local_folio(folio, offset); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { offset = offset_in_page(offset); len = min_t(size_t, len, PAGE_SIZE - offset); } else diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index e6a21b62dcce..3b814ce08331 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -615,6 +615,13 @@ FOLIO_FLAG(dropbehind, FOLIO_HEAD_PAGE) PAGEFLAG_FALSE(HighMem, highmem) #endif +/* Does kmap_local_folio() only allow access to one page of the folio? */ +#ifdef CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP +#define folio_test_partial_kmap(f) true +#else +#define folio_test_partial_kmap(f) folio_test_highmem(f) +#endif + #ifdef CONFIG_SWAP static __always_inline bool folio_test_swapcache(const struct folio *folio) {

5 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: fix copy_vma() error handling for hugetlb mappings" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ee40c9920ac286c5bfe7c811e66ff899266d2582 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052601-directive-strep-6b85@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee40c9920ac286c5bfe7c811e66ff899266d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn(a)igalia.com> Date: Fri, 23 May 2025 14:19:10 +0200 Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 8f3ac832ee7f..4861a7e304bb 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(struct mm_struct *mm, static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 55e6796b24d0..6a3cf7935c14 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_area_struct *vma) /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} diff --git a/mm/mremap.c b/mm/mremap.c index 7db9da609c84..0d4948b720e2 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_remap_struct *vrm, mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c88..a468d4c29c0c 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file)

5 months, 3 weeks

3
2
0 0

[PATCH] ext4: inline: do not convert when writing to memory map

by Thadeu Lima de Souza Cascardo

inline data handling has a race between writing and writing to a memory map. When ext4_page_mkwrite is called, it calls ext4_convert_inline_data, which destroys the inline data, but if block allocation fails, restores the inline data. In that process, we could have: CPU1 CPU2 destroy_inline_data write_begin (does not see inline data) restory_inline_data write_end (sees inline data) This leads to bugs like the one below, as write_begin did not prepare for the case of inline data, which is expected by the write_end side of it. ------------[ cut here ]------------ kernel BUG at fs/ext4/inline.c:235! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 UID: 0 PID: 5838 Comm: syz-executor110 Not tainted 6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:ext4_write_inline_data fs/ext4/inline.c:235 [inline] RIP: 0010:ext4_write_inline_data_end+0xdc7/0xdd0 fs/ext4/inline.c:774 Code: 47 1d 8c e8 4b 3a 91 ff 90 0f 0b e8 63 7a 47 ff 48 8b 7c 24 10 48 c7 c6 e0 47 1d 8c e8 32 3a 91 ff 90 0f 0b e8 4a 7a 47 ff 90 <0f> 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc900031c7320 EFLAGS: 00010293 RAX: ffffffff8257f9a6 RBX: 000000000000005a RCX: ffff888012968000 RDX: 0000000000000000 RSI: 000000000000005a RDI: 000000000000005b RBP: ffffc900031c7448 R08: ffffffff8257ef87 R09: 1ffff11006806070 R10: dffffc0000000000 R11: ffffed1006806071 R12: 000000000000005a R13: dffffc0000000000 R14: ffff888076b65bd8 R15: 000000000000005b FS: 00007f5c6bacf6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000a00 CR3: 0000000073fb6000 CR4: 0000000000350ef0 Call Trace: <TASK> generic_perform_write+0x6f8/0x990 mm/filemap.c:4070 ext4_buffered_write_iter+0xc5/0x350 fs/ext4/file.c:299 ext4_file_write_iter+0x892/0x1c50 iter_file_splice_write+0xbfc/0x1510 fs/splice.c:743 do_splice_from fs/splice.c:941 [inline] direct_splice_actor+0x11d/0x220 fs/splice.c:1164 splice_direct_to_actor+0x588/0xc80 fs/splice.c:1108 do_splice_direct_actor fs/splice.c:1207 [inline] do_splice_direct+0x289/0x3e0 fs/splice.c:1233 do_sendfile+0x564/0x8a0 fs/read_write.c:1363 __do_sys_sendfile64 fs/read_write.c:1424 [inline] __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5c6bb18d09 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5c6bacf218 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007f5c6bba0708 RCX: 00007f5c6bb18d09 RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004 RBP: 00007f5c6bba0700 R08: 0000000000000000 R09: 0000000000000000 R10: 000080001d00c0d0 R11: 0000000000000246 R12: 00007f5c6bb6d620 R13: 00007f5c6bb6d0c0 R14: 0031656c69662f2e R15: 8088e3ad122bc192 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- This happens because ext4_page_mkwrite is not protected by the inode_lock. The xattr semaphore is not sufficient to protect inline data handling in a sane way, so we need to rely on the inode_lock. Adding the inode_lock to ext4_page_mkwrite is not an option, otherwise lock-ordering problems with mmap_lock may arise. The conversion inside ext4_page_mkwrite was introduced at commit 7b4cc9787fe3 ("ext4: evict inline data when writing to memory map"). This fixes a documented bug in the commit message, which suggests some alternatives fixes. The alternative of keeping the data inline is left as an exercise for the reader. Instead, block allocation still happens, just as it does right now. But removal of the inline data is only done when pages are written back. Fixes: 7b4cc9787fe3 ("ext4: evict inline data when writing to memory map") Reported-by: syzbot+0c89d865531d053abb2d(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0c89d865531d053abb2d Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> Cc: stable(a)vger.kernel.org --- fs/ext4/inode.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 94c7d2d828a64e42ded09c82497ed7617071aa19..38653d5c8b32ede2b130285ab13ef1e96b1ba783 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -2620,8 +2620,7 @@ static int ext4_do_writepages(struct mpage_da_data *mpd) ret = PTR_ERR(handle); goto out_writepages; } - BUG_ON(ext4_test_inode_state(inode, - EXT4_STATE_MAY_INLINE_DATA)); + ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA); ext4_destroy_inline_data(handle, inode); ext4_journal_stop(handle); } @@ -6222,10 +6221,6 @@ vm_fault_t ext4_page_mkwrite(struct vm_fault *vmf) filemap_invalidate_lock_shared(mapping); - err = ext4_convert_inline_data(inode); - if (err) - goto out_ret; - /* * On data journalling we skip straight to the transaction handle: * there's no delalloc; page truncated will be checked later; the --- base-commit: a5806cd506af5a7c19bcd596e4708b5c464bfd21 change-id: 20250519-ext4_inline_page_mkwrite-c42ca1f02295 Best regards, -- Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com>

5 months, 3 weeks

3
4
0 0

Request to backport b3bee1e7c3f2b1b77182302c7b2131c804175870 (x86/boot: Compile boot code with -std=gnu11 too)

by Hendrik Donner

Hello, with gcc 15.1.1 i see the following build issue on 6.6.91: CC arch/x86/boot/a20.o In file included from ./include/uapi/linux/posix_types.h:5, from ./include/uapi/linux/types.h:14, from ./include/linux/types.h:6, from arch/x86/boot/boot.h:22, from arch/x86/boot/a20.c:14: ./include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant 11 | false = 0, | ^~~~~ ./include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards ./include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef' 35 | typedef _Bool bool; | ^~~~ ./include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards ./include/linux/types.h:35:1: warning: useless type name in empty declaration 35 | typedef _Bool bool; | ^~~~~~~ make[2]: *** [scripts/Makefile.build:243: arch/x86/boot/a20.o] Error 1 make[1]: *** [arch/x86/Makefile:284: bzImage] Error 2 Fixed by b3bee1e7c3f2b1b77182302c7b2131c804175870 (x86/boot: Compile boot code with -std=gnu11 too), which hasn't been backported yet. Should probably go into all stable trees. Regards, Hendrik

5 months, 3 weeks

2
2
0 0

[PATCH v5 0/4] media: uvcvideo: Introduce V4L2_META_FMT_UVC_MSXU_1_5 + other meta fixes

by Ricardo Ribalda

This series introduces a new metadata format for UVC cameras and adds a couple of improvements to the UVC metadata handling. Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v5: - Fix codestyle and kerneldoc warnings reported by media-ci - Link to v4: https://lore.kernel.org/r/20250403-uvc-meta-v4-0-877aa6475975@chromium.org Changes in v4: - Rename format to V4L2_META_FMT_UVC_MSXU_1_5 (Thanks Mauro) - Flag the new format with a quirk. - Autodetect MSXU devices. - Link to v3: https://lore.kernel.org/linux-media/20250313-uvc-metadata-v3-0-c467af869c60… Changes in v3: - Fix doc syntax errors. - Link to v2: https://lore.kernel.org/r/20250306-uvc-metadata-v2-0-7e939857cad5@chromium.… Changes in v2: - Add metadata invalid fix - Move doc note to a separate patch - Introuce V4L2_META_FMT_UVC_CUSTOM (thanks HdG!). - Link to v1: https://lore.kernel.org/r/20250226-uvc-metadata-v1-1-6cd6fe5ec2cb@chromium.… --- Ricardo Ribalda (4): media: uvcvideo: Do not mark valid metadata as invalid media: Documentation: Add note about UVCH length field media: uvcvideo: Introduce V4L2_META_FMT_UVC_MSXU_1_5 media: uvcvideo: Auto-set UVC_QUIRK_MSXU_META .../userspace-api/media/v4l/meta-formats.rst | 1 + .../media/v4l/metafmt-uvc-msxu-1-5.rst | 23 +++++ .../userspace-api/media/v4l/metafmt-uvc.rst | 4 +- MAINTAINERS | 1 + drivers/media/usb/uvc/uvc_metadata.c | 97 ++++++++++++++++++++-- drivers/media/usb/uvc/uvc_video.c | 12 +-- drivers/media/usb/uvc/uvcvideo.h | 1 + drivers/media/v4l2-core/v4l2-ioctl.c | 1 + include/linux/usb/uvc.h | 3 + include/uapi/linux/videodev2.h | 1 + 10 files changed, 131 insertions(+), 13 deletions(-) --- base-commit: 4e82c87058f45e79eeaa4d5bcc3b38dd3dce7209 change-id: 20250403-uvc-meta-e556773d12ae Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

5 months, 3 weeks

3
4
0 0

[PATCH 6.1 1/1] erofs: get rid of z_erofs_fill_inode()

by d.privalov

From: Gao Xiang <hsiangkao(a)linux.alibaba.com> commit 4fdadd5b0f0c723c812842454f8cca1619f2e731 upstream. Prior to big pclusters, non-compact compression indexes could have empty headers. Let's just avoid the legacy path since it can be handled properly as a specific compression header with z_erofs_fill_inode_lazy() too. Tested with erofs-utils exist versions. Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> Reviewed-by: Yue Hu <huyue2(a)coolpad.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Link: https://lore.kernel.org/r/20230413092241.73829-1-hsiangkao@linux.alibaba.com Signed-off-by: Dmitriy Privalov <d.privalov(a)omp.ru> --- fs/erofs/inode.c | 12 ++++++++---- fs/erofs/internal.h | 2 -- fs/erofs/zmap.c | 18 ------------------ 3 files changed, 8 insertions(+), 24 deletions(-) diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c index 7dcf350b9fef9..550b93fd12031 100644 --- a/fs/erofs/inode.c +++ b/fs/erofs/inode.c @@ -283,11 +283,15 @@ static int erofs_fill_inode(struct inode *inode) } if (erofs_inode_is_data_compressed(vi->datalayout)) { +#ifdef CONFIG_EROFS_FS_ZIP if (!erofs_is_fscache_mode(inode->i_sb) && - inode->i_sb->s_blocksize_bits == PAGE_SHIFT) - err = z_erofs_fill_inode(inode); - else - err = -EOPNOTSUPP; + inode->i_sb->s_blocksize_bits == PAGE_SHIFT) { + inode->i_mapping->a_ops = &z_erofs_aops; + err = 0; + goto out_unlock; + } +#endif + err = -EOPNOTSUPP; goto out_unlock; } inode->i_mapping->a_ops = &erofs_raw_access_aops; diff --git a/fs/erofs/internal.h b/fs/erofs/internal.h index d7cd1e619d46f..161317f8fe266 100644 --- a/fs/erofs/internal.h +++ b/fs/erofs/internal.h @@ -425,12 +425,10 @@ enum { extern const struct iomap_ops z_erofs_iomap_report_ops; #ifdef CONFIG_EROFS_FS_ZIP -int z_erofs_fill_inode(struct inode *inode); int z_erofs_map_blocks_iter(struct inode *inode, struct erofs_map_blocks *map, int flags); #else -static inline int z_erofs_fill_inode(struct inode *inode) { return -EOPNOTSUPP; } static inline int z_erofs_map_blocks_iter(struct inode *inode, struct erofs_map_blocks *map, int flags) diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 2cd70cf4c8b27..b030a04bdd283 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -7,24 +7,6 @@ #include <asm/unaligned.h> #include <trace/events/erofs.h> -int z_erofs_fill_inode(struct inode *inode) -{ - struct erofs_inode *const vi = EROFS_I(inode); - struct erofs_sb_info *sbi = EROFS_SB(inode->i_sb); - - if (!erofs_sb_has_big_pcluster(sbi) && - !erofs_sb_has_ztailpacking(sbi) && !erofs_sb_has_fragments(sbi) && - vi->datalayout == EROFS_INODE_COMPRESSED_FULL) { - vi->z_advise = 0; - vi->z_algorithmtype[0] = 0; - vi->z_algorithmtype[1] = 0; - vi->z_logical_clusterbits = inode->i_sb->s_blocksize_bits; - set_bit(EROFS_I_Z_INITED_BIT, &vi->flags); - } - inode->i_mapping->a_ops = &z_erofs_aops; - return 0; -} - struct z_erofs_maprecorder { struct inode *inode; struct erofs_map_blocks *map; -- 2.34.1

5 months, 3 weeks

1
0
0 0

Re: [PATCH v1] virtio_blk: Fix disk deletion hang on device surprise removal

by Stefan Hajnoczi

On Wed, May 21, 2025 at 06:37:41AM +0000, Parav Pandit wrote: > When the PCI device is surprise removed, requests may not complete > the device as the VQ is marked as broken. Due to this, the disk > deletion hangs. > > Fix it by aborting the requests when the VQ is broken. > > With this fix now fio completes swiftly. > An alternative of IO timeout has been considered, however > when the driver knows about unresponsive block device, swiftly clearing > them enables users and upper layers to react quickly. > > Verified with multiple device unplug iterations with pending requests in > virtio used ring and some pending with the device. > > Fixes: 43bb40c5b926 ("virtio_pci: Support surprise removal of virtio pci device") > Cc: stable(a)vger.kernel.org > Reported-by: lirongqing(a)baidu.com > Closes: https://lore.kernel.org/virtualization/c45dd68698cd47238c55fb73ca9b4741@bai… > Reviewed-by: Max Gurtovoy <mgurtovoy(a)nvidia.com> > Reviewed-by: Israel Rukshin <israelr(a)nvidia.com> > Signed-off-by: Parav Pandit <parav(a)nvidia.com> > --- > changelog: > v0->v1: > - Fixed comments from Stefan to rename a cleanup function > - Improved logic for handling any outstanding requests > in bio layer > - improved cancel callback to sync with ongoing done() > > --- > drivers/block/virtio_blk.c | 95 ++++++++++++++++++++++++++++++++++++++ > 1 file changed, 95 insertions(+) > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > index 7cffea01d868..5212afdbd3c7 100644 > --- a/drivers/block/virtio_blk.c > +++ b/drivers/block/virtio_blk.c > @@ -435,6 +435,13 @@ static blk_status_t virtio_queue_rq(struct blk_mq_hw_ctx *hctx, > blk_status_t status; > int err; > > + /* Immediately fail all incoming requests if the vq is broken. > + * Once the queue is unquiesced, upper block layer flushes any pending > + * queued requests; fail them right away. > + */ > + if (unlikely(virtqueue_is_broken(vblk->vqs[qid].vq))) > + return BLK_STS_IOERR; > + > status = virtblk_prep_rq(hctx, vblk, req, vbr); > if (unlikely(status)) > return status; > @@ -508,6 +515,11 @@ static void virtio_queue_rqs(struct rq_list *rqlist) > while ((req = rq_list_pop(rqlist))) { > struct virtio_blk_vq *this_vq = get_virtio_blk_vq(req->mq_hctx); > > + if (unlikely(virtqueue_is_broken(this_vq->vq))) { > + rq_list_add_tail(&requeue_list, req); > + continue; > + } > + > if (vq && vq != this_vq) > virtblk_add_req_batch(vq, &submit_list); > vq = this_vq; > @@ -1554,6 +1566,87 @@ static int virtblk_probe(struct virtio_device *vdev) > return err; > } > > +static bool virtblk_request_cancel(struct request *rq, void *data) > +{ > + struct virtblk_req *vbr = blk_mq_rq_to_pdu(rq); > + struct virtio_blk *vblk = data; > + struct virtio_blk_vq *vq; > + unsigned long flags; > + > + vq = &vblk->vqs[rq->mq_hctx->queue_num]; > + > + spin_lock_irqsave(&vq->lock, flags); > + > + vbr->in_hdr.status = VIRTIO_BLK_S_IOERR; > + if (blk_mq_request_started(rq) && !blk_mq_request_completed(rq)) > + blk_mq_complete_request(rq); > + > + spin_unlock_irqrestore(&vq->lock, flags); > + return true; > +} > + > +static void virtblk_broken_device_cleanup(struct virtio_blk *vblk) > +{ > + struct request_queue *q = vblk->disk->queue; > + > + if (!virtqueue_is_broken(vblk->vqs[0].vq)) > + return; Can a subset of virtqueues be broken? If so, then this code doesn't handle it. > + > + /* Start freezing the queue, so that new requests keeps waitng at the s/waitng/waiting/ > + * door of bio_queue_enter(). We cannot fully freeze the queue because > + * freezed queue is an empty queue and there are pending requests, so > + * only start freezing it. > + */ > + blk_freeze_queue_start(q); > + > + /* When quiescing completes, all ongoing dispatches have completed > + * and no new dispatch will happen towards the driver. > + * This ensures that later when cancel is attempted, then are not > + * getting processed by the queue_rq() or queue_rqs() handlers. > + */ > + blk_mq_quiesce_queue(q); > + > + /* > + * Synchronize with any ongoing VQ callbacks, effectively quiescing > + * the device and preventing it from completing further requests > + * to the block layer. Any outstanding, incomplete requests will be > + * completed by virtblk_request_cancel(). > + */ > + virtio_synchronize_cbs(vblk->vdev); > + > + /* At this point, no new requests can enter the queue_rq() and > + * completion routine will not complete any new requests either for the > + * broken vq. Hence, it is safe to cancel all requests which are > + * started. > + */ > + blk_mq_tagset_busy_iter(&vblk->tag_set, virtblk_request_cancel, vblk); Although virtio_synchronize_cbs() was called, a broken/malicious device can still raise IRQs. Would that lead to use-after-free or similar undefined behavior for requests that have been submitted to the device? It seems safer to reset the device before marking the requests as failed. > + blk_mq_tagset_wait_completed_request(&vblk->tag_set); > + > + /* All pending requests are cleaned up. Time to resume so that disk > + * deletion can be smooth. Start the HW queues so that when queue is > + * unquiesced requests can again enter the driver. > + */ > + blk_mq_start_stopped_hw_queues(q, true); > + > + /* Unquiescing will trigger dispatching any pending requests to the > + * driver which has crossed bio_queue_enter() to the driver. > + */ > + blk_mq_unquiesce_queue(q); > + > + /* Wait for all pending dispatches to terminate which may have been > + * initiated after unquiescing. > + */ > + blk_mq_freeze_queue_wait(q); > + > + /* Mark the disk dead so that once queue unfreeze, the requests > + * waiting at the door of bio_queue_enter() can be aborted right away. > + */ > + blk_mark_disk_dead(vblk->disk); > + > + /* Unfreeze the queue so that any waiting requests will be aborted. */ > + blk_mq_unfreeze_queue_nomemrestore(q); > +} > + > static void virtblk_remove(struct virtio_device *vdev) > { > struct virtio_blk *vblk = vdev->priv; > @@ -1561,6 +1654,8 @@ static void virtblk_remove(struct virtio_device *vdev) > /* Make sure no work handler is accessing the device. */ > flush_work(&vblk->config_work); > > + virtblk_broken_device_cleanup(vblk); > + > del_gendisk(vblk->disk); > blk_mq_free_tag_set(&vblk->tag_set); > > -- > 2.34.1 >

5 months, 3 weeks

3
7
0 0

FAILED: patch "[PATCH] kasan: avoid sleepable page allocation from atomic context" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052647-paprika-unsterile-4753@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Thu, 15 May 2025 15:55:38 +0200 Subject: [PATCH] kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range. Link: https://lkml.kernel.org/r/c61d3560297c93ed044f0b1af085610353a06a58.17473169… Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Suggested-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Cc: Daniel Axtens <dja(a)axtens.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index 88d1c9dcb507..d2c70cd2afb1 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -292,33 +292,99 @@ void __init __weak kasan_populate_early_vm_area_shadow(void *start, { } +struct vmalloc_populate_data { + unsigned long start; + struct page **pages; +}; + static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, - void *unused) + void *_data) { - unsigned long page; + struct vmalloc_populate_data *data = _data; + struct page *page; pte_t pte; + int index; if (likely(!pte_none(ptep_get(ptep)))) return 0; - page = __get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE); - pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL); + index = PFN_DOWN(addr - data->start); + page = data->pages[index]; + __memset(page_to_virt(page), KASAN_VMALLOC_INVALID, PAGE_SIZE); + pte = pfn_pte(page_to_pfn(page), PAGE_KERNEL); spin_lock(&init_mm.page_table_lock); if (likely(pte_none(ptep_get(ptep)))) { set_pte_at(&init_mm, addr, ptep, pte); - page = 0; + data->pages[index] = NULL; } spin_unlock(&init_mm.page_table_lock); - if (page) - free_page(page); + return 0; } +static void ___free_pages_bulk(struct page **pages, int nr_pages) +{ + int i; + + for (i = 0; i < nr_pages; i++) { + if (pages[i]) { + __free_pages(pages[i], 0); + pages[i] = NULL; + } + } +} + +static int ___alloc_pages_bulk(struct page **pages, int nr_pages) +{ + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { + nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; + } + pages += nr_populated; + nr_pages -= nr_populated; + } + + return 0; +} + +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) +{ + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; + int ret = 0; + + data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); + ret = ___alloc_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + data.start = start; + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + start += nr_pages * PAGE_SIZE; + nr_total -= nr_pages; + } + + free_page((unsigned long)data.pages); + + return ret; +} + int kasan_populate_vmalloc(unsigned long addr, unsigned long size) { unsigned long shadow_start, shadow_end; @@ -348,9 +414,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size) shadow_start = PAGE_ALIGN_DOWN(shadow_start); shadow_end = PAGE_ALIGN(shadow_end); - ret = apply_to_page_range(&init_mm, shadow_start, - shadow_end - shadow_start, - kasan_populate_vmalloc_pte, NULL); + ret = __kasan_populate_vmalloc(shadow_start, shadow_end); if (ret) return ret;

5 months, 3 weeks

1
0
0 0

[PATCH] mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios

by yangge1116＠126.com

From: Ge Yang <yangge1116(a)126.com> A kernel crash was observed when replacing free hugetlb folios: BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK> replace_free_hugepage_folios+0xb6/0x100 alloc_contig_range_noprof+0x18a/0x590 ? srso_return_thunk+0x5/0x5f ? down_read+0x12/0xa0 ? srso_return_thunk+0x5/0x5f cma_range_alloc.constprop.0+0x131/0x290 __cma_alloc+0xcf/0x2c0 cma_alloc_write+0x43/0xb0 simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110 debugfs_attr_write+0x46/0x70 full_proxy_write+0x62/0xa0 vfs_write+0xf8/0x420 ? srso_return_thunk+0x5/0x5f ? filp_flush+0x86/0xa0 ? srso_return_thunk+0x5/0x5f ? filp_close+0x1f/0x30 ? srso_return_thunk+0x5/0x5f ? do_dup2+0xaf/0x160 ? srso_return_thunk+0x5/0x5f ksys_write+0x65/0xe0 do_syscall_64+0x64/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios(): CPU1 CPU2 __update_and_free_hugetlb_folio replace_free_hugepage_folios folio_test_hugetlb(folio) -- It's still hugetlb folio. __folio_clear_hugetlb(folio) hugetlb_free_folio(folio) h = folio_hstate(folio) -- Here, h is NULL pointer When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL. Fixes: 04f13d241b8b ("mm: replace free hugepage folios after migration") Signed-off-by: Ge Yang <yangge1116(a)126.com> Cc: <stable(a)vger.kernel.org> --- mm/hugetlb.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 3d3ca6b..6c2e007 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2924,12 +2924,20 @@ int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn) while (start_pfn < end_pfn) { folio = pfn_folio(start_pfn); + + /* + * The folio might have been dissolved from under our feet, so make sure + * to carefully check the state under the lock. + */ + spin_lock_irq(&hugetlb_lock); if (folio_test_hugetlb(folio)) { h = folio_hstate(folio); } else { + spin_unlock_irq(&hugetlb_lock); start_pfn++; continue; } + spin_unlock_irq(&hugetlb_lock); if (!folio_ref_count(folio)) { ret = alloc_and_dissolve_hugetlb_folio(h, folio, -- 2.7.4

5 months, 3 weeks

5
17
0 0

FAILED: patch "[PATCH] mm: fix copy_vma() error handling for hugetlb mappings" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x ee40c9920ac286c5bfe7c811e66ff899266d2582 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052659-snugly-tag-6f43@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee40c9920ac286c5bfe7c811e66ff899266d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn(a)igalia.com> Date: Fri, 23 May 2025 14:19:10 +0200 Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 8f3ac832ee7f..4861a7e304bb 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(struct mm_struct *mm, static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 55e6796b24d0..6a3cf7935c14 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_area_struct *vma) /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} diff --git a/mm/mremap.c b/mm/mremap.c index 7db9da609c84..0d4948b720e2 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_remap_struct *vrm, mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c88..a468d4c29c0c 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: fix copy_vma() error handling for hugetlb mappings" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x ee40c9920ac286c5bfe7c811e66ff899266d2582 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052654-retired-handling-209f@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee40c9920ac286c5bfe7c811e66ff899266d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn(a)igalia.com> Date: Fri, 23 May 2025 14:19:10 +0200 Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 8f3ac832ee7f..4861a7e304bb 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(struct mm_struct *mm, static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 55e6796b24d0..6a3cf7935c14 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_area_struct *vma) /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} diff --git a/mm/mremap.c b/mm/mremap.c index 7db9da609c84..0d4948b720e2 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_remap_struct *vrm, mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c88..a468d4c29c0c 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: fix copy_vma() error handling for hugetlb mappings" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x ee40c9920ac286c5bfe7c811e66ff899266d2582 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052652-bloated-preoccupy-3ffb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee40c9920ac286c5bfe7c811e66ff899266d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn(a)igalia.com> Date: Fri, 23 May 2025 14:19:10 +0200 Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 8f3ac832ee7f..4861a7e304bb 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(struct mm_struct *mm, static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 55e6796b24d0..6a3cf7935c14 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_area_struct *vma) /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} diff --git a/mm/mremap.c b/mm/mremap.c index 7db9da609c84..0d4948b720e2 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_remap_struct *vrm, mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c88..a468d4c29c0c 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: fix copy_vma() error handling for hugetlb mappings" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x ee40c9920ac286c5bfe7c811e66ff899266d2582 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052651-capably-displease-37db@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee40c9920ac286c5bfe7c811e66ff899266d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn(a)igalia.com> Date: Fri, 23 May 2025 14:19:10 +0200 Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 8f3ac832ee7f..4861a7e304bb 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(struct mm_struct *mm, static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 55e6796b24d0..6a3cf7935c14 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_area_struct *vma) /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} diff --git a/mm/mremap.c b/mm/mremap.c index 7db9da609c84..0d4948b720e2 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_remap_struct *vrm, mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c88..a468d4c29c0c 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: fix copy_vma() error handling for hugetlb mappings" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x ee40c9920ac286c5bfe7c811e66ff899266d2582 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052649-cymbal-eggplant-f524@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee40c9920ac286c5bfe7c811e66ff899266d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn(a)igalia.com> Date: Fri, 23 May 2025 14:19:10 +0200 Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 8f3ac832ee7f..4861a7e304bb 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(struct mm_struct *mm, static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 55e6796b24d0..6a3cf7935c14 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_area_struct *vma) /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} diff --git a/mm/mremap.c b/mm/mremap.c index 7db9da609c84..0d4948b720e2 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_remap_struct *vrm, mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c88..a468d4c29c0c 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: fix copy_vma() error handling for hugetlb mappings" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x ee40c9920ac286c5bfe7c811e66ff899266d2582 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052647-jokester-paralyses-8a1a@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee40c9920ac286c5bfe7c811e66ff899266d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn(a)igalia.com> Date: Fri, 23 May 2025 14:19:10 +0200 Subject: [PATCH] mm: fix copy_vma() error handling for hugetlb mappings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 8f3ac832ee7f..4861a7e304bb 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm_area_struct *vma, bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(struct mm_struct *mm, static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 55e6796b24d0..6a3cf7935c14 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_area_struct *vma) /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} diff --git a/mm/mremap.c b/mm/mremap.c index 7db9da609c84..0d4948b720e2 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_remap_struct *vrm, mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c88..a468d4c29c0c 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file)

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] kasan: avoid sleepable page allocation from atomic context" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052642-trustful-pardon-7433@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Thu, 15 May 2025 15:55:38 +0200 Subject: [PATCH] kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range. Link: https://lkml.kernel.org/r/c61d3560297c93ed044f0b1af085610353a06a58.17473169… Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Suggested-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Cc: Daniel Axtens <dja(a)axtens.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index 88d1c9dcb507..d2c70cd2afb1 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -292,33 +292,99 @@ void __init __weak kasan_populate_early_vm_area_shadow(void *start, { } +struct vmalloc_populate_data { + unsigned long start; + struct page **pages; +}; + static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, - void *unused) + void *_data) { - unsigned long page; + struct vmalloc_populate_data *data = _data; + struct page *page; pte_t pte; + int index; if (likely(!pte_none(ptep_get(ptep)))) return 0; - page = __get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE); - pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL); + index = PFN_DOWN(addr - data->start); + page = data->pages[index]; + __memset(page_to_virt(page), KASAN_VMALLOC_INVALID, PAGE_SIZE); + pte = pfn_pte(page_to_pfn(page), PAGE_KERNEL); spin_lock(&init_mm.page_table_lock); if (likely(pte_none(ptep_get(ptep)))) { set_pte_at(&init_mm, addr, ptep, pte); - page = 0; + data->pages[index] = NULL; } spin_unlock(&init_mm.page_table_lock); - if (page) - free_page(page); + return 0; } +static void ___free_pages_bulk(struct page **pages, int nr_pages) +{ + int i; + + for (i = 0; i < nr_pages; i++) { + if (pages[i]) { + __free_pages(pages[i], 0); + pages[i] = NULL; + } + } +} + +static int ___alloc_pages_bulk(struct page **pages, int nr_pages) +{ + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { + nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; + } + pages += nr_populated; + nr_pages -= nr_populated; + } + + return 0; +} + +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) +{ + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; + int ret = 0; + + data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); + ret = ___alloc_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + data.start = start; + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + start += nr_pages * PAGE_SIZE; + nr_total -= nr_pages; + } + + free_page((unsigned long)data.pages); + + return ret; +} + int kasan_populate_vmalloc(unsigned long addr, unsigned long size) { unsigned long shadow_start, shadow_end; @@ -348,9 +414,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size) shadow_start = PAGE_ALIGN_DOWN(shadow_start); shadow_end = PAGE_ALIGN(shadow_end); - ret = apply_to_page_range(&init_mm, shadow_start, - shadow_end - shadow_start, - kasan_populate_vmalloc_pte, NULL); + ret = __kasan_populate_vmalloc(shadow_start, shadow_end); if (ret) return ret;

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] kasan: avoid sleepable page allocation from atomic context" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052641-magnetize-unethical-6fd1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Thu, 15 May 2025 15:55:38 +0200 Subject: [PATCH] kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range. Link: https://lkml.kernel.org/r/c61d3560297c93ed044f0b1af085610353a06a58.17473169… Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Suggested-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Cc: Daniel Axtens <dja(a)axtens.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index 88d1c9dcb507..d2c70cd2afb1 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -292,33 +292,99 @@ void __init __weak kasan_populate_early_vm_area_shadow(void *start, { } +struct vmalloc_populate_data { + unsigned long start; + struct page **pages; +}; + static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, - void *unused) + void *_data) { - unsigned long page; + struct vmalloc_populate_data *data = _data; + struct page *page; pte_t pte; + int index; if (likely(!pte_none(ptep_get(ptep)))) return 0; - page = __get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE); - pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL); + index = PFN_DOWN(addr - data->start); + page = data->pages[index]; + __memset(page_to_virt(page), KASAN_VMALLOC_INVALID, PAGE_SIZE); + pte = pfn_pte(page_to_pfn(page), PAGE_KERNEL); spin_lock(&init_mm.page_table_lock); if (likely(pte_none(ptep_get(ptep)))) { set_pte_at(&init_mm, addr, ptep, pte); - page = 0; + data->pages[index] = NULL; } spin_unlock(&init_mm.page_table_lock); - if (page) - free_page(page); + return 0; } +static void ___free_pages_bulk(struct page **pages, int nr_pages) +{ + int i; + + for (i = 0; i < nr_pages; i++) { + if (pages[i]) { + __free_pages(pages[i], 0); + pages[i] = NULL; + } + } +} + +static int ___alloc_pages_bulk(struct page **pages, int nr_pages) +{ + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { + nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; + } + pages += nr_populated; + nr_pages -= nr_populated; + } + + return 0; +} + +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) +{ + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; + int ret = 0; + + data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); + ret = ___alloc_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + data.start = start; + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + start += nr_pages * PAGE_SIZE; + nr_total -= nr_pages; + } + + free_page((unsigned long)data.pages); + + return ret; +} + int kasan_populate_vmalloc(unsigned long addr, unsigned long size) { unsigned long shadow_start, shadow_end; @@ -348,9 +414,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size) shadow_start = PAGE_ALIGN_DOWN(shadow_start); shadow_end = PAGE_ALIGN(shadow_end); - ret = apply_to_page_range(&init_mm, shadow_start, - shadow_end - shadow_start, - kasan_populate_vmalloc_pte, NULL); + ret = __kasan_populate_vmalloc(shadow_start, shadow_end); if (ret) return ret;

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] kasan: avoid sleepable page allocation from atomic context" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052640-nintendo-dosage-797e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Thu, 15 May 2025 15:55:38 +0200 Subject: [PATCH] kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range. Link: https://lkml.kernel.org/r/c61d3560297c93ed044f0b1af085610353a06a58.17473169… Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Suggested-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Cc: Daniel Axtens <dja(a)axtens.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index 88d1c9dcb507..d2c70cd2afb1 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -292,33 +292,99 @@ void __init __weak kasan_populate_early_vm_area_shadow(void *start, { } +struct vmalloc_populate_data { + unsigned long start; + struct page **pages; +}; + static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, - void *unused) + void *_data) { - unsigned long page; + struct vmalloc_populate_data *data = _data; + struct page *page; pte_t pte; + int index; if (likely(!pte_none(ptep_get(ptep)))) return 0; - page = __get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE); - pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL); + index = PFN_DOWN(addr - data->start); + page = data->pages[index]; + __memset(page_to_virt(page), KASAN_VMALLOC_INVALID, PAGE_SIZE); + pte = pfn_pte(page_to_pfn(page), PAGE_KERNEL); spin_lock(&init_mm.page_table_lock); if (likely(pte_none(ptep_get(ptep)))) { set_pte_at(&init_mm, addr, ptep, pte); - page = 0; + data->pages[index] = NULL; } spin_unlock(&init_mm.page_table_lock); - if (page) - free_page(page); + return 0; } +static void ___free_pages_bulk(struct page **pages, int nr_pages) +{ + int i; + + for (i = 0; i < nr_pages; i++) { + if (pages[i]) { + __free_pages(pages[i], 0); + pages[i] = NULL; + } + } +} + +static int ___alloc_pages_bulk(struct page **pages, int nr_pages) +{ + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { + nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; + } + pages += nr_populated; + nr_pages -= nr_populated; + } + + return 0; +} + +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) +{ + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; + int ret = 0; + + data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); + ret = ___alloc_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + data.start = start; + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + start += nr_pages * PAGE_SIZE; + nr_total -= nr_pages; + } + + free_page((unsigned long)data.pages); + + return ret; +} + int kasan_populate_vmalloc(unsigned long addr, unsigned long size) { unsigned long shadow_start, shadow_end; @@ -348,9 +414,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size) shadow_start = PAGE_ALIGN_DOWN(shadow_start); shadow_end = PAGE_ALIGN(shadow_end); - ret = apply_to_page_range(&init_mm, shadow_start, - shadow_end - shadow_start, - kasan_populate_vmalloc_pte, NULL); + ret = __kasan_populate_vmalloc(shadow_start, shadow_end); if (ret) return ret;

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] kasan: avoid sleepable page allocation from atomic context" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052639-retold-smuggling-fedb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c Mon Sep 17 00:00:00 2001 From: Alexander Gordeev <agordeev(a)linux.ibm.com> Date: Thu, 15 May 2025 15:55:38 +0200 Subject: [PATCH] kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range. Link: https://lkml.kernel.org/r/c61d3560297c93ed044f0b1af085610353a06a58.17473169… Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory") Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Suggested-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Reviewed-by: Harry Yoo <harry.yoo(a)oracle.com> Cc: Daniel Axtens <dja(a)axtens.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index 88d1c9dcb507..d2c70cd2afb1 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -292,33 +292,99 @@ void __init __weak kasan_populate_early_vm_area_shadow(void *start, { } +struct vmalloc_populate_data { + unsigned long start; + struct page **pages; +}; + static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, - void *unused) + void *_data) { - unsigned long page; + struct vmalloc_populate_data *data = _data; + struct page *page; pte_t pte; + int index; if (likely(!pte_none(ptep_get(ptep)))) return 0; - page = __get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE); - pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL); + index = PFN_DOWN(addr - data->start); + page = data->pages[index]; + __memset(page_to_virt(page), KASAN_VMALLOC_INVALID, PAGE_SIZE); + pte = pfn_pte(page_to_pfn(page), PAGE_KERNEL); spin_lock(&init_mm.page_table_lock); if (likely(pte_none(ptep_get(ptep)))) { set_pte_at(&init_mm, addr, ptep, pte); - page = 0; + data->pages[index] = NULL; } spin_unlock(&init_mm.page_table_lock); - if (page) - free_page(page); + return 0; } +static void ___free_pages_bulk(struct page **pages, int nr_pages) +{ + int i; + + for (i = 0; i < nr_pages; i++) { + if (pages[i]) { + __free_pages(pages[i], 0); + pages[i] = NULL; + } + } +} + +static int ___alloc_pages_bulk(struct page **pages, int nr_pages) +{ + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { + nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; + } + pages += nr_populated; + nr_pages -= nr_populated; + } + + return 0; +} + +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) +{ + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; + int ret = 0; + + data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); + ret = ___alloc_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + data.start = start; + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; + + start += nr_pages * PAGE_SIZE; + nr_total -= nr_pages; + } + + free_page((unsigned long)data.pages); + + return ret; +} + int kasan_populate_vmalloc(unsigned long addr, unsigned long size) { unsigned long shadow_start, shadow_end; @@ -348,9 +414,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size) shadow_start = PAGE_ALIGN_DOWN(shadow_start); shadow_end = PAGE_ALIGN(shadow_end); - ret = apply_to_page_range(&init_mm, shadow_start, - shadow_end - shadow_start, - kasan_populate_vmalloc_pte, NULL); + ret = __kasan_populate_vmalloc(shadow_start, shadow_end); if (ret) return ret;

5 months, 3 weeks

1
0
0 0

[PATCH v2] mac80211: Add null pointer check for ieee80211_link_get_chanctx()

by Wentao Liang

The function ieee80211_chsw_switch_vifs() calls the function ieee80211_link_get_chanctx(), but does not check its return value. The return value is a null pointer if the ieee80211_link_get_chanctx() fails. This will lead to a null pointer dereference in the following code "&old_ctx->conf". A proper implementation can be found in ieee80211_link_use_reserved_assign(). Add a null pointer check and goto error handling path if the function fails. Fixes: 5d52ee811019 ("mac80211: allow reservation of a running chanctx") Cc: stable(a)vger.kernel.org # v3.16 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v2: Fix code error. net/mac80211/chan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index a442cb667520..c9b703c283e7 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -1503,6 +1503,10 @@ static int ieee80211_chsw_switch_vifs(struct ieee80211_local *local, continue; old_ctx = ieee80211_link_get_chanctx(link); + if (WARN_ON(!old_ctx)) { + err = -EINVAL; + goto out; + } vif_chsw[i].vif = &link->sdata->vif; vif_chsw[i].old_ctx = &old_ctx->conf; vif_chsw[i].new_ctx = &ctx->conf; -- 2.42.0.windows.2

5 months, 3 weeks

3
5
0 0

[PATCH] mtd: nand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk

by Wentao Liang

The function sunxi_nfc_hw_ecc_write_chunk() calls the sunxi_nfc_hw_ecc_write_chunk(), but does not call the configuration function sunxi_nfc_randomizer_config(). Consequently, the randomization might not conduct correctly, which will affect the lifespan of NAND flash. A proper implementation can be found in sunxi_nfc_hw_ecc_write_page_dma(). Add the sunxi_nfc_randomizer_config() to config randomizer. Fixes: 4be4e03efc7f ("mtd: nand: sunxi: add randomizer support") Cc: stable(a)vger.kernel.org # v4.6 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/mtd/nand/raw/sunxi_nand.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c index 9179719f639e..162cd5f4f234 100644 --- a/drivers/mtd/nand/raw/sunxi_nand.c +++ b/drivers/mtd/nand/raw/sunxi_nand.c @@ -1050,6 +1050,7 @@ static int sunxi_nfc_hw_ecc_write_chunk(struct nand_chip *nand, if (ret) return ret; + sunxi_nfc_randomizer_config(nand, page, false); sunxi_nfc_randomizer_enable(nand); sunxi_nfc_hw_ecc_set_prot_oob_bytes(nand, oob, 0, bbm, page); -- 2.42.0.windows.2

5 months, 3 weeks

2
2
0 0

[PATCH] bus: fsl-mc: Fix an API misuse in fsl_mc_device_add()

by Haoxiang Li

In fsl_mc_device_add(), use put_device() to give up the device reference instead of kfree(). Fixes: bbf9d17d9875 ("staging: fsl-mc: Freescale Management Complex (fsl-mc) bus driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/bus/fsl-mc/fsl-mc-bus.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c index a8be8cf246fb..dfd79ecf65b6 100644 --- a/drivers/bus/fsl-mc/fsl-mc-bus.c +++ b/drivers/bus/fsl-mc/fsl-mc-bus.c @@ -905,9 +905,7 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc, return 0; error_cleanup_dev: - kfree(mc_dev->regions); - kfree(mc_bus); - kfree(mc_dev); + put_device(&mc_dev->dev); return error; } -- 2.25.1

5 months, 3 weeks

2
1
0 0

[PATCH] mac80211: Add null pointer check for ieee80211_link_get_chanctx()

by Wentao Liang

The function ieee80211_chsw_switch_vifs() calls the function ieee80211_link_get_chanctx(), but does not check its return value. The return value is a null pointer if the ieee80211_link_get_chanctx() fails. This will lead to a null pointer dereference in the following code "&old_ctx->conf". A proper implementation can be found in ieee80211_link_use_reserved_assign(). Add a null pointer check and goto error handling path if the function fails. Fixes: 5d52ee811019 ("mac80211: allow reservation of a running chanctx") Cc: stable(a)vger.kernel.org # v3.16 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- net/mac80211/chan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index a442cb667520..9e6235001e0a 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -1503,6 +1503,10 @@ static int ieee80211_chsw_switch_vifs(struct ieee80211_local *local, continue; old_ctx = ieee80211_link_get_chanctx(link); + if (WARN_ON(old_ctx)) { + err = -EINVAL; + goto out; + } vif_chsw[i].vif = &link->sdata->vif; vif_chsw[i].old_ctx = &old_ctx->conf; vif_chsw[i].new_ctx = &ctx->conf; -- 2.42.0.windows.2

5 months, 3 weeks

2
1
0 0

IPC drop down on AMD epyc 7702P

by Jean-Baptiste Roquefere

Hi, We (Ateme, a video encoding company) may have found an unwanted behavior in the scheduler since 5.10 (commit 16b0a7a1a0af), then 5.16 (commit c5b0a7eefc70), then 5.19 (commit not found yet), then maybe some other commits from 5.19 to 6.12, with a consequence of IPC decrease. Problem still appears on lasts 6.12, 6.13 and 6.14 We have reverted both 16b0a7a1a0af and c5b0a7eefc70 commits that reduce our performances (see fair.patch attached, applicable on 6.12.17). Performances increase but still doesnt reach our reference on 5.4.152. Instead of trying to find every single commits from 5.18 to 6.12 that could decrease our performance, I chosed to bench 5.4.152 versus 6.12.17 with and without fair.patch. The problem appeared clear : a lot of CPU migrations go out of CCX, then L3 miss, then IPC decrease. Context of our bench: video decoder which work at a regulated speed, 1 process, 21 main threads, everyone of them creates 10 threads, 8 of them have a fine granularity, meaning they go to sleep quite often, giving the scheduler a lot of opportunities to act). Hardware is an AMD Epyc 7702P, 128 cores, grouped by shared LLC 4 cores +4 hyperthreaded cores. NUMA topology is set by the BIOS to 1 node per socket. Every pthread are created with default attributes. I use AMDuProf (-C -A system -a -m ipc,l1,l2,l3,memory) for CPU Utilization (%), CPU effective freq, IPC, L2 access (pti), L2 miss (pti), L3 miss (absolute) and Mem (GB/s, and perf (stat -d -d -d -a) for Context switches, CPU migrations and Real time (s). We noted that upgrade 5.4.152 to 6.12.17 without any special preempt configuration : Two fold increase in CPU migration 30% memory bandwidth increase 20% L3 cache misses increase 10% IPC decrease With the attached fair.patch applied to 6.12.17 (reminder : this patch reverts one commit appeared in 5.10 and another in 5.16) we managed to reduce CPU migrations and increase IPC but not as much as we had on 5.4.152. Our goal is to keep kernel "clean" without any patch (we don't want to apply and maintain fair.patch) then for the rest of my email we will consider stock kernel 6.12.17. I've reduced the "sub threads count" to stays below 128 threads. Then still 21 main threads and instead of 10 worker per main thread I set 5 workers (4 of them with fine granularity) giving 105 pthreads -> everything goes fine in 6.12.17, no extra CPU migration, no extra memory bandwidth... But as soon as we increase worker threads count (10 instead of 5) the problem appears. We know our decoder may have too many threads but that's out of our scope, it has been designed like that some years ago and moving from "lot of small threads to few of big thread" is for now not possible. We have a work around : we group threads using pthread affinities. Every main thread (and by inheritance of affinities every worker threads) on a single CCX so we reduce the L3 miss for them, then decrease memory bandwidth, then finally increasing IPC. With that solution, we go above our original performances, for both kernels, and they perform at the same level. However, it is impractical to productize as such. I've tried many kernel build configurations (CONFIG_PREMPT_*, CONFIG_SCHEDULER_*, tuning of fair.c:sysctl_sched_migration_cost) on 6.12.17, 6.12.21 (longterm), 6.13.9 (mainline), and 6.14.0 Nothing changes. Q: Is there anyway to tune the kernel so we can get our performance back without using the pthread affinities work around ? Feel free to ask an archive containing binaries and payload. I first posted on https://bugzilla.kernel.org/show_bug.cgi?id=220000 but one told me the best way to get answers where these mailing lists Regards, Jean-Baptiste Roquefere, Ateme Attached bench.tar.gz : * bench/fair.patch * bench/bench.ods with 2 sheets : - regulated : decoder speed is regulated to keep real time constant - no regul : decoder speed is not regulated and uses from 1 to 76 main threads with 10 worker per main thread * bench/regulated.csv : bench.ods:regulated exported in csv format * bench/not-regulated : bench.ods:no regul exported in csv format

5 months, 3 weeks

5
15
0 0

[PATCH v3 1/2] iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]

by Fabio Estevam

From: Fabio Estevam <festevam(a)denx.de> Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"), booting a board populated with a MAX11601 results in a flood of warnings: max1363 1-0064: available_scan_mask 8 subset of 0. Never used max1363 1-0064: available_scan_mask 9 subset of 0. Never used max1363 1-0064: available_scan_mask 10 subset of 0. Never used max1363 1-0064: available_scan_mask 11 subset of 0. Never used max1363 1-0064: available_scan_mask 12 subset of 0. Never used max1363 1-0064: available_scan_mask 13 subset of 0. Never used ... These warnings are caused by incorrect offsets used for differential channels in the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros. The max1363_mode_table[] defines the differential channel mappings as follows: MAX1363_MODE_DIFF_SINGLE(0, 1, 1 << 12), MAX1363_MODE_DIFF_SINGLE(2, 3, 1 << 13), MAX1363_MODE_DIFF_SINGLE(4, 5, 1 << 14), MAX1363_MODE_DIFF_SINGLE(6, 7, 1 << 15), MAX1363_MODE_DIFF_SINGLE(8, 9, 1 << 16), MAX1363_MODE_DIFF_SINGLE(10, 11, 1 << 17), MAX1363_MODE_DIFF_SINGLE(1, 0, 1 << 18), MAX1363_MODE_DIFF_SINGLE(3, 2, 1 << 19), MAX1363_MODE_DIFF_SINGLE(5, 4, 1 << 20), MAX1363_MODE_DIFF_SINGLE(7, 6, 1 << 21), MAX1363_MODE_DIFF_SINGLE(9, 8, 1 << 22), MAX1363_MODE_DIFF_SINGLE(11, 10, 1 << 23), Update the macros to follow this same pattern, ensuring that the scan masks are valid and preventing the warnings. Cc: <stable(a)vger.kernel.org> #6.12 Suggested-by: Jonathan Cameron <jic23(a)kernel.org> Signed-off-by: Fabio Estevam <festevam(a)denx.de> --- Changes since v2: - Removed incorrect Fixes: tag (Matti) Changes since v1: - Fix the problem by changing the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros. (Jonathan) drivers/iio/adc/max1363.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/drivers/iio/adc/max1363.c b/drivers/iio/adc/max1363.c index a7e9912fb44a..bc44b4604ef4 100644 --- a/drivers/iio/adc/max1363.c +++ b/drivers/iio/adc/max1363.c @@ -511,10 +511,10 @@ static const struct iio_event_spec max1363_events[] = { MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec), \ MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec), \ MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec), \ IIO_CHAN_SOFT_TIMESTAMP(8) \ } @@ -609,14 +609,14 @@ static const enum max1363_modes max11608_mode_list[] = { MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0), \ MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0), \ MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0), \ - MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0), \ - MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0), \ - MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0), \ - MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0), \ - MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0), \ - MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0), \ - MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0), \ - MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0), \ + MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0), \ + MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0), \ + MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0), \ + MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0), \ + MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0), \ + MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0), \ + MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0), \ + MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0), \ IIO_CHAN_SOFT_TIMESTAMP(16) \ } static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8); -- 2.34.1

5 months, 3 weeks

3
3
0 0

iommu crash when boot kernel 5.15.179 on DELL R7715/AMD 9015

by Wang Yugui

Hi, iommu crash when kernel 5.15.179 boot on DELL R7715/AMD 9015. but kernel 6.1.133/6.6.86 boot well. It is the first time to boot kernel 5.15.y on DELL R7715/AMD 9015, so yet no more info about other 5.15.y kernel version. It seems iommu related, but seems no relationship to 5.15.181 iommu-amd-return-an-error-if-vcpu-affinity-is-set-fo.patch 5.15.182 iommu-amd-fix-potential-buffer-overflow-in-parse_ivrs_acpihid.patch dmesg output: [ 4.658313] Trying to unpack rootfs image as initramfs... [ 4.663349] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 4.664346] #PF: supervisor read access in kernel mode [ 4.664346] #PF: error_code(0x0000) - not-present page [ 4.664346] PGD 0 [ 4.664346] Oops: 0000 [#1] SMP NOPTI [ 4.664346] CPU: 8 PID: 1 Comm: swapper/0 Not tainted 5.15.179-1.el9.x86_64 #1 [ 4.664346] Hardware name: Dell Inc. PowerEdge R7715/0KRFPX, BIOS 1.1.2 02/20/2025 [ 4.664346] RIP: 0010:sysfs_add_link_to_group+0x12/0x60 [ 4.664346] Code: cb ff ff 48 89 ef 5d 41 5c e9 ca b4 ff ff 5d 41 5c c3 cc cc cc cc 66 90 0f 1f 44 00 00 41 55 49 89 cd 41 54 49 89 d4 31 d2 55 <48> 8b 7f 30 e8 a5 b2 ff ff 48 85 c0 74 29 48 89 c5 4c 89 e6 48 89 [ 4.664346] RSP: 0018:ff3f20b800047c28 EFLAGS: 00010246 [ 4.664346] RAX: 0000000000000001 RBX: ff25a0fc800530a8 RCX: ff25a0fc82cdb410 [ 4.664346] RDX: 0000000000000000 RSI: ffffffff904726e7 RDI: 0000000000000000 [ 4.664346] RBP: ff25a0fc801320d0 R08: ff3f20b800047d00 R09: ff3f20b800047d00 [ 4.664346] R10: 0720072007200720 R11: 0720072007200720 R12: ff25a0fc801320d0 [ 4.664346] R13: ff25a0fc82cdb410 R14: ff3f20b800047d00 R15: 0000000000000000 [ 4.664346] FS: 0000000000000000(0000) GS:ff25a10c1d400000(0000) knlGS:0000000000000000 [ 4.664346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4.664346] CR2: 0000000000000030 CR3: 0000001036a10001 CR4: 0000000000771ee0 [ 4.664346] PKRU: 55555554 [ 4.664346] Call Trace: [ 4.664346] <TASK> [ 4.664346] ? show_trace_log_lvl+0x1c1/0x2d9 [ 4.664346] ? show_trace_log_lvl+0x1c1/0x2d9 [ 4.664346] ? iommu_device_link+0x3f/0xb0 [ 4.664346] ? __die_body.cold+0x8/0xd [ 4.664346] ? page_fault_oops+0xac/0x140 [ 4.664346] ? exc_page_fault+0x62/0x130 [ 4.664346] ? asm_exc_page_fault+0x22/0x30 [ 4.664346] ? sysfs_add_link_to_group+0x12/0x60 [ 4.664346] iommu_device_link+0x3f/0xb0 [ 4.664346] __iommu_probe_device+0x188/0x260 [ 4.664346] ? __iommu_probe_device+0x260/0x260 [ 4.664346] probe_iommu_group+0x31/0x40 [ 4.664346] bus_for_each_dev+0x75/0xc0 [ 4.664346] bus_iommu_probe+0x48/0x2c0 [ 4.664346] ? kmem_cache_alloc_trace+0x165/0x290 [ 4.664346] ? __cond_resched+0x16/0x50 [ 4.664346] bus_set_iommu+0x8c/0xe0 [ 4.664346] amd_iommu_init_api+0x18/0x34 [ 4.664346] amd_iommu_init_pci+0x56/0x21c [ 4.664346] ? e820__memblock_setup+0x7d/0x7d [ 4.664346] state_next+0x19a/0x2d4 [ 4.664346] ? blake2s_update+0x48/0xc0 [ 4.664346] ? e820__memblock_setup+0x7d/0x7d [ 4.664346] iommu_go_to_state+0x24/0x2c [ 4.664346] amd_iommu_init+0xf/0x29 [ 4.664346] pci_iommu_init+0x16/0x43 [ 4.664346] do_one_initcall+0x41/0x1d0 [ 4.664346] do_initcalls+0xc6/0xdf [ 4.664346] kernel_init_freeable+0x14e/0x19d [ 4.664346] ? rest_init+0xc0/0xc0 [ 4.664346] kernel_init+0x16/0x130 [ 4.664346] ret_from_fork+0x1f/0x30 [ 4.664346] </TASK> [ 4.664346] Modules linked in: [ 4.664346] CR2: 0000000000000030 [ 4.664346] ---[ end trace 9672514da279163d ]--- [ 4.664346] RIP: 0010:sysfs_add_link_to_group+0x12/0x60 [ 4.664346] Code: cb ff ff 48 89 ef 5d 41 5c e9 ca b4 ff ff 5d 41 5c c3 cc cc cc cc 66 90 0f 1f 44 00 00 41 55 49 89 cd 41 54 49 89 d4 31 d2 55 <48> 8b 7f 30 e8 a5 b2 ff ff 48 85 c0 74 29 48 89 c5 4c 89 e6 48 89 [ 4.664346] RSP: 0018:ff3f20b800047c28 EFLAGS: 00010246 [ 4.664346] RAX: 0000000000000001 RBX: ff25a0fc800530a8 RCX: ff25a0fc82cdb410 [ 4.664346] RDX: 0000000000000000 RSI: ffffffff904726e7 RDI: 0000000000000000 [ 4.664346] RBP: ff25a0fc801320d0 R08: ff3f20b800047d00 R09: ff3f20b800047d00 [ 4.664346] R10: 0720072007200720 R11: 0720072007200720 R12: ff25a0fc801320d0 [ 4.664346] R13: ff25a0fc82cdb410 R14: ff3f20b800047d00 R15: 0000000000000000 [ 4.664346] FS: 0000000000000000(0000) GS:ff25a10c1d400000(0000) knlGS:0000000000000000 [ 4.664346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4.664346] CR2: 0000000000000030 CR3: 0000001036a10001 CR4: 0000000000771ee0 [ 4.664346] PKRU: 55555554 [ 4.664346] Kernel panic - not syncing: Fatal exception [ 4.664346] Rebooting in 15 seconds.. Best Regards Wang Yugui (wangyugui(a)e16-tech.com) 2025/05/18

5 months, 3 weeks

2
2
0 0

[PATCH] x86/pmem: Fix a null pointer dereference in register_e820_pmem()

by Haoxiang Li

Add check for the return value of platform_device_alloc() to prevent null pointer dereference. Fixes: 7a67832c7e44 ("libnvdimm, e820: make CONFIG_X86_PMEM_LEGACY a tristate option") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- arch/x86/kernel/pmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/kernel/pmem.c b/arch/x86/kernel/pmem.c index 23154d24b117..04fb221716ff 100644 --- a/arch/x86/kernel/pmem.c +++ b/arch/x86/kernel/pmem.c @@ -27,6 +27,8 @@ static __init int register_e820_pmem(void) * simply here to trigger the module to load on demand. */ pdev = platform_device_alloc("e820_pmem", -1); + if (!pdev) + return -ENOMEM; rc = platform_device_add(pdev); if (rc) -- 2.25.1

5 months, 3 weeks

1
0
0 0

[PATCH] rust: compile libcore with edition 2024 for 1.87+

by Gary Guo

Rust 1.87 (released on 2025-05-15) compiles core library with edition 2024 instead of 2021 [1]. Ensure that the edition matches libcore's expectation to avoid potential breakage. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Link: https://github.com/rust-lang/rust/pull/138162 [1] Closes: https://github.com/Rust-for-Linux/linux/issues/1163 Signed-off-by: Gary Guo <gary(a)garyguo.net> --- rust/Makefile | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/rust/Makefile b/rust/Makefile index 3aca903a7d08..9e7f1ec06181 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -60,6 +60,12 @@ endif core-cfgs = \ --cfg no_fp_fmt_parse +ifeq ($(call rustc-min-version,108700),y) +core-cfgs += --edition=2024 +else +core-cfgs += --edition=2021 +endif + # `rustc` recognizes `--remap-path-prefix` since 1.26.0, but `rustdoc` only # since Rust 1.81.0. Moreover, `rustdoc` ICEs on out-of-tree builds since Rust # 1.82.0 (https://github.com/rust-lang/rust/issues/138520). Thus workaround both @@ -106,7 +112,7 @@ rustdoc-macros: $(src)/macros/lib.rs FORCE # Starting with Rust 1.82.0, skipping `-Wrustdoc::unescaped_backticks` should # not be needed -- see https://github.com/rust-lang/rust/pull/128307. -rustdoc-core: private skip_flags = -Wrustdoc::unescaped_backticks +rustdoc-core: private skip_flags = -Wrustdoc::unescaped_backticks --edition=2021 rustdoc-core: private rustc_target_flags = $(core-cfgs) rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs FORCE +$(call if_changed,rustdoc) @@ -416,7 +422,7 @@ quiet_cmd_rustc_library = $(if $(skip_clippy),RUSTC,$(RUSTC_OR_CLIPPY_QUIET)) L cmd_rustc_library = \ OBJTREE=$(abspath $(objtree)) \ $(if $(skip_clippy),$(RUSTC),$(RUSTC_OR_CLIPPY)) \ - $(filter-out $(skip_flags),$(rust_flags) $(rustc_target_flags)) \ + $(filter-out $(skip_flags),$(rust_flags)) $(rustc_target_flags) \ --emit=dep-info=$(depfile) --emit=obj=$@ \ --emit=metadata=$(dir $@)$(patsubst %.o,lib%.rmeta,$(notdir $@)) \ --crate-type rlib -L$(objtree)/$(obj) \ @@ -483,7 +489,7 @@ $(obj)/helpers/helpers.o: $(src)/helpers/helpers.c $(recordmcount_source) FORCE $(obj)/exports.o: private skip_gendwarfksyms = 1 $(obj)/core.o: private skip_clippy = 1 -$(obj)/core.o: private skip_flags = -Wunreachable_pub +$(obj)/core.o: private skip_flags = -Wunreachable_pub --edition=2021 $(obj)/core.o: private rustc_objcopy = $(foreach sym,$(redirect-intrinsics),--redefine-sym $(sym)=__rust$(sym)) $(obj)/core.o: private rustc_target_flags = $(core-cfgs) $(obj)/core.o: $(RUST_LIB_SRC)/core/src/lib.rs \ base-commit: 172a9d94339cea832d89630b89d314e41d622bd8 -- 2.47.2

5 months, 3 weeks

3
3
0 0

[PATCH v2 1/2] iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]

by Fabio Estevam

From: Fabio Estevam <festevam(a)denx.de> Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"), booting a board populated with a MAX11601 results in a flood of warnings: max1363 1-0064: available_scan_mask 8 subset of 0. Never used max1363 1-0064: available_scan_mask 9 subset of 0. Never used max1363 1-0064: available_scan_mask 10 subset of 0. Never used max1363 1-0064: available_scan_mask 11 subset of 0. Never used max1363 1-0064: available_scan_mask 12 subset of 0. Never used max1363 1-0064: available_scan_mask 13 subset of 0. Never used ... These warnings are caused by incorrect offsets used for differential channels in the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros. The max1363_mode_table[] defines the differential channel mappings as follows: MAX1363_MODE_DIFF_SINGLE(0, 1, 1 << 12), MAX1363_MODE_DIFF_SINGLE(2, 3, 1 << 13), MAX1363_MODE_DIFF_SINGLE(4, 5, 1 << 14), MAX1363_MODE_DIFF_SINGLE(6, 7, 1 << 15), MAX1363_MODE_DIFF_SINGLE(8, 9, 1 << 16), MAX1363_MODE_DIFF_SINGLE(10, 11, 1 << 17), MAX1363_MODE_DIFF_SINGLE(1, 0, 1 << 18), MAX1363_MODE_DIFF_SINGLE(3, 2, 1 << 19), MAX1363_MODE_DIFF_SINGLE(5, 4, 1 << 20), MAX1363_MODE_DIFF_SINGLE(7, 6, 1 << 21), MAX1363_MODE_DIFF_SINGLE(9, 8, 1 << 22), MAX1363_MODE_DIFF_SINGLE(11, 10, 1 << 23), Update the macros to follow this same pattern, ensuring that the scan masks are valid and preventing the warnings. Cc: stable(a)vger.kernel.org Fixes: 2718f15403fb ("iio: sanity check available_scan_masks array") Suggested-by: Jonathan Cameron <jic23(a)kernel.org> Signed-off-by: Fabio Estevam <festevam(a)denx.de> --- Changes since v1: - Fix the problem by changing the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros. (Jonathan) drivers/iio/adc/max1363.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/drivers/iio/adc/max1363.c b/drivers/iio/adc/max1363.c index a7e9912fb44a..bc44b4604ef4 100644 --- a/drivers/iio/adc/max1363.c +++ b/drivers/iio/adc/max1363.c @@ -511,10 +511,10 @@ static const struct iio_event_spec max1363_events[] = { MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec), \ MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec), \ MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec), \ - MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec), \ IIO_CHAN_SOFT_TIMESTAMP(8) \ } @@ -609,14 +609,14 @@ static const enum max1363_modes max11608_mode_list[] = { MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0), \ MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0), \ MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0), \ - MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0), \ - MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0), \ - MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0), \ - MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0), \ - MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0), \ - MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0), \ - MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0), \ - MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0), \ + MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0), \ + MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0), \ + MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0), \ + MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0), \ + MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0), \ + MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0), \ + MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0), \ + MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0), \ IIO_CHAN_SOFT_TIMESTAMP(16) \ } static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8); -- 2.34.1

5 months, 3 weeks

3
6
0 0

FAILED: patch "[PATCH] mmc: sdhci-of-dwcmshc: add PD workaround on RK3576" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 08f959759e1e6e9c4b898c51a7d387ac3480630b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052516-factsheet-coagulant-3fb0@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 08f959759e1e6e9c4b898c51a7d387ac3480630b Mon Sep 17 00:00:00 2001 From: Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> Date: Wed, 23 Apr 2025 09:53:32 +0200 Subject: [PATCH] mmc: sdhci-of-dwcmshc: add PD workaround on RK3576 RK3576's power domains have a peculiar design where the PD_NVM power domain, of which the sdhci controller is a part, seemingly does not have idempotent runtime disable/enable. The end effect is that if PD_NVM gets turned off by the generic power domain logic because all the devices depending on it are suspended, then the next time the sdhci device is unsuspended, it'll hang the SoC as soon as it tries accessing the CQHCI registers. RK3576's UFS support needed a new dev_pm_genpd_rpm_always_on function added to the generic power domains API to handle what appears to be a similar hardware design. Use this new function to ask for the same treatment in the sdhci controller by giving rk3576 its own platform data with its own postinit function. The benefit of doing this instead of marking the power domains always on in the power domain core is that we only do this if we know the platform we're running on actually uses the sdhci controller. For others, keeping PD_NVM always on would be a waste, as they won't run into this specific issue. The only other IP in PD_NVM that could be affected is FSPI0. If it gets a mainline driver, it will probably want to do the same thing. Acked-by: Adrian Hunter <adrian.hunter(a)intel.com> Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> Reviewed-by: Shawn Lin <shawn.lin(a)rock-chips.com> Fixes: cfee1b507758 ("pmdomain: rockchip: Add support for RK3576 SoC") Cc: <stable(a)vger.kernel.org> # v6.15+ Link: https://lore.kernel.org/r/20250423-rk3576-emmc-fix-v3-1-0bf80e29967f@collab… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/sdhci-of-dwcmshc.c b/drivers/mmc/host/sdhci-of-dwcmshc.c index 09b9ab15e499..a20d03fdd6a9 100644 --- a/drivers/mmc/host/sdhci-of-dwcmshc.c +++ b/drivers/mmc/host/sdhci-of-dwcmshc.c @@ -17,6 +17,7 @@ #include <linux/module.h> #include <linux/of.h> #include <linux/platform_device.h> +#include <linux/pm_domain.h> #include <linux/pm_runtime.h> #include <linux/reset.h> #include <linux/sizes.h> @@ -745,6 +746,29 @@ static void dwcmshc_rk35xx_postinit(struct sdhci_host *host, struct dwcmshc_priv } } +static void dwcmshc_rk3576_postinit(struct sdhci_host *host, struct dwcmshc_priv *dwc_priv) +{ + struct device *dev = mmc_dev(host->mmc); + int ret; + + /* + * This works around the design of the RK3576's power domains, which + * makes the PD_NVM power domain, which the sdhci controller on the + * RK3576 is in, never come back the same way once it's run-time + * suspended once. This can happen during early kernel boot if no driver + * is using either PD_NVM or its child power domain PD_SDGMAC for a + * short moment, leading to it being turned off to save power. By + * keeping it on, sdhci suspending won't lead to PD_NVM becoming a + * candidate for getting turned off. + */ + ret = dev_pm_genpd_rpm_always_on(dev, true); + if (ret && ret != -EOPNOTSUPP) + dev_warn(dev, "failed to set PD rpm always on, SoC may hang later: %pe\n", + ERR_PTR(ret)); + + dwcmshc_rk35xx_postinit(host, dwc_priv); +} + static int th1520_execute_tuning(struct sdhci_host *host, u32 opcode) { struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); @@ -1176,6 +1200,18 @@ static const struct dwcmshc_pltfm_data sdhci_dwcmshc_rk35xx_pdata = { .postinit = dwcmshc_rk35xx_postinit, }; +static const struct dwcmshc_pltfm_data sdhci_dwcmshc_rk3576_pdata = { + .pdata = { + .ops = &sdhci_dwcmshc_rk35xx_ops, + .quirks = SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN | + SDHCI_QUIRK_BROKEN_TIMEOUT_VAL, + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | + SDHCI_QUIRK2_CLOCK_DIV_ZERO_BROKEN, + }, + .init = dwcmshc_rk35xx_init, + .postinit = dwcmshc_rk3576_postinit, +}; + static const struct dwcmshc_pltfm_data sdhci_dwcmshc_th1520_pdata = { .pdata = { .ops = &sdhci_dwcmshc_th1520_ops, @@ -1274,6 +1310,10 @@ static const struct of_device_id sdhci_dwcmshc_dt_ids[] = { .compatible = "rockchip,rk3588-dwcmshc", .data = &sdhci_dwcmshc_rk35xx_pdata, }, + { + .compatible = "rockchip,rk3576-dwcmshc", + .data = &sdhci_dwcmshc_rk3576_pdata, + }, { .compatible = "rockchip,rk3568-dwcmshc", .data = &sdhci_dwcmshc_rk35xx_pdata,

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mmc: sdhci-of-dwcmshc: add PD workaround on RK3576" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 08f959759e1e6e9c4b898c51a7d387ac3480630b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052515-headdress-overcome-c741@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 08f959759e1e6e9c4b898c51a7d387ac3480630b Mon Sep 17 00:00:00 2001 From: Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> Date: Wed, 23 Apr 2025 09:53:32 +0200 Subject: [PATCH] mmc: sdhci-of-dwcmshc: add PD workaround on RK3576 RK3576's power domains have a peculiar design where the PD_NVM power domain, of which the sdhci controller is a part, seemingly does not have idempotent runtime disable/enable. The end effect is that if PD_NVM gets turned off by the generic power domain logic because all the devices depending on it are suspended, then the next time the sdhci device is unsuspended, it'll hang the SoC as soon as it tries accessing the CQHCI registers. RK3576's UFS support needed a new dev_pm_genpd_rpm_always_on function added to the generic power domains API to handle what appears to be a similar hardware design. Use this new function to ask for the same treatment in the sdhci controller by giving rk3576 its own platform data with its own postinit function. The benefit of doing this instead of marking the power domains always on in the power domain core is that we only do this if we know the platform we're running on actually uses the sdhci controller. For others, keeping PD_NVM always on would be a waste, as they won't run into this specific issue. The only other IP in PD_NVM that could be affected is FSPI0. If it gets a mainline driver, it will probably want to do the same thing. Acked-by: Adrian Hunter <adrian.hunter(a)intel.com> Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> Reviewed-by: Shawn Lin <shawn.lin(a)rock-chips.com> Fixes: cfee1b507758 ("pmdomain: rockchip: Add support for RK3576 SoC") Cc: <stable(a)vger.kernel.org> # v6.15+ Link: https://lore.kernel.org/r/20250423-rk3576-emmc-fix-v3-1-0bf80e29967f@collab… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/sdhci-of-dwcmshc.c b/drivers/mmc/host/sdhci-of-dwcmshc.c index 09b9ab15e499..a20d03fdd6a9 100644 --- a/drivers/mmc/host/sdhci-of-dwcmshc.c +++ b/drivers/mmc/host/sdhci-of-dwcmshc.c @@ -17,6 +17,7 @@ #include <linux/module.h> #include <linux/of.h> #include <linux/platform_device.h> +#include <linux/pm_domain.h> #include <linux/pm_runtime.h> #include <linux/reset.h> #include <linux/sizes.h> @@ -745,6 +746,29 @@ static void dwcmshc_rk35xx_postinit(struct sdhci_host *host, struct dwcmshc_priv } } +static void dwcmshc_rk3576_postinit(struct sdhci_host *host, struct dwcmshc_priv *dwc_priv) +{ + struct device *dev = mmc_dev(host->mmc); + int ret; + + /* + * This works around the design of the RK3576's power domains, which + * makes the PD_NVM power domain, which the sdhci controller on the + * RK3576 is in, never come back the same way once it's run-time + * suspended once. This can happen during early kernel boot if no driver + * is using either PD_NVM or its child power domain PD_SDGMAC for a + * short moment, leading to it being turned off to save power. By + * keeping it on, sdhci suspending won't lead to PD_NVM becoming a + * candidate for getting turned off. + */ + ret = dev_pm_genpd_rpm_always_on(dev, true); + if (ret && ret != -EOPNOTSUPP) + dev_warn(dev, "failed to set PD rpm always on, SoC may hang later: %pe\n", + ERR_PTR(ret)); + + dwcmshc_rk35xx_postinit(host, dwc_priv); +} + static int th1520_execute_tuning(struct sdhci_host *host, u32 opcode) { struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); @@ -1176,6 +1200,18 @@ static const struct dwcmshc_pltfm_data sdhci_dwcmshc_rk35xx_pdata = { .postinit = dwcmshc_rk35xx_postinit, }; +static const struct dwcmshc_pltfm_data sdhci_dwcmshc_rk3576_pdata = { + .pdata = { + .ops = &sdhci_dwcmshc_rk35xx_ops, + .quirks = SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN | + SDHCI_QUIRK_BROKEN_TIMEOUT_VAL, + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | + SDHCI_QUIRK2_CLOCK_DIV_ZERO_BROKEN, + }, + .init = dwcmshc_rk35xx_init, + .postinit = dwcmshc_rk3576_postinit, +}; + static const struct dwcmshc_pltfm_data sdhci_dwcmshc_th1520_pdata = { .pdata = { .ops = &sdhci_dwcmshc_th1520_ops, @@ -1274,6 +1310,10 @@ static const struct of_device_id sdhci_dwcmshc_dt_ids[] = { .compatible = "rockchip,rk3588-dwcmshc", .data = &sdhci_dwcmshc_rk35xx_pdata, }, + { + .compatible = "rockchip,rk3576-dwcmshc", + .data = &sdhci_dwcmshc_rk3576_pdata, + }, { .compatible = "rockchip,rk3568-dwcmshc", .data = &sdhci_dwcmshc_rk35xx_pdata,

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] Input: synaptics-rmi - fix crash with unsupported versions of" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052509-resisting-guise-ad21@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Date: Mon, 5 May 2025 15:49:59 -0700 Subject: [PATCH] Input: synaptics-rmi - fix crash with unsupported versions of F34 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sysfs interface for updating firmware for RMI devices is available even when F34 probe fails. The code checks for presence of F34 "container" pointer and then tries to use the function data attached to the sub-device. F34 assigns the function data early, before it knows if probe will succeed, leaving behind a stale pointer. Fix this by expanding checks to not only test for presence of F34 "container" but also check if there is driver data assigned to the sub-device, and call dev_set_drvdata() only after we are certain that probe is successful. This is not a complete fix, since F34 will be freed during firmware update, so there is still a race when fetching and accessing this pointer. This race will be addressed in follow-up changes. Reported-by: Hanno Böck <hanno(a)hboeck.de> Fixes: 29fd0ec2bdbe ("Input: synaptics-rmi4 - add support for F34 device reflash") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBlAl6sGulam-Qcx@google.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c index d760af4cc12e..f1947f03b06a 100644 --- a/drivers/input/rmi4/rmi_f34.c +++ b/drivers/input/rmi4/rmi_f34.c @@ -4,6 +4,7 @@ * Copyright (C) 2016 Zodiac Inflight Innovations */ +#include "linux/device.h" #include <linux/kernel.h> #include <linux/rmi.h> #include <linux/firmware.h> @@ -289,39 +290,30 @@ static int rmi_f34_update_firmware(struct f34_data *f34, return rmi_f34_flash_firmware(f34, syn_fw); } -static int rmi_f34_status(struct rmi_function *fn) -{ - struct f34_data *f34 = dev_get_drvdata(&fn->dev); - - /* - * The status is the percentage complete, or once complete, - * zero for success or a negative return code. - */ - return f34->update_status; -} - static ssize_t rmi_driver_bootloader_id_show(struct device *dev, struct device_attribute *dattr, char *buf) { struct rmi_driver_data *data = dev_get_drvdata(dev); - struct rmi_function *fn = data->f34_container; + struct rmi_function *fn; struct f34_data *f34; - if (fn) { - f34 = dev_get_drvdata(&fn->dev); + fn = data->f34_container; + if (!fn) + return -ENODEV; - if (f34->bl_version == 5) - return sysfs_emit(buf, "%c%c\n", - f34->bootloader_id[0], - f34->bootloader_id[1]); - else - return sysfs_emit(buf, "V%d.%d\n", - f34->bootloader_id[1], - f34->bootloader_id[0]); - } + f34 = dev_get_drvdata(&fn->dev); + if (!f34) + return -ENODEV; - return 0; + if (f34->bl_version == 5) + return sysfs_emit(buf, "%c%c\n", + f34->bootloader_id[0], + f34->bootloader_id[1]); + else + return sysfs_emit(buf, "V%d.%d\n", + f34->bootloader_id[1], + f34->bootloader_id[0]); } static DEVICE_ATTR(bootloader_id, 0444, rmi_driver_bootloader_id_show, NULL); @@ -334,13 +326,16 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev, struct rmi_function *fn = data->f34_container; struct f34_data *f34; - if (fn) { - f34 = dev_get_drvdata(&fn->dev); + fn = data->f34_container; + if (!fn) + return -ENODEV; - return sysfs_emit(buf, "%s\n", f34->configuration_id); - } + f34 = dev_get_drvdata(&fn->dev); + if (!f34) + return -ENODEV; - return 0; + + return sysfs_emit(buf, "%s\n", f34->configuration_id); } static DEVICE_ATTR(configuration_id, 0444, @@ -356,10 +351,14 @@ static int rmi_firmware_update(struct rmi_driver_data *data, if (!data->f34_container) { dev_warn(dev, "%s: No F34 present!\n", __func__); - return -EINVAL; + return -ENODEV; } f34 = dev_get_drvdata(&data->f34_container->dev); + if (!f34) { + dev_warn(dev, "%s: No valid F34 present!\n", __func__); + return -ENODEV; + } if (f34->bl_version >= 7) { if (data->pdt_props & HAS_BSR) { @@ -485,10 +484,18 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev, char *buf) { struct rmi_driver_data *data = dev_get_drvdata(dev); - int update_status = 0; + struct f34_data *f34; + int update_status = -ENODEV; - if (data->f34_container) - update_status = rmi_f34_status(data->f34_container); + /* + * The status is the percentage complete, or once complete, + * zero for success or a negative return code. + */ + if (data->f34_container) { + f34 = dev_get_drvdata(&data->f34_container->dev); + if (f34) + update_status = f34->update_status; + } return sysfs_emit(buf, "%d\n", update_status); } @@ -508,33 +515,21 @@ static const struct attribute_group rmi_firmware_attr_group = { .attrs = rmi_firmware_attrs, }; -static int rmi_f34_probe(struct rmi_function *fn) +static int rmi_f34v5_probe(struct f34_data *f34) { - struct f34_data *f34; - unsigned char f34_queries[9]; + struct rmi_function *fn = f34->fn; + u8 f34_queries[9]; bool has_config_id; - u8 version = fn->fd.function_version; - int ret; - - f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL); - if (!f34) - return -ENOMEM; - - f34->fn = fn; - dev_set_drvdata(&fn->dev, f34); - - /* v5 code only supported version 0, try V7 probe */ - if (version > 0) - return rmi_f34v7_probe(f34); + int error; f34->bl_version = 5; - ret = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr, - f34_queries, sizeof(f34_queries)); - if (ret) { + error = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr, + f34_queries, sizeof(f34_queries)); + if (error) { dev_err(&fn->dev, "%s: Failed to query properties\n", __func__); - return ret; + return error; } snprintf(f34->bootloader_id, sizeof(f34->bootloader_id), @@ -560,11 +555,11 @@ static int rmi_f34_probe(struct rmi_function *fn) f34->v5.config_blocks); if (has_config_id) { - ret = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr, - f34_queries, sizeof(f34_queries)); - if (ret) { + error = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr, + f34_queries, sizeof(f34_queries)); + if (error) { dev_err(&fn->dev, "Failed to read F34 config ID\n"); - return ret; + return error; } snprintf(f34->configuration_id, sizeof(f34->configuration_id), @@ -573,12 +568,34 @@ static int rmi_f34_probe(struct rmi_function *fn) f34_queries[2], f34_queries[3]); rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Configuration ID: %s\n", - f34->configuration_id); + f34->configuration_id); } return 0; } +static int rmi_f34_probe(struct rmi_function *fn) +{ + struct f34_data *f34; + u8 version = fn->fd.function_version; + int error; + + f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL); + if (!f34) + return -ENOMEM; + + f34->fn = fn; + + /* v5 code only supported version 0 */ + error = version == 0 ? rmi_f34v5_probe(f34) : rmi_f34v7_probe(f34); + if (error) + return error; + + dev_set_drvdata(&fn->dev, f34); + + return 0; +} + int rmi_f34_create_sysfs(struct rmi_device *rmi_dev) { return sysfs_create_group(&rmi_dev->dev.kobj, &rmi_firmware_attr_group);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] Input: synaptics-rmi - fix crash with unsupported versions of" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052509-groom-ogle-5cfa@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Date: Mon, 5 May 2025 15:49:59 -0700 Subject: [PATCH] Input: synaptics-rmi - fix crash with unsupported versions of F34 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sysfs interface for updating firmware for RMI devices is available even when F34 probe fails. The code checks for presence of F34 "container" pointer and then tries to use the function data attached to the sub-device. F34 assigns the function data early, before it knows if probe will succeed, leaving behind a stale pointer. Fix this by expanding checks to not only test for presence of F34 "container" but also check if there is driver data assigned to the sub-device, and call dev_set_drvdata() only after we are certain that probe is successful. This is not a complete fix, since F34 will be freed during firmware update, so there is still a race when fetching and accessing this pointer. This race will be addressed in follow-up changes. Reported-by: Hanno Böck <hanno(a)hboeck.de> Fixes: 29fd0ec2bdbe ("Input: synaptics-rmi4 - add support for F34 device reflash") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBlAl6sGulam-Qcx@google.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c index d760af4cc12e..f1947f03b06a 100644 --- a/drivers/input/rmi4/rmi_f34.c +++ b/drivers/input/rmi4/rmi_f34.c @@ -4,6 +4,7 @@ * Copyright (C) 2016 Zodiac Inflight Innovations */ +#include "linux/device.h" #include <linux/kernel.h> #include <linux/rmi.h> #include <linux/firmware.h> @@ -289,39 +290,30 @@ static int rmi_f34_update_firmware(struct f34_data *f34, return rmi_f34_flash_firmware(f34, syn_fw); } -static int rmi_f34_status(struct rmi_function *fn) -{ - struct f34_data *f34 = dev_get_drvdata(&fn->dev); - - /* - * The status is the percentage complete, or once complete, - * zero for success or a negative return code. - */ - return f34->update_status; -} - static ssize_t rmi_driver_bootloader_id_show(struct device *dev, struct device_attribute *dattr, char *buf) { struct rmi_driver_data *data = dev_get_drvdata(dev); - struct rmi_function *fn = data->f34_container; + struct rmi_function *fn; struct f34_data *f34; - if (fn) { - f34 = dev_get_drvdata(&fn->dev); + fn = data->f34_container; + if (!fn) + return -ENODEV; - if (f34->bl_version == 5) - return sysfs_emit(buf, "%c%c\n", - f34->bootloader_id[0], - f34->bootloader_id[1]); - else - return sysfs_emit(buf, "V%d.%d\n", - f34->bootloader_id[1], - f34->bootloader_id[0]); - } + f34 = dev_get_drvdata(&fn->dev); + if (!f34) + return -ENODEV; - return 0; + if (f34->bl_version == 5) + return sysfs_emit(buf, "%c%c\n", + f34->bootloader_id[0], + f34->bootloader_id[1]); + else + return sysfs_emit(buf, "V%d.%d\n", + f34->bootloader_id[1], + f34->bootloader_id[0]); } static DEVICE_ATTR(bootloader_id, 0444, rmi_driver_bootloader_id_show, NULL); @@ -334,13 +326,16 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev, struct rmi_function *fn = data->f34_container; struct f34_data *f34; - if (fn) { - f34 = dev_get_drvdata(&fn->dev); + fn = data->f34_container; + if (!fn) + return -ENODEV; - return sysfs_emit(buf, "%s\n", f34->configuration_id); - } + f34 = dev_get_drvdata(&fn->dev); + if (!f34) + return -ENODEV; - return 0; + + return sysfs_emit(buf, "%s\n", f34->configuration_id); } static DEVICE_ATTR(configuration_id, 0444, @@ -356,10 +351,14 @@ static int rmi_firmware_update(struct rmi_driver_data *data, if (!data->f34_container) { dev_warn(dev, "%s: No F34 present!\n", __func__); - return -EINVAL; + return -ENODEV; } f34 = dev_get_drvdata(&data->f34_container->dev); + if (!f34) { + dev_warn(dev, "%s: No valid F34 present!\n", __func__); + return -ENODEV; + } if (f34->bl_version >= 7) { if (data->pdt_props & HAS_BSR) { @@ -485,10 +484,18 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev, char *buf) { struct rmi_driver_data *data = dev_get_drvdata(dev); - int update_status = 0; + struct f34_data *f34; + int update_status = -ENODEV; - if (data->f34_container) - update_status = rmi_f34_status(data->f34_container); + /* + * The status is the percentage complete, or once complete, + * zero for success or a negative return code. + */ + if (data->f34_container) { + f34 = dev_get_drvdata(&data->f34_container->dev); + if (f34) + update_status = f34->update_status; + } return sysfs_emit(buf, "%d\n", update_status); } @@ -508,33 +515,21 @@ static const struct attribute_group rmi_firmware_attr_group = { .attrs = rmi_firmware_attrs, }; -static int rmi_f34_probe(struct rmi_function *fn) +static int rmi_f34v5_probe(struct f34_data *f34) { - struct f34_data *f34; - unsigned char f34_queries[9]; + struct rmi_function *fn = f34->fn; + u8 f34_queries[9]; bool has_config_id; - u8 version = fn->fd.function_version; - int ret; - - f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL); - if (!f34) - return -ENOMEM; - - f34->fn = fn; - dev_set_drvdata(&fn->dev, f34); - - /* v5 code only supported version 0, try V7 probe */ - if (version > 0) - return rmi_f34v7_probe(f34); + int error; f34->bl_version = 5; - ret = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr, - f34_queries, sizeof(f34_queries)); - if (ret) { + error = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr, + f34_queries, sizeof(f34_queries)); + if (error) { dev_err(&fn->dev, "%s: Failed to query properties\n", __func__); - return ret; + return error; } snprintf(f34->bootloader_id, sizeof(f34->bootloader_id), @@ -560,11 +555,11 @@ static int rmi_f34_probe(struct rmi_function *fn) f34->v5.config_blocks); if (has_config_id) { - ret = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr, - f34_queries, sizeof(f34_queries)); - if (ret) { + error = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr, + f34_queries, sizeof(f34_queries)); + if (error) { dev_err(&fn->dev, "Failed to read F34 config ID\n"); - return ret; + return error; } snprintf(f34->configuration_id, sizeof(f34->configuration_id), @@ -573,12 +568,34 @@ static int rmi_f34_probe(struct rmi_function *fn) f34_queries[2], f34_queries[3]); rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Configuration ID: %s\n", - f34->configuration_id); + f34->configuration_id); } return 0; } +static int rmi_f34_probe(struct rmi_function *fn) +{ + struct f34_data *f34; + u8 version = fn->fd.function_version; + int error; + + f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL); + if (!f34) + return -ENOMEM; + + f34->fn = fn; + + /* v5 code only supported version 0 */ + error = version == 0 ? rmi_f34v5_probe(f34) : rmi_f34v7_probe(f34); + if (error) + return error; + + dev_set_drvdata(&fn->dev, f34); + + return 0; +} + int rmi_f34_create_sysfs(struct rmi_device *rmi_dev) { return sysfs_create_group(&rmi_dev->dev.kobj, &rmi_firmware_attr_group);

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] Input: synaptics-rmi - fix crash with unsupported versions of" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052508-annuity-untapped-8fb8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Date: Mon, 5 May 2025 15:49:59 -0700 Subject: [PATCH] Input: synaptics-rmi - fix crash with unsupported versions of F34 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sysfs interface for updating firmware for RMI devices is available even when F34 probe fails. The code checks for presence of F34 "container" pointer and then tries to use the function data attached to the sub-device. F34 assigns the function data early, before it knows if probe will succeed, leaving behind a stale pointer. Fix this by expanding checks to not only test for presence of F34 "container" but also check if there is driver data assigned to the sub-device, and call dev_set_drvdata() only after we are certain that probe is successful. This is not a complete fix, since F34 will be freed during firmware update, so there is still a race when fetching and accessing this pointer. This race will be addressed in follow-up changes. Reported-by: Hanno Böck <hanno(a)hboeck.de> Fixes: 29fd0ec2bdbe ("Input: synaptics-rmi4 - add support for F34 device reflash") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBlAl6sGulam-Qcx@google.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c index d760af4cc12e..f1947f03b06a 100644 --- a/drivers/input/rmi4/rmi_f34.c +++ b/drivers/input/rmi4/rmi_f34.c @@ -4,6 +4,7 @@ * Copyright (C) 2016 Zodiac Inflight Innovations */ +#include "linux/device.h" #include <linux/kernel.h> #include <linux/rmi.h> #include <linux/firmware.h> @@ -289,39 +290,30 @@ static int rmi_f34_update_firmware(struct f34_data *f34, return rmi_f34_flash_firmware(f34, syn_fw); } -static int rmi_f34_status(struct rmi_function *fn) -{ - struct f34_data *f34 = dev_get_drvdata(&fn->dev); - - /* - * The status is the percentage complete, or once complete, - * zero for success or a negative return code. - */ - return f34->update_status; -} - static ssize_t rmi_driver_bootloader_id_show(struct device *dev, struct device_attribute *dattr, char *buf) { struct rmi_driver_data *data = dev_get_drvdata(dev); - struct rmi_function *fn = data->f34_container; + struct rmi_function *fn; struct f34_data *f34; - if (fn) { - f34 = dev_get_drvdata(&fn->dev); + fn = data->f34_container; + if (!fn) + return -ENODEV; - if (f34->bl_version == 5) - return sysfs_emit(buf, "%c%c\n", - f34->bootloader_id[0], - f34->bootloader_id[1]); - else - return sysfs_emit(buf, "V%d.%d\n", - f34->bootloader_id[1], - f34->bootloader_id[0]); - } + f34 = dev_get_drvdata(&fn->dev); + if (!f34) + return -ENODEV; - return 0; + if (f34->bl_version == 5) + return sysfs_emit(buf, "%c%c\n", + f34->bootloader_id[0], + f34->bootloader_id[1]); + else + return sysfs_emit(buf, "V%d.%d\n", + f34->bootloader_id[1], + f34->bootloader_id[0]); } static DEVICE_ATTR(bootloader_id, 0444, rmi_driver_bootloader_id_show, NULL); @@ -334,13 +326,16 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev, struct rmi_function *fn = data->f34_container; struct f34_data *f34; - if (fn) { - f34 = dev_get_drvdata(&fn->dev); + fn = data->f34_container; + if (!fn) + return -ENODEV; - return sysfs_emit(buf, "%s\n", f34->configuration_id); - } + f34 = dev_get_drvdata(&fn->dev); + if (!f34) + return -ENODEV; - return 0; + + return sysfs_emit(buf, "%s\n", f34->configuration_id); } static DEVICE_ATTR(configuration_id, 0444, @@ -356,10 +351,14 @@ static int rmi_firmware_update(struct rmi_driver_data *data, if (!data->f34_container) { dev_warn(dev, "%s: No F34 present!\n", __func__); - return -EINVAL; + return -ENODEV; } f34 = dev_get_drvdata(&data->f34_container->dev); + if (!f34) { + dev_warn(dev, "%s: No valid F34 present!\n", __func__); + return -ENODEV; + } if (f34->bl_version >= 7) { if (data->pdt_props & HAS_BSR) { @@ -485,10 +484,18 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev, char *buf) { struct rmi_driver_data *data = dev_get_drvdata(dev); - int update_status = 0; + struct f34_data *f34; + int update_status = -ENODEV; - if (data->f34_container) - update_status = rmi_f34_status(data->f34_container); + /* + * The status is the percentage complete, or once complete, + * zero for success or a negative return code. + */ + if (data->f34_container) { + f34 = dev_get_drvdata(&data->f34_container->dev); + if (f34) + update_status = f34->update_status; + } return sysfs_emit(buf, "%d\n", update_status); } @@ -508,33 +515,21 @@ static const struct attribute_group rmi_firmware_attr_group = { .attrs = rmi_firmware_attrs, }; -static int rmi_f34_probe(struct rmi_function *fn) +static int rmi_f34v5_probe(struct f34_data *f34) { - struct f34_data *f34; - unsigned char f34_queries[9]; + struct rmi_function *fn = f34->fn; + u8 f34_queries[9]; bool has_config_id; - u8 version = fn->fd.function_version; - int ret; - - f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL); - if (!f34) - return -ENOMEM; - - f34->fn = fn; - dev_set_drvdata(&fn->dev, f34); - - /* v5 code only supported version 0, try V7 probe */ - if (version > 0) - return rmi_f34v7_probe(f34); + int error; f34->bl_version = 5; - ret = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr, - f34_queries, sizeof(f34_queries)); - if (ret) { + error = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr, + f34_queries, sizeof(f34_queries)); + if (error) { dev_err(&fn->dev, "%s: Failed to query properties\n", __func__); - return ret; + return error; } snprintf(f34->bootloader_id, sizeof(f34->bootloader_id), @@ -560,11 +555,11 @@ static int rmi_f34_probe(struct rmi_function *fn) f34->v5.config_blocks); if (has_config_id) { - ret = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr, - f34_queries, sizeof(f34_queries)); - if (ret) { + error = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr, + f34_queries, sizeof(f34_queries)); + if (error) { dev_err(&fn->dev, "Failed to read F34 config ID\n"); - return ret; + return error; } snprintf(f34->configuration_id, sizeof(f34->configuration_id), @@ -573,12 +568,34 @@ static int rmi_f34_probe(struct rmi_function *fn) f34_queries[2], f34_queries[3]); rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Configuration ID: %s\n", - f34->configuration_id); + f34->configuration_id); } return 0; } +static int rmi_f34_probe(struct rmi_function *fn) +{ + struct f34_data *f34; + u8 version = fn->fd.function_version; + int error; + + f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL); + if (!f34) + return -ENOMEM; + + f34->fn = fn; + + /* v5 code only supported version 0 */ + error = version == 0 ? rmi_f34v5_probe(f34) : rmi_f34v7_probe(f34); + if (error) + return error; + + dev_set_drvdata(&fn->dev, f34); + + return 0; +} + int rmi_f34_create_sysfs(struct rmi_device *rmi_dev) { return sysfs_create_group(&rmi_dev->dev.kobj, &rmi_firmware_attr_group);

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-fix-copy_vma-error-handling-for-hugetlb-mappings.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix copy_vma() error handling for hugetlb mappings has been removed from the -mm tree. Its filename was mm-fix-copy_vma-error-handling-for-hugetlb-mappings.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ricardo Ca��uelo Navarro <rcn(a)igalia.com> Subject: mm: fix copy_vma() error handling for hugetlb mappings Date: Fri, 23 May 2025 14:19:10 +0200 If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Ca��uelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/hugetlb.h | 5 +++++ mm/hugetlb.c | 16 +++++++++++++++- mm/mremap.c | 3 +-- mm/vma.c | 1 + 4 files changed, 22 insertions(+), 3 deletions(-) --- a/include/linux/hugetlb.h~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(s static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write --- a/mm/hugetlb.c~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_a /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_ hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} --- a/mm/mremap.c~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_ mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) --- a/mm/vma.c~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct v return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file) _ Patches currently in -mm which might be from rcn(a)igalia.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] memcg-always-call-cond_resched-after-fn.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: memcg: always call cond_resched() after fn() has been removed from the -mm tree. Its filename was memcg-always-call-cond_resched-after-fn.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Breno Leitao <leitao(a)debian.org> Subject: memcg: always call cond_resched() after fn() Date: Fri, 23 May 2025 10:21:06 -0700 I am seeing soft lockup on certain machine types when a cgroup OOMs. This is happening because killing the process in certain machine might be very slow, which causes the soft lockup and RCU stalls. This happens usually when the cgroup has MANY processes and memory.oom.group is set. Example I am seeing in real production: [462012.244552] Memory cgroup out of memory: Killed process 3370438 (crosvm) .... .... [462037.318059] Memory cgroup out of memory: Killed process 4171372 (adb) .... [462037.348314] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [stat_manager-ag:1618982] .... Quick look at why this is so slow, it seems to be related to serial flush for certain machine types. For all the crashes I saw, the target CPU was at console_flush_all(). In the case above, there are thousands of processes in the cgroup, and it is soft locking up before it reaches the 1024 limit in the code (which would call the cond_resched()). So, cond_resched() in 1024 blocks is not sufficient. Remove the counter-based conditional rescheduling logic and call cond_resched() unconditionally after each task iteration, after fn() is called. This avoids the lockup independently of how slow fn() is. Link: https://lkml.kernel.org/r/20250523-memcg_fix-v1-1-ad3eafb60477@debian.org Fixes: ade81479c7dd ("memcg: fix soft lockup in the OOM process") Signed-off-by: Breno Leitao <leitao(a)debian.org> Suggested-by: Rik van Riel <riel(a)surriel.com> Acked-by: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Michael van der Westhuizen <rmikey(a)meta.com> Cc: Usama Arif <usamaarif642(a)gmail.com> Cc: Pavel Begunkov <asml.silence(a)gmail.com> Cc: Chen Ridong <chenridong(a)huawei.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/mm/memcontrol.c~memcg-always-call-cond_resched-after-fn +++ a/mm/memcontrol.c @@ -1168,7 +1168,6 @@ void mem_cgroup_scan_tasks(struct mem_cg { struct mem_cgroup *iter; int ret = 0; - int i = 0; BUG_ON(mem_cgroup_is_root(memcg)); @@ -1178,10 +1177,9 @@ void mem_cgroup_scan_tasks(struct mem_cg css_task_iter_start(&iter->css, CSS_TASK_ITER_PROCS, &it); while (!ret && (task = css_task_iter_next(&it))) { - /* Avoid potential softlockup warning */ - if ((++i & 1023) == 0) - cond_resched(); ret = fn(task, arg); + /* Avoid potential softlockup warning */ + cond_resched(); } css_task_iter_end(&it); if (ret) { _ Patches currently in -mm which might be from leitao(a)debian.org are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios has been removed from the -mm tree. Its filename was mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ge Yang <yangge1116(a)126.com> Subject: mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios Date: Thu, 22 May 2025 11:22:17 +0800 A kernel crash was observed when replacing free hugetlb folios: BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK> replace_free_hugepage_folios+0xb6/0x100 alloc_contig_range_noprof+0x18a/0x590 ? srso_return_thunk+0x5/0x5f ? down_read+0x12/0xa0 ? srso_return_thunk+0x5/0x5f cma_range_alloc.constprop.0+0x131/0x290 __cma_alloc+0xcf/0x2c0 cma_alloc_write+0x43/0xb0 simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110 debugfs_attr_write+0x46/0x70 full_proxy_write+0x62/0xa0 vfs_write+0xf8/0x420 ? srso_return_thunk+0x5/0x5f ? filp_flush+0x86/0xa0 ? srso_return_thunk+0x5/0x5f ? filp_close+0x1f/0x30 ? srso_return_thunk+0x5/0x5f ? do_dup2+0xaf/0x160 ? srso_return_thunk+0x5/0x5f ksys_write+0x65/0xe0 do_syscall_64+0x64/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios(): CPU1 CPU2 __update_and_free_hugetlb_folio replace_free_hugepage_folios folio_test_hugetlb(folio) -- It's still hugetlb folio. __folio_clear_hugetlb(folio) hugetlb_free_folio(folio) h = folio_hstate(folio) -- Here, h is NULL pointer When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL. Link: https://lkml.kernel.org/r/1747884137-26685-1-git-send-email-yangge1116@126.… Fixes: 04f13d241b8b ("mm: replace free hugepage folios after migration") Signed-off-by: Ge Yang <yangge1116(a)126.com> Reviewed-by: Muchun Song <muchun.song(a)linux.dev> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <21cnbao(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/mm/hugetlb.c~mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios +++ a/mm/hugetlb.c @@ -2949,12 +2949,20 @@ int replace_free_hugepage_folios(unsigne while (start_pfn < end_pfn) { folio = pfn_folio(start_pfn); + + /* + * The folio might have been dissolved from under our feet, so make sure + * to carefully check the state under the lock. + */ + spin_lock_irq(&hugetlb_lock); if (folio_test_hugetlb(folio)) { h = folio_hstate(folio); } else { + spin_unlock_irq(&hugetlb_lock); start_pfn++; continue; } + spin_unlock_irq(&hugetlb_lock); if (!folio_ref_count(folio)) { ret = alloc_and_dissolve_hugetlb_folio(h, folio, _ Patches currently in -mm which might be from yangge1116(a)126.com are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-vmalloc-only-zero-init-on-vrealloc-shrink.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmalloc: only zero-init on vrealloc shrink has been removed from the -mm tree. Its filename was mm-vmalloc-only-zero-init-on-vrealloc-shrink.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kees Cook <kees(a)kernel.org> Subject: mm: vmalloc: only zero-init on vrealloc shrink Date: Thu, 15 May 2025 14:42:16 -0700 The common case is to grow reallocations, and since init_on_alloc will have already zeroed the whole allocation, we only need to zero when shrinking the allocation. Link: https://lkml.kernel.org/r/20250515214217.619685-2-kees@kernel.org Fixes: a0309faf1cb0 ("mm: vmalloc: support more granular vrealloc() sizing") Signed-off-by: Kees Cook <kees(a)kernel.org> Tested-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Eduard Zingerman <eddyz87(a)gmail.com> Cc: "Erhard F." <erhard_f(a)mailbox.org> Cc: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/mm/vmalloc.c~mm-vmalloc-only-zero-init-on-vrealloc-shrink +++ a/mm/vmalloc.c @@ -4093,8 +4093,8 @@ void *vrealloc_noprof(const void *p, siz * would be a good heuristic for when to shrink the vm_area? */ if (size <= old_size) { - /* Zero out "freed" memory. */ - if (want_init_on_free()) + /* Zero out "freed" memory, potentially for future realloc. */ + if (want_init_on_free() || want_init_on_alloc(flags)) memset((void *)p + size, 0, old_size - size); vm->requested_size = size; kasan_poison_vmalloc(p + size, old_size - size); @@ -4107,9 +4107,11 @@ void *vrealloc_noprof(const void *p, siz if (size <= alloced_size) { kasan_unpoison_vmalloc(p + old_size, size - old_size, KASAN_VMALLOC_PROT_NORMAL); - /* Zero out "alloced" memory. */ - if (want_init_on_alloc(flags)) - memset((void *)p + old_size, 0, size - old_size); + /* + * No need to zero memory here, as unused memory will have + * already been zeroed at initial allocation time or during + * realloc shrink time. + */ vm->requested_size = size; return (void *)p; } _ Patches currently in -mm which might be from kees(a)kernel.org are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-vmalloc-actually-use-the-in-place-vrealloc-region.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: vmalloc: actually use the in-place vrealloc region has been removed from the -mm tree. Its filename was mm-vmalloc-actually-use-the-in-place-vrealloc-region.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kees Cook <kees(a)kernel.org> Subject: mm: vmalloc: actually use the in-place vrealloc region Date: Thu, 15 May 2025 14:42:15 -0700 Patch series "mm: vmalloc: Actually use the in-place vrealloc region". This fixes a performance regression[1] with vrealloc()[1]. The refactoring to not build a new vmalloc region only actually worked when shrinking. Actually return the resized area when it grows. Ugh. Link: https://lkml.kernel.org/r/20250515214217.619685-1-kees@kernel.org Fixes: a0309faf1cb0 ("mm: vmalloc: support more granular vrealloc() sizing") Signed-off-by: Kees Cook <kees(a)kernel.org> Reported-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> Closes: https://lore.kernel.org/all/20250515-bpf-verifier-slowdown-vwo2meju4cgp2su5… [1] Tested-by: Eduard Zingerman <eddyz87(a)gmail.com> Tested-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Tested-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> Reviewed-by: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Reviewed-by: Danilo Krummrich <dakr(a)kernel.org> Cc: "Erhard F." <erhard_f(a)mailbox.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmalloc.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/vmalloc.c~mm-vmalloc-actually-use-the-in-place-vrealloc-region +++ a/mm/vmalloc.c @@ -4111,6 +4111,7 @@ void *vrealloc_noprof(const void *p, siz if (want_init_on_alloc(flags)) memset((void *)p + old_size, 0, size - old_size); vm->requested_size = size; + return (void *)p; } /* TODO: Grow the vm_area, i.e. allocate and map additional pages. */ _ Patches currently in -mm which might be from kees(a)kernel.org are

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] alloc_tag-allocate-percpu-counters-for-module-tags-dynamically.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: alloc_tag: allocate percpu counters for module tags dynamically has been removed from the -mm tree. Its filename was alloc_tag-allocate-percpu-counters-for-module-tags-dynamically.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Suren Baghdasaryan <surenb(a)google.com> Subject: alloc_tag: allocate percpu counters for module tags dynamically Date: Fri, 16 May 2025 17:07:39 -0700 When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused. However percpu counters referenced by the tags are freed by free_module(). This will lead to UAF if the memory allocated by a module is accessed after module was unloaded. To fix this we allocate percpu counters for module allocation tags dynamically and we keep it alive for tags which are still in use after module unloading. This also removes the requirement of a larger PERCPU_MODULE_RESERVE when memory allocation profiling is enabled because percpu memory for counters does not need to be reserved anymore. Link: https://lkml.kernel.org/r/20250517000739.5930-1-surenb@google.com Fixes: 0db6f8d7820a ("alloc_tag: load module tags into separate contiguous memory") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Reported-by: David Wang <00107082(a)163.com> Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/ Tested-by: David Wang <00107082(a)163.com> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/alloc_tag.h | 12 ++++ include/linux/codetag.h | 8 +-- include/linux/percpu.h | 4 - lib/alloc_tag.c | 89 ++++++++++++++++++++++++++++-------- lib/codetag.c | 5 +- 5 files changed, 89 insertions(+), 29 deletions(-) --- a/include/linux/alloc_tag.h~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/include/linux/alloc_tag.h @@ -104,6 +104,16 @@ DECLARE_PER_CPU(struct alloc_tag_counter #else /* ARCH_NEEDS_WEAK_PER_CPU */ +#ifdef MODULE + +#define DEFINE_ALLOC_TAG(_alloc_tag) \ + static struct alloc_tag _alloc_tag __used __aligned(8) \ + __section(ALLOC_TAG_SECTION_NAME) = { \ + .ct = CODE_TAG_INIT, \ + .counters = NULL }; + +#else /* MODULE */ + #define DEFINE_ALLOC_TAG(_alloc_tag) \ static DEFINE_PER_CPU(struct alloc_tag_counters, _alloc_tag_cntr); \ static struct alloc_tag _alloc_tag __used __aligned(8) \ @@ -111,6 +121,8 @@ DECLARE_PER_CPU(struct alloc_tag_counter .ct = CODE_TAG_INIT, \ .counters = &_alloc_tag_cntr }; +#endif /* MODULE */ + #endif /* ARCH_NEEDS_WEAK_PER_CPU */ DECLARE_STATIC_KEY_MAYBE(CONFIG_MEM_ALLOC_PROFILING_ENABLED_BY_DEFAULT, --- a/include/linux/codetag.h~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/include/linux/codetag.h @@ -36,10 +36,10 @@ union codetag_ref { struct codetag_type_desc { const char *section; size_t tag_size; - void (*module_load)(struct codetag_type *cttype, - struct codetag_module *cmod); - void (*module_unload)(struct codetag_type *cttype, - struct codetag_module *cmod); + void (*module_load)(struct module *mod, + struct codetag *start, struct codetag *end); + void (*module_unload)(struct module *mod, + struct codetag *start, struct codetag *end); #ifdef CONFIG_MODULES void (*module_replaced)(struct module *mod, struct module *new_mod); bool (*needs_section_mem)(struct module *mod, unsigned long size); --- a/include/linux/percpu.h~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/include/linux/percpu.h @@ -15,11 +15,7 @@ /* enough to cover all DEFINE_PER_CPUs in modules */ #ifdef CONFIG_MODULES -#ifdef CONFIG_MEM_ALLOC_PROFILING -#define PERCPU_MODULE_RESERVE (8 << 13) -#else #define PERCPU_MODULE_RESERVE (8 << 10) -#endif #else #define PERCPU_MODULE_RESERVE 0 #endif --- a/lib/alloc_tag.c~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/lib/alloc_tag.c @@ -350,18 +350,28 @@ static bool needs_section_mem(struct mod return size >= sizeof(struct alloc_tag); } -static struct alloc_tag *find_used_tag(struct alloc_tag *from, struct alloc_tag *to) +static bool clean_unused_counters(struct alloc_tag *start_tag, + struct alloc_tag *end_tag) { - while (from <= to) { + struct alloc_tag *tag; + bool ret = true; + + for (tag = start_tag; tag <= end_tag; tag++) { struct alloc_tag_counters counter; - counter = alloc_tag_read(from); - if (counter.bytes) - return from; - from++; + if (!tag->counters) + continue; + + counter = alloc_tag_read(tag); + if (!counter.bytes) { + free_percpu(tag->counters); + tag->counters = NULL; + } else { + ret = false; + } } - return NULL; + return ret; } /* Called with mod_area_mt locked */ @@ -371,12 +381,16 @@ static void clean_unused_module_areas_lo struct module *val; mas_for_each(&mas, val, module_tags.size) { + struct alloc_tag *start_tag; + struct alloc_tag *end_tag; + if (val != &unloaded_mod) continue; /* Release area if all tags are unused */ - if (!find_used_tag((struct alloc_tag *)(module_tags.start_addr + mas.index), - (struct alloc_tag *)(module_tags.start_addr + mas.last))) + start_tag = (struct alloc_tag *)(module_tags.start_addr + mas.index); + end_tag = (struct alloc_tag *)(module_tags.start_addr + mas.last); + if (clean_unused_counters(start_tag, end_tag)) mas_erase(&mas); } } @@ -561,7 +575,8 @@ unlock: static void release_module_tags(struct module *mod, bool used) { MA_STATE(mas, &mod_area_mt, module_tags.size, module_tags.size); - struct alloc_tag *tag; + struct alloc_tag *start_tag; + struct alloc_tag *end_tag; struct module *val; mas_lock(&mas); @@ -575,15 +590,22 @@ static void release_module_tags(struct m if (!used) goto release_area; - /* Find out if the area is used */ - tag = find_used_tag((struct alloc_tag *)(module_tags.start_addr + mas.index), - (struct alloc_tag *)(module_tags.start_addr + mas.last)); - if (tag) { - struct alloc_tag_counters counter = alloc_tag_read(tag); - - pr_info("%s:%u module %s func:%s has %llu allocated at module unload\n", - tag->ct.filename, tag->ct.lineno, tag->ct.modname, - tag->ct.function, counter.bytes); + start_tag = (struct alloc_tag *)(module_tags.start_addr + mas.index); + end_tag = (struct alloc_tag *)(module_tags.start_addr + mas.last); + if (!clean_unused_counters(start_tag, end_tag)) { + struct alloc_tag *tag; + + for (tag = start_tag; tag <= end_tag; tag++) { + struct alloc_tag_counters counter; + + if (!tag->counters) + continue; + + counter = alloc_tag_read(tag); + pr_info("%s:%u module %s func:%s has %llu allocated at module unload\n", + tag->ct.filename, tag->ct.lineno, tag->ct.modname, + tag->ct.function, counter.bytes); + } } else { used = false; } @@ -596,6 +618,34 @@ out: mas_unlock(&mas); } +static void load_module(struct module *mod, struct codetag *start, struct codetag *stop) +{ + /* Allocate module alloc_tag percpu counters */ + struct alloc_tag *start_tag; + struct alloc_tag *stop_tag; + struct alloc_tag *tag; + + if (!mod) + return; + + start_tag = ct_to_alloc_tag(start); + stop_tag = ct_to_alloc_tag(stop); + for (tag = start_tag; tag < stop_tag; tag++) { + WARN_ON(tag->counters); + tag->counters = alloc_percpu(struct alloc_tag_counters); + if (!tag->counters) { + while (--tag >= start_tag) { + free_percpu(tag->counters); + tag->counters = NULL; + } + shutdown_mem_profiling(true); + pr_err("Failed to allocate memory for allocation tag percpu counters in the module %s. Memory allocation profiling is disabled!\n", + mod->name); + break; + } + } +} + static void replace_module(struct module *mod, struct module *new_mod) { MA_STATE(mas, &mod_area_mt, 0, module_tags.size); @@ -757,6 +807,7 @@ static int __init alloc_tag_init(void) .needs_section_mem = needs_section_mem, .alloc_section_mem = reserve_module_tags, .free_section_mem = release_module_tags, + .module_load = load_module, .module_replaced = replace_module, #endif }; --- a/lib/codetag.c~alloc_tag-allocate-percpu-counters-for-module-tags-dynamically +++ a/lib/codetag.c @@ -194,7 +194,7 @@ static int codetag_module_init(struct co if (err >= 0) { cttype->count += range_size(cttype, &range); if (cttype->desc.module_load) - cttype->desc.module_load(cttype, cmod); + cttype->desc.module_load(mod, range.start, range.stop); } up_write(&cttype->mod_lock); @@ -333,7 +333,8 @@ void codetag_unload_module(struct module } if (found) { if (cttype->desc.module_unload) - cttype->desc.module_unload(cttype, cmod); + cttype->desc.module_unload(cmod->mod, + cmod->range.start, cmod->range.stop); cttype->count -= range_size(cttype, &cmod->range); idr_remove(&cttype->mod_idr, mod_id); _ Patches currently in -mm which might be from surenb(a)google.com are alloc_tag-handle-module-codetag-load-errors-as-module-load-failures.patch

5 months, 3 weeks

1
0
0 0

[merged mm-hotfixes-stable] module-release-codetag-section-when-module-load-fails.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: module: release codetag section when module load fails has been removed from the -mm tree. Its filename was module-release-codetag-section-when-module-load-fails.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: David Wang <00107082(a)163.com> Subject: module: release codetag section when module load fails Date: Tue, 20 May 2025 00:38:23 +0800 When module load fails after memory for codetag section is ready, codetag section memory will not be properly released. This causes memory leak, and if next module load happens to get the same module address, codetag may pick the uninitialized section when manipulating tags during module unload, and leads to "unable to handle page fault" BUG. Link: https://lkml.kernel.org/r/20250519163823.7540-1-00107082@163.com Fixes: 0db6f8d7820a ("alloc_tag: load module tags into separate contiguous memory") Closes: https://lore.kernel.org/all/20250516131246.6244-1-00107082@163.com/ Signed-off-by: David Wang <00107082(a)163.com> Acked-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Petr Pavlu <petr.pavlu(a)suse.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/module/main.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/module/main.c~module-release-codetag-section-when-module-load-fails +++ a/kernel/module/main.c @@ -2829,6 +2829,7 @@ static void module_deallocate(struct mod { percpu_modfree(mod); module_arch_freeing_init(mod); + codetag_free_module_sections(mod); free_mod_mem(mod); } _ Patches currently in -mm which might be from 00107082(a)163.com are

5 months, 3 weeks

1
0
0 0

[PATCH 1/2] wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()

by Deren Wu

From: Deren Wu <deren.wu(a)mediatek.com> Add a NULL check for msta->vif before accessing its members to prevent a kernel panic in AP mode deployment. This also fix the issue reported in [1]. The crash occurs when this function is triggered before the station is fully initialized. The call trace shows a page fault at mt7925_sta_set_decap_offload() due to accessing resources when msta->vif is NULL. Fix this by adding an early return if msta->vif is NULL and also check wcid.sta is ready. This ensures we only proceed with decap offload configuration when the station's state is properly initialized. [14739.655703] Unable to handle kernel paging request at virtual address ffffffffffffffa0 [14739.811820] CPU: 0 UID: 0 PID: 895854 Comm: hostapd Tainted: G [14739.821394] Tainted: [C]=CRAP, [O]=OOT_MODULE [14739.825746] Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) [14739.831577] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [14739.838538] pc : mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.845271] lr : mt7925_sta_set_decap_offload+0x58/0x1b8 [mt7925_common] [14739.851985] sp : ffffffc085efb500 [14739.855295] x29: ffffffc085efb500 x28: 0000000000000000 x27: ffffff807803a158 [14739.862436] x26: ffffff8041ececb8 x25: 0000000000000001 x24: 0000000000000001 [14739.869577] x23: 0000000000000001 x22: 0000000000000008 x21: ffffff8041ecea88 [14739.876715] x20: ffffff8041c19ca0 x19: ffffff8078031fe0 x18: 0000000000000000 [14739.883853] x17: 0000000000000000 x16: ffffffe2aeac1110 x15: 000000559da48080 [14739.890991] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000 [14739.898130] x11: 0a10020001008e88 x10: 0000000000001a50 x9 : ffffffe26457bfa0 [14739.905269] x8 : ffffff8042013bb0 x7 : ffffff807fb6cbf8 x6 : dead000000000100 [14739.912407] x5 : dead000000000122 x4 : ffffff80780326c8 x3 : 0000000000000000 [14739.919546] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8041ececb8 [14739.926686] Call trace: [14739.929130] mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.935505] ieee80211_check_fast_rx+0x19c/0x510 [mac80211] [14739.941344] _sta_info_move_state+0xe4/0x510 [mac80211] [14739.946860] sta_info_move_state+0x1c/0x30 [mac80211] [14739.952116] sta_apply_auth_flags.constprop.0+0x90/0x1b0 [mac80211] [14739.958708] sta_apply_parameters+0x234/0x5e0 [mac80211] [14739.964332] ieee80211_add_station+0xdc/0x190 [mac80211] [14739.969950] nl80211_new_station+0x46c/0x670 [cfg80211] [14739.975516] genl_family_rcv_msg_doit+0xdc/0x150 [14739.980158] genl_rcv_msg+0x218/0x298 [14739.983830] netlink_rcv_skb+0x64/0x138 [14739.987670] genl_rcv+0x40/0x60 [14739.990816] netlink_unicast+0x314/0x380 [14739.994742] netlink_sendmsg+0x198/0x3f0 [14739.998664] __sock_sendmsg+0x64/0xc0 [14740.002324] ____sys_sendmsg+0x260/0x298 [14740.006242] ___sys_sendmsg+0xb4/0x110 Cc: stable(a)vger.kernel.org Link: https://github.com/morrownr/USB-WiFi/issues/603 [1] Fixes: b859ad65309a ("wifi: mt76: mt7925: add link handling in mt7925_sta_set_decap_offload") Signed-off-by: Deren Wu <deren.wu(a)mediatek.com> --- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c index 94b0099dcd41..320011fc3073 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1603,6 +1603,9 @@ static void mt7925_sta_set_decap_offload(struct ieee80211_hw *hw, unsigned long valid = mvif->valid_links; u8 i; + if (!msta->vif) + return; + mt792x_mutex_acquire(dev); valid = ieee80211_vif_is_mld(vif) ? mvif->valid_links : BIT(0); @@ -1617,6 +1620,9 @@ static void mt7925_sta_set_decap_offload(struct ieee80211_hw *hw, else clear_bit(MT_WCID_FLAG_HDR_TRANS, &mlink->wcid.flags); + if (!mlink->wcid.sta) + continue; + mt7925_mcu_wtbl_update_hdr_trans(dev, vif, sta, i); } -- 2.18.0

5 months, 3 weeks

1
1
0 0

[PATCH V3] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg

by Huacai Chen

When building kernel with LLVM there are occasionally such errors: In file included from ./include/linux/spinlock.h:59: In file included from ./include/linux/irqflags.h:17: arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1 38 | "csrxchg %[val], %[mask], %[reg]\n\t" | ^ <inline asm>:1:16: note: instantiated into assembly here 1 | csrxchg $a1, $ra, 0 | ^ To prevent the compiler from allocating $r0 or $r1 for the "mask" of the csrxchg instruction, the 'q' constraint must be used but Clang < 21 does not support it. So force to use $t0 in the inline asm, in order to avoid using $r0/$r1 while keeping the backward compatibility. Cc: stable(a)vger.kernel.org Link: https://github.com/llvm/llvm-project/pull/141037 Reviewed-by: Yanteng Si <si.yanteng(a)linux.dev> Suggested-by: WANG Rui <wangrui(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: Update commit messages. V3: Update commit messages again. arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/arch/loongarch/include/asm/irqflags.h b/arch/loongarch/include/asm/irqflags.h index 319a8c616f1f..003172b8406b 100644 --- a/arch/loongarch/include/asm/irqflags.h +++ b/arch/loongarch/include/asm/irqflags.h @@ -14,40 +14,48 @@ static inline void arch_local_irq_enable(void) { u32 flags = CSR_CRMD_IE; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline void arch_local_irq_disable(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline unsigned long arch_local_irq_save(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); return flags; } static inline void arch_local_irq_restore(unsigned long flags) { + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } -- 2.47.1

5 months, 3 weeks

1
0
0 0

[PATCH V2] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg

by Huacai Chen

When building kernel with LLVM there are occasionally such errors: In file included from ./include/linux/spinlock.h:59: In file included from ./include/linux/irqflags.h:17: arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1 38 | "csrxchg %[val], %[mask], %[reg]\n\t" | ^ <inline asm>:1:16: note: instantiated into assembly here 1 | csrxchg $a1, $ra, 0 | ^ To prevent the compiler from allocating $r0 or $r1 for the "mask" of the csrxchg instruction, the 'q' constraint must be used but Clang < 22 does not support it. So force to use $t0 in the inline asm, in order to avoid using $r0/$r1 while keeping the backward compatibility. Cc: stable(a)vger.kernel.org Link: https://github.com/llvm/llvm-project/pull/141037 Reviewed-by: Yanteng Si <si.yanteng(a)linux.dev> Suggested-by: WANG Rui <wangrui(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: Update commit messages. arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/arch/loongarch/include/asm/irqflags.h b/arch/loongarch/include/asm/irqflags.h index 319a8c616f1f..003172b8406b 100644 --- a/arch/loongarch/include/asm/irqflags.h +++ b/arch/loongarch/include/asm/irqflags.h @@ -14,40 +14,48 @@ static inline void arch_local_irq_enable(void) { u32 flags = CSR_CRMD_IE; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline void arch_local_irq_disable(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline unsigned long arch_local_irq_save(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); return flags; } static inline void arch_local_irq_restore(unsigned long flags) { + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } -- 2.47.1

5 months, 3 weeks

3
2
0 0

Re: [syzbot] [kernel?] KASAN: slab-use-after-free Write in binder_remove_device

by syzbot

syzbot has bisected this issue to: commit 12d909cac1e1c4147cc3417fee804ee12fc6b984 Author: Li Li <dualli(a)google.com> Date: Wed Dec 18 21:29:34 2024 +0000 binderfs: add new binder devices to binder_devices bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=107228e8580000 start commit: 176e917e010c Add linux-next specific files for 20250523 git tree: linux-next final oops: https://syzkaller.appspot.com/x/report.txt?x=127228e8580000 console output: https://syzkaller.appspot.com/x/log.txt?x=147228e8580000 kernel config: https://syzkaller.appspot.com/x/.config?x=e7902c752bef748 dashboard link: https://syzkaller.appspot.com/bug?extid=4af454407ec393de51d6 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=108b55f4580000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1145e5f4580000 Reported-by: syzbot+4af454407ec393de51d6(a)syzkaller.appspotmail.com Fixes: 12d909cac1e1 ("binderfs: add new binder devices to binder_devices") For information about bisection process see: https://goo.gl/tpsmEJ#bisection

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu: Skip PASID validation for devices without PASID" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x b3f6fcd8404f9f92262303369bb877ec5d188a81 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052454-kinship-reiterate-9e47@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b3f6fcd8404f9f92262303369bb877ec5d188a81 Mon Sep 17 00:00:00 2001 From: Tushar Dave <tdave(a)nvidia.com> Date: Mon, 19 May 2025 18:19:37 -0700 Subject: [PATCH] iommu: Skip PASID validation for devices without PASID capability Generally PASID support requires ACS settings that usually create single device groups, but there are some niche cases where we can get multi-device groups and still have working PASID support. The primary issue is that PCI switches are not required to treat PASID tagged TLPs specially so appropriate ACS settings are required to route all TLPs to the host bridge if PASID is going to work properly. pci_enable_pasid() does check that each device that will use PASID has the proper ACS settings to achieve this routing. However, no-PASID devices can be combined with PASID capable devices within the same topology using non-uniform ACS settings. In this case the no-PASID devices may not have strict route to host ACS flags and end up being grouped with the PASID devices. This configuration fails to allow use of the PASID within the iommu core code which wrongly checks if the no-PASID device supports PASID. Fix this by ignoring no-PASID devices during the PASID validation. They will never issue a PASID TLP anyhow so they can be ignored. Fixes: c404f55c26fc ("iommu: Validate the PASID in iommu_attach_device_pasid()") Cc: stable(a)vger.kernel.org Signed-off-by: Tushar Dave <tdave(a)nvidia.com> Reviewed-by: Lu Baolu <baolu.lu(a)linux.intel.com> Reviewed-by: Vasant Hegde <vasant.hegde(a)amd.com> Link: https://lore.kernel.org/r/20250520011937.3230557-1-tdave@nvidia.com Signed-off-by: Joerg Roedel <jroedel(a)suse.de> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 4f91a740c15f..9d728800a862 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -3366,10 +3366,12 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, int ret; for_each_group_device(group, device) { - ret = domain->ops->set_dev_pasid(domain, device->dev, - pasid, old); - if (ret) - goto err_revert; + if (device->dev->iommu->max_pasids > 0) { + ret = domain->ops->set_dev_pasid(domain, device->dev, + pasid, old); + if (ret) + goto err_revert; + } } return 0; @@ -3379,15 +3381,18 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, for_each_group_device(group, device) { if (device == last_gdev) break; - /* - * If no old domain, undo the succeeded devices/pasid. - * Otherwise, rollback the succeeded devices/pasid to the old - * domain. And it is a driver bug to fail attaching with a - * previously good domain. - */ - if (!old || WARN_ON(old->ops->set_dev_pasid(old, device->dev, + if (device->dev->iommu->max_pasids > 0) { + /* + * If no old domain, undo the succeeded devices/pasid. + * Otherwise, rollback the succeeded devices/pasid to + * the old domain. And it is a driver bug to fail + * attaching with a previously good domain. + */ + if (!old || + WARN_ON(old->ops->set_dev_pasid(old, device->dev, pasid, domain))) - iommu_remove_dev_pasid(device->dev, pasid, domain); + iommu_remove_dev_pasid(device->dev, pasid, domain); + } } return ret; } @@ -3398,8 +3403,10 @@ static void __iommu_remove_group_pasid(struct iommu_group *group, { struct group_device *device; - for_each_group_device(group, device) - iommu_remove_dev_pasid(device->dev, pasid, domain); + for_each_group_device(group, device) { + if (device->dev->iommu->max_pasids > 0) + iommu_remove_dev_pasid(device->dev, pasid, domain); + } } /* @@ -3440,7 +3447,13 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, mutex_lock(&group->mutex); for_each_group_device(group, device) { - if (pasid >= device->dev->iommu->max_pasids) { + /* + * Skip PASID validation for devices without PASID support + * (max_pasids = 0). These devices cannot issue transactions + * with PASID, so they don't affect group's PASID usage. + */ + if ((device->dev->iommu->max_pasids > 0) && + (pasid >= device->dev->iommu->max_pasids)) { ret = -EINVAL; goto out_unlock; }

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu: Skip PASID validation for devices without PASID" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x b3f6fcd8404f9f92262303369bb877ec5d188a81 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052453-elastic-creature-b8c3@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b3f6fcd8404f9f92262303369bb877ec5d188a81 Mon Sep 17 00:00:00 2001 From: Tushar Dave <tdave(a)nvidia.com> Date: Mon, 19 May 2025 18:19:37 -0700 Subject: [PATCH] iommu: Skip PASID validation for devices without PASID capability Generally PASID support requires ACS settings that usually create single device groups, but there are some niche cases where we can get multi-device groups and still have working PASID support. The primary issue is that PCI switches are not required to treat PASID tagged TLPs specially so appropriate ACS settings are required to route all TLPs to the host bridge if PASID is going to work properly. pci_enable_pasid() does check that each device that will use PASID has the proper ACS settings to achieve this routing. However, no-PASID devices can be combined with PASID capable devices within the same topology using non-uniform ACS settings. In this case the no-PASID devices may not have strict route to host ACS flags and end up being grouped with the PASID devices. This configuration fails to allow use of the PASID within the iommu core code which wrongly checks if the no-PASID device supports PASID. Fix this by ignoring no-PASID devices during the PASID validation. They will never issue a PASID TLP anyhow so they can be ignored. Fixes: c404f55c26fc ("iommu: Validate the PASID in iommu_attach_device_pasid()") Cc: stable(a)vger.kernel.org Signed-off-by: Tushar Dave <tdave(a)nvidia.com> Reviewed-by: Lu Baolu <baolu.lu(a)linux.intel.com> Reviewed-by: Vasant Hegde <vasant.hegde(a)amd.com> Link: https://lore.kernel.org/r/20250520011937.3230557-1-tdave@nvidia.com Signed-off-by: Joerg Roedel <jroedel(a)suse.de> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 4f91a740c15f..9d728800a862 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -3366,10 +3366,12 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, int ret; for_each_group_device(group, device) { - ret = domain->ops->set_dev_pasid(domain, device->dev, - pasid, old); - if (ret) - goto err_revert; + if (device->dev->iommu->max_pasids > 0) { + ret = domain->ops->set_dev_pasid(domain, device->dev, + pasid, old); + if (ret) + goto err_revert; + } } return 0; @@ -3379,15 +3381,18 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, for_each_group_device(group, device) { if (device == last_gdev) break; - /* - * If no old domain, undo the succeeded devices/pasid. - * Otherwise, rollback the succeeded devices/pasid to the old - * domain. And it is a driver bug to fail attaching with a - * previously good domain. - */ - if (!old || WARN_ON(old->ops->set_dev_pasid(old, device->dev, + if (device->dev->iommu->max_pasids > 0) { + /* + * If no old domain, undo the succeeded devices/pasid. + * Otherwise, rollback the succeeded devices/pasid to + * the old domain. And it is a driver bug to fail + * attaching with a previously good domain. + */ + if (!old || + WARN_ON(old->ops->set_dev_pasid(old, device->dev, pasid, domain))) - iommu_remove_dev_pasid(device->dev, pasid, domain); + iommu_remove_dev_pasid(device->dev, pasid, domain); + } } return ret; } @@ -3398,8 +3403,10 @@ static void __iommu_remove_group_pasid(struct iommu_group *group, { struct group_device *device; - for_each_group_device(group, device) - iommu_remove_dev_pasid(device->dev, pasid, domain); + for_each_group_device(group, device) { + if (device->dev->iommu->max_pasids > 0) + iommu_remove_dev_pasid(device->dev, pasid, domain); + } } /* @@ -3440,7 +3447,13 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, mutex_lock(&group->mutex); for_each_group_device(group, device) { - if (pasid >= device->dev->iommu->max_pasids) { + /* + * Skip PASID validation for devices without PASID support + * (max_pasids = 0). These devices cannot issue transactions + * with PASID, so they don't affect group's PASID usage. + */ + if ((device->dev->iommu->max_pasids > 0) && + (pasid >= device->dev->iommu->max_pasids)) { ret = -EINVAL; goto out_unlock; }

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu: Skip PASID validation for devices without PASID" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x b3f6fcd8404f9f92262303369bb877ec5d188a81 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052452-sputter-outmost-ef4f@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b3f6fcd8404f9f92262303369bb877ec5d188a81 Mon Sep 17 00:00:00 2001 From: Tushar Dave <tdave(a)nvidia.com> Date: Mon, 19 May 2025 18:19:37 -0700 Subject: [PATCH] iommu: Skip PASID validation for devices without PASID capability Generally PASID support requires ACS settings that usually create single device groups, but there are some niche cases where we can get multi-device groups and still have working PASID support. The primary issue is that PCI switches are not required to treat PASID tagged TLPs specially so appropriate ACS settings are required to route all TLPs to the host bridge if PASID is going to work properly. pci_enable_pasid() does check that each device that will use PASID has the proper ACS settings to achieve this routing. However, no-PASID devices can be combined with PASID capable devices within the same topology using non-uniform ACS settings. In this case the no-PASID devices may not have strict route to host ACS flags and end up being grouped with the PASID devices. This configuration fails to allow use of the PASID within the iommu core code which wrongly checks if the no-PASID device supports PASID. Fix this by ignoring no-PASID devices during the PASID validation. They will never issue a PASID TLP anyhow so they can be ignored. Fixes: c404f55c26fc ("iommu: Validate the PASID in iommu_attach_device_pasid()") Cc: stable(a)vger.kernel.org Signed-off-by: Tushar Dave <tdave(a)nvidia.com> Reviewed-by: Lu Baolu <baolu.lu(a)linux.intel.com> Reviewed-by: Vasant Hegde <vasant.hegde(a)amd.com> Link: https://lore.kernel.org/r/20250520011937.3230557-1-tdave@nvidia.com Signed-off-by: Joerg Roedel <jroedel(a)suse.de> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 4f91a740c15f..9d728800a862 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -3366,10 +3366,12 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, int ret; for_each_group_device(group, device) { - ret = domain->ops->set_dev_pasid(domain, device->dev, - pasid, old); - if (ret) - goto err_revert; + if (device->dev->iommu->max_pasids > 0) { + ret = domain->ops->set_dev_pasid(domain, device->dev, + pasid, old); + if (ret) + goto err_revert; + } } return 0; @@ -3379,15 +3381,18 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain, for_each_group_device(group, device) { if (device == last_gdev) break; - /* - * If no old domain, undo the succeeded devices/pasid. - * Otherwise, rollback the succeeded devices/pasid to the old - * domain. And it is a driver bug to fail attaching with a - * previously good domain. - */ - if (!old || WARN_ON(old->ops->set_dev_pasid(old, device->dev, + if (device->dev->iommu->max_pasids > 0) { + /* + * If no old domain, undo the succeeded devices/pasid. + * Otherwise, rollback the succeeded devices/pasid to + * the old domain. And it is a driver bug to fail + * attaching with a previously good domain. + */ + if (!old || + WARN_ON(old->ops->set_dev_pasid(old, device->dev, pasid, domain))) - iommu_remove_dev_pasid(device->dev, pasid, domain); + iommu_remove_dev_pasid(device->dev, pasid, domain); + } } return ret; } @@ -3398,8 +3403,10 @@ static void __iommu_remove_group_pasid(struct iommu_group *group, { struct group_device *device; - for_each_group_device(group, device) - iommu_remove_dev_pasid(device->dev, pasid, domain); + for_each_group_device(group, device) { + if (device->dev->iommu->max_pasids > 0) + iommu_remove_dev_pasid(device->dev, pasid, domain); + } } /* @@ -3440,7 +3447,13 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, mutex_lock(&group->mutex); for_each_group_device(group, device) { - if (pasid >= device->dev->iommu->max_pasids) { + /* + * Skip PASID validation for devices without PASID support + * (max_pasids = 0). These devices cannot issue transactions + * with PASID, so they don't affect group's PASID usage. + */ + if ((device->dev->iommu->max_pasids > 0) && + (pasid >= device->dev->iommu->max_pasids)) { ret = -EINVAL; goto out_unlock; }

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: marvell: uDPU: define pinctrl state for alarm" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b04f0d89e880bc2cca6a5c73cf287082c91878da # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052403-postcard-ferocious-b503@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b04f0d89e880bc2cca6a5c73cf287082c91878da Mon Sep 17 00:00:00 2001 From: Gabor Juhos <j4g8y7(a)gmail.com> Date: Fri, 9 May 2025 15:48:52 +0200 Subject: [PATCH] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs The two alarm LEDs of on the uDPU board are stopped working since commit 78efa53e715e ("leds: Init leds class earlier"). The LEDs are driven by the GPIO{15,16} pins of the North Bridge GPIO controller. These pins are part of the 'spi_quad' pin group for which the 'spi' function is selected via the default pinctrl state of the 'spi' node. This is wrong however, since in order to allow controlling the LEDs, the pins should use the 'gpio' function. Before the commit mentined above, the 'spi' function is selected first by the pinctrl core before probing the spi driver, but then it gets overridden to 'gpio' implicitly via the devm_gpiod_get_index_optional() call from the 'leds-gpio' driver. After the commit, the LED subsystem gets initialized before the SPI subsystem, so the function of the pin group remains 'spi' which in turn prevents controlling of the LEDs. Despite the change of the initialization order, the root cause is that the pinctrl state definition is wrong since its initial commit 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board"), To fix the problem, override the function in the 'spi_quad_pins' node to 'gpio' and move the pinctrl state definition from the 'spi' node into the 'leds' node. Cc: stable(a)vger.kernel.org # needs adjustment for < 6.1 Fixes: 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board") Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> Signed-off-by: Imre Kaloz <kaloz(a)openwrt.org> Signed-off-by: Gregory CLEMENT <gregory.clement(a)bootlin.com> diff --git a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi index 3a9b6907185d..242820845707 100644 --- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi +++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi @@ -26,6 +26,8 @@ memory@0 { leds { compatible = "gpio-leds"; + pinctrl-names = "default"; + pinctrl-0 = <&spi_quad_pins>; led-power1 { label = "udpu:green:power"; @@ -82,8 +84,6 @@ &sdhci0 { &spi0 { status = "okay"; - pinctrl-names = "default"; - pinctrl-0 = <&spi_quad_pins>; flash@0 { compatible = "jedec,spi-nor"; @@ -108,6 +108,10 @@ partition@180000 { }; }; +&spi_quad_pins { + function = "gpio"; +}; + &pinctrl_nb { i2c2_recovery_pins: i2c2-recovery-pins { groups = "i2c2";

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64: dts: marvell: uDPU: define pinctrl state for alarm" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b04f0d89e880bc2cca6a5c73cf287082c91878da # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052400-sneer-rendering-46c3@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b04f0d89e880bc2cca6a5c73cf287082c91878da Mon Sep 17 00:00:00 2001 From: Gabor Juhos <j4g8y7(a)gmail.com> Date: Fri, 9 May 2025 15:48:52 +0200 Subject: [PATCH] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs The two alarm LEDs of on the uDPU board are stopped working since commit 78efa53e715e ("leds: Init leds class earlier"). The LEDs are driven by the GPIO{15,16} pins of the North Bridge GPIO controller. These pins are part of the 'spi_quad' pin group for which the 'spi' function is selected via the default pinctrl state of the 'spi' node. This is wrong however, since in order to allow controlling the LEDs, the pins should use the 'gpio' function. Before the commit mentined above, the 'spi' function is selected first by the pinctrl core before probing the spi driver, but then it gets overridden to 'gpio' implicitly via the devm_gpiod_get_index_optional() call from the 'leds-gpio' driver. After the commit, the LED subsystem gets initialized before the SPI subsystem, so the function of the pin group remains 'spi' which in turn prevents controlling of the LEDs. Despite the change of the initialization order, the root cause is that the pinctrl state definition is wrong since its initial commit 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board"), To fix the problem, override the function in the 'spi_quad_pins' node to 'gpio' and move the pinctrl state definition from the 'spi' node into the 'leds' node. Cc: stable(a)vger.kernel.org # needs adjustment for < 6.1 Fixes: 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board") Signed-off-by: Gabor Juhos <j4g8y7(a)gmail.com> Signed-off-by: Imre Kaloz <kaloz(a)openwrt.org> Signed-off-by: Gregory CLEMENT <gregory.clement(a)bootlin.com> diff --git a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi index 3a9b6907185d..242820845707 100644 --- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi +++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi @@ -26,6 +26,8 @@ memory@0 { leds { compatible = "gpio-leds"; + pinctrl-names = "default"; + pinctrl-0 = <&spi_quad_pins>; led-power1 { label = "udpu:green:power"; @@ -82,8 +84,6 @@ &sdhci0 { &spi0 { status = "okay"; - pinctrl-names = "default"; - pinctrl-0 = <&spi_quad_pins>; flash@0 { compatible = "jedec,spi-nor"; @@ -108,6 +108,10 @@ partition@180000 { }; }; +&spi_quad_pins { + function = "gpio"; +}; + &pinctrl_nb { i2c2_recovery_pins: i2c2-recovery-pins { groups = "i2c2";

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: core: Fix error checking in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052400-culinary-streak-b400@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)linaro.org> Date: Thu, 8 May 2025 09:29:23 +0300 Subject: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() The error checking for of_count_phandle_with_args() does not handle negative error codes correctly. The problem is that "index" is a u32 so in the condition "if (index >= num_domains)" negative error codes stored in "num_domains" are type promoted to very high positive values and "index" is always going to be valid. Test for negative error codes first and then test if "index" is valid. Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index 9b2f28b34bb5..d6c1ddb807b2 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -3126,7 +3126,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev, /* Verify that the index is within a valid range. */ num_domains = of_count_phandle_with_args(dev->of_node, "power-domains", "#power-domain-cells"); - if (index >= num_domains) + if (num_domains < 0 || index >= num_domains) return NULL; /* Allocate and register device on the genpd bus. */

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: core: Fix error checking in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052459-bully-agreeing-45f1@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)linaro.org> Date: Thu, 8 May 2025 09:29:23 +0300 Subject: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() The error checking for of_count_phandle_with_args() does not handle negative error codes correctly. The problem is that "index" is a u32 so in the condition "if (index >= num_domains)" negative error codes stored in "num_domains" are type promoted to very high positive values and "index" is always going to be valid. Test for negative error codes first and then test if "index" is valid. Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index 9b2f28b34bb5..d6c1ddb807b2 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -3126,7 +3126,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev, /* Verify that the index is within a valid range. */ num_domains = of_count_phandle_with_args(dev->of_node, "power-domains", "#power-domain-cells"); - if (index >= num_domains) + if (num_domains < 0 || index >= num_domains) return NULL; /* Allocate and register device on the genpd bus. */

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: core: Fix error checking in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052459-sleeve-rearrange-e01c@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)linaro.org> Date: Thu, 8 May 2025 09:29:23 +0300 Subject: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() The error checking for of_count_phandle_with_args() does not handle negative error codes correctly. The problem is that "index" is a u32 so in the condition "if (index >= num_domains)" negative error codes stored in "num_domains" are type promoted to very high positive values and "index" is always going to be valid. Test for negative error codes first and then test if "index" is valid. Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index 9b2f28b34bb5..d6c1ddb807b2 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -3126,7 +3126,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev, /* Verify that the index is within a valid range. */ num_domains = of_count_phandle_with_args(dev->of_node, "power-domains", "#power-domain-cells"); - if (index >= num_domains) + if (num_domains < 0 || index >= num_domains) return NULL; /* Allocate and register device on the genpd bus. */

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: core: Fix error checking in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052458-fool-conflict-1a61@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)linaro.org> Date: Thu, 8 May 2025 09:29:23 +0300 Subject: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() The error checking for of_count_phandle_with_args() does not handle negative error codes correctly. The problem is that "index" is a u32 so in the condition "if (index >= num_domains)" negative error codes stored in "num_domains" are type promoted to very high positive values and "index" is always going to be valid. Test for negative error codes first and then test if "index" is valid. Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index 9b2f28b34bb5..d6c1ddb807b2 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -3126,7 +3126,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev, /* Verify that the index is within a valid range. */ num_domains = of_count_phandle_with_args(dev->of_node, "power-domains", "#power-domain-cells"); - if (index >= num_domains) + if (num_domains < 0 || index >= num_domains) return NULL; /* Allocate and register device on the genpd bus. */

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] pmdomain: core: Fix error checking in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052458-boogeyman-busily-acd9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)linaro.org> Date: Thu, 8 May 2025 09:29:23 +0300 Subject: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() The error checking for of_count_phandle_with_args() does not handle negative error codes correctly. The problem is that "index" is a u32 so in the condition "if (index >= num_domains)" negative error codes stored in "num_domains" are type promoted to very high positive values and "index" is always going to be valid. Test for negative error codes first and then test if "index" is valid. Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index 9b2f28b34bb5..d6c1ddb807b2 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -3126,7 +3126,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev, /* Verify that the index is within a valid range. */ num_domains = of_count_phandle_with_args(dev->of_node, "power-domains", "#power-domain-cells"); - if (index >= num_domains) + if (num_domains < 0 || index >= num_domains) return NULL; /* Allocate and register device on the genpd bus. */

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052431-padding-scalping-8aae@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 Mon Sep 17 00:00:00 2001 From: Stefan Binding <sbinding(a)opensource.cirrus.com> Date: Tue, 20 May 2025 13:47:43 +0100 Subject: [PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Add support for HP Agusta. Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C Signed-off-by: Stefan Binding <sbinding(a)opensource.cirrus.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520124757.12597-1-sbinding@opensource.cirrus.… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index a426d9882702..69788dd9a1ec 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10888,6 +10888,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3a, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3b, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e60, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e61, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e62, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052431-scorer-rebuild-b36a@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 Mon Sep 17 00:00:00 2001 From: Stefan Binding <sbinding(a)opensource.cirrus.com> Date: Tue, 20 May 2025 13:47:43 +0100 Subject: [PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Add support for HP Agusta. Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C Signed-off-by: Stefan Binding <sbinding(a)opensource.cirrus.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520124757.12597-1-sbinding@opensource.cirrus.… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index a426d9882702..69788dd9a1ec 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10888,6 +10888,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3a, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3b, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e60, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e61, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e62, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052430-reoccupy-unbroken-8b7d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 Mon Sep 17 00:00:00 2001 From: Stefan Binding <sbinding(a)opensource.cirrus.com> Date: Tue, 20 May 2025 13:47:43 +0100 Subject: [PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Add support for HP Agusta. Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C Signed-off-by: Stefan Binding <sbinding(a)opensource.cirrus.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520124757.12597-1-sbinding@opensource.cirrus.… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index a426d9882702..69788dd9a1ec 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10888,6 +10888,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3a, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3b, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e60, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e61, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e62, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052429-flame-quit-a059@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 Mon Sep 17 00:00:00 2001 From: Stefan Binding <sbinding(a)opensource.cirrus.com> Date: Tue, 20 May 2025 13:47:43 +0100 Subject: [PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Add support for HP Agusta. Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C Signed-off-by: Stefan Binding <sbinding(a)opensource.cirrus.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520124757.12597-1-sbinding@opensource.cirrus.… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index a426d9882702..69788dd9a1ec 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10888,6 +10888,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3a, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3b, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e60, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e61, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e62, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052429-paging-request-9169@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7150d57c370f9e61b7d0e82c58002f1c5a205ac4 Mon Sep 17 00:00:00 2001 From: Stefan Binding <sbinding(a)opensource.cirrus.com> Date: Tue, 20 May 2025 13:47:43 +0100 Subject: [PATCH] ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Add support for HP Agusta. Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C Signed-off-by: Stefan Binding <sbinding(a)opensource.cirrus.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520124757.12597-1-sbinding@opensource.cirrus.… Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index a426d9882702..69788dd9a1ec 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10888,6 +10888,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3a, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e3b, "HP Agusta", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e60, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e61, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e62, "HP Trekker ", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f709b78aecab519dbcefa9a6603b94ad18c553e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052421-wildness-crease-7ddd@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f709b78aecab519dbcefa9a6603b94ad18c553e3 Mon Sep 17 00:00:00 2001 From: Chris Chiu <chris.chiu(a)canonical.com> Date: Tue, 20 May 2025 21:21:01 +0800 Subject: [PATCH] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup New HP ZBook with Realtek HDA codec ALC3247 needs the quirk ALC236_FIXUP_HP_GPIO_LED to fix the micmute LED. Signed-off-by: Chris Chiu <chris.chiu(a)canonical.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520132101.120685-1-chris.chiu@canonical.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 69788dd9a1ec..20ab1fb2195f 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10885,6 +10885,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), SND_PCI_QUIRK(0x103c, 0x8e1b, "HP EliteBook G12", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), SND_PCI_QUIRK(0x103c, 0x8e1c, "HP EliteBook G12", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), + SND_PCI_QUIRK(0x103c, 0x8e1d, "HP ZBook X Gli 16 G12", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x f709b78aecab519dbcefa9a6603b94ad18c553e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052414-bulge-curse-c065@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f709b78aecab519dbcefa9a6603b94ad18c553e3 Mon Sep 17 00:00:00 2001 From: Chris Chiu <chris.chiu(a)canonical.com> Date: Tue, 20 May 2025 21:21:01 +0800 Subject: [PATCH] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup New HP ZBook with Realtek HDA codec ALC3247 needs the quirk ALC236_FIXUP_HP_GPIO_LED to fix the micmute LED. Signed-off-by: Chris Chiu <chris.chiu(a)canonical.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520132101.120685-1-chris.chiu@canonical.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 69788dd9a1ec..20ab1fb2195f 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10885,6 +10885,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), SND_PCI_QUIRK(0x103c, 0x8e1b, "HP EliteBook G12", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), SND_PCI_QUIRK(0x103c, 0x8e1c, "HP EliteBook G12", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), + SND_PCI_QUIRK(0x103c, 0x8e1d, "HP ZBook X Gli 16 G12", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x f709b78aecab519dbcefa9a6603b94ad18c553e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025052414-rubbed-footing-28ca@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f709b78aecab519dbcefa9a6603b94ad18c553e3 Mon Sep 17 00:00:00 2001 From: Chris Chiu <chris.chiu(a)canonical.com> Date: Tue, 20 May 2025 21:21:01 +0800 Subject: [PATCH] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup New HP ZBook with Realtek HDA codec ALC3247 needs the quirk ALC236_FIXUP_HP_GPIO_LED to fix the micmute LED. Signed-off-by: Chris Chiu <chris.chiu(a)canonical.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20250520132101.120685-1-chris.chiu@canonical.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 69788dd9a1ec..20ab1fb2195f 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10885,6 +10885,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), SND_PCI_QUIRK(0x103c, 0x8e1b, "HP EliteBook G12", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), SND_PCI_QUIRK(0x103c, 0x8e1c, "HP EliteBook G12", ALC245_FIXUP_HP_ZBOOK_FIREFLY_G12A), + SND_PCI_QUIRK(0x103c, 0x8e1d, "HP ZBook X Gli 16 G12", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e2c, "HP EliteBook 16 G12", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8e36, "HP 14 Enstrom OmniBook X", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8e37, "HP 16 Piston OmniBook X", ALC287_FIXUP_CS35L41_I2C_2),

5 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] Input: iqs7222 - preserve system status register" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a2add513311b48cc924a699a8174db2c61ed5e8a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025031607-striking-creasing-c69c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2add513311b48cc924a699a8174db2c61ed5e8a Mon Sep 17 00:00:00 2001 From: Jeff LaBundy <jeff(a)labundy.com> Date: Sun, 9 Mar 2025 20:29:59 -0500 Subject: [PATCH] Input: iqs7222 - preserve system status register Some register groups reserve a byte at the end of their continuous address space. Depending on the variant of silicon, this field may share the same memory space as the lower byte of the system status register (0x10). In these cases, caching the reserved byte and writing it later may effectively reset the device depending on what happened in between the read and write operations. Solve this problem by avoiding any access to this last byte within offending register groups. This method replaces a workaround which attempted to write the reserved byte with up-to-date contents, but left a small window in which updates by the device could have been clobbered. Now that the driver does not touch these reserved bytes, the order in which the device's registers are written no longer matters, and they can be written in their natural order. The new method is also much more generic, and can be more easily extended to new variants of silicon with different register maps. As part of this change, the register read and write functions must be gently updated to support byte access instead of word access. Fixes: 2e70ef525b73 ("Input: iqs7222 - acknowledge reset before writing registers") Signed-off-by: Jeff LaBundy <jeff(a)labundy.com> Link: https://lore.kernel.org/r/Z85Alw+d9EHKXx2e@nixie71 Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c index 22022d11470d..80b917944b51 100644 --- a/drivers/input/misc/iqs7222.c +++ b/drivers/input/misc/iqs7222.c @@ -100,11 +100,11 @@ enum iqs7222_reg_key_id { enum iqs7222_reg_grp_id { IQS7222_REG_GRP_STAT, - IQS7222_REG_GRP_FILT, IQS7222_REG_GRP_CYCLE, IQS7222_REG_GRP_GLBL, IQS7222_REG_GRP_BTN, IQS7222_REG_GRP_CHAN, + IQS7222_REG_GRP_FILT, IQS7222_REG_GRP_SLDR, IQS7222_REG_GRP_TPAD, IQS7222_REG_GRP_GPIO, @@ -286,6 +286,7 @@ static const struct iqs7222_event_desc iqs7222_tp_events[] = { struct iqs7222_reg_grp_desc { u16 base; + u16 val_len; int num_row; int num_col; }; @@ -342,6 +343,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xAC00, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -400,6 +402,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xAC00, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -454,6 +457,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xC400, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -496,6 +500,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xC400, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -543,6 +548,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xAA00, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -600,6 +606,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xAA00, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -656,6 +663,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xAE00, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -712,6 +720,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xAE00, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -768,6 +777,7 @@ static const struct iqs7222_dev_desc iqs7222_devs[] = { }, [IQS7222_REG_GRP_FILT] = { .base = 0xAE00, + .val_len = 3, .num_row = 1, .num_col = 2, }, @@ -1604,7 +1614,7 @@ static int iqs7222_force_comms(struct iqs7222_private *iqs7222) } static int iqs7222_read_burst(struct iqs7222_private *iqs7222, - u16 reg, void *val, u16 num_val) + u16 reg, void *val, u16 val_len) { u8 reg_buf[sizeof(__be16)]; int ret, i; @@ -1619,7 +1629,7 @@ static int iqs7222_read_burst(struct iqs7222_private *iqs7222, { .addr = client->addr, .flags = I2C_M_RD, - .len = num_val * sizeof(__le16), + .len = val_len, .buf = (u8 *)val, }, }; @@ -1675,7 +1685,7 @@ static int iqs7222_read_word(struct iqs7222_private *iqs7222, u16 reg, u16 *val) __le16 val_buf; int error; - error = iqs7222_read_burst(iqs7222, reg, &val_buf, 1); + error = iqs7222_read_burst(iqs7222, reg, &val_buf, sizeof(val_buf)); if (error) return error; @@ -1685,10 +1695,9 @@ static int iqs7222_read_word(struct iqs7222_private *iqs7222, u16 reg, u16 *val) } static int iqs7222_write_burst(struct iqs7222_private *iqs7222, - u16 reg, const void *val, u16 num_val) + u16 reg, const void *val, u16 val_len) { int reg_len = reg > U8_MAX ? sizeof(reg) : sizeof(u8); - int val_len = num_val * sizeof(__le16); int msg_len = reg_len + val_len; int ret, i; struct i2c_client *client = iqs7222->client; @@ -1747,7 +1756,7 @@ static int iqs7222_write_word(struct iqs7222_private *iqs7222, u16 reg, u16 val) { __le16 val_buf = cpu_to_le16(val); - return iqs7222_write_burst(iqs7222, reg, &val_buf, 1); + return iqs7222_write_burst(iqs7222, reg, &val_buf, sizeof(val_buf)); } static int iqs7222_ati_trigger(struct iqs7222_private *iqs7222) @@ -1831,30 +1840,14 @@ static int iqs7222_dev_init(struct iqs7222_private *iqs7222, int dir) /* * Acknowledge reset before writing any registers in case the device - * suffers a spurious reset during initialization. Because this step - * may change the reserved fields of the second filter beta register, - * its cache must be updated. - * - * Writing the second filter beta register, in turn, may clobber the - * system status register. As such, the filter beta register pair is - * written first to protect against this hazard. + * suffers a spurious reset during initialization. */ if (dir == WRITE) { - u16 reg = dev_desc->reg_grps[IQS7222_REG_GRP_FILT].base + 1; - u16 filt_setup; - error = iqs7222_write_word(iqs7222, IQS7222_SYS_SETUP, iqs7222->sys_setup[0] | IQS7222_SYS_SETUP_ACK_RESET); if (error) return error; - - error = iqs7222_read_word(iqs7222, reg, &filt_setup); - if (error) - return error; - - iqs7222->filt_setup[1] &= GENMASK(7, 0); - iqs7222->filt_setup[1] |= (filt_setup & ~GENMASK(7, 0)); } /* @@ -1883,6 +1876,7 @@ static int iqs7222_dev_init(struct iqs7222_private *iqs7222, int dir) int num_col = dev_desc->reg_grps[i].num_col; u16 reg = dev_desc->reg_grps[i].base; __le16 *val_buf; + u16 val_len = dev_desc->reg_grps[i].val_len ? : num_col * sizeof(*val_buf); u16 *val; if (!num_col) @@ -1900,7 +1894,7 @@ static int iqs7222_dev_init(struct iqs7222_private *iqs7222, int dir) switch (dir) { case READ: error = iqs7222_read_burst(iqs7222, reg, - val_buf, num_col); + val_buf, val_len); for (k = 0; k < num_col; k++) val[k] = le16_to_cpu(val_buf[k]); break; @@ -1909,7 +1903,7 @@ static int iqs7222_dev_init(struct iqs7222_private *iqs7222, int dir) for (k = 0; k < num_col; k++) val_buf[k] = cpu_to_le16(val[k]); error = iqs7222_write_burst(iqs7222, reg, - val_buf, num_col); + val_buf, val_len); break; default: @@ -1962,7 +1956,7 @@ static int iqs7222_dev_info(struct iqs7222_private *iqs7222) int error, i; error = iqs7222_read_burst(iqs7222, IQS7222_PROD_NUM, dev_id, - ARRAY_SIZE(dev_id)); + sizeof(dev_id)); if (error) return error; @@ -2915,7 +2909,7 @@ static int iqs7222_report(struct iqs7222_private *iqs7222) __le16 status[IQS7222_MAX_COLS_STAT]; error = iqs7222_read_burst(iqs7222, IQS7222_SYS_STATUS, status, - num_stat); + num_stat * sizeof(*status)); if (error) return error;

5 months, 3 weeks

3
3
0 0

I need to talk to you about Investment in your country

by Widad Babikar Omar

Hello Dear, I hope this message finds you well, and let me extend my warmest wishes for a joyful, healthy, and prosperous 2025. My name is Widad Babikar Omar, and a politician/investor from Sudan. For some time now, I’ve been looking for a trustworthy individual or a company to guide me in placing a huge private investment funds into strong, growing business environments — and your region truly stood out to me as full of potential and a viable option. I’m interested in exploring a discreet, long-term investment opportunities outside of Sudan in any of these key sectors due to my background: - Real estate and Construction - Oil & Gas - Renewable energy - Manufacturing and Mining - Healthcare - Tech & innovation - Education and Agriculture My goal is to build a partnership based on trust, clarity, and mutual benefit. If you’re open to a conversation, I’d be glad to share more details and discuss how we might work together. Thank you for considering this opportunity. I understand this might be a significant decision, and I’ll fully respect whatever response you choose to give. Looking forward to hearing from you soon. Warm regards, Widad Babikar Omar

5 months, 3 weeks

1
0
0 0

[PATCH] drm: Fix potential null pointer dereference issues in drm_managed.c

by Haoxiang Li

Add check for the return value of kstrdup_const() in drm_managed.c to prevent potential null pointer dereference. Fixes: c6603c740e0e ("drm: add managed resources tied to drm_device") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/gpu/drm/drm_managed.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/gpu/drm/drm_managed.c b/drivers/gpu/drm/drm_managed.c index cc4c463daae7..0ff8335a337b 100644 --- a/drivers/gpu/drm/drm_managed.c +++ b/drivers/gpu/drm/drm_managed.c @@ -151,6 +151,11 @@ int __drmm_add_action(struct drm_device *dev, } dr->node.name = kstrdup_const(name, GFP_KERNEL); + if (!dr->node.name) { + kfree(dr); + return -ENOMEM; + } + if (data) { void_ptr = (void **)&dr->data; *void_ptr = data; @@ -236,6 +241,10 @@ void *drmm_kmalloc(struct drm_device *dev, size_t size, gfp_t gfp) return NULL; } dr->node.name = kstrdup_const("kmalloc", gfp); + if (!dr->node.name) { + kfree(dr); + return NULL; + } add_dr(dev, dr); -- 2.25.1

5 months, 3 weeks

1
0
0 0

[PATCH] arm64: dts: rockchip: Remove workaround that prevented Turing RK1 GPU power regulator control

by Sam Edwards

The RK3588 GPU power domain cannot be activated unless the external power regulator is already on. When GPU support was added to this DT, we had no way to represent this requirement, so `regulator-always-on` was added to the `vdd_gpu_s0` regulator in order to ensure stability. A later patch series (see "Fixes:" commit) resolved this shortcoming, but that commit left the workaround -- and rendered the comment above it no longer correct. Remove the workaround to allow the GPU power regulator to power off, now that the DT includes the necessary information to power it back on correctly. Fixes: f94500eb7328b ("arm64: dts: rockchip: Add GPU power domain regulator dependency for RK3588") Signed-off-by: Sam Edwards <CFSworks(a)gmail.com> Cc: <stable(a)vger.kernel.org> --- arch/arm64/boot/dts/rockchip/rk3588-turing-rk1.dtsi | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3588-turing-rk1.dtsi b/arch/arm64/boot/dts/rockchip/rk3588-turing-rk1.dtsi index 60ad272982ad..6daea8961fdd 100644 --- a/arch/arm64/boot/dts/rockchip/rk3588-turing-rk1.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3588-turing-rk1.dtsi @@ -398,17 +398,6 @@ rk806_dvs3_null: dvs3-null-pins { regulators { vdd_gpu_s0: vdd_gpu_mem_s0: dcdc-reg1 { - /* - * RK3588's GPU power domain cannot be enabled - * without this regulator active, but it - * doesn't have to be on when the GPU PD is - * disabled. Because the PD binding does not - * currently allow us to express this - * relationship, we have no choice but to do - * this instead: - */ - regulator-always-on; - regulator-boot-on; regulator-min-microvolt = <550000>; regulator-max-microvolt = <950000>; -- 2.48.1

5 months, 3 weeks

1
0
0 0

+ mm-fix-copy_vma-error-handling-for-hugetlb-mappings.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: fix copy_vma() error handling for hugetlb mappings has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-fix-copy_vma-error-handling-for-hugetlb-mappings.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ricardo Ca��uelo Navarro <rcn(a)igalia.com> Subject: mm: fix copy_vma() error handling for hugetlb mappings Date: Fri, 23 May 2025 14:19:10 +0200 If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. This is also what copy_vma_and_data() does with the source vma if copy_vma() succeeds, so a helper function has been added to do the fixup in both functions. The issue was reported by a private syzbot instance and can be reproduced using the C reproducer in [1]. It's also a possible duplicate of public syzbot report [2]. The WARNING report is: ============================================================ page_counter underflow: -1024 nr_pages=1024 WARNING: CPU: 0 PID: 3287 at mm/page_counter.c:61 page_counter_cancel+0xf6/0x120 Modules linked in: CPU: 0 UID: 0 PID: 3287 Comm: repro__WARNING_ Not tainted 6.15.0-rc7+ #54 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:page_counter_cancel+0xf6/0x120 Code: ff 5b 41 5e 41 5f 5d c3 cc cc cc cc e8 f3 4f 8f ff c6 05 64 01 27 06 01 48 c7 c7 60 15 f8 85 48 89 de 4c 89 fa e8 2a a7 51 ff <0f> 0b e9 66 ff ff ff 44 89 f9 80 e1 07 38 c1 7c 9d 4c 81 RSP: 0018:ffffc900025df6a0 EFLAGS: 00010246 RAX: 2edfc409ebb44e00 RBX: fffffffffffffc00 RCX: ffff8880155f0000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff81c4a23c R09: 1ffff1100330482a R10: dffffc0000000000 R11: ffffed100330482b R12: 0000000000000000 R13: ffff888058a882c0 R14: ffff888058a882c0 R15: 0000000000000400 FS: 0000000000000000(0000) GS:ffff88808fc53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b33e0 CR3: 00000000076d6000 CR4: 00000000000006f0 Call Trace: <TASK> page_counter_uncharge+0x33/0x80 hugetlb_cgroup_uncharge_counter+0xcb/0x120 hugetlb_vm_op_close+0x579/0x960 ? __pfx_hugetlb_vm_op_close+0x10/0x10 remove_vma+0x88/0x130 exit_mmap+0x71e/0xe00 ? __pfx_exit_mmap+0x10/0x10 ? __mutex_unlock_slowpath+0x22e/0x7f0 ? __pfx_exit_aio+0x10/0x10 ? __up_read+0x256/0x690 ? uprobe_clear_state+0x274/0x290 ? mm_update_next_owner+0xa9/0x810 __mmput+0xc9/0x370 exit_mm+0x203/0x2f0 ? __pfx_exit_mm+0x10/0x10 ? taskstats_exit+0x32b/0xa60 do_exit+0x921/0x2740 ? do_raw_spin_lock+0x155/0x3b0 ? __pfx_do_exit+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0xc5/0x100 do_group_exit+0x20c/0x2c0 get_signal+0x168c/0x1720 ? __pfx_get_signal+0x10/0x10 ? schedule+0x165/0x360 arch_do_signal_or_restart+0x8e/0x7d0 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? __pfx___se_sys_futex+0x10/0x10 syscall_exit_to_user_mode+0xb8/0x2c0 do_syscall_64+0x75/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x422dcd Code: Unable to access opcode bytes at 0x422da3. RSP: 002b:00007ff266cdb208 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007ff266cdbcdc RCX: 0000000000422dcd RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004c7bec RBP: 00007ff266cdb220 R08: 203a6362696c6720 R09: 203a6362696c6720 R10: 0000200000c00000 R11: 0000000000000246 R12: ffffffffffffffd0 R13: 0000000000000002 R14: 00007ffe1cb5f520 R15: 00007ff266cbb000 </TASK> ============================================================ Link: https://lkml.kernel.org/r/20250523-warning_in_page_counter_cancel-v2-1-b6df… Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [2] Signed-off-by: Ricardo Ca��uelo Navarro <rcn(a)igalia.com> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Florent Revest <revest(a)google.com> Cc: Jann Horn <jannh(a)google.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/hugetlb.h | 5 +++++ mm/hugetlb.c | 16 +++++++++++++++- mm/mremap.c | 3 +-- mm/vma.c | 1 + 4 files changed, 22 insertions(+), 3 deletions(-) --- a/include/linux/hugetlb.h~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/include/linux/hugetlb.h @@ -275,6 +275,7 @@ long hugetlb_change_protection(struct vm bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); +void fixup_hugetlb_reservations(struct vm_area_struct *vma); #else /* !CONFIG_HUGETLB_PAGE */ @@ -468,6 +469,10 @@ static inline vm_fault_t hugetlb_fault(s static inline void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { } +static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ +} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write --- a/mm/hugetlb.c~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/mm/hugetlb.c @@ -1250,7 +1250,7 @@ void hugetlb_dup_vma_private(struct vm_a /* * Reset and decrement one ref on hugepage private reservation. * Called with mm->mmap_lock writer semaphore held. - * This function should be only used by move_vma() and operate on + * This function should be only used by mremap and operate on * same sized vma. It should never come here with last ref on the * reservation. */ @@ -7939,3 +7939,17 @@ void hugetlb_unshare_all_pmds(struct vm_ hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), ALIGN_DOWN(vma->vm_end, PUD_SIZE)); } + +/* + * For hugetlb, mremap() is an odd edge case - while the VMA copying is + * performed, we permit both the old and new VMAs to reference the same + * reservation. + * + * We fix this up after the operation succeeds, or if a newly allocated VMA + * is closed as a result of a failure to allocate memory. + */ +void fixup_hugetlb_reservations(struct vm_area_struct *vma) +{ + if (is_vm_hugetlb_page(vma)) + clear_vma_resv_huge_pages(vma); +} --- a/mm/mremap.c~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/mm/mremap.c @@ -1188,8 +1188,7 @@ static int copy_vma_and_data(struct vma_ mremap_userfaultfd_prep(new_vma, vrm->uf); } - if (is_vm_hugetlb_page(vma)) - clear_vma_resv_huge_pages(vma); + fixup_hugetlb_reservations(vma); /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) --- a/mm/vma.c~mm-fix-copy_vma-error-handling-for-hugetlb-mappings +++ a/mm/vma.c @@ -1834,6 +1834,7 @@ struct vm_area_struct *copy_vma(struct v return new_vma; out_vma_link: + fixup_hugetlb_reservations(new_vma); vma_close(new_vma); if (new_vma->vm_file) _ Patches currently in -mm which might be from rcn(a)igalia.com are mm-fix-copy_vma-error-handling-for-hugetlb-mappings.patch

5 months, 3 weeks

1
0
0 0

+ memcg-always-call-cond_resched-after-fn.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: memcg: always call cond_resched() after fn() has been added to the -mm mm-hotfixes-unstable branch. Its filename is memcg-always-call-cond_resched-after-fn.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Breno Leitao <leitao(a)debian.org> Subject: memcg: always call cond_resched() after fn() Date: Fri, 23 May 2025 10:21:06 -0700 I am seeing soft lockup on certain machine types when a cgroup OOMs. This is happening because killing the process in certain machine might be very slow, which causes the soft lockup and RCU stalls. This happens usually when the cgroup has MANY processes and memory.oom.group is set. Example I am seeing in real production: [462012.244552] Memory cgroup out of memory: Killed process 3370438 (crosvm) .... .... [462037.318059] Memory cgroup out of memory: Killed process 4171372 (adb) .... [462037.348314] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [stat_manager-ag:1618982] .... Quick look at why this is so slow, it seems to be related to serial flush for certain machine types. For all the crashes I saw, the target CPU was at console_flush_all(). In the case above, there are thousands of processes in the cgroup, and it is soft locking up before it reaches the 1024 limit in the code (which would call the cond_resched()). So, cond_resched() in 1024 blocks is not sufficient. Remove the counter-based conditional rescheduling logic and call cond_resched() unconditionally after each task iteration, after fn() is called. This avoids the lockup independently of how slow fn() is. Link: https://lkml.kernel.org/r/20250523-memcg_fix-v1-1-ad3eafb60477@debian.org Fixes: ade81479c7dd ("memcg: fix soft lockup in the OOM process") Signed-off-by: Breno Leitao <leitao(a)debian.org> Suggested-by: Rik van Riel <riel(a)surriel.com> Acked-by: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Michael van der Westhuizen <rmikey(a)meta.com> Cc: Usama Arif <usamaarif642(a)gmail.com> Cc: Pavel Begunkov <asml.silence(a)gmail.com> Cc: Chen Ridong <chenridong(a)huawei.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/mm/memcontrol.c~memcg-always-call-cond_resched-after-fn +++ a/mm/memcontrol.c @@ -1168,7 +1168,6 @@ void mem_cgroup_scan_tasks(struct mem_cg { struct mem_cgroup *iter; int ret = 0; - int i = 0; BUG_ON(mem_cgroup_is_root(memcg)); @@ -1178,10 +1177,9 @@ void mem_cgroup_scan_tasks(struct mem_cg css_task_iter_start(&iter->css, CSS_TASK_ITER_PROCS, &it); while (!ret && (task = css_task_iter_next(&it))) { - /* Avoid potential softlockup warning */ - if ((++i & 1023) == 0) - cond_resched(); ret = fn(task, arg); + /* Avoid potential softlockup warning */ + cond_resched(); } css_task_iter_end(&it); if (ret) { _ Patches currently in -mm which might be from leitao(a)debian.org are memcg-always-call-cond_resched-after-fn.patch

5 months, 3 weeks

1
0
0 0

[PATCH v2 net-next 4/7] smb: client: Add missing net_passive_dec().

by Kuniyuki Iwashima

While reverting commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod"), I should have added net_passive_dec(), which was added between the original commit and the revert by commit 5c70eb5c593d ("net: better track kernel sockets lifetime"). Let's call net_passive_dec() in generic_ip_connect(). Note that this commit is only needed for 6.14+. Fixes: 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") Cc: <stable(a)vger.kernel.org> # 6.14.x Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> --- fs/smb/client/connect.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 37a2ba38f10e..afac23a5a3ec 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -3359,6 +3359,7 @@ generic_ip_connect(struct TCP_Server_Info *server) sk = server->ssocket->sk; __netns_tracker_free(net, &sk->ns_tracker, false); + net_passive_dec(net); sk->sk_net_refcnt = 1; get_net_track(net, &sk->ns_tracker, GFP_KERNEL); sock_inuse_add(net, 1); -- 2.49.0

5 months, 3 weeks

1
0
0 0

[PATCH 6.6.y 0/1] pds_core: Prevent possible adminq overflow/stuck condition

by Alper Ak

The breaking commit has been present since v6.4. Although the fix is present in v6.15-rc4, v6.12.26 and v6.14.5 it is still missing in 6.6.y stable tree. Brett Creeley (1): pds_core: Prevent possible adminq overflow/stuck condition drivers/net/ethernet/amd/pds_core/core.c | 5 +---- drivers/net/ethernet/amd/pds_core/core.h | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) -- 2.43.0

5 months, 3 weeks

1
1
0 0

Re: [PATCH 1/4] arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency

by kernel test robot

Hi, Thanks for your patch. FYI: kernel test robot notices the stable kernel rule is not satisfied. The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opt… Rule: add the tag "Cc: stable(a)vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree. Subject: [PATCH 1/4] arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency Link: https://lore.kernel.org/stable/20250523173723.4167474-1-tharvey%40gateworks… -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

5 months, 3 weeks

1
0
0 0

[PATCH v2 1/1] x86/fred/signal: Prevent single-step upon ERETU completion

by Xin Li (Intel)

From: Xin Li <xin(a)zytor.com> Clear the software event flag in the augmented SS to prevent infinite SIGTRAP handler loop if TF is used without an external debugger. Following is a typical single-stepping flow for a user process: 1) The user process is prepared for single-stepping by setting RFLAGS.TF = 1. 2) When any instruction in user space completes, a #DB is triggered. 3) The kernel handles the #DB and returns to user space, invoking the SIGTRAP handler with RFLAGS.TF = 0. 4) After the SIGTRAP handler finishes, the user process performs a sigreturn syscall, restoring the original state, including RFLAGS.TF = 1. 5) Goto step 2. According to the FRED specification: A) Bit 17 in the augmented SS is designated as the software event flag, which is set to 1 for FRED event delivery of SYSCALL, SYSENTER, or INT n. B) If bit 17 of the augmented SS is 1 and ERETU would result in RFLAGS.TF = 1, a single-step trap will be pending upon completion of ERETU. In step 4) above, the software event flag is set upon the sigreturn syscall, and its corresponding ERETU would restore RFLAGS.TF = 1. This combination causes a pending single-step trap upon completion of ERETU. Therefore, another #DB is triggered before any user space instruction is executed, which leads to an infinite loop in which the SIGTRAP handler keeps being invoked on the same user space IP. Suggested-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: stable(a)vger.kernel.org --- Change in v2: *) Remove the check cpu_feature_enabled(X86_FEATURE_FRED), because regs->fred_ss.swevent will always be 0 otherwise (H. Peter Anvin). --- arch/x86/include/asm/sighandling.h | 19 +++++++++++++++++++ arch/x86/kernel/signal_32.c | 4 ++++ arch/x86/kernel/signal_64.c | 4 ++++ 3 files changed, 27 insertions(+) diff --git a/arch/x86/include/asm/sighandling.h b/arch/x86/include/asm/sighandling.h index e770c4fc47f4..637f7705f0b2 100644 --- a/arch/x86/include/asm/sighandling.h +++ b/arch/x86/include/asm/sighandling.h @@ -24,4 +24,23 @@ int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); +/* + * To prevent infinite SIGTRAP handler loop if TF is used without an external + * debugger, clear the software event flag in the augmented SS, ensuring no + * single-step trap is pending upon ERETU completion. + * + * Note, this function should be called in sigreturn() before the original state + * is restored to make sure the TF is read from the entry frame. + */ +static __always_inline void prevent_single_step_upon_eretu(struct pt_regs *regs) +{ + /* + * If the trap flag (TF) is set, i.e., the sigreturn() SYSCALL instruction + * is being single-stepped, do not clear the software event flag in the + * augmented SS, thus a debugger won't skip over the following instruction. + */ + if (IS_ENABLED(CONFIG_X86_FRED) && !(regs->flags & X86_EFLAGS_TF)) + regs->fred_ss.swevent = 0; +} + #endif /* _ASM_X86_SIGHANDLING_H */ diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index 98123ff10506..42bbc42bd350 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -152,6 +152,8 @@ SYSCALL32_DEFINE0(sigreturn) struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); sigset_t set; + prevent_single_step_upon_eretu(regs); + if (!access_ok(frame, sizeof(*frame))) goto badframe; if (__get_user(set.sig[0], &frame->sc.oldmask) @@ -175,6 +177,8 @@ SYSCALL32_DEFINE0(rt_sigreturn) struct rt_sigframe_ia32 __user *frame; sigset_t set; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); if (!access_ok(frame, sizeof(*frame))) diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index ee9453891901..d483b585c6c6 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -250,6 +250,8 @@ SYSCALL_DEFINE0(rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long)); if (!access_ok(frame, sizeof(*frame))) goto badframe; @@ -366,6 +368,8 @@ COMPAT_SYSCALL_DEFINE0(x32_rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8); if (!access_ok(frame, sizeof(*frame))) base-commit: 6a7c3c2606105a41dde81002c0037420bc1ddf00 -- 2.49.0

5 months, 3 weeks

5
9
0 0

nfs mount failed with ipv6 addr

by Yan, Haixiao (CN)

On linux-5.10.y, my testcase run failed: root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# mount -t nfs [::1]:/mnt/nfs_root /mnt/v6 -o nfsvers=3 mount.nfs: requested NFS version or transport protocol is not supported The first bad commit is: commit 7229200f68662660bb4d55f19247eaf3c79a4217 Author: Chuck Lever <chuck.lever(a)oracle.com> Date: Mon Jun 3 10:35:02 2024 -0400 nfsd: don't allow nfsd threads to be signalled. [ Upstream commit 3903902401451b1cd9d797a8c79769eb26ac7fe5 ] Here is the test log: root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# dd if=/dev/zero of=/tmp/nfs.img bs=1M count=100 100+0 records in 100+0 records out 104857600 bytes (105 MB, 100 MiB) copied, 0.0386658 s, 2.7 GB/s root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# mkfs /tmp/nfs.img mke2fs 1.46.1 (9-Feb-2021) Discarding device blocks: 1024/102400 done Creating filesystem with 102400 1k blocks and 25688 inodes Filesystem UUID: 77e3bc56-46bb-4e5c-9619-d9a0c0999958 Superblock backups stored on blocks: 8193, 24577, 40961, 57345, 73729 Allocating group tables: 0/13 done Writing inode tables: 0/13 done Writing superblocks and filesystem accounting information: 0/13 done root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# mount /tmp/nfs.img /mnt root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# mkdir /mnt/nfs_root root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# touch /etc/exports root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# echo '/mnt/nfs_root *(insecure,rw,async,no_root_squash)' >> /etc/exports root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# /opt/wr-test/bin/svcwp.sh nfsserver restart stopping mountd: done stopping nfsd: ..........failed using signal 9: ..........failed exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/mnt/nfs_root". Assuming default behaviour ('no_subtree_check'). NOTE: this default has changed since nfs-utils version 1.0.x starting 8 nfsd kernel threads: done starting mountd: done exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/mnt/nfs_root". Assuming default behaviour ('no_subtree_check'). NOTE: this default has changed since nfs-utils version 1.0.x root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# echo hello > /mnt/nfs_root/hello.txt root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# mkdir /mnt/v6 root@intel-x86-64:/opt/wr-test/testcases/userspace/nfs-utils_v6# mount -t nfs [::1]:/mnt/nfs_root /mnt/v6 -o nfsvers=3 mount.nfs: requested NFS version or transport protocol is not supported Thanks, Haixiao

5 months, 3 weeks

4
9
0 0

[PATCH v2] iio: common: st_sensors: Fix use of uninitialize device structs

by Maud Spierings via B4 Relay

From: Maud Spierings <maudspierings(a)gocontroll.com> Throughout the various probe functions &indio_dev->dev is used before it is initialized. This caused a kernel panic in st_sensors_power_enable when the call to devm_regulator_bulk_get_enable() fails and then calls dev_err_probe() with the uninitialized device. This seems to only cause a panic with dev_err_probe(), dev_err, dev_warn and dev_info don't seem to cause a panic, but are fixed as well. Signed-off-by: Maud Spierings <maudspierings(a)gocontroll.com> --- When I search for general &indio_dev->dev usage, I see quite a lot more hits, but I am not sure if there are issues with those too. This issue has existed for a long time it seems and therefore it is nearly impossible to find a proper fixes tag. I would love to see it at least backported to 6.12 as that is where I encountered it, and I believe the patch should apply without conflicts. The investigation into this issue can be found in this thread [1] [1]: https://lore.kernel.org/all/AM7P189MB100986A83D2F28AF3FFAF976E39EA@AM7P189M… --- Changes in v2: - Added SoB in commit message - Link to v1: https://lore.kernel.org/r/20250522-st_iio_fix-v1-1-d689b35f1612@gocontroll.… --- drivers/iio/accel/st_accel_core.c | 10 +++---- drivers/iio/common/st_sensors/st_sensors_core.c | 35 +++++++++++----------- drivers/iio/common/st_sensors/st_sensors_trigger.c | 18 +++++------ 3 files changed, 31 insertions(+), 32 deletions(-) diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c index 99cb661fabb2d9cc1943fa8d0a6f3becb71126e6..a7961c610ed203d039bbf298c8883031a578fb0b 100644 --- a/drivers/iio/accel/st_accel_core.c +++ b/drivers/iio/accel/st_accel_core.c @@ -1353,6 +1353,7 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) union acpi_object *ont; union acpi_object *elements; acpi_status status; + struct device *parent = indio_dev->dev.parent; int ret = -EINVAL; unsigned int val; int i, j; @@ -1371,7 +1372,7 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) }; - adev = ACPI_COMPANION(indio_dev->dev.parent); + adev = ACPI_COMPANION(parent); if (!adev) return -ENXIO; @@ -1380,8 +1381,7 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) if (status == AE_NOT_FOUND) { return -ENXIO; } else if (ACPI_FAILURE(status)) { - dev_warn(&indio_dev->dev, "failed to execute _ONT: %d\n", - status); + dev_warn(parent, "failed to execute _ONT: %d\n", status); return status; } @@ -1457,12 +1457,12 @@ static int apply_acpi_orientation(struct iio_dev *indio_dev) } ret = 0; - dev_info(&indio_dev->dev, "computed mount matrix from ACPI\n"); + dev_info(parent, "computed mount matrix from ACPI\n"); out: kfree(buffer.pointer); if (ret) - dev_dbg(&indio_dev->dev, + dev_dbg(parent, "failed to apply ACPI orientation data: %d\n", ret); return ret; diff --git a/drivers/iio/common/st_sensors/st_sensors_core.c b/drivers/iio/common/st_sensors/st_sensors_core.c index 8ce1dccfea4f5aaff45d3d40f6542323dd1f0b09..11cbf561b16d41f429745abb516c137cfbb302bb 100644 --- a/drivers/iio/common/st_sensors/st_sensors_core.c +++ b/drivers/iio/common/st_sensors/st_sensors_core.c @@ -154,7 +154,7 @@ static int st_sensors_set_fullscale(struct iio_dev *indio_dev, unsigned int fs) return err; st_accel_set_fullscale_error: - dev_err(&indio_dev->dev, "failed to set new fullscale.\n"); + dev_err(indio_dev->dev.parent, "failed to set new fullscale.\n"); return err; } @@ -231,7 +231,7 @@ int st_sensors_power_enable(struct iio_dev *indio_dev) ARRAY_SIZE(regulator_names), regulator_names); if (err) - return dev_err_probe(&indio_dev->dev, err, + return dev_err_probe(parent, err, "unable to enable supplies\n"); return 0; @@ -241,13 +241,14 @@ EXPORT_SYMBOL_NS(st_sensors_power_enable, "IIO_ST_SENSORS"); static int st_sensors_set_drdy_int_pin(struct iio_dev *indio_dev, struct st_sensors_platform_data *pdata) { + struct device *parent = indio_dev->dev.parent; struct st_sensor_data *sdata = iio_priv(indio_dev); /* Sensor does not support interrupts */ if (!sdata->sensor_settings->drdy_irq.int1.addr && !sdata->sensor_settings->drdy_irq.int2.addr) { if (pdata->drdy_int_pin) - dev_info(&indio_dev->dev, + dev_info(parent, "DRDY on pin INT%d specified, but sensor does not support interrupts\n", pdata->drdy_int_pin); return 0; @@ -256,29 +257,27 @@ static int st_sensors_set_drdy_int_pin(struct iio_dev *indio_dev, switch (pdata->drdy_int_pin) { case 1: if (!sdata->sensor_settings->drdy_irq.int1.mask) { - dev_err(&indio_dev->dev, - "DRDY on INT1 not available.\n"); + dev_err(parent, "DRDY on INT1 not available.\n"); return -EINVAL; } sdata->drdy_int_pin = 1; break; case 2: if (!sdata->sensor_settings->drdy_irq.int2.mask) { - dev_err(&indio_dev->dev, - "DRDY on INT2 not available.\n"); + dev_err(parent, "DRDY on INT2 not available.\n"); return -EINVAL; } sdata->drdy_int_pin = 2; break; default: - dev_err(&indio_dev->dev, "DRDY on pdata not valid.\n"); + dev_err(parent, "DRDY on pdata not valid.\n"); return -EINVAL; } if (pdata->open_drain) { if (!sdata->sensor_settings->drdy_irq.int1.addr_od && !sdata->sensor_settings->drdy_irq.int2.addr_od) - dev_err(&indio_dev->dev, + dev_err(parent, "open drain requested but unsupported.\n"); else sdata->int_pin_open_drain = true; @@ -336,6 +335,7 @@ EXPORT_SYMBOL_NS(st_sensors_dev_name_probe, "IIO_ST_SENSORS"); int st_sensors_init_sensor(struct iio_dev *indio_dev, struct st_sensors_platform_data *pdata) { + struct device *parent = indio_dev->dev.parent; struct st_sensor_data *sdata = iio_priv(indio_dev); struct st_sensors_platform_data *of_pdata; int err = 0; @@ -343,7 +343,7 @@ int st_sensors_init_sensor(struct iio_dev *indio_dev, mutex_init(&sdata->odr_lock); /* If OF/DT pdata exists, it will take precedence of anything else */ - of_pdata = st_sensors_dev_probe(indio_dev->dev.parent, pdata); + of_pdata = st_sensors_dev_probe(parent, pdata); if (IS_ERR(of_pdata)) return PTR_ERR(of_pdata); if (of_pdata) @@ -370,7 +370,7 @@ int st_sensors_init_sensor(struct iio_dev *indio_dev, if (err < 0) return err; } else - dev_info(&indio_dev->dev, "Full-scale not possible\n"); + dev_info(parent, "Full-scale not possible\n"); err = st_sensors_set_odr(indio_dev, sdata->odr); if (err < 0) @@ -405,7 +405,7 @@ int st_sensors_init_sensor(struct iio_dev *indio_dev, mask = sdata->sensor_settings->drdy_irq.int2.mask_od; } - dev_info(&indio_dev->dev, + dev_info(parent, "set interrupt line to open drain mode on pin %d\n", sdata->drdy_int_pin); err = st_sensors_write_data_with_mask(indio_dev, addr, @@ -593,21 +593,20 @@ EXPORT_SYMBOL_NS(st_sensors_get_settings_index, "IIO_ST_SENSORS"); int st_sensors_verify_id(struct iio_dev *indio_dev) { struct st_sensor_data *sdata = iio_priv(indio_dev); + struct device *parent = indio_dev->dev.parent; int wai, err; if (sdata->sensor_settings->wai_addr) { err = regmap_read(sdata->regmap, sdata->sensor_settings->wai_addr, &wai); if (err < 0) { - dev_err(&indio_dev->dev, - "failed to read Who-Am-I register.\n"); - return err; + return dev_err_probe(parent, err, + "failed to read Who-Am-I register.\n"); } if (sdata->sensor_settings->wai != wai) { - dev_warn(&indio_dev->dev, - "%s: WhoAmI mismatch (0x%x).\n", - indio_dev->name, wai); + dev_warn(parent, "%s: WhoAmI mismatch (0x%x).\n", + indio_dev->name, wai); } } diff --git a/drivers/iio/common/st_sensors/st_sensors_trigger.c b/drivers/iio/common/st_sensors/st_sensors_trigger.c index 9d4bf822a15dfcdd6c2835f6b9d7698cd3cb0b08..32c3278968089699dff5329e943d92b151b55fdf 100644 --- a/drivers/iio/common/st_sensors/st_sensors_trigger.c +++ b/drivers/iio/common/st_sensors/st_sensors_trigger.c @@ -127,7 +127,7 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, sdata->trig = devm_iio_trigger_alloc(parent, "%s-trigger", indio_dev->name); if (sdata->trig == NULL) { - dev_err(&indio_dev->dev, "failed to allocate iio trigger.\n"); + dev_err(parent, "failed to allocate iio trigger.\n"); return -ENOMEM; } @@ -143,7 +143,7 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, case IRQF_TRIGGER_FALLING: case IRQF_TRIGGER_LOW: if (!sdata->sensor_settings->drdy_irq.addr_ihl) { - dev_err(&indio_dev->dev, + dev_err(parent, "falling/low specified for IRQ but hardware supports only rising/high: will request rising/high\n"); if (irq_trig == IRQF_TRIGGER_FALLING) irq_trig = IRQF_TRIGGER_RISING; @@ -156,21 +156,21 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, sdata->sensor_settings->drdy_irq.mask_ihl, 1); if (err < 0) return err; - dev_info(&indio_dev->dev, + dev_info(parent, "interrupts on the falling edge or active low level\n"); } break; case IRQF_TRIGGER_RISING: - dev_info(&indio_dev->dev, + dev_info(parent, "interrupts on the rising edge\n"); break; case IRQF_TRIGGER_HIGH: - dev_info(&indio_dev->dev, + dev_info(parent, "interrupts active high level\n"); break; default: /* This is the most preferred mode, if possible */ - dev_err(&indio_dev->dev, + dev_err(parent, "unsupported IRQ trigger specified (%lx), enforce rising edge\n", irq_trig); irq_trig = IRQF_TRIGGER_RISING; } @@ -179,7 +179,7 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, if (irq_trig == IRQF_TRIGGER_FALLING || irq_trig == IRQF_TRIGGER_RISING) { if (!sdata->sensor_settings->drdy_irq.stat_drdy.addr) { - dev_err(&indio_dev->dev, + dev_err(parent, "edge IRQ not supported w/o stat register.\n"); return -EOPNOTSUPP; } @@ -214,13 +214,13 @@ int st_sensors_allocate_trigger(struct iio_dev *indio_dev, sdata->trig->name, sdata->trig); if (err) { - dev_err(&indio_dev->dev, "failed to request trigger IRQ.\n"); + dev_err(parent, "failed to request trigger IRQ.\n"); return err; } err = devm_iio_trigger_register(parent, sdata->trig); if (err < 0) { - dev_err(&indio_dev->dev, "failed to register iio trigger.\n"); + dev_err(parent, "failed to register iio trigger.\n"); return err; } indio_dev->trig = iio_trigger_get(sdata->trig); --- base-commit: 7bac2c97af4078d7a627500c9bcdd5b033f97718 change-id: 20250522-st_iio_fix-1c58fdd4d420 Best regards, -- Maud Spierings <maudspierings(a)gocontroll.com>

5 months, 3 weeks

5
5
0 0

[PATCH 6.12 000/122] 6.12.11-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.11 release. There are 122 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 23 Jan 2025 17:45:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.11-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.11-rc1 Ryan Lee <ryan.lee(a)canonical.com> apparmor: allocate xmatch for nullpdb inside aa_alloc_null Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Validate mdoe under MST LCT=1 case as well Nicholas Susanto <Nicholas.Susanto(a)amd.com> Revert "drm/amd/display: Enable urgent latency adjustments for DCN35" Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Do not wait for PSR disable on vbl enable Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Disable replay and psr while VRR is enabled Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix PSR-SU not support but still call the amdgpu_dm_psr_enable Christian König <christian.koenig(a)amd.com> drm/amdgpu: always sync the GFX pipe on ctx switch Kenneth Feng <kenneth.feng(a)amd.com> drm/amdgpu: disable gfxoff with the compute workload on gfx12 Gui Chengming <Jack.Gui(a)amd.com> drm/amdgpu: fix fw attestation for MP0_14_0_{2/3} Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/smu13: update powersave optimizations Ashutosh Dixit <ashutosh.dixit(a)intel.com> drm/xe/oa: Add missing VISACTL mux registers Matthew Brost <matthew.brost(a)intel.com> drm/xe: Mark ComputeCS read mode as UC on iGPU Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Relax clear color alignment to 64 bytes Xin Li (Intel) <xin(a)zytor.com> x86/fred: Fix the FRED RSP0 MSR out of sync with its per-CPU cache Frederic Weisbecker <frederic(a)kernel.org> timers/migration: Enforce group initialization visibility to tree walkers Frederic Weisbecker <frederic(a)kernel.org> timers/migration: Fix another race between hotplug and idle entry/exit Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Tomas Krcka <krckatom(a)amazon.de> irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> irqchip: Plug a OF node reference leak in platform_irqchip_probe() Steven Rostedt <rostedt(a)goodmis.org> tracing: gfp: Fix the GFP enum values shown for user space tracing tools Donet Tom <donettom(a)linux.ibm.com> mm: vmscan : pgdemote vmstat is not getting updated when MGLRU is enabled. Ryan Roberts <ryan.roberts(a)arm.com> mm: clear uffd-wp PTE/PMD state on mremap() Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Do not elevate mem_type change to full update Ryan Roberts <ryan.roberts(a)arm.com> selftests/mm: set allocated memory to non-zero content in cow test Guo Weikang <guoweikang.kernel(a)gmail.com> mm/kmemleak: fix percpu memory leak detection failure Xiaolei Wang <xiaolei.wang(a)windriver.com> pmdomain: imx8mp-blk-ctrl: add missing loop break condition Suren Baghdasaryan <surenb(a)google.com> tools: fix atomic_set() definition to set the value correctly Sean Anderson <sean.anderson(a)linux.dev> gpio: xilinx: Convert gpio_lock to raw spinlock Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Marco Nelissen <marco.nelissen(a)gmail.com> filemap: avoid truncating 64-bit offset to 32 bits Paul Fertser <fercerpav(a)gmail.com> net/ncsi: fix locking in Get MAC Address handling Takashi Iwai <tiwai(a)suse.de> drm/nouveau/disp: Fix missing backlight control on Macbook 5,1 Dave Airlie <airlied(a)redhat.com> nouveau/fence: handle cross device fences properly Stefano Garzarella <sgarzare(a)redhat.com> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Stefano Garzarella <sgarzare(a)redhat.com> vsock: reset socket state when de-assigning the transport Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: cancel close work in the destructor Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: discard packets if the transport changes Stefano Garzarella <sgarzare(a)redhat.com> vsock/bpf: return early if transport is not assigned Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Paolo Abeni <pabeni(a)redhat.com> selftests: mptcp: avoid spurious errors on disconnect Paolo Abeni <pabeni(a)redhat.com> mptcp: fix spurious wake-up on under memory pressure Paolo Abeni <pabeni(a)redhat.com> mptcp: be sure to send ack when mptcp-level window re-opens Tomi Valkeinen <tomi.valkeinen+renesas(a)ideasonboard.com> i2c: atr: Fix client detach Kairui Song <kasong(a)tencent.com> zram: fix potential UAF of zram table Luke D. Jones <luke(a)ljones.dev> ALSA: hda/realtek: fixup ASUS H7606W Luke D. Jones <luke(a)ljones.dev> ALSA: hda/realtek: fixup ASUS GA605W Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Juergen Gross <jgross(a)suse.com> x86/asm: Make serialize() always_inline Peter Zijlstra <peterz(a)infradead.org> sched/fair: Fix update_cfs_group() vs DELAY_DEQUEUE Peter Zijlstra <peterz(a)infradead.org> sched/fair: Fix EEVDF entity placement bug causing scheduling lag Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Tejun Heo <tj(a)kernel.org> sched_ext: Fix dsq_local_on selftest Hongguang Gao <hongguang.gao(a)broadcom.com> RDMA/bnxt_re: Fix to export port num to ib_query_qp David Vernet <void(a)manifault.com> scx: Fix maximal BPF selftest prog Ihor Solodrai <ihor.solodrai(a)pm.me> selftests/sched_ext: fix build after renames in sched_ext API Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Lizhi Xu <lizhi.xu(a)windriver.com> afs: Fix merge preference rule failure condition Marco Nelissen <marco.nelissen(a)gmail.com> iomap: avoid avoid truncating 64-bit offset to 32 bits Henry Huang <henry.hj(a)antgroup.com> sched_ext: keep running prev when prev->scx.slice != 0 Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: acpi_dev_irq_override(): Check DMI match last Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86: ISST: Add Clearwater Forest to support list Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86/intel: power-domains: Add Clearwater Forest support Jakub Kicinski <kuba(a)kernel.org> selftests: tc-testing: reduce rshift value Koichiro Den <koichiro.den(a)canonical.com> gpio: sim: lock up configfs that an instantiated device depends on Koichiro Den <koichiro.den(a)canonical.com> gpio: virtuser: lock up configfs that an instantiated device depends on Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Max Kellermann <max.kellermann(a)ionos.com> cachefiles: Parse the "secctx" immediately David Howells <dhowells(a)redhat.com> netfs: Fix non-contiguous donation between completed reads David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Zhang Kunbo <zhangkunbo(a)huawei.com> fs: fix missing declaration of init_files Brahmajit Das <brahmajit.xyz(a)gmail.com> fs/qnx6: Fix building with GCC 15 Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Paulo Alcantara <pc(a)manguebit.com> smb: client: fix double free of TCP_Server_Info::hostname David Lechner <dlechner(a)baylibre.com> hwmon: (ltc2991) Fix mixed signed/unsigned in DIV_ROUND_CLOSEST Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: testunit: on errors, repeat NACK until STOP Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: fix NACK handling when being a target Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Pratyush Yadav <pratyush(a)kernel.org> Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" David Lechner <dlechner(a)baylibre.com> hwmon: (tmp513) Fix division of negative numbers Chenyuan Yang <chenyuan0y(a)gmail.com> platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race Chenyuan Yang <chenyuan0y(a)gmail.com> platform/x86: dell-uart-backlight: fix serdev race Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> i2c: core: fix reference leak in i2c_register_adapter() MD Danish Anwar <danishanwar(a)ti.com> soc: ti: pruss: Fix pruss APIs Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> reset: rzg2l-usbphy-ctrl: Assign proper of node to the allocated device Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Add new keep_resv BO param Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Unreserve BO on error Yu-Chun Lin <eleanor15x(a)gmail.com> drm/tests: helpers: Fix compiler warning Jakub Kicinski <kuba(a)kernel.org> netdev: avoid CFI problems with sock priv helpers Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Always start IPsec sequence number from 1 Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Rely on reqid in IPsec tunnel mode Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel Mark Zhang <markzhang(a)nvidia.com> net/mlx5: Clear port select structure when fail to create Chris Mi <cmi(a)nvidia.com> net/mlx5: SF, Fix add port error handling Yishai Hadas <yishaih(a)nvidia.com> net/mlx5: Fix a lockdep warning as part of the write combining test Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix RDMA TX steering prio Pavel Begunkov <asml.silence(a)gmail.com> net: make page_pool_ref_netmem work with net iovs Kevin Groeneveld <kgroeneveld(a)lenbrook.com> net: fec: handle page_pool_dev_alloc_pages error Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix IRQ coalescing packet count overflow Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Move endif to the end of Kconfig file Kuniyuki Iwashima <kuniyu(a)amazon.com> pfcp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Qu Wenruo <wqu(a)suse.com> btrfs: add the missing error handling inside get_canonical_dev_path Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: teo: Update documentation after previous changes Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Add correct PHY lane assignment Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Use ice_adapter for PTP shared data instead of auxdev Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Add ice_get_ctrl_ptp() wrapper to simplify the code Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Introduce ice_get_phy_model() wrapper Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Fix ETH56G FC-FEC Rx offset value Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Fix quad registers read on E825 Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Fix E825 initialization Artem Chernyshev <artem.chernyshev(a)red-soft.ru> pktgen: Avoid out-of-bounds access in get_imix_entries Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Paul Barker <paul.barker.ct(a)bp.renesas.com> net: ravb: Fix max TX frame size for RZ/V2M Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: always recalculate features after XDP clearing, fix null-deref Michal Luczaj <mhal(a)rbox.co> bpf: Fix bpf_sk_select_reuseport() memory leak Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Ard Biesheuvel <ardb(a)kernel.org> efi/zboot: Limit compression options to GZIP and ZSTD ------------- Diffstat: Makefile | 4 +- arch/x86/include/asm/special_insns.h | 2 +- arch/x86/kernel/fred.c | 8 +- drivers/acpi/resource.c | 6 +- drivers/block/zram/zram_drv.c | 1 + drivers/cpufreq/Kconfig | 4 +- drivers/cpuidle/governors/teo.c | 91 +++---- drivers/firmware/efi/Kconfig | 4 - drivers/firmware/efi/libstub/Makefile.zboot | 18 +- drivers/gpio/gpio-sim.c | 48 +++- drivers/gpio/gpio-virtuser.c | 49 +++- drivers/gpio/gpio-xilinx.c | 32 +-- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_fw_attestation.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 4 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 41 ++- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 25 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 4 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.h | 2 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 14 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 35 ++- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.h | 3 +- .../gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 11 +- drivers/gpu/drm/i915/display/intel_fb.c | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 6 +- drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c | 1 + drivers/gpu/drm/tests/drm_kunit_helpers.c | 3 +- drivers/gpu/drm/v3d/v3d_irq.c | 4 + drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 3 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 3 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 +- drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 1 + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 20 +- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 7 +- drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 5 +- drivers/gpu/drm/xe/xe_hw_engine.c | 2 +- drivers/gpu/drm/xe/xe_oa.c | 1 + drivers/hwmon/ltc2991.c | 2 +- drivers/hwmon/tmp513.c | 7 +- drivers/i2c/busses/i2c-rcar.c | 20 +- drivers/i2c/i2c-atr.c | 2 +- drivers/i2c/i2c-core-base.c | 1 + drivers/i2c/i2c-slave-testunit.c | 19 +- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 + drivers/infiniband/hw/bnxt_re/ib_verbs.h | 4 + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 + drivers/irqchip/irq-gic-v3-its.c | 2 +- drivers/irqchip/irq-gic-v3.c | 2 +- drivers/irqchip/irqchip.c | 4 +- drivers/mtd/spi-nor/core.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 +- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 7 - drivers/net/ethernet/freescale/fec_main.c | 19 +- drivers/net/ethernet/intel/ice/ice.h | 5 + drivers/net/ethernet/intel/ice/ice_adapter.c | 6 + drivers/net/ethernet/intel/ice/ice_adapter.h | 22 +- drivers/net/ethernet/intel/ice/ice_adminq_cmd.h | 1 + drivers/net/ethernet/intel/ice/ice_common.c | 51 ++++ drivers/net/ethernet/intel/ice/ice_common.h | 1 + drivers/net/ethernet/intel/ice/ice_main.c | 6 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 165 +++++++----- drivers/net/ethernet/intel/ice/ice_ptp.h | 9 +- drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 2 +- drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 285 +++++++++++---------- drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 5 + drivers/net/ethernet/intel/ice/ice_type.h | 2 - .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 22 +- .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 12 +- .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 + .../net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 +- .../net/ethernet/mellanox/mlx5/core/sf/devlink.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/wc.c | 24 +- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/renesas/ravb_main.c | 1 + drivers/net/ethernet/ti/cpsw_ale.c | 14 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 + drivers/net/gtp.c | 26 +- drivers/net/pfcp.c | 15 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/platform/x86/dell/dell-uart-backlight.c | 5 +- .../x86/intel/speed_select_if/isst_if_common.c | 1 + drivers/platform/x86/intel/tpmi_power_domains.c | 1 + .../x86/lenovo-yoga-tab2-pro-1380-fastcharger.c | 5 +- drivers/pmdomain/imx/imx8mp-blk-ctrl.c | 2 +- drivers/reset/reset-rzg2l-usbphy-ctrl.c | 1 + drivers/ufs/core/ufshcd.c | 9 +- fs/afs/addr_prefs.c | 6 +- fs/btrfs/volumes.c | 4 + fs/cachefiles/daemon.c | 14 +- fs/cachefiles/internal.h | 3 +- fs/cachefiles/security.c | 6 +- fs/file.c | 1 + fs/hfs/super.c | 4 +- fs/iomap/buffered-io.c | 2 +- fs/netfs/read_collect.c | 9 +- fs/proc/vmcore.c | 2 + fs/qnx6/inode.c | 11 +- fs/smb/client/connect.c | 3 +- include/linux/hrtimer.h | 1 + include/linux/poll.h | 10 +- include/linux/pruss_driver.h | 12 +- include/linux/userfaultfd_k.h | 12 + include/net/page_pool/helpers.h | 2 +- include/trace/events/mmflags.h | 63 +++++ kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/sched/ext.c | 11 +- kernel/sched/fair.c | 151 ++--------- kernel/time/hrtimer.c | 11 +- kernel/time/timer_migration.c | 43 +++- mm/filemap.c | 2 +- mm/huge_memory.c | 12 + mm/hugetlb.c | 14 +- mm/kmemleak.c | 2 +- mm/mremap.c | 32 ++- mm/vmscan.c | 3 + net/core/filter.c | 30 ++- net/core/netdev-genl-gen.c | 14 +- net/core/pktgen.c | 6 +- net/mac802154/iface.c | 4 + net/mptcp/options.c | 6 +- net/mptcp/protocol.h | 9 +- net/ncsi/internal.h | 2 + net/ncsi/ncsi-manage.c | 16 +- net/ncsi/ncsi-rsp.c | 19 +- net/openvswitch/actions.c | 4 +- net/vmw_vsock/af_vsock.c | 18 ++ net/vmw_vsock/virtio_transport_common.c | 38 ++- net/vmw_vsock/vsock_bpf.c | 9 + security/apparmor/policy.c | 1 + sound/pci/hda/patch_realtek.c | 3 + tools/net/ynl/ynl-gen-c.py | 16 +- tools/testing/selftests/mm/cow.c | 8 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 +++- .../selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c | 2 +- .../selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c | 4 +- .../testing/selftests/sched_ext/dsp_local_on.bpf.c | 7 +- tools/testing/selftests/sched_ext/dsp_local_on.c | 5 +- .../selftests/sched_ext/enq_select_cpu_fails.bpf.c | 2 +- tools/testing/selftests/sched_ext/exit.bpf.c | 4 +- tools/testing/selftests/sched_ext/maximal.bpf.c | 8 +- .../selftests/sched_ext/select_cpu_dfl.bpf.c | 2 +- .../sched_ext/select_cpu_dfl_nodispatch.bpf.c | 2 +- .../selftests/sched_ext/select_cpu_dispatch.bpf.c | 2 +- .../sched_ext/select_cpu_dispatch_bad_dsq.bpf.c | 2 +- .../sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c | 4 +- .../selftests/sched_ext/select_cpu_vtime.bpf.c | 8 +- .../tc-testing/tc-tests/filters/flow.json | 4 +- tools/testing/shared/linux/maple_tree.h | 2 +- tools/testing/vma/linux/atomic.h | 2 +- 157 files changed, 1345 insertions(+), 766 deletions(-)

5 months, 3 weeks

18
145
0 0

[PATCH v2 1/1] Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests

by mhkelley58＠gmail.com

From: Michael Kelley <mhklinux(a)outlook.com> The Hyper-V host provides guest VMs with a range of MMIO addresses that guest VMBus drivers can use. The VMBus driver in Linux manages that MMIO space, and allocates portions to drivers upon request. As part of managing that MMIO space in a Generation 2 VM, the VMBus driver must reserve the portion of the MMIO space that Hyper-V has designated for the synthetic frame buffer, and not allocate this space to VMBus drivers other than graphics framebuffer drivers. The synthetic frame buffer MMIO area is described by the screen_info data structure that is passed to the Linux kernel at boot time, so the VMBus driver must access screen_info for Generation 2 VMs. (In Generation 1 VMs, the framebuffer MMIO space is communicated to the guest via a PCI pseudo-device, and access to screen_info is not needed.) In commit a07b50d80ab6 ("hyperv: avoid dependency on screen_info") the VMBus driver's access to screen_info is restricted to when CONFIG_SYSFB is enabled. CONFIG_SYSFB is typically enabled in kernels built for Hyper-V by virtue of having at least one of CONFIG_FB_EFI, CONFIG_FB_VESA, or CONFIG_SYSFB_SIMPLEFB enabled, so the restriction doesn't usually affect anything. But it's valid to have none of these enabled, in which case CONFIG_SYSFB is not enabled, and the VMBus driver is unable to properly reserve the framebuffer MMIO space for graphics framebuffer drivers. The framebuffer MMIO space may be assigned to some other VMBus driver, with undefined results. As an example, if a VM is using a PCI pass-thru NVMe controller to host the OS disk, the PCI NVMe controller is probed before any graphics devices, and the NVMe controller is assigned a portion of the framebuffer MMIO space. Hyper-V reports an error to Linux during the probe, and the OS disk fails to get setup. Then Linux fails to boot in the VM. Fix this by having CONFIG_HYPERV always select SYSFB. Then the VMBus driver in a Gen 2 VM can always reserve the MMIO space for the graphics framebuffer driver, and prevent the undefined behavior. But don't select SYSFB when building for HYPERV_VTL_MODE as VTLs other than VTL 0 don't have a framebuffer and aren't subject to the issue. Adding SYSFB in such cases is harmless, but would increase the image size for no purpose. Fixes: a07b50d80ab6 ("hyperv: avoid dependency on screen_info") Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> --- Changes in v2: * Made "select SYSFB" conditional on not being a build for VTL mode (Saurabh Sengar) drivers/hv/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig index eefa0b559b73..1cd188b73b74 100644 --- a/drivers/hv/Kconfig +++ b/drivers/hv/Kconfig @@ -9,6 +9,7 @@ config HYPERV select PARAVIRT select X86_HV_CALLBACK_VECTOR if X86 select OF_EARLY_FLATTREE if OF + select SYSFB if !HYPERV_VTL_MODE help Select this option to run Linux as a Hyper-V client operating system. -- 2.25.1

5 months, 3 weeks

3
2
0 0

Investment Help

by Calib Cassim

Good Day, How are you? My name is Calib Cassim from Eskom Holdings Ltd. SA. I got your email from my personal search. I have in my position an (over-invoice / over-estimated) contract amount executed by a Foreign Contractor through my Department, which the contractor has been paid, and left the remaining amount of $25.5M with the payment Management. So, I need your help to receive the amount on my behalf as a Co-contractor, I will obtain all the needed legal documents for the transfer to you for an investment in your area. If you can handle it, please reply with your phone number for more discussions and guidelines. Thanks, Mr. Calib

5 months, 3 weeks

1
0
0 0

[PATCH] firmware: cs_dsp: Fix OOB memory read access in KUnit test

by Jaroslav Kysela

KASAN reported out of bounds access - cs_dsp_mock_bin_add_name_or_info(), because the source string length was rounded up to the allocation size. Cc: Simon Trimmer <simont(a)opensource.cirrus.com> Cc: Charles Keepax <ckeepax(a)opensource.cirrus.com> Cc: Richard Fitzgerald <rf(a)opensource.cirrus.com> Cc: patches(a)opensource.cirrus.com Cc: stable(a)vger.kernel.org Signed-off-by: Jaroslav Kysela <perex(a)perex.cz> --- drivers/firmware/cirrus/test/cs_dsp_mock_bin.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/cirrus/test/cs_dsp_mock_bin.c b/drivers/firmware/cirrus/test/cs_dsp_mock_bin.c index 49d84f7e59e6..a0601b23b1bd 100644 --- a/drivers/firmware/cirrus/test/cs_dsp_mock_bin.c +++ b/drivers/firmware/cirrus/test/cs_dsp_mock_bin.c @@ -96,10 +96,11 @@ static void cs_dsp_mock_bin_add_name_or_info(struct cs_dsp_mock_bin_builder *bui if (info_len % 4) { /* Create a padded string with length a multiple of 4 */ + size_t copy_len = info_len; info_len = round_up(info_len, 4); tmp = kunit_kzalloc(builder->test_priv->test, info_len, GFP_KERNEL); KUNIT_ASSERT_NOT_ERR_OR_NULL(builder->test_priv->test, tmp); - memcpy(tmp, info, info_len); + memcpy(tmp, info, copy_len); info = tmp; } -- 2.49.0

5 months, 3 weeks

3
2
0 0

[PATCH V2] hfsplus: Return null terminated string from hfsplus_uni2asc()

by Aaro Mäkinen

In case hfsplus_uni2asc() is called with reused buffer there is a possibility that the buffer contains remains of the last string and the null character is only after that. This can and has caused problems in functions that call hfsplus_uni2asc(). Also correct the error handling for call to copy_name() where the above problem caused error to be not passed in hfsplus_listxattr(). Fixes: 7dcbf17e3f91 ("hfsplus: refactor copy_name to not use strncpy") Cc: stable(a)vger.kernel.org Cc: linux-fsdevel(a)vger.kernel.org Signed-off-by: Aaro Mäkinen <aaro(a)tuxera.com> Reviewed-by: Anton Altaparmakov <anton(a)tuxera.com> --- Changes in v2: - Add Cc tag to sign-off area --- fs/hfsplus/unicode.c | 1 + fs/hfsplus/xattr.c | 13 ++++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c index 73342c925a4b..1f122e3c9583 100644 --- a/fs/hfsplus/unicode.c +++ b/fs/hfsplus/unicode.c @@ -246,6 +246,7 @@ int hfsplus_uni2asc(struct super_block *sb, res = 0; out: *len_p = (char *)op - astr; + *op = '\0'; return res; } diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c index 9a1a93e3888b..f20487ad4e8a 100644 --- a/fs/hfsplus/xattr.c +++ b/fs/hfsplus/xattr.c @@ -746,9 +746,16 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size) if (size < (res + name_len(strbuf, xattr_name_len))) { res = -ERANGE; goto end_listxattr; - } else - res += copy_name(buffer + res, - strbuf, xattr_name_len); + } else { + err = copy_name(buffer + res, + strbuf, xattr_name_len); + if (err < 0) { + res = err; + goto end_listxattr; + } + else + res += err; + } } if (hfs_brec_goto(&fd, 1)) -- 2.43.0

5 months, 3 weeks

1
0
0 0

[PATCH net,v2] hv_netvsc: fix potential deadlock in netvsc_vf_setxdp()

by Saurabh Sengar

The MANA driver's probe registers netdevice via the following call chain: mana_probe() register_netdev() register_netdevice() register_netdevice() calls notifier callback for netvsc driver, holding the netdev mutex via netdev_lock_ops(). Further this netvsc notifier callback end up attempting to acquire the same lock again in dev_xdp_propagate() leading to deadlock. netvsc_netdev_event() netvsc_vf_setxdp() dev_xdp_propagate() This deadlock was not observed so far because net_shaper_ops was never set, and thus the lock was effectively a no-op in this case. Fix this by using netif_xdp_propagate() instead of dev_xdp_propagate() to avoid recursive locking in this path. Also, clean up the unregistration path by removing the unnecessary call to netvsc_vf_setxdp(), since unregister_netdevice_many_notify() already performs this cleanup via dev_xdp_uninstall(). Fixes: 97246d6d21c2 ("net: hold netdev instance lock during ndo_bpf") Cc: stable(a)vger.kernel.org Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Tested-by: Erni Sri Satya Vennela <ernis(a)linux.microsoft.com> Reviewed-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- [V2] - Modified commit message drivers/net/hyperv/netvsc_bpf.c | 2 +- drivers/net/hyperv/netvsc_drv.c | 2 -- net/core/dev.c | 1 + 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/hyperv/netvsc_bpf.c b/drivers/net/hyperv/netvsc_bpf.c index e01c5997a551..1dd3755d9e6d 100644 --- a/drivers/net/hyperv/netvsc_bpf.c +++ b/drivers/net/hyperv/netvsc_bpf.c @@ -183,7 +183,7 @@ int netvsc_vf_setxdp(struct net_device *vf_netdev, struct bpf_prog *prog) xdp.command = XDP_SETUP_PROG; xdp.prog = prog; - ret = dev_xdp_propagate(vf_netdev, &xdp); + ret = netif_xdp_propagate(vf_netdev, &xdp); if (ret && prog) bpf_prog_put(prog); diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index d8b169ac0343..ee3aaf9c10e6 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -2462,8 +2462,6 @@ static int netvsc_unregister_vf(struct net_device *vf_netdev) netdev_info(ndev, "VF unregistering: %s\n", vf_netdev->name); - netvsc_vf_setxdp(vf_netdev, NULL); - reinit_completion(&net_device_ctx->vf_add); netdev_rx_handler_unregister(vf_netdev); netdev_upper_dev_unlink(vf_netdev, ndev); diff --git a/net/core/dev.c b/net/core/dev.c index fccf2167b235..8c6c9d7fba26 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -9953,6 +9953,7 @@ int netif_xdp_propagate(struct net_device *dev, struct netdev_bpf *bpf) return dev->netdev_ops->ndo_bpf(dev, bpf); } +EXPORT_SYMBOL_GPL(netif_xdp_propagate); u32 dev_xdp_prog_id(struct net_device *dev, enum bpf_xdp_mode mode) { -- 2.43.0

5 months, 3 weeks

4
4
0 0

Re: Patch "x86/relocs: Handle R_X86_64_REX_GOTPCRELX relocations" has been added to the 6.14-stable tree

by Nathan Chancellor

On Thu, May 22, 2025 at 05:30:09PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > x86/relocs: Handle R_X86_64_REX_GOTPCRELX relocations > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > x86-relocs-handle-r_x86_64_rex_gotpcrelx-relocations.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit d8e603969259e50aa632d1a3fde8883f41e26150 > Author: Brian Gerst <brgerst(a)gmail.com> > Date: Thu Jan 23 14:07:37 2025 -0500 > > x86/relocs: Handle R_X86_64_REX_GOTPCRELX relocations > > [ Upstream commit cb7927fda002ca49ae62e2782c1692acc7b80c67 ] > > Clang may produce R_X86_64_REX_GOTPCRELX relocations when redefining the > stack protector location. Treat them as another type of PC-relative > relocation. > > Signed-off-by: Brian Gerst <brgerst(a)gmail.com> > Signed-off-by: Ingo Molnar <mingo(a)kernel.org> > Reviewed-by: Ard Biesheuvel <ardb(a)kernel.org> > Cc: Linus Torvalds <torvalds(a)linux-foundation.org> > Link: https://lore.kernel.org/r/20250123190747.745588-6-brgerst@gmail.com > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c > index e937be979ec86..92a1e503305ef 100644 > --- a/arch/x86/tools/relocs.c > +++ b/arch/x86/tools/relocs.c > @@ -32,6 +32,11 @@ static struct relocs relocs32; > static struct relocs relocs32neg; > static struct relocs relocs64; > # define FMT PRIu64 > + > +#ifndef R_X86_64_REX_GOTPCRELX > +# define R_X86_64_REX_GOTPCRELX 42 > +#endif > + > #else > # define FMT PRIu32 > #endif > @@ -227,6 +232,7 @@ static const char *rel_type(unsigned type) > REL_TYPE(R_X86_64_PC16), > REL_TYPE(R_X86_64_8), > REL_TYPE(R_X86_64_PC8), > + REL_TYPE(R_X86_64_REX_GOTPCRELX), > #else > REL_TYPE(R_386_NONE), > REL_TYPE(R_386_32), > @@ -861,6 +867,7 @@ static int do_reloc64(struct section *sec, Elf_Rel *rel, ElfW(Sym) *sym, > > case R_X86_64_PC32: > case R_X86_64_PLT32: > + case R_X86_64_REX_GOTPCRELX: > /* > * PC relative relocations don't need to be adjusted unless > * referencing a percpu symbol. Didn't Ard just say this has no purpose in stable? https://lore.kernel.org/CAMj1kXGtasdqRPn8koNN095VEEU4K409QvieMdgGXNUK0kPgkw… Cheers, Nathan

5 months, 3 weeks

2
1
0 0

[PATCH] drm/xe/sched: stop re-submitting signalled jobs

by Matthew Auld

Customer is reporting a really subtle issue where we get random DMAR faults, hangs and other nasties for kernel migration jobs when stressing stuff like s2idle/s3/s4. The explosions seems to happen somewhere after resuming the system with splats looking something like: PM: suspend exit rfkill: input handler disabled xe 0000:00:02.0: [drm] GT0: Engine reset: engine_class=bcs, logical_mask: 0x2, guc_id=0 xe 0000:00:02.0: [drm] GT0: Timedout job: seqno=24496, lrc_seqno=24496, guc_id=0, flags=0x13 in no process [-1] xe 0000:00:02.0: [drm] GT0: Kernel-submitted job timed out The likely cause appears to be a race between suspend cancelling the worker that processes the free_job()'s, such that we still have pending jobs to be freed after the cancel. Following from this, on resume the pending_list will now contain at least one already complete job, but it looks like we call drm_sched_resubmit_jobs(), which will then call run_job() on everything still on the pending_list. But if the job was already complete, then all the resources tied to the job, like the bb itself, any memory that is being accessed, the iommu mappings etc. might be long gone since those are usually tied to the fence signalling. This scenario can be seen in ftrace when running a slightly modified xe_pm (kernel was only modified to inject artificial latency into free_job to make the race easier to hit): xe_sched_job_run: dev=0000:00:02.0, fence=0xffff888276cc8540, seqno=0, lrc_seqno=0, gt=0, guc_id=0, batch_addr=0x000000146910 ... xe_exec_queue_stop: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x0, flags=0x13 xe_exec_queue_stop: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=1, guc_state=0x0, flags=0x4 xe_exec_queue_stop: dev=0000:00:02.0, 4:0x1, gt=1, width=1, guc_id=0, guc_state=0x0, flags=0x3 xe_exec_queue_stop: dev=0000:00:02.0, 1:0x1, gt=1, width=1, guc_id=1, guc_state=0x0, flags=0x3 xe_exec_queue_stop: dev=0000:00:02.0, 4:0x1, gt=1, width=1, guc_id=2, guc_state=0x0, flags=0x3 xe_exec_queue_resubmit: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x0, flags=0x13 xe_sched_job_run: dev=0000:00:02.0, fence=0xffff888276cc8540, seqno=0, lrc_seqno=0, gt=0, guc_id=0, batch_addr=0x000000146910 ... ..... xe_exec_queue_memory_cat_error: dev=0000:00:02.0, 3:0x2, gt=0, width=1, guc_id=0, guc_state=0x3, flags=0x13 So the job_run() is clearly triggered twice, even though the first must have already signalled to completion during suspend. We can also see a CAT error after the re-submit. To prevent this try to call xe_sched_stop() to forcefully remove anything on the pending_list that has already signalled, before we re-submit. Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4856 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: William Tseng <william.tseng(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_gpu_scheduler.h | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/xe/xe_gpu_scheduler.h b/drivers/gpu/drm/xe/xe_gpu_scheduler.h index c250ea773491..9315da58d02d 100644 --- a/drivers/gpu/drm/xe/xe_gpu_scheduler.h +++ b/drivers/gpu/drm/xe/xe_gpu_scheduler.h @@ -51,6 +51,7 @@ static inline void xe_sched_tdr_queue_imm(struct xe_gpu_scheduler *sched) static inline void xe_sched_resubmit_jobs(struct xe_gpu_scheduler *sched) { + xe_sched_stop(sched); drm_sched_resubmit_jobs(&sched->base); } -- 2.49.0

5 months, 3 weeks

1
0
0 0

[PATCH] mm: fix copy_vma() error handling for hugetlb mappings

by Ricardo Cañuelo Navarro

If, during a mremap() operation for a hugetlb-backed memory mapping, copy_vma() fails after the source vma has been duplicated and opened (ie. vma_link() fails), the error is handled by closing the new vma. This updates the hugetlbfs reservation counter of the reservation map which at this point is referenced by both the source vma and the new copy. As a result, once the new vma has been freed and copy_vma() returns, the reservation counter for the source vma will be incorrect. This patch addresses this corner case by clearing the hugetlb private page reservation reference for the new vma and decrementing the reference before closing the vma, so that vma_close() won't update the reservation counter. The issue was reported by a private syzbot instance, see the error report log [1] and reproducer [2]. Possible duplicate of public syzbot report [3]. Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Cc: stable(a)vger.kernel.org # 6.12+ Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [1] Link: https://people.igalia.com/rcn/kernel_logs/20250422__WARNING_in_page_counter… [2] Link: https://lore.kernel.org/all/67000a50.050a0220.49194.048d.GAE@google.com/ [3] --- mm/vma.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/vma.c b/mm/vma.c index 839d12f02c885d3338d8d233583eb302d82bb80b..9d9f699ace977c9c869e5da5f88f12be183adcfb 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -1834,6 +1834,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: + if (is_vm_hugetlb_page(new_vma)) + clear_vma_resv_huge_pages(new_vma); vma_close(new_vma); if (new_vma->vm_file) --- base-commit: 94305e83eccb3120c921cd3a015cd74731140bac change-id: 20250523-warning_in_page_counter_cancel-e8c71a6b4c88

5 months, 3 weeks

3
6
0 0

[PATCH] i2c: qup: Add error handling in qup_i2c_xfer_v2()

by Wentao Liang

The qup_i2c_xfer_v2() calls the qup_i2c_change_state() but does not check its return value. A proper implementation can be found in qup_i2c_xfer(). Add error handling for qup_i2c_change_state(). If the function fails, return the error code. Fixes: 7545c7dba169 ("i2c: qup: reorganization of driver code to remove polling for qup v2") Cc: stable(a)vger.kernel.org # v4.17 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/i2c/busses/i2c-qup.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c index da20b4487c9a..2477f570fe86 100644 --- a/drivers/i2c/busses/i2c-qup.c +++ b/drivers/i2c/busses/i2c-qup.c @@ -1538,7 +1538,7 @@ static int qup_i2c_xfer_v2(struct i2c_adapter *adap, int num) { struct qup_i2c_dev *qup = i2c_get_adapdata(adap); - int ret, idx = 0; + int ret, err, idx = 0; qup->bus_err = 0; qup->qup_err = 0; @@ -1588,7 +1588,9 @@ static int qup_i2c_xfer_v2(struct i2c_adapter *adap, ret = qup_i2c_bus_active(qup, ONE_BYTE); if (!ret) - qup_i2c_change_state(qup, QUP_RESET_STATE); + err = qup_i2c_change_state(qup, QUP_RESET_STATE); + if (err) + return err; if (ret == 0) ret = num; -- 2.42.0.windows.2

5 months, 3 weeks

5
5
0 0

[PATCH] drm/nouveau/mmu: fix potential overflow in PFN size calculation

by Alexey Nepomnyashih

On most Linux-supported platforms, `int` is 32-bit, making (1 << 47) undefined and potentially dangerous. To ensure defined behavior and correct 64-bit arithmetic, replace `1` with `1ULL`. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org # v5.1+ Fixes: a5ff307fe1f2 ("drm/nouveau/mmu: add a privileged method to directly manage PTEs") Signed-off-by: Alexey Nepomnyashih <sdl(a)nppct.ru> --- drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c index 9c97800fe037..29da1acbe3a8 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c @@ -1383,7 +1383,7 @@ nvkm_vmm_pfn_map(struct nvkm_vmm *vmm, u8 shift, u64 addr, u64 size, u64 *pfn) */ while (size) { pfn[pi++] = NVKM_VMM_PFN_NONE; - size -= 1 << page->shift; + size -= 1ULL << page->shift; } } else { pi += size >> page->shift; -- 2.43.0

5 months, 3 weeks

1
0
0 0

[PATCH] LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg

by Huacai Chen

When building kernel with LLVM there are occasionally such errors: In file included from ./include/linux/spinlock.h:59: In file included from ./include/linux/irqflags.h:17: arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1 38 | "csrxchg %[val], %[mask], %[reg]\n\t" | ^ <inline asm>:1:16: note: instantiated into assembly here 1 | csrxchg $a1, $ra, 0 | ^ The "mask" of the csrxchg instruction should not be $r0 or $r1, but the compiler cannot avoid generating such code currently. So force to use t0 in the inline asm, in order to avoid using $r0/$r1. Cc: stable(a)vger.kernel.org Suggested-by: WANG Rui <wangrui(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/arch/loongarch/include/asm/irqflags.h b/arch/loongarch/include/asm/irqflags.h index 319a8c616f1f..003172b8406b 100644 --- a/arch/loongarch/include/asm/irqflags.h +++ b/arch/loongarch/include/asm/irqflags.h @@ -14,40 +14,48 @@ static inline void arch_local_irq_enable(void) { u32 flags = CSR_CRMD_IE; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline void arch_local_irq_disable(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } static inline unsigned long arch_local_irq_save(void) { u32 flags = 0; + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); return flags; } static inline void arch_local_irq_restore(unsigned long flags) { + register u32 mask asm("t0") = CSR_CRMD_IE; + __asm__ __volatile__( "csrxchg %[val], %[mask], %[reg]\n\t" : [val] "+r" (flags) - : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) + : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) : "memory"); } -- 2.47.1

5 months, 3 weeks

4
3
0 0

[PATCH v1 1/1] x86/fred/signal: Prevent single-step upon ERETU completion

by Xin Li (Intel)

From: Xin Li <xin(a)zytor.com> Clear the software event flag in the augmented SS to prevent infinite SIGTRAP handler loop if TF is used without an external debugger. Following is a typical single-stepping flow for a user process: 1) The user process is prepared for single-stepping by setting RFLAGS.TF = 1. 2) When any instruction in user space completes, a #DB is triggered. 3) The kernel handles the #DB and returns to user space, invoking the SIGTRAP handler with RFLAGS.TF = 0. 4) After the SIGTRAP handler finishes, the user process performs a sigreturn syscall, restoring the original state, including RFLAGS.TF = 1. 5) Goto step 2. According to the FRED specification: A) Bit 17 in the augmented SS is designated as the software event flag, which is set to 1 for FRED event delivery of SYSCALL, SYSENTER, or INT n. B) If bit 17 of the augmented SS is 1 and ERETU would result in RFLAGS.TF = 1, a single-step trap will be pending upon completion of ERETU. In step 4) above, the software event flag is set upon the sigreturn syscall, and its corresponding ERETU would restore RFLAGS.TF = 1. This combination causes a pending single-step trap upon completion of ERETU. Therefore, another #DB is triggered before any user space instruction is executed, which leads to an infinite loop in which the SIGTRAP handler keeps being invoked on the same user space IP. Suggested-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: stable(a)vger.kernel.org --- arch/x86/include/asm/sighandling.h | 20 ++++++++++++++++++++ arch/x86/kernel/signal_32.c | 4 ++++ arch/x86/kernel/signal_64.c | 4 ++++ 3 files changed, 28 insertions(+) diff --git a/arch/x86/include/asm/sighandling.h b/arch/x86/include/asm/sighandling.h index e770c4fc47f4..ecb0411fe88c 100644 --- a/arch/x86/include/asm/sighandling.h +++ b/arch/x86/include/asm/sighandling.h @@ -24,4 +24,24 @@ int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); +/* + * To prevent infinite SIGTRAP handler loop if TF is used without an external + * debugger, clear the software event flag in the augmented SS, ensuring no + * single-step trap is pending upon ERETU completion. + * + * Note, this function should be called in sigreturn() before the original state + * is restored to make sure the TF is read from the entry frame. + */ +static __always_inline void prevent_single_step_upon_eretu(struct pt_regs *regs) +{ + /* + * If the trap flag (TF) is set, i.e., the sigreturn() SYSCALL instruction + * is being single-stepped, do not clear the software event flag in the + * augmented SS, thus a debugger won't skip over the following instruction. + */ + if (IS_ENABLED(CONFIG_X86_FRED) && cpu_feature_enabled(X86_FEATURE_FRED) && + !(regs->flags & X86_EFLAGS_TF)) + regs->fred_ss.swevent = 0; +} + #endif /* _ASM_X86_SIGHANDLING_H */ diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index 98123ff10506..42bbc42bd350 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -152,6 +152,8 @@ SYSCALL32_DEFINE0(sigreturn) struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); sigset_t set; + prevent_single_step_upon_eretu(regs); + if (!access_ok(frame, sizeof(*frame))) goto badframe; if (__get_user(set.sig[0], &frame->sc.oldmask) @@ -175,6 +177,8 @@ SYSCALL32_DEFINE0(rt_sigreturn) struct rt_sigframe_ia32 __user *frame; sigset_t set; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); if (!access_ok(frame, sizeof(*frame))) diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index ee9453891901..d483b585c6c6 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -250,6 +250,8 @@ SYSCALL_DEFINE0(rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long)); if (!access_ok(frame, sizeof(*frame))) goto badframe; @@ -366,6 +368,8 @@ COMPAT_SYSCALL_DEFINE0(x32_rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8); if (!access_ok(frame, sizeof(*frame))) base-commit: 6a7c3c2606105a41dde81002c0037420bc1ddf00 -- 2.49.0

5 months, 3 weeks

6
8
0 0

[PATCH v3 1/1] x86/fred/signal: Prevent single-step upon ERETU completion

by Xin Li (Intel)

From: Xin Li <xin(a)zytor.com> Clear the software event flag in the augmented SS to prevent infinite SIGTRAP handler loop if TF is used without an external debugger. Following is a typical single-stepping flow for a user process: 1) The user process is prepared for single-stepping by setting RFLAGS.TF = 1. 2) When any instruction in user space completes, a #DB is triggered. 3) The kernel handles the #DB and returns to user space, invoking the SIGTRAP handler with RFLAGS.TF = 0. 4) After the SIGTRAP handler finishes, the user process performs a sigreturn syscall, restoring the original state, including RFLAGS.TF = 1. 5) Goto step 2. According to the FRED specification: A) Bit 17 in the augmented SS is designated as the software event flag, which is set to 1 for FRED event delivery of SYSCALL, SYSENTER, or INT n. B) If bit 17 of the augmented SS is 1 and ERETU would result in RFLAGS.TF = 1, a single-step trap will be pending upon completion of ERETU. In step 4) above, the software event flag is set upon the sigreturn syscall, and its corresponding ERETU would restore RFLAGS.TF = 1. This combination causes a pending single-step trap upon completion of ERETU. Therefore, another #DB is triggered before any user space instruction is executed, which leads to an infinite loop in which the SIGTRAP handler keeps being invoked on the same user space IP. Suggested-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: stable(a)vger.kernel.org --- Change in v3: *) Use "#ifdef CONFIG_X86_FRED" instead of IS_ENABLED(CONFIG_X86_FRED) (Intel LKP). Change in v2: *) Remove the check cpu_feature_enabled(X86_FEATURE_FRED), because regs->fred_ss.swevent will always be 0 otherwise (H. Peter Anvin). --- arch/x86/include/asm/sighandling.h | 21 +++++++++++++++++++++ arch/x86/kernel/signal_32.c | 4 ++++ arch/x86/kernel/signal_64.c | 4 ++++ 3 files changed, 29 insertions(+) diff --git a/arch/x86/include/asm/sighandling.h b/arch/x86/include/asm/sighandling.h index e770c4fc47f4..530eecc371fc 100644 --- a/arch/x86/include/asm/sighandling.h +++ b/arch/x86/include/asm/sighandling.h @@ -24,4 +24,25 @@ int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); +/* + * To prevent infinite SIGTRAP handler loop if TF is used without an external + * debugger, clear the software event flag in the augmented SS, ensuring no + * single-step trap is pending upon ERETU completion. + * + * Note, this function should be called in sigreturn() before the original state + * is restored to make sure the TF is read from the entry frame. + */ +static __always_inline void prevent_single_step_upon_eretu(struct pt_regs *regs) +{ + /* + * If the trap flag (TF) is set, i.e., the sigreturn() SYSCALL instruction + * is being single-stepped, do not clear the software event flag in the + * augmented SS, thus a debugger won't skip over the following instruction. + */ +#ifdef CONFIG_X86_FRED + if (!(regs->flags & X86_EFLAGS_TF)) + regs->fred_ss.swevent = 0; +#endif +} + #endif /* _ASM_X86_SIGHANDLING_H */ diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index 98123ff10506..42bbc42bd350 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -152,6 +152,8 @@ SYSCALL32_DEFINE0(sigreturn) struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); sigset_t set; + prevent_single_step_upon_eretu(regs); + if (!access_ok(frame, sizeof(*frame))) goto badframe; if (__get_user(set.sig[0], &frame->sc.oldmask) @@ -175,6 +177,8 @@ SYSCALL32_DEFINE0(rt_sigreturn) struct rt_sigframe_ia32 __user *frame; sigset_t set; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); if (!access_ok(frame, sizeof(*frame))) diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index ee9453891901..d483b585c6c6 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -250,6 +250,8 @@ SYSCALL_DEFINE0(rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long)); if (!access_ok(frame, sizeof(*frame))) goto badframe; @@ -366,6 +368,8 @@ COMPAT_SYSCALL_DEFINE0(x32_rt_sigreturn) sigset_t set; unsigned long uc_flags; + prevent_single_step_upon_eretu(regs); + frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8); if (!access_ok(frame, sizeof(*frame))) base-commit: 6a7c3c2606105a41dde81002c0037420bc1ddf00 -- 2.49.0

5 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: allow buffered write to avoid full page read if it's block aligned" has been added to the 6.14-stable tree

by Qu Wenruo

在 2025/5/23 06:35, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: allow buffered write to avoid full page read if it's block aligned > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-allow-buffered-write-to-avoid-full-page-read-i.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch from all stable branches. Although this patch mentions a failure in fstests, it acts more like an optimization for btrfs. Furthermore it relies quite some patches that may not be in stable kernels. Without all the dependency, this can lead to data corruption. Please drop this one from all stable kernels. Thanks, Qu > > > > commit de0860d610aaaee77a8c5c713c41fea584ac83b3 > Author: Qu Wenruo <wqu(a)suse.com> > Date: Wed Oct 30 17:04:02 2024 +1030 > > btrfs: allow buffered write to avoid full page read if it's block aligned > > [ Upstream commit 0d31ca6584f21821c708752d379871b9fce2dc48 ] > > [BUG] > Since the support of block size (sector size) < page size for btrfs, > test case generic/563 fails with 4K block size and 64K page size: > > --- tests/generic/563.out 2024-04-25 18:13:45.178550333 +0930 > +++ /home/adam/xfstests-dev/results//generic/563.out.bad 2024-09-30 09:09:16.155312379 +0930 > @@ -3,7 +3,8 @@ > read is in range > write is in range > write -> read/write > -read is in range > +read has value of 8388608 > +read is NOT in range -33792 .. 33792 > write is in range > ... > > [CAUSE] > The test case creates a 8MiB file, then does buffered write into the 8MiB > using 4K block size, to overwrite the whole file. > > On 4K page sized systems, since the write range covers the full block and > page, btrfs will not bother reading the page, just like what XFS and EXT4 > do. > > But on 64K page sized systems, although the 4K sized write is still block > aligned, it's not page aligned anymore, thus btrfs will read the full > page, which will be accounted by cgroup and fail the test. > > As the test case itself expects such 4K block aligned write should not > trigger any read. > > Such expected behavior is an optimization to reduce folio reads when > possible, and unfortunately btrfs does not implement such optimization. > > [FIX] > To skip the full page read, we need to do the following modification: > > - Do not trigger full page read as long as the buffered write is block > aligned > This is pretty simple by modifying the check inside > prepare_uptodate_page(). > > - Skip already uptodate blocks during full page read > Or we can lead to the following data corruption: > > 0 32K 64K > |///////| | > > Where the file range [0, 32K) is dirtied by buffered write, the > remaining range [32K, 64K) is not. > > When reading the full page, since [0,32K) is only dirtied but not > written back, there is no data extent map for it, but a hole covering > [0, 64k). > > If we continue reading the full page range [0, 64K), the dirtied range > will be filled with 0 (since there is only a hole covering the whole > range). > This causes the dirtied range to get lost. > > With this optimization, btrfs can pass generic/563 even if the page size > is larger than fs block size. > > Reviewed-by: Filipe Manana <fdmanana(a)suse.com> > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c > index 06922529f19dc..13b5359ea1b77 100644 > --- a/fs/btrfs/extent_io.c > +++ b/fs/btrfs/extent_io.c > @@ -974,6 +974,10 @@ static int btrfs_do_readpage(struct folio *folio, struct extent_map **em_cached, > end_folio_read(folio, true, cur, iosize); > break; > } > + if (btrfs_folio_test_uptodate(fs_info, folio, cur, blocksize)) { > + end_folio_read(folio, true, cur, blocksize); > + continue; > + } > em = get_extent_map(BTRFS_I(inode), folio, cur, end - cur + 1, em_cached); > if (IS_ERR(em)) { > end_folio_read(folio, false, cur, end + 1 - cur); > diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c > index cd4e40a719186..61ad1a79e5698 100644 > --- a/fs/btrfs/file.c > +++ b/fs/btrfs/file.c > @@ -804,14 +804,15 @@ static int prepare_uptodate_folio(struct inode *inode, struct folio *folio, u64 > { > u64 clamp_start = max_t(u64, pos, folio_pos(folio)); > u64 clamp_end = min_t(u64, pos + len, folio_pos(folio) + folio_size(folio)); > + const u32 blocksize = inode_to_fs_info(inode)->sectorsize; > int ret = 0; > > if (folio_test_uptodate(folio)) > return 0; > > if (!force_uptodate && > - IS_ALIGNED(clamp_start, PAGE_SIZE) && > - IS_ALIGNED(clamp_end, PAGE_SIZE)) > + IS_ALIGNED(clamp_start, blocksize) && > + IS_ALIGNED(clamp_end, blocksize)) > return 0; > > ret = btrfs_read_folio(NULL, folio);

5 months, 3 weeks

2
1
0 0

[PATCH v4] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()

by Wentao Liang

The function mlx5_query_nic_vport_node_guid() calls the function mlx5_query_nic_vport_context() but does not check its return value. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Target: net Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v4: Fix code error. v3: Explicitly mention target branch. Change improper code. v2: Remove redundant reassignment. Fix typo error. drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 0d5f750faa45..c34cd9a1a79b 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -465,19 +465,22 @@ int mlx5_query_nic_vport_node_guid(struct mlx5_core_dev *mdev, u64 *node_guid) { u32 *out; int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int err; out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + err = mlx5_query_nic_vport_context(mdev, 0, out); + if (err) + goto out; *node_guid = MLX5_GET64(query_nic_vport_context_out, out, nic_vport_context.node_guid); - +out: kvfree(out); - return 0; + return err; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid); -- 2.42.0.windows.2

5 months, 3 weeks

2
1
0 0

[PATCH 1/2] block: Make __submit_bio_noacct() preserve the bio submission order

by Bart Van Assche

submit_bio() may be called recursively. To limit the stack depth, recursive calls result in bios being added to a list (current->bio_list). __submit_bio_noacct() sets up that list and maintains two lists with requests: * bio_list_on_stack[0] is the list with bios submitted by recursive submit_bio() calls from inside the latest __submit_bio() call. * bio_list_on_stack[1] is the list with bios submitted by recursive submit_bio() calls from inside previous __submit_bio() calls. Make sure that bios are submitted to lower devices in the order these have been submitted by submit_bio() by adding new bios at the end of the list instead of at the front. This patch fixes unaligned write errors that I encountered with F2FS submitting zoned writes to a dm driver stacked on top of a zoned UFS device. Cc: Christoph Hellwig <hch(a)lst.de> Cc: Damien Le Moal <dlemoal(a)kernel.org> Cc: Yu Kuai <yukuai1(a)huaweicloud.com> Cc: Ming Lei <ming.lei(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- block/blk-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk-core.c b/block/blk-core.c index b862c66018f2..4b728fa1c138 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -704,9 +704,9 @@ static void __submit_bio_noacct(struct bio *bio) /* * Now assemble so we handle the lowest level first. */ + bio_list_on_stack[0] = bio_list_on_stack[1]; bio_list_merge(&bio_list_on_stack[0], &lower); bio_list_merge(&bio_list_on_stack[0], &same); - bio_list_merge(&bio_list_on_stack[0], &bio_list_on_stack[1]); } while ((bio = bio_list_pop(&bio_list_on_stack[0]))); current->bio_list = NULL;

5 months, 3 weeks

3
9
0 0

Re: Patch "f2fs: defer readonly check vs norecovery" has been added to the 6.14-stable tree

by Eric Sandeen

On 5/22/25 4:10 PM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > f2fs: defer readonly check vs norecovery > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > f2fs-defer-readonly-check-vs-norecovery.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. I already replied to the AUTOSEL email on 5/5 saying that this is not a bug fix and should not be in the stable tree, but here we are. > commit 442e4090bb78d5dce4506a591214ce2447d6ea50 > Author: Eric Sandeen <sandeen(a)redhat.com> > Date: Mon Mar 3 11:12:17 2025 -0600 > > f2fs: defer readonly check vs norecovery > > [ Upstream commit 9cca49875997a1a7e92800a828a62bacb0f577b9 ] > > Defer the readonly-vs-norecovery check until after option parsing is done > so that option parsing does not require an active superblock for the test. > Add a helpful message, while we're at it. > > (I think could be moved back into parsing after we switch to the new mount > API if desired, as the fs context will have RO state available.) > > Signed-off-by: Eric Sandeen <sandeen(a)redhat.com> > Reviewed-by: Chao Yu <chao(a)kernel.org> > Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c > index b8a0e925a4011..d3b04a589b525 100644 > --- a/fs/f2fs/super.c > +++ b/fs/f2fs/super.c > @@ -728,10 +728,8 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) > set_opt(sbi, DISABLE_ROLL_FORWARD); > break; > case Opt_norecovery: > - /* this option mounts f2fs with ro */ > + /* requires ro mount, checked in f2fs_default_check */ > set_opt(sbi, NORECOVERY); > - if (!f2fs_readonly(sb)) > - return -EINVAL; > break; > case Opt_discard: > if (!f2fs_hw_support_discard(sbi)) { > @@ -1418,6 +1416,12 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) > f2fs_err(sbi, "Allow to mount readonly mode only"); > return -EROFS; > } > + > + if (test_opt(sbi, NORECOVERY) && !f2fs_readonly(sbi->sb)) { > + f2fs_err(sbi, "norecovery requires readonly mount"); > + return -EINVAL; > + } > + > return 0; > } > >

5 months, 3 weeks

1
0
0 0

Re: [PATCH 6.6 005/568] md: fix deadlock between mddev_suspend and flush bio

by Andrew Kanner

> [...] > > Additionally, the only difference between fixing the issue and before is > that there is no return error handling of make_request(). But after > previous patch cleaned md_write_start(), make_requst() only return error > in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456, > md/raid456: fix a deadlock for dm-raid456 while io concurrent with > reshape)". Since dm always splits data and flush operation into two > separate io, io size of flush submitted by dm always is 0, make_request() > will not be called in md_submit_flush_data(). To prevent future > modifications from introducing issues, add WARN_ON to ensure > make_request() no error is returned in this context. > > [...] > @@ -560,8 +552,20 @@ static void md_submit_flush_data(struct work_struct *ws) > bio_endio(bio); > } else { > bio->bi_opf &= ~REQ_PREFLUSH; > - md_handle_request(mddev, bio); > + > + /* > + * make_requst() will never return error here, it only > + * returns error in raid5_make_request() by dm-raid. > + * Since dm always splits data and flush operation into > + * two separate io, io size of flush submitted by dm > + * always is 0, make_request() will not be called here. > + */ > + if (WARN_ON_ONCE(!mddev->pers->make_request(mddev, bio))) > + bio_io_error(bio);; > } Hello, It looks we can hit this WARN_ON_ONCE() after which rootfs is switching to read-only: May 20 15:13:35 hostname kernel: WARNING: CPU: 35 PID: 1517323 at drivers/md/md.c:621 md_submit_flush_data+0x9b/0xe0 ... May 20 15:13:35 hostname kernel: XFS (md125): log I/O error -5 May 20 15:13:35 hostname kernel: XFS (md125): Filesystem has been shut down due to log error (0x2). May 20 15:13:35 hostname kernel: XFS (md125): Please unmount the filesystem and rectify the problem(s). Can you double check if the following regression is actual? Since both stable/linux-6.1.y and stable/linux-6.6.y branches don't have b75197e86e6d ("md: Remove flush handling") there is a minor issue with this backport. Statement "previous patch cleaned md_write_start(), make_requst() only return error in raid5_make_request() by dm-raid" will not work for both branches since 03e792eaf18e ("md: change the return value type of md_write_start to void") was not backported. So we should either backport it, or do error handling, not the WARN_ON_ONCE(). -- Andrew Kanner

5 months, 3 weeks

1
0
0 0

Re: Patch "dm vdo vio-pool: allow variable-sized metadata vios" has been added to the 6.12-stable tree

by Matthew Sakai

On 5/22/25 6:31 PM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > dm vdo vio-pool: allow variable-sized metadata vios > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > dm-vdo-vio-pool-allow-variable-sized-metadata-vios.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. There is no reason to pull this patch into 6.12 since there are no features in 6.12 that would use it. Matt > > commit ac663217ac4eeab508db348a67511d45ccd9846f > Author: Ken Raeburn <raeburn(a)redhat.com> > Date: Fri Jan 31 21:18:05 2025 -0500 > > dm vdo vio-pool: allow variable-sized metadata vios > > [ Upstream commit f979da512553a41a657f2c1198277e84d66f8ce3 ] > > With larger-sized metadata vio pools, vdo will sometimes need to > issue I/O with a smaller size than the allocated size. Since > vio_reset_bio is where the bvec array and I/O size are initialized, > this reset interface must now specify what I/O size to use. > > Signed-off-by: Ken Raeburn <raeburn(a)redhat.com> > Signed-off-by: Matthew Sakai <msakai(a)redhat.com> > Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/md/dm-vdo/io-submitter.c b/drivers/md/dm-vdo/io-submitter.c > index ab62abe18827b..a664be89c15d7 100644 > --- a/drivers/md/dm-vdo/io-submitter.c > +++ b/drivers/md/dm-vdo/io-submitter.c > @@ -327,6 +327,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > * @error_handler: the handler for submission or I/O errors (may be NULL) > * @operation: the type of I/O to perform > * @data: the buffer to read or write (may be NULL) > + * @size: the I/O amount in bytes > * > * The vio is enqueued on a vdo bio queue so that bio submission (which may block) does not block > * other vdo threads. > @@ -338,7 +339,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > */ > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data) > + blk_opf_t operation, char *data, int size) > { > int result; > struct vdo_completion *completion = &vio->completion; > @@ -349,7 +350,8 @@ void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > > vdo_reset_completion(completion); > completion->error_handler = error_handler; > - result = vio_reset_bio(vio, data, callback, operation | REQ_META, physical); > + result = vio_reset_bio_with_size(vio, data, size, callback, operation | REQ_META, > + physical); > if (result != VDO_SUCCESS) { > continue_vio(vio, result); > return; > diff --git a/drivers/md/dm-vdo/io-submitter.h b/drivers/md/dm-vdo/io-submitter.h > index 80748699496f2..3088f11055fdd 100644 > --- a/drivers/md/dm-vdo/io-submitter.h > +++ b/drivers/md/dm-vdo/io-submitter.h > @@ -8,6 +8,7 @@ > > #include <linux/bio.h> > > +#include "constants.h" > #include "types.h" > > struct io_submitter; > @@ -26,14 +27,25 @@ void vdo_submit_data_vio(struct data_vio *data_vio); > > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data); > + blk_opf_t operation, char *data, int size); > > static inline void vdo_submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > blk_opf_t operation) > { > __submit_metadata_vio(vio, physical, callback, error_handler, > - operation, vio->data); > + operation, vio->data, vio->block_count * VDO_BLOCK_SIZE); > +} > + > +static inline void vdo_submit_metadata_vio_with_size(struct vio *vio, > + physical_block_number_t physical, > + bio_end_io_t callback, > + vdo_action_fn error_handler, > + blk_opf_t operation, > + int size) > +{ > + __submit_metadata_vio(vio, physical, callback, error_handler, > + operation, vio->data, size); > } > > static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > @@ -41,7 +53,7 @@ static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > { > /* FIXME: Can we just use REQ_OP_FLUSH? */ > __submit_metadata_vio(vio, 0, callback, error_handler, > - REQ_OP_WRITE | REQ_PREFLUSH, NULL); > + REQ_OP_WRITE | REQ_PREFLUSH, NULL, 0); > } > > #endif /* VDO_IO_SUBMITTER_H */ > diff --git a/drivers/md/dm-vdo/types.h b/drivers/md/dm-vdo/types.h > index dbe892b10f265..cdf36e7d77021 100644 > --- a/drivers/md/dm-vdo/types.h > +++ b/drivers/md/dm-vdo/types.h > @@ -376,6 +376,9 @@ struct vio { > /* The size of this vio in blocks */ > unsigned int block_count; > > + /* The amount of data to be read or written, in bytes */ > + unsigned int io_size; > + > /* The data being read or written. */ > char *data; > > diff --git a/drivers/md/dm-vdo/vio.c b/drivers/md/dm-vdo/vio.c > index b291578f726f5..7c417c1af4516 100644 > --- a/drivers/md/dm-vdo/vio.c > +++ b/drivers/md/dm-vdo/vio.c > @@ -188,14 +188,23 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > /* > * Prepares the bio to perform IO with the specified buffer. May only be used on a VDO-allocated > - * bio, as it assumes the bio wraps a 4k buffer that is 4k aligned, but there does not have to be a > - * vio associated with the bio. > + * bio, as it assumes the bio wraps a 4k-multiple buffer that is 4k aligned, but there does not > + * have to be a vio associated with the bio. > */ > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn) > { > - int bvec_count, offset, len, i; > + return vio_reset_bio_with_size(vio, data, vio->block_count * VDO_BLOCK_SIZE, > + callback, bi_opf, pbn); > +} > + > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn) > +{ > + int bvec_count, offset, i; > struct bio *bio = vio->bio; > + int vio_size = vio->block_count * VDO_BLOCK_SIZE; > + int remaining; > > bio_reset(bio, bio->bi_bdev, bi_opf); > vdo_set_bio_properties(bio, vio, callback, bi_opf, pbn); > @@ -204,22 +213,21 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > > bio->bi_io_vec = bio->bi_inline_vecs; > bio->bi_max_vecs = vio->block_count + 1; > - len = VDO_BLOCK_SIZE * vio->block_count; > + if (VDO_ASSERT(size <= vio_size, "specified size %d is not greater than allocated %d", > + size, vio_size) != VDO_SUCCESS) > + size = vio_size; > + vio->io_size = size; > offset = offset_in_page(data); > - bvec_count = DIV_ROUND_UP(offset + len, PAGE_SIZE); > + bvec_count = DIV_ROUND_UP(offset + size, PAGE_SIZE); > + remaining = size; > > - /* > - * If we knew that data was always on one page, or contiguous pages, we wouldn't need the > - * loop. But if we're using vmalloc, it's not impossible that the data is in different > - * pages that can't be merged in bio_add_page... > - */ > - for (i = 0; (i < bvec_count) && (len > 0); i++) { > + for (i = 0; (i < bvec_count) && (remaining > 0); i++) { > struct page *page; > int bytes_added; > int bytes = PAGE_SIZE - offset; > > - if (bytes > len) > - bytes = len; > + if (bytes > remaining) > + bytes = remaining; > > page = is_vmalloc_addr(data) ? vmalloc_to_page(data) : virt_to_page(data); > bytes_added = bio_add_page(bio, page, bytes, offset); > @@ -231,7 +239,7 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > } > > data += bytes; > - len -= bytes; > + remaining -= bytes; > offset = 0; > } > > diff --git a/drivers/md/dm-vdo/vio.h b/drivers/md/dm-vdo/vio.h > index 3490e9f59b04a..74e8fd7c8c029 100644 > --- a/drivers/md/dm-vdo/vio.h > +++ b/drivers/md/dm-vdo/vio.h > @@ -123,6 +123,8 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn); > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn); > > void update_vio_error_stats(struct vio *vio, const char *format, ...) > __printf(2, 3); >

5 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: prevent inline data extents read from touching blocks beyond its range" has been added to the 6.12-stable tree

by Qu Wenruo

在 2025/5/23 07:31, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: prevent inline data extents read from touching blocks beyond its range > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-prevent-inline-data-extents-read-from-touching.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this one from all stable trees. Although the patch won't cause any behavior change, the main reason for this patch is to prepare for the subpage optimization (and future large folios support). Thanks, Qu > > > > commit 98504dd74a2688ff63dba6bf1d9f8abc7f0b322e > Author: Qu Wenruo <wqu(a)suse.com> > Date: Fri Nov 15 19:15:34 2024 +1030 > > btrfs: prevent inline data extents read from touching blocks beyond its range > > [ Upstream commit 1a5b5668d711d3d1ef447446beab920826decec3 ] > > Currently reading an inline data extent will zero out the remaining > range in the page. > > This is not yet causing problems even for block size < page size > (subpage) cases because: > > 1) An inline data extent always starts at file offset 0 > Meaning at page read, we always read the inline extent first, before > any other blocks in the page. Then later blocks are properly read out > and re-fill the zeroed out ranges. > > 2) Currently btrfs will read out the whole page if a buffered write is > not page aligned > So a page is either fully uptodate at buffered write time (covers the > whole page), or we will read out the whole page first. > Meaning there is nothing to lose for such an inline extent read. > > But it's still not ideal: > > - We're zeroing out the page twice > Once done by read_inline_extent()/uncompress_inline(), once done by > btrfs_do_readpage() for ranges beyond i_size. > > - We're touching blocks that don't belong to the inline extent > In the incoming patches, we can have a partial uptodate folio, of > which some dirty blocks can exist while the page is not fully uptodate: > > The page size is 16K and block size is 4K: > > 0 4K 8K 12K 16K > | | |/////////| | > > And range [8K, 12K) is dirtied by a buffered write, the remaining > blocks are not uptodate. > > If range [0, 4K) contains an inline data extent, and we try to read > the whole page, the current behavior will overwrite range [8K, 12K) > with zero and cause data loss. > > So to make the behavior more consistent and in preparation for future > changes, limit the inline data extents read to only zero out the range > inside the first block, not the whole page. > > Reviewed-by: Filipe Manana <fdmanana(a)suse.com> > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 0da2611fb9c85..ee8c18d298758 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -6825,6 +6825,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > { > int ret; > struct extent_buffer *leaf = path->nodes[0]; > + const u32 blocksize = leaf->fs_info->sectorsize; > char *tmp; > size_t max_size; > unsigned long inline_size; > @@ -6841,7 +6842,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > > read_extent_buffer(leaf, tmp, ptr, inline_size); > > - max_size = min_t(unsigned long, PAGE_SIZE, max_size); > + max_size = min_t(unsigned long, blocksize, max_size); > ret = btrfs_decompress(compress_type, tmp, folio, 0, inline_size, > max_size); > > @@ -6853,8 +6854,8 @@ static noinline int uncompress_inline(struct btrfs_path *path, > * cover that region here. > */ > > - if (max_size < PAGE_SIZE) > - folio_zero_range(folio, max_size, PAGE_SIZE - max_size); > + if (max_size < blocksize) > + folio_zero_range(folio, max_size, blocksize - max_size); > kfree(tmp); > return ret; > } > @@ -6862,6 +6863,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > static int read_inline_extent(struct btrfs_inode *inode, struct btrfs_path *path, > struct folio *folio) > { > + const u32 blocksize = path->nodes[0]->fs_info->sectorsize; > struct btrfs_file_extent_item *fi; > void *kaddr; > size_t copy_size; > @@ -6876,14 +6878,14 @@ static int read_inline_extent(struct btrfs_inode *inode, struct btrfs_path *path > if (btrfs_file_extent_compression(path->nodes[0], fi) != BTRFS_COMPRESS_NONE) > return uncompress_inline(path, folio, fi); > > - copy_size = min_t(u64, PAGE_SIZE, > + copy_size = min_t(u64, blocksize, > btrfs_file_extent_ram_bytes(path->nodes[0], fi)); > kaddr = kmap_local_folio(folio, 0); > read_extent_buffer(path->nodes[0], kaddr, > btrfs_file_extent_inline_start(fi), copy_size); > kunmap_local(kaddr); > - if (copy_size < PAGE_SIZE) > - folio_zero_range(folio, copy_size, PAGE_SIZE - copy_size); > + if (copy_size < blocksize) > + folio_zero_range(folio, copy_size, blocksize - copy_size); > return 0; > } >

5 months, 3 weeks

1
0
0 0

+ mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ge Yang <yangge1116(a)126.com> Subject: mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios Date: Thu, 22 May 2025 11:22:17 +0800 A kernel crash was observed when replacing free hugetlb folios: BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK> replace_free_hugepage_folios+0xb6/0x100 alloc_contig_range_noprof+0x18a/0x590 ? srso_return_thunk+0x5/0x5f ? down_read+0x12/0xa0 ? srso_return_thunk+0x5/0x5f cma_range_alloc.constprop.0+0x131/0x290 __cma_alloc+0xcf/0x2c0 cma_alloc_write+0x43/0xb0 simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110 debugfs_attr_write+0x46/0x70 full_proxy_write+0x62/0xa0 vfs_write+0xf8/0x420 ? srso_return_thunk+0x5/0x5f ? filp_flush+0x86/0xa0 ? srso_return_thunk+0x5/0x5f ? filp_close+0x1f/0x30 ? srso_return_thunk+0x5/0x5f ? do_dup2+0xaf/0x160 ? srso_return_thunk+0x5/0x5f ksys_write+0x65/0xe0 do_syscall_64+0x64/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios(): CPU1 CPU2 __update_and_free_hugetlb_folio replace_free_hugepage_folios folio_test_hugetlb(folio) -- It's still hugetlb folio. __folio_clear_hugetlb(folio) hugetlb_free_folio(folio) h = folio_hstate(folio) -- Here, h is NULL pointer When the above race condition occurs, folio_hstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL. Link: https://lkml.kernel.org/r/1747884137-26685-1-git-send-email-yangge1116@126.… Fixes: 04f13d241b8b ("mm: replace free hugepage folios after migration") Signed-off-by: Ge Yang <yangge1116(a)126.com> Reviewed-by: Muchun Song <muchun.song(a)linux.dev> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <21cnbao(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/mm/hugetlb.c~mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios +++ a/mm/hugetlb.c @@ -2949,12 +2949,20 @@ int replace_free_hugepage_folios(unsigne while (start_pfn < end_pfn) { folio = pfn_folio(start_pfn); + + /* + * The folio might have been dissolved from under our feet, so make sure + * to carefully check the state under the lock. + */ + spin_lock_irq(&hugetlb_lock); if (folio_test_hugetlb(folio)) { h = folio_hstate(folio); } else { + spin_unlock_irq(&hugetlb_lock); start_pfn++; continue; } + spin_unlock_irq(&hugetlb_lock); if (!folio_ref_count(folio)) { ret = alloc_and_dissolve_hugetlb_folio(h, folio, _ Patches currently in -mm which might be from yangge1116(a)126.com are mm-hugetlb-fix-kernel-null-pointer-dereference-when-replacing-free-hugetlb-folios.patch

5 months, 3 weeks

1
0
0 0

Re: Patch "dm vdo vio-pool: allow variable-sized metadata vios" has been added to the 6.14-stable tree

by Matthew Sakai

On 5/22/25 5:44 PM, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > dm vdo vio-pool: allow variable-sized metadata vios > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > dm-vdo-vio-pool-allow-variable-sized-metadata-vios.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > This patch should probably not get added to 6.14 or any earlier stable tree. It implements an interface for a new feature added in in 6.15, but without backporting that feature, nothing will use the new interface so this patch is unnecessary. Thanks, Matt > > commit 921200c5e2f6a07ad93419d800d6a1a2fbf7abc7 > Author: Ken Raeburn <raeburn(a)redhat.com> > Date: Fri Jan 31 21:18:05 2025 -0500 > > dm vdo vio-pool: allow variable-sized metadata vios > > [ Upstream commit f979da512553a41a657f2c1198277e84d66f8ce3 ] > > With larger-sized metadata vio pools, vdo will sometimes need to > issue I/O with a smaller size than the allocated size. Since > vio_reset_bio is where the bvec array and I/O size are initialized, > this reset interface must now specify what I/O size to use. > > Signed-off-by: Ken Raeburn <raeburn(a)redhat.com> > Signed-off-by: Matthew Sakai <msakai(a)redhat.com> > Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/md/dm-vdo/io-submitter.c b/drivers/md/dm-vdo/io-submitter.c > index 421e5436c32c9..11d47770b54d2 100644 > --- a/drivers/md/dm-vdo/io-submitter.c > +++ b/drivers/md/dm-vdo/io-submitter.c > @@ -327,6 +327,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > * @error_handler: the handler for submission or I/O errors (may be NULL) > * @operation: the type of I/O to perform > * @data: the buffer to read or write (may be NULL) > + * @size: the I/O amount in bytes > * > * The vio is enqueued on a vdo bio queue so that bio submission (which may block) does not block > * other vdo threads. > @@ -338,7 +339,7 @@ void vdo_submit_data_vio(struct data_vio *data_vio) > */ > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data) > + blk_opf_t operation, char *data, int size) > { > int result; > struct vdo_completion *completion = &vio->completion; > @@ -349,7 +350,8 @@ void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > > vdo_reset_completion(completion); > completion->error_handler = error_handler; > - result = vio_reset_bio(vio, data, callback, operation | REQ_META, physical); > + result = vio_reset_bio_with_size(vio, data, size, callback, operation | REQ_META, > + physical); > if (result != VDO_SUCCESS) { > continue_vio(vio, result); > return; > diff --git a/drivers/md/dm-vdo/io-submitter.h b/drivers/md/dm-vdo/io-submitter.h > index 80748699496f2..3088f11055fdd 100644 > --- a/drivers/md/dm-vdo/io-submitter.h > +++ b/drivers/md/dm-vdo/io-submitter.h > @@ -8,6 +8,7 @@ > > #include <linux/bio.h> > > +#include "constants.h" > #include "types.h" > > struct io_submitter; > @@ -26,14 +27,25 @@ void vdo_submit_data_vio(struct data_vio *data_vio); > > void __submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > - blk_opf_t operation, char *data); > + blk_opf_t operation, char *data, int size); > > static inline void vdo_submit_metadata_vio(struct vio *vio, physical_block_number_t physical, > bio_end_io_t callback, vdo_action_fn error_handler, > blk_opf_t operation) > { > __submit_metadata_vio(vio, physical, callback, error_handler, > - operation, vio->data); > + operation, vio->data, vio->block_count * VDO_BLOCK_SIZE); > +} > + > +static inline void vdo_submit_metadata_vio_with_size(struct vio *vio, > + physical_block_number_t physical, > + bio_end_io_t callback, > + vdo_action_fn error_handler, > + blk_opf_t operation, > + int size) > +{ > + __submit_metadata_vio(vio, physical, callback, error_handler, > + operation, vio->data, size); > } > > static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > @@ -41,7 +53,7 @@ static inline void vdo_submit_flush_vio(struct vio *vio, bio_end_io_t callback, > { > /* FIXME: Can we just use REQ_OP_FLUSH? */ > __submit_metadata_vio(vio, 0, callback, error_handler, > - REQ_OP_WRITE | REQ_PREFLUSH, NULL); > + REQ_OP_WRITE | REQ_PREFLUSH, NULL, 0); > } > > #endif /* VDO_IO_SUBMITTER_H */ > diff --git a/drivers/md/dm-vdo/types.h b/drivers/md/dm-vdo/types.h > index dbe892b10f265..cdf36e7d77021 100644 > --- a/drivers/md/dm-vdo/types.h > +++ b/drivers/md/dm-vdo/types.h > @@ -376,6 +376,9 @@ struct vio { > /* The size of this vio in blocks */ > unsigned int block_count; > > + /* The amount of data to be read or written, in bytes */ > + unsigned int io_size; > + > /* The data being read or written. */ > char *data; > > diff --git a/drivers/md/dm-vdo/vio.c b/drivers/md/dm-vdo/vio.c > index e710f3c5a972d..725d87ecf2150 100644 > --- a/drivers/md/dm-vdo/vio.c > +++ b/drivers/md/dm-vdo/vio.c > @@ -188,14 +188,23 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > /* > * Prepares the bio to perform IO with the specified buffer. May only be used on a VDO-allocated > - * bio, as it assumes the bio wraps a 4k buffer that is 4k aligned, but there does not have to be a > - * vio associated with the bio. > + * bio, as it assumes the bio wraps a 4k-multiple buffer that is 4k aligned, but there does not > + * have to be a vio associated with the bio. > */ > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn) > { > - int bvec_count, offset, len, i; > + return vio_reset_bio_with_size(vio, data, vio->block_count * VDO_BLOCK_SIZE, > + callback, bi_opf, pbn); > +} > + > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn) > +{ > + int bvec_count, offset, i; > struct bio *bio = vio->bio; > + int vio_size = vio->block_count * VDO_BLOCK_SIZE; > + int remaining; > > bio_reset(bio, bio->bi_bdev, bi_opf); > vdo_set_bio_properties(bio, vio, callback, bi_opf, pbn); > @@ -205,22 +214,21 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > bio->bi_ioprio = 0; > bio->bi_io_vec = bio->bi_inline_vecs; > bio->bi_max_vecs = vio->block_count + 1; > - len = VDO_BLOCK_SIZE * vio->block_count; > + if (VDO_ASSERT(size <= vio_size, "specified size %d is not greater than allocated %d", > + size, vio_size) != VDO_SUCCESS) > + size = vio_size; > + vio->io_size = size; > offset = offset_in_page(data); > - bvec_count = DIV_ROUND_UP(offset + len, PAGE_SIZE); > + bvec_count = DIV_ROUND_UP(offset + size, PAGE_SIZE); > + remaining = size; > > - /* > - * If we knew that data was always on one page, or contiguous pages, we wouldn't need the > - * loop. But if we're using vmalloc, it's not impossible that the data is in different > - * pages that can't be merged in bio_add_page... > - */ > - for (i = 0; (i < bvec_count) && (len > 0); i++) { > + for (i = 0; (i < bvec_count) && (remaining > 0); i++) { > struct page *page; > int bytes_added; > int bytes = PAGE_SIZE - offset; > > - if (bytes > len) > - bytes = len; > + if (bytes > remaining) > + bytes = remaining; > > page = is_vmalloc_addr(data) ? vmalloc_to_page(data) : virt_to_page(data); > bytes_added = bio_add_page(bio, page, bytes, offset); > @@ -232,7 +240,7 @@ int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > } > > data += bytes; > - len -= bytes; > + remaining -= bytes; > offset = 0; > } > > diff --git a/drivers/md/dm-vdo/vio.h b/drivers/md/dm-vdo/vio.h > index 3490e9f59b04a..74e8fd7c8c029 100644 > --- a/drivers/md/dm-vdo/vio.h > +++ b/drivers/md/dm-vdo/vio.h > @@ -123,6 +123,8 @@ void vdo_set_bio_properties(struct bio *bio, struct vio *vio, bio_end_io_t callb > > int vio_reset_bio(struct vio *vio, char *data, bio_end_io_t callback, > blk_opf_t bi_opf, physical_block_number_t pbn); > +int vio_reset_bio_with_size(struct vio *vio, char *data, int size, bio_end_io_t callback, > + blk_opf_t bi_opf, physical_block_number_t pbn); > > void update_vio_error_stats(struct vio *vio, const char *format, ...) > __printf(2, 3); >

5 months, 3 weeks

1
0
0 0

+ mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: fix potensial buffer overflow in setup_clusters() has been added to the -mm mm-new branch. Its filename is mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: fix potensial buffer overflow in setup_clusters() Date: Thu, 22 May 2025 20:25:53 +0800 In setup_swap_map(), we only ensure badpages are in range (0, last_page]. As maxpages might be < last_page, setup_clusters() will encounter a buffer overflow when a badpage is >= maxpages. Only call inc_cluster_info_page() for badpage which is < maxpages to fix the issue. Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com Fixes: b843786b0bd01 ("mm: swapfile: fix SSD detection with swapfile on btrfs") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: <stable(a)vger.kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/mm/swapfile.c~mm-swap-fix-potensial-buffer-overflow-in-setup_clusters +++ a/mm/swapfile.c @@ -3208,9 +3208,13 @@ static struct swap_cluster_info *setup_c * and the EOF part of the last cluster. */ inc_cluster_info_page(si, cluster_info, 0); - for (i = 0; i < swap_header->info.nr_badpages; i++) - inc_cluster_info_page(si, cluster_info, - swap_header->info.badpages[i]); + for (i = 0; i < swap_header->info.nr_badpages; i++) { + unsigned int page_nr = swap_header->info.badpages[i]; + + if (page_nr >= maxpages) + continue; + inc_cluster_info_page(si, cluster_info, page_nr); + } for (i = maxpages; i < round_up(maxpages, SWAPFILE_CLUSTER); i++) inc_cluster_info_page(si, cluster_info, i); _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch mm-shmem-add-missing-shmem_unacct_size-in-__shmem_file_setup.patch mm-shmem-fix-potential-dead-loop-in-shmem_unuse.patch mm-shmem-only-remove-inode-from-swaplist-when-its-swapped-page-count-is-0.patch mm-shmem-remove-unneeded-xa_is_value-check-in-shmem_unuse_swap_entries.patch mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

5 months, 3 weeks

1
0
0 0

+ mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potensial deadloop has been added to the -mm mm-new branch. Its filename is mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potensial deadloop Date: Thu, 22 May 2025 20:25:52 +0800 We use maxpages from read_swap_header() to initialize swap_info_struct, however the maxpages might be reduced in setup_swap_extents() and the si->max is assigned with the reduced maxpages from the setup_swap_extents(). Obviously, this could lead to memory waste as we allocated memory based on larger maxpages, besides, this could lead to a potensial deadloop as following: 1) When calling setup_clusters() with larger maxpages, unavailable pages within range [si->max, larger maxpages) are not accounted with inc_cluster_info_page(). As a result, these pages are assumed available but can not be allocated. The cluster contains these pages can be moved to frag_clusters list after it's all available pages were allocated. 2) When the cluster mentioned in 1) is the only cluster in frag_clusters list, cluster_alloc_swap_entry() assume order 0 allocation will never failed and will enter a deadloop by keep trying to allocate page from the only cluster in frag_clusters which contains no actually available page. Call setup_swap_extents() to get the final maxpages before swap_info_struct initialization to fix the issue. Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com Fixes: 661383c6111a3 ("mm: swap: relaim the cached parts that got scanned") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: <stable(a)vger.kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kairui Song <kasong(a)tencent.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 47 ++++++++++++++++++++--------------------------- 1 file changed, 20 insertions(+), 27 deletions(-) --- a/mm/swapfile.c~mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop +++ a/mm/swapfile.c @@ -3141,43 +3141,30 @@ static unsigned long read_swap_header(st return maxpages; } -static int setup_swap_map_and_extents(struct swap_info_struct *si, - union swap_header *swap_header, - unsigned char *swap_map, - unsigned long maxpages, - sector_t *span) +static int setup_swap_map(struct swap_info_struct *si, + union swap_header *swap_header, + unsigned char *swap_map, + unsigned long maxpages) { - unsigned int nr_good_pages; unsigned long i; - int nr_extents; - - nr_good_pages = maxpages - 1; /* omit header page */ + swap_map[0] = SWAP_MAP_BAD; /* omit header page */ for (i = 0; i < swap_header->info.nr_badpages; i++) { unsigned int page_nr = swap_header->info.badpages[i]; if (page_nr == 0 || page_nr > swap_header->info.last_page) return -EINVAL; if (page_nr < maxpages) { swap_map[page_nr] = SWAP_MAP_BAD; - nr_good_pages--; + si->pages--; } } - if (nr_good_pages) { - swap_map[0] = SWAP_MAP_BAD; - si->max = maxpages; - si->pages = nr_good_pages; - nr_extents = setup_swap_extents(si, span); - if (nr_extents < 0) - return nr_extents; - nr_good_pages = si->pages; - } - if (!nr_good_pages) { + if (!si->pages) { pr_warn("Empty swap-file\n"); return -EINVAL; } - return nr_extents; + return 0; } #define SWAP_CLUSTER_INFO_COLS \ @@ -3217,7 +3204,7 @@ static struct swap_cluster_info *setup_c * Mark unusable pages as unavailable. The clusters aren't * marked free yet, so no list operations are involved yet. * - * See setup_swap_map_and_extents(): header page, bad pages, + * See setup_swap_map(): header page, bad pages, * and the EOF part of the last cluster. */ inc_cluster_info_page(si, cluster_info, 0); @@ -3354,6 +3341,15 @@ SYSCALL_DEFINE2(swapon, const char __use goto bad_swap_unlock_inode; } + si->max = maxpages; + si->pages = maxpages - 1; + nr_extents = setup_swap_extents(si, &span); + if (nr_extents < 0) { + error = nr_extents; + goto bad_swap_unlock_inode; + } + maxpages = si->max; + /* OK, set up the swap map and apply the bad block list */ swap_map = vzalloc(maxpages); if (!swap_map) { @@ -3365,12 +3361,9 @@ SYSCALL_DEFINE2(swapon, const char __use if (error) goto bad_swap_unlock_inode; - nr_extents = setup_swap_map_and_extents(si, swap_header, swap_map, - maxpages, &span); - if (unlikely(nr_extents < 0)) { - error = nr_extents; + error = setup_swap_map(si, swap_header, swap_map, maxpages); + if (error) goto bad_swap_unlock_inode; - } /* * Use kvmalloc_array instead of bitmap_zalloc as the allocation order might _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch mm-shmem-add-missing-shmem_unacct_size-in-__shmem_file_setup.patch mm-shmem-fix-potential-dead-loop-in-shmem_unuse.patch mm-shmem-only-remove-inode-from-swaplist-when-its-swapped-page-count-is-0.patch mm-shmem-remove-unneeded-xa_is_value-check-in-shmem_unuse_swap_entries.patch mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

5 months, 3 weeks

1
0
0 0

+ mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() has been added to the -mm mm-new branch. Its filename is mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kemeng Shi <shikemeng(a)huaweicloud.com> Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() Date: Thu, 22 May 2025 20:25:51 +0800 Patch series "Some randome fixes and cleanups to swapfile". Patch 0-3 are some random fixes. Patch 4 is a cleanup. More details can be found in respective patches. This patch (of 4): When folio_alloc_swap() encounters a failure in either mem_cgroup_try_charge_swap() or add_to_swap_cache(), nr_swap_pages counter is not decremented for allocated entry. However, the following put_swap_folio() will increase nr_swap_pages counter unpairly and lead to an imbalance. Move nr_swap_pages decrement from folio_alloc_swap() to swap_range_alloc() to pair the nr_swap_pages counting. Link: https://lkml.kernel.org/r/20250522122554.12209-1-shikemeng@huaweicloud.com Link: https://lkml.kernel.org/r/20250522122554.12209-2-shikemeng@huaweicloud.com Fixes: 0ff67f990bd45 ("mm, swap: remove swap slot cache") Signed-off-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Reviewed-by: Kairui Song <kasong(a)tencent.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/swapfile.c~mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc +++ a/mm/swapfile.c @@ -1115,6 +1115,7 @@ static void swap_range_alloc(struct swap if (vm_swap_full()) schedule_work(&si->reclaim_work); } + atomic_long_sub(nr_entries, &nr_swap_pages); } static void swap_range_free(struct swap_info_struct *si, unsigned long offset, @@ -1313,7 +1314,6 @@ int folio_alloc_swap(struct folio *folio if (add_to_swap_cache(folio, entry, gfp | __GFP_NOMEMALLOC, NULL)) goto out_free; - atomic_long_sub(size, &nr_swap_pages); return 0; out_free: _ Patches currently in -mm which might be from shikemeng(a)huaweicloud.com are mm-shmem-avoid-unpaired-folio_unlock-in-shmem_swapin_folio.patch mm-shmem-add-missing-shmem_unacct_size-in-__shmem_file_setup.patch mm-shmem-fix-potential-dead-loop-in-shmem_unuse.patch mm-shmem-only-remove-inode-from-swaplist-when-its-swapped-page-count-is-0.patch mm-shmem-remove-unneeded-xa_is_value-check-in-shmem_unuse_swap_entries.patch mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potensial-deadloop.patch mm-swap-fix-potensial-buffer-overflow-in-setup_clusters.patch mm-swap-remove-stale-comment-stale-comment-in-cluster_alloc_swap_entry.patch

5 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: prevent inline data extents read from touching blocks beyond its range" has been added to the 6.14-stable tree

by Qu Wenruo

在 2025/5/23 06:35, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: prevent inline data extents read from touching blocks beyond its range > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-prevent-inline-data-extents-read-from-touching.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch. This is again a preparation patch for larger folios support of btrfs, and the optimization to dirty a block without reading the full page. This patch alone doesn't cause any difference for older kernels and should not be backported. Thanks, Qu > > > > commit 6a2d904623a8d1711b6b5065845d52cb3f2be60a > Author: Qu Wenruo <wqu(a)suse.com> > Date: Fri Nov 15 19:15:34 2024 +1030 > > btrfs: prevent inline data extents read from touching blocks beyond its range > > [ Upstream commit 1a5b5668d711d3d1ef447446beab920826decec3 ] > > Currently reading an inline data extent will zero out the remaining > range in the page. > > This is not yet causing problems even for block size < page size > (subpage) cases because: > > 1) An inline data extent always starts at file offset 0 > Meaning at page read, we always read the inline extent first, before > any other blocks in the page. Then later blocks are properly read out > and re-fill the zeroed out ranges. > > 2) Currently btrfs will read out the whole page if a buffered write is > not page aligned > So a page is either fully uptodate at buffered write time (covers the > whole page), or we will read out the whole page first. > Meaning there is nothing to lose for such an inline extent read. > > But it's still not ideal: > > - We're zeroing out the page twice > Once done by read_inline_extent()/uncompress_inline(), once done by > btrfs_do_readpage() for ranges beyond i_size. > > - We're touching blocks that don't belong to the inline extent > In the incoming patches, we can have a partial uptodate folio, of > which some dirty blocks can exist while the page is not fully uptodate: > > The page size is 16K and block size is 4K: > > 0 4K 8K 12K 16K > | | |/////////| | > > And range [8K, 12K) is dirtied by a buffered write, the remaining > blocks are not uptodate. > > If range [0, 4K) contains an inline data extent, and we try to read > the whole page, the current behavior will overwrite range [8K, 12K) > with zero and cause data loss. > > So to make the behavior more consistent and in preparation for future > changes, limit the inline data extents read to only zero out the range > inside the first block, not the whole page. > > Reviewed-by: Filipe Manana <fdmanana(a)suse.com> > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 9a648fb130230..a7136311a13c6 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -6779,6 +6779,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > { > int ret; > struct extent_buffer *leaf = path->nodes[0]; > + const u32 blocksize = leaf->fs_info->sectorsize; > char *tmp; > size_t max_size; > unsigned long inline_size; > @@ -6795,7 +6796,7 @@ static noinline int uncompress_inline(struct btrfs_path *path, > > read_extent_buffer(leaf, tmp, ptr, inline_size); > > - max_size = min_t(unsigned long, PAGE_SIZE, max_size); > + max_size = min_t(unsigned long, blocksize, max_size); > ret = btrfs_decompress(compress_type, tmp, folio, 0, inline_size, > max_size); > > @@ -6807,14 +6808,15 @@ static noinline int uncompress_inline(struct btrfs_path *path, > * cover that region here. > */ > > - if (max_size < PAGE_SIZE) > - folio_zero_range(folio, max_size, PAGE_SIZE - max_size); > + if (max_size < blocksize) > + folio_zero_range(folio, max_size, blocksize - max_size); > kfree(tmp); > return ret; > } > > static int read_inline_extent(struct btrfs_path *path, struct folio *folio) > { > + const u32 blocksize = path->nodes[0]->fs_info->sectorsize; > struct btrfs_file_extent_item *fi; > void *kaddr; > size_t copy_size; > @@ -6829,14 +6831,14 @@ static int read_inline_extent(struct btrfs_path *path, struct folio *folio) > if (btrfs_file_extent_compression(path->nodes[0], fi) != BTRFS_COMPRESS_NONE) > return uncompress_inline(path, folio, fi); > > - copy_size = min_t(u64, PAGE_SIZE, > + copy_size = min_t(u64, blocksize, > btrfs_file_extent_ram_bytes(path->nodes[0], fi)); > kaddr = kmap_local_folio(folio, 0); > read_extent_buffer(path->nodes[0], kaddr, > btrfs_file_extent_inline_start(fi), copy_size); > kunmap_local(kaddr); > - if (copy_size < PAGE_SIZE) > - folio_zero_range(folio, copy_size, PAGE_SIZE - copy_size); > + if (copy_size < blocksize) > + folio_zero_range(folio, copy_size, blocksize - copy_size); > return 0; > } >

5 months, 3 weeks

1
0
0 0

Re: Patch "btrfs: properly limit inline data extent according to block size" has been added to the 6.14-stable tree

by Qu Wenruo

在 2025/5/23 06:35, Sasha Levin 写道: > This is a note to let you know that I've just added the patch titled > > btrfs: properly limit inline data extent according to block size > > to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > btrfs-properly-limit-inline-data-extent-according-to.patch > and it can be found in the queue-6.14 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please drop this patch. This is mostly for the incoming large folios support for btrfs. For older kernels this patch will not cause any behavior change. Thanks, Qu> > > > commit ec02842137bdccb74ed331a1b0a335ee22eb179c > Author: Qu Wenruo <wqu(a)suse.com> > Date: Tue Feb 25 14:30:44 2025 +1030 > > btrfs: properly limit inline data extent according to block size > > [ Upstream commit 23019d3e6617a8ec99a8d2f5947aa3dd8a74a1b8 ] > > Btrfs utilizes inline data extent for the following cases: > > - Regular small files > - Symlinks > > And "btrfs check" detects any file extents that are too large as an > error. > > It's not a problem for 4K block size, but for the incoming smaller > block sizes (2K), it can cause problems due to bad limits: > > - Non-compressed inline data extents > We do not allow a non-compressed inline data extent to be as large as > block size. > > - Symlinks > Currently the only real limit on symlinks are 4K, which can be larger > than 2K block size. > > These will result btrfs-check to report too large file extents. > > Fix it by adding proper size checks for the above cases. > > Signed-off-by: Qu Wenruo <wqu(a)suse.com> > Reviewed-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: David Sterba <dsterba(a)suse.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index a06fca7934d55..9a648fb130230 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -583,6 +583,10 @@ static bool can_cow_file_range_inline(struct btrfs_inode *inode, > if (size > fs_info->sectorsize) > return false; > > + /* We do not allow a non-compressed extent to be as large as block size. */ > + if (data_len >= fs_info->sectorsize) > + return false; > + > /* We cannot exceed the maximum inline data size. */ > if (data_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info)) > return false; > @@ -8671,7 +8675,12 @@ static int btrfs_symlink(struct mnt_idmap *idmap, struct inode *dir, > struct extent_buffer *leaf; > > name_len = strlen(symname); > - if (name_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info)) > + /* > + * Symlinks utilize uncompressed inline extent data, which should not > + * reach block size. > + */ > + if (name_len > BTRFS_MAX_INLINE_DATA_SIZE(fs_info) || > + name_len >= fs_info->sectorsize) > return -ENAMETOOLONG; > > inode = new_inode(dir->i_sb);

5 months, 3 weeks

1
0
0 0

[PATCH v1] Revert "usb: xhci: Implement xhci_handshake_check_state() helper"

by Roy Luo

This reverts commit 6ccb83d6c4972ebe6ae49de5eba051de3638362c. Commit 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") was introduced to workaround watchdog timeout issues on some platforms, allowing xhci_reset() to bail out early without waiting for the reset to complete. Skipping the xhci handshake during a reset is a dangerous move. The xhci specification explicitly states that certain registers cannot be accessed during reset in section 5.4.1 USB Command Register (USBCMD), Host Controller Reset (HCRST) field: "This bit is cleared to '0' by the Host Controller when the reset process is complete. Software cannot terminate the reset process early by writinga '0' to this bit and shall not write any xHC Operational or Runtime registers until while HCRST is '1'." This behavior causes a regression on SNPS DWC3 USB controller with dual-role capability. When the DWC3 controller exits host mode and removes xhci while a reset is still in progress, and then tries to configure its hardware for device mode, the ongoing reset leads to register access issues; specifically, all register reads returns 0. These issues extend beyond the xhci register space (which is expected during a reset) and affect the entire DWC3 IP block, causing the DWC3 device mode to malfunction. Cc: stable(a)vger.kernel.org Fixes: 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") Signed-off-by: Roy Luo <royluo(a)google.com> --- Changes in v1: - Link to previous patchset: https://lore.kernel.org/r/20250515185227.1507363-1-royluo@google.com/ --- drivers/usb/host/xhci-ring.c | 5 ++--- drivers/usb/host/xhci.c | 26 +------------------------- drivers/usb/host/xhci.h | 2 -- 3 files changed, 3 insertions(+), 30 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 423bf3649570..b720e04ce7d8 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -518,9 +518,8 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags) * In the future we should distinguish between -ENODEV and -ETIMEDOUT * and try to recover a -ETIMEDOUT with a host controller reset. */ - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->cmd_ring, - CMD_RING_RUNNING, 0, 5 * 1000 * 1000, - XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->cmd_ring, + CMD_RING_RUNNING, 0, 5 * 1000 * 1000); if (ret < 0) { xhci_err(xhci, "Abort failed to stop command ring: %d\n", ret); xhci_halt(xhci); diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 90eb491267b5..472c4b6ae59e 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -83,29 +83,6 @@ int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us) return ret; } -/* - * xhci_handshake_check_state - same as xhci_handshake but takes an additional - * exit_state parameter, and bails out with an error immediately when xhc_state - * has exit_state flag set. - */ -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state) -{ - u32 result; - int ret; - - ret = readl_poll_timeout_atomic(ptr, result, - (result & mask) == done || - result == U32_MAX || - xhci->xhc_state & exit_state, - 1, usec); - - if (result == U32_MAX || xhci->xhc_state & exit_state) - return -ENODEV; - - return ret; -} - /* * Disable interrupts and begin the xHCI halting process. */ @@ -226,8 +203,7 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) if (xhci->quirks & XHCI_INTEL_HOST) udelay(1000); - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->command, - CMD_RESET, 0, timeout_us, XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->command, CMD_RESET, 0, timeout_us); if (ret) return ret; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 242ab9fbc8ae..5e698561b96d 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1855,8 +1855,6 @@ void xhci_remove_secondary_interrupter(struct usb_hcd /* xHCI host controller glue */ typedef void (*xhci_get_quirks_t)(struct device *, struct xhci_hcd *); int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us); -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state); void xhci_quiesce(struct xhci_hcd *xhci); int xhci_halt(struct xhci_hcd *xhci); int xhci_start(struct xhci_hcd *xhci); base-commit: 172a9d94339cea832d89630b89d314e41d622bd8 -- 2.49.0.1112.g889b7c5bd8-goog

5 months, 3 weeks

5
8
0 0

[PATCH v1 2/2] Revert "usb: xhci: Implement xhci_handshake_check_state() helper"

by Roy Luo

This reverts commit 6ccb83d6c4972ebe6ae49de5eba051de3638362c. Commit 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") was introduced to workaround watchdog timeout issues on some platforms, allowing xhci_reset() to bail out early without waiting for the reset to complete. Skipping the xhci handshake during a reset is a dangerous move. The xhci specification explicitly states that certain registers cannot be accessed during reset in section 5.4.1 USB Command Register (USBCMD), Host Controller Reset (HCRST) field: "This bit is cleared to '0' by the Host Controller when the reset process is complete. Software cannot terminate the reset process early by writinga '0' to this bit and shall not write any xHC Operational or Runtime registers until while HCRST is '1'." This behavior causes a regression on SNPS DWC3 USB controller with dual-role capability. When the DWC3 controller exits host mode and removes xhci while a reset is still in progress, and then tries to configure its hardware for device mode, the ongoing reset leads to register access issues; specifically, all register reads returns 0. These issues extend beyond the xhci register space (which is expected during a reset) and affect the entire DWC3 IP block, causing the DWC3 device mode to malfunction. Cc: stable(a)vger.kernel.org Fixes: 6ccb83d6c497 ("usb: xhci: Implement xhci_handshake_check_state() helper") Signed-off-by: Roy Luo <royluo(a)google.com> --- drivers/usb/host/xhci-ring.c | 5 ++--- drivers/usb/host/xhci.c | 26 +------------------------- drivers/usb/host/xhci.h | 2 -- 3 files changed, 3 insertions(+), 30 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 423bf3649570..b720e04ce7d8 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -518,9 +518,8 @@ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags) * In the future we should distinguish between -ENODEV and -ETIMEDOUT * and try to recover a -ETIMEDOUT with a host controller reset. */ - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->cmd_ring, - CMD_RING_RUNNING, 0, 5 * 1000 * 1000, - XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->cmd_ring, + CMD_RING_RUNNING, 0, 5 * 1000 * 1000); if (ret < 0) { xhci_err(xhci, "Abort failed to stop command ring: %d\n", ret); xhci_halt(xhci); diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 244b12eafd95..cb9f35acb1f9 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -83,29 +83,6 @@ int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us) return ret; } -/* - * xhci_handshake_check_state - same as xhci_handshake but takes an additional - * exit_state parameter, and bails out with an error immediately when xhc_state - * has exit_state flag set. - */ -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state) -{ - u32 result; - int ret; - - ret = readl_poll_timeout_atomic(ptr, result, - (result & mask) == done || - result == U32_MAX || - xhci->xhc_state & exit_state, - 1, usec); - - if (result == U32_MAX || xhci->xhc_state & exit_state) - return -ENODEV; - - return ret; -} - /* * Disable interrupts and begin the xHCI halting process. */ @@ -226,8 +203,7 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) if (xhci->quirks & XHCI_INTEL_HOST) udelay(1000); - ret = xhci_handshake_check_state(xhci, &xhci->op_regs->command, - CMD_RESET, 0, timeout_us, XHCI_STATE_REMOVING); + ret = xhci_handshake(&xhci->op_regs->command, CMD_RESET, 0, timeout_us); if (ret) return ret; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 242ab9fbc8ae..5e698561b96d 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1855,8 +1855,6 @@ void xhci_remove_secondary_interrupter(struct usb_hcd /* xHCI host controller glue */ typedef void (*xhci_get_quirks_t)(struct device *, struct xhci_hcd *); int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, u64 timeout_us); -int xhci_handshake_check_state(struct xhci_hcd *xhci, void __iomem *ptr, - u32 mask, u32 done, int usec, unsigned int exit_state); void xhci_quiesce(struct xhci_hcd *xhci); int xhci_halt(struct xhci_hcd *xhci); int xhci_start(struct xhci_hcd *xhci); -- 2.49.0.1204.g71687c7c1d-goog

5 months, 3 weeks

1
0
0 0

[PATCH v3] net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()

by Wentao Liang

The function mlx5_query_nic_vport_node_guid() calls the function mlx5_query_nic_vport_context() but does not check its return value. A proper implementation can be found in mlx5_nic_vport_query_local_lb(). Add error handling for mlx5_query_nic_vport_context(). If it fails, free the out buffer via kvfree() and return error code. Fixes: 9efa75254593 ("net/mlx5_core: Introduce access functions to query vport RoCE fields") Cc: stable(a)vger.kernel.org # v4.5 Target: net Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- v3: Explicitly mention target branch. Change improper code. v2: Remove redundant reassignment. Fix typo error. drivers/net/ethernet/mellanox/mlx5/core/vport.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c index 0d5f750faa45..66e44905c1f0 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c @@ -465,19 +465,22 @@ int mlx5_query_nic_vport_node_guid(struct mlx5_core_dev *mdev, u64 *node_guid) { u32 *out; int outlen = MLX5_ST_SZ_BYTES(query_nic_vport_context_out); + int err; out = kvzalloc(outlen, GFP_KERNEL); if (!out) return -ENOMEM; - mlx5_query_nic_vport_context(mdev, 0, out); + ret = mlx5_query_nic_vport_context(mdev, 0, out); + if (err) + goto out; *node_guid = MLX5_GET64(query_nic_vport_context_out, out, nic_vport_context.node_guid); - +out: kvfree(out); - return 0; + return err; } EXPORT_SYMBOL_GPL(mlx5_query_nic_vport_node_guid); -- 2.42.0.windows.2

5 months, 3 weeks

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror