- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] drm/amd/display: Fix gpu reset in multidisplay config" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042801-bucktooth-unstopped-52b8@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 Mon Sep 17 00:00:00 2001 From: Roman Li <Roman.Li(a)amd.com> Date: Tue, 1 Apr 2025 17:05:10 -0400 Subject: [PATCH] drm/amd/display: Fix gpu reset in multidisplay config [Why] The indexing of stream_status in dm_gpureset_commit_state() is incorrect. That leads to asserts in multi-display configuration after gpu reset. [How] Adjust the indexing logic to align stream_status with surface_updates. Fixes: cdaae8371aa9 ("drm/amd/display: Handle GPU reset for DC block") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3808 Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Roman Li <Roman.Li(a)amd.com> Signed-off-by: Zaeem Mohamed <zaeem.mohamed(a)amd.com> Tested-by: Mark Broadworth <mark.broadworth(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit d91bc901398741d317d9b55c59ca949d4bc7394b) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 9fed4471405f..8f3a778df646 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -3355,16 +3355,16 @@ static void dm_gpureset_commit_state(struct dc_state *dc_state, for (k = 0; k < dc_state->stream_count; k++) { bundle->stream_update.stream = dc_state->streams[k]; - for (m = 0; m < dc_state->stream_status->plane_count; m++) { + for (m = 0; m < dc_state->stream_status[k].plane_count; m++) { bundle->surface_updates[m].surface = - dc_state->stream_status->plane_states[m]; + dc_state->stream_status[k].plane_states[m]; bundle->surface_updates[m].surface->force_full_update = true; } update_planes_and_stream_adapter(dm->dc, UPDATE_TYPE_FULL, - dc_state->stream_status->plane_count, + dc_state->stream_status[k].plane_count, dc_state->streams[k], &bundle->stream_update, bundle->surface_updates);

6 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] net: phy: microchip: force IRQ polling mode for lan88xx" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 30a41ed32d3088cd0d682a13d7f30b23baed7e93 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042825-unreal-nature-7581@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 30a41ed32d3088cd0d682a13d7f30b23baed7e93 Mon Sep 17 00:00:00 2001 From: Fiona Klute <fiona.klute(a)gmx.de> Date: Wed, 16 Apr 2025 12:24:13 +0200 Subject: [PATCH] net: phy: microchip: force IRQ polling mode for lan88xx With lan88xx based devices the lan78xx driver can get stuck in an interrupt loop while bringing the device up, flooding the kernel log with messages like the following: lan78xx 2-3:1.0 enp1s0u3: kevent 4 may have been dropped Removing interrupt support from the lan88xx PHY driver forces the driver to use polling instead, which avoids the problem. The issue has been observed with Raspberry Pi devices at least since 4.14 (see [1], bug report for their downstream kernel), as well as with Nvidia devices [2] in 2020, where disabling interrupts was the vendor-suggested workaround (together with the claim that phylib changes in 4.9 made the interrupt handling in lan78xx incompatible). Iperf reports well over 900Mbits/sec per direction with client in --dualtest mode, so there does not seem to be a significant impact on throughput (lan88xx device connected via switch to the peer). [1] https://github.com/raspberrypi/linux/issues/2447 [2] https://forums.developer.nvidia.com/t/jetson-xavier-and-lan7800-problem/142… Link: https://lore.kernel.org/0901d90d-3f20-4a10-b680-9c978e04ddda@lunn.ch Fixes: 792aec47d59d ("add microchip LAN88xx phy driver") Signed-off-by: Fiona Klute <fiona.klute(a)gmx.de> Cc: kernel-list(a)raspberrypi.com Cc: stable(a)vger.kernel.org Reviewed-by: Andrew Lunn <andrew(a)lunn.ch> Link: https://patch.msgid.link/20250416102413.30654-1-fiona.klute@gmx.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/phy/microchip.c b/drivers/net/phy/microchip.c index 0e17cc458efd..93de88c1c8fd 100644 --- a/drivers/net/phy/microchip.c +++ b/drivers/net/phy/microchip.c @@ -37,47 +37,6 @@ static int lan88xx_write_page(struct phy_device *phydev, int page) return __phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, page); } -static int lan88xx_phy_config_intr(struct phy_device *phydev) -{ - int rc; - - if (phydev->interrupts == PHY_INTERRUPT_ENABLED) { - /* unmask all source and clear them before enable */ - rc = phy_write(phydev, LAN88XX_INT_MASK, 0x7FFF); - rc = phy_read(phydev, LAN88XX_INT_STS); - rc = phy_write(phydev, LAN88XX_INT_MASK, - LAN88XX_INT_MASK_MDINTPIN_EN_ | - LAN88XX_INT_MASK_LINK_CHANGE_); - } else { - rc = phy_write(phydev, LAN88XX_INT_MASK, 0); - if (rc) - return rc; - - /* Ack interrupts after they have been disabled */ - rc = phy_read(phydev, LAN88XX_INT_STS); - } - - return rc < 0 ? rc : 0; -} - -static irqreturn_t lan88xx_handle_interrupt(struct phy_device *phydev) -{ - int irq_status; - - irq_status = phy_read(phydev, LAN88XX_INT_STS); - if (irq_status < 0) { - phy_error(phydev); - return IRQ_NONE; - } - - if (!(irq_status & LAN88XX_INT_STS_LINK_CHANGE_)) - return IRQ_NONE; - - phy_trigger_machine(phydev); - - return IRQ_HANDLED; -} - static int lan88xx_suspend(struct phy_device *phydev) { struct lan88xx_priv *priv = phydev->priv; @@ -528,8 +487,9 @@ static struct phy_driver microchip_phy_driver[] = { .config_aneg = lan88xx_config_aneg, .link_change_notify = lan88xx_link_change_notify, - .config_intr = lan88xx_phy_config_intr, - .handle_interrupt = lan88xx_handle_interrupt, + /* Interrupt handling is broken, do not define related + * functions to force polling. + */ .suspend = lan88xx_suspend, .resume = genphy_resume,

6 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] xen-netfront: handle NULL returned by" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x cc3628dcd851ddd8d418bf0c897024b4621ddc92 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042800-convene-bless-ce4b@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cc3628dcd851ddd8d418bf0c897024b4621ddc92 Mon Sep 17 00:00:00 2001 From: Alexey Nepomnyashih <sdl(a)nppct.ru> Date: Thu, 17 Apr 2025 12:21:17 +0000 Subject: [PATCH] xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior. On XDP redirect failure, the associated page must be released explicitly if it was previously retained via get_page(). Failing to do so may result in a memory leak, as the pages reference count is not decremented. Cc: stable(a)vger.kernel.org # v5.9+ Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") Signed-off-by: Alexey Nepomnyashih <sdl(a)nppct.ru> Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@nppct.ru Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index fc52d5c4c69b..5091e1fa4a0d 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -985,20 +985,27 @@ static u32 xennet_run_xdp(struct netfront_queue *queue, struct page *pdata, act = bpf_prog_run_xdp(prog, xdp); switch (act) { case XDP_TX: - get_page(pdata); xdpf = xdp_convert_buff_to_frame(xdp); - err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); - if (unlikely(!err)) - xdp_return_frame_rx_napi(xdpf); - else if (unlikely(err < 0)) + if (unlikely(!xdpf)) { trace_xdp_exception(queue->info->netdev, prog, act); + break; + } + get_page(pdata); + err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); + if (unlikely(err <= 0)) { + if (err < 0) + trace_xdp_exception(queue->info->netdev, prog, act); + xdp_return_frame_rx_napi(xdpf); + } break; case XDP_REDIRECT: get_page(pdata); err = xdp_do_redirect(queue->info->netdev, xdp, prog); *need_xdp_flush = true; - if (unlikely(err)) + if (unlikely(err)) { trace_xdp_exception(queue->info->netdev, prog, act); + xdp_return_buff(xdp); + } break; case XDP_PASS: case XDP_DROP:

6 months, 2 weeks

1
0
0 0

stable request: eaaff9b6702e ("netfilter: fib: avoid lookup if socket is available")

by Florian Westphal

Hi Greg, hi Sasha, Could you please queue up eaaff9b6702e ("netfilter: fib: avoid lookup if socket is available") for 6.14 and 6.12? Unfortunately I did not realize that the missing handling of 'input' is not just a missing optimization but an actual bug fix, else I would have split this patch in two. The bug exists since 5.19, but its not a regression ('never worked'). Given noone noticed/reported this until this week (https://lore.kernel.org/netfilter/20250422114352.GA2092@breakpoint.cc/), we think it makes sense to only apply this to the two most recent trees and keep the rest as-is, users of those trees evidently don't use the b0rken configuration or they would have complained long ago. The commit cherry-picks cleanly to both. If you disagree let me know, I could also make a stable-only patch that only contains the bug fix part of the mentioned commit. Thanks!

6 months, 2 weeks

2
1
0 0

Stable request: net: stmmac: resume rx clocking

by Jon Hunter

Hi Greg, Sasha, Updates to the stmmac networking driver in Linux v6.14 exposed some issues with resuming the driver on platforms such as the Tegra186 Jetson TX2 board. This is why the suspend test has been failing on this platform for the linux-6.14.y updates ... Test failures: tegra186-p2771-0000: pm-system-suspend.sh Russell has provided some fixes for this that are now in the mainline and so I would like to integrate the following changes to linux-6.14.y ... f732549eb303 net: stmmac: simplify phylink_suspend() and phylink_resume() calls 367f1854d442 net: phylink: add phylink_prepare_resume() ef43e5132895 net: stmmac: address non-LPI resume failures properly 366aeeba7908 net: stmmac: socfpga: remove phy_resume() call ddf4bd3f7384 net: phylink: add functions to block/unblock rx clock stop dd557266cf5f net: stmmac: block PHY RXC clock-stop I had a quick look to see if we can backport to linux-6.12.y but looks like we need more commits and so for now just target linux-6.14.y. Jon

6 months, 2 weeks

2
1
0 0

Please apply commit d81cadbe1642 to 6.12 stable tree

by Naveen N Rao

Please apply commit d81cadbe1642 ("KVM: SVM: Disable AVIC on SNP-enabled system without HvInUseWrAllowed feature") to the stable v6.12 tree. This patch prevents a kernel BUG by disabling AVIC on systems without suitable support for AVIC to work when SEV-SNP support is enabled in the host. Thanks, Naveen

6 months, 2 weeks

3
4
0 0

Potential Linux Crash: possible deadlock in do_lock_mount in linux6.12.24(longterm maintenance)

by Jianzhou Zhao

Hello, I found a potential bug titled " possible deadlock in do_lock_mount " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). (The latest version of 6.12 is 6.12-25 at present. However, after comparison, I found that there seems to be no fix for this bug in the latest version.) Unfortunately, I am unable to reproduce this bug. If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <luckd0g(a)163.com>, xingwei lee <xrivendell7(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 ------------[ cut here ]----------------------------------------- TITLE: possible deadlock in do_lock_mount ------------[ cut here ]------------ ====================================================== ====================================================== WARNING: possible circular locking dependency detected 6.12.24 #3 Not tainted ------------------------------------------------------ syz.6.1765/29153 is trying to acquire lock: ffffffff8e14afc0 (fs_reclaim){+.+.}-{0:0}, at: might_alloc include/linux/sched/mm.h:318 [inline] ffffffff8e14afc0 (fs_reclaim){+.+.}-{0:0}, at: slab_pre_alloc_hook mm/slub.c:4058 [inline] ffffffff8e14afc0 (fs_reclaim){+.+.}-{0:0}, at: slab_alloc_node mm/slub.c:4136 [inline] ffffffff8e14afc0 (fs_reclaim){+.+.}-{0:0}, at: __kmalloc_cache_noprof+0x4b/0x310 mm/slub.c:4312 but task is already holding lock: ffffffff8e1bfdd0 (namespace_sem){++++}-{3:3}, at: namespace_lock fs/namespace.c:1713 [inline] ffffffff8e1bfdd0 (namespace_sem){++++}-{3:3}, at: do_lock_mount+0x150/0x5b0 fs/namespace.c:2618 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #7 (namespace_sem){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 namespace_lock fs/namespace.c:1713 [inline] do_lock_mount+0x150/0x5b0 fs/namespace.c:2618 lock_mount fs/namespace.c:2654 [inline] do_loopback fs/namespace.c:2777 [inline] path_mount+0xcda/0x1ea0 fs/namespace.c:3833 do_mount fs/namespace.c:3852 [inline] __do_sys_mount fs/namespace.c:4062 [inline] __se_sys_mount fs/namespace.c:4039 [inline] __x64_sys_mount+0x284/0x310 fs/namespace.c:4039 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #6 (&sb->s_type->i_mutex_key#3){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 inode_lock include/linux/fs.h:815 [inline] start_creating.part.0+0xb2/0x370 fs/debugfs/inode.c:374 start_creating fs/debugfs/inode.c:351 [inline] debugfs_create_dir+0x72/0x600 fs/debugfs/inode.c:593 blk_register_queue+0x16a/0x4f0 block/blk-sysfs.c:766 device_add_disk+0x77f/0x12f0 block/genhd.c:489 add_disk include/linux/blkdev.h:741 [inline] brd_alloc.isra.0+0x57a/0x800 drivers/block/brd.c:401 brd_init+0xf5/0x1e0 drivers/block/brd.c:481 do_one_initcall+0x10e/0x6d0 init/main.c:1269 do_initcall_level init/main.c:1331 [inline] do_initcalls init/main.c:1347 [inline] do_basic_setup init/main.c:1366 [inline] kernel_init_freeable+0x5ae/0x8a0 init/main.c:1580 kernel_init+0x1e/0x2d0 init/main.c:1469 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #5 (&q->debugfs_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 blk_mq_init_sched+0x436/0x650 block/blk-mq-sched.c:473 elevator_init_mq+0x2cc/0x420 block/elevator.c:610 device_add_disk+0x10e/0x12f0 block/genhd.c:411 sd_probe+0xa0e/0xf80 drivers/scsi/sd.c:4024 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #4 (&q->q_usage_counter(queue)#51){++++}-{0:0}: blk_queue_enter+0x4d0/0x600 block/blk-core.c:328 blk_mq_alloc_request+0x422/0x9c0 block/blk-mq.c:680 scsi_alloc_request drivers/scsi/scsi_lib.c:1227 [inline] scsi_execute_cmd+0x1fe/0xf20 drivers/scsi/scsi_lib.c:304 read_capacity_16+0x1f2/0xe60 drivers/scsi/sd.c:2655 sd_read_capacity drivers/scsi/sd.c:2824 [inline] sd_revalidate_disk.isra.0+0x1989/0xa440 drivers/scsi/sd.c:3734 sd_probe+0x887/0xf80 drivers/scsi/sd.c:4010 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #3 (&q->limits_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 queue_limits_start_update include/linux/blkdev.h:935 [inline] loop_reconfigure_limits+0x1f2/0x960 drivers/block/loop.c:1004 loop_set_block_size drivers/block/loop.c:1474 [inline] lo_simple_ioctl drivers/block/loop.c:1497 [inline] lo_ioctl+0xb92/0x1870 drivers/block/loop.c:1560 blkdev_ioctl+0x27b/0x6c0 block/ioctl.c:693 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #2 (&q->q_usage_counter(io)#19){++++}-{0:0}: bio_queue_enter block/blk.h:76 [inline] blk_mq_submit_bio+0x2167/0x2b70 block/blk-mq.c:3090 __submit_bio+0x399/0x630 block/blk-core.c:629 __submit_bio_noacct_mq block/blk-core.c:716 [inline] submit_bio_noacct_nocheck+0x6c3/0xd00 block/blk-core.c:745 submit_bio_noacct+0x57a/0x1fa0 block/blk-core.c:868 xfs_buf_ioapply_map fs/xfs/xfs_buf.c:1585 [inline] _xfs_buf_ioapply+0x8a4/0xbe0 fs/xfs/xfs_buf.c:1673 __xfs_buf_submit+0x241/0x840 fs/xfs/xfs_buf.c:1757 xfs_buf_submit fs/xfs/xfs_buf.c:61 [inline] _xfs_buf_read fs/xfs/xfs_buf.c:808 [inline] xfs_buf_read_map+0x3e7/0xb40 fs/xfs/xfs_buf.c:872 xfs_trans_read_buf_map+0x10a/0x9b0 fs/xfs/xfs_trans_buf.c:289 xfs_trans_read_buf fs/xfs/xfs_trans.h:212 [inline] xfs_read_agf+0x2c1/0x5b0 fs/xfs/libxfs/xfs_alloc.c:3367 xfs_alloc_read_agf+0x152/0xb90 fs/xfs/libxfs/xfs_alloc.c:3401 xfs_alloc_fix_freelist+0x925/0xff0 fs/xfs/libxfs/xfs_alloc.c:2863 xfs_alloc_vextent_prepare_ag+0x7c/0x6c0 fs/xfs/libxfs/xfs_alloc.c:3532 xfs_alloc_vextent_iterate_ags.constprop.0+0x1b0/0x970 fs/xfs/libxfs/xfs_alloc.c:3717 xfs_alloc_vextent_start_ag+0x32b/0x800 fs/xfs/libxfs/xfs_alloc.c:3806 xfs_bmap_btalloc_best_length fs/xfs/libxfs/xfs_bmap.c:3731 [inline] xfs_bmap_btalloc+0xbc4/0x17d0 fs/xfs/libxfs/xfs_bmap.c:3776 xfs_bmapi_allocate+0x23d/0xe80 fs/xfs/libxfs/xfs_bmap.c:4189 xfs_bmapi_write+0x686/0xca0 fs/xfs/libxfs/xfs_bmap.c:4518 xfs_dquot_disk_alloc+0x654/0xbb0 fs/xfs/xfs_dquot.c:376 xfs_qm_dqread+0x55d/0x5f0 fs/xfs/xfs_dquot.c:715 xfs_qm_dqget+0x142/0x470 fs/xfs/xfs_dquot.c:927 xfs_qm_quotacheck_dqadjust+0xaa/0x570 fs/xfs/xfs_qm.c:1125 xfs_qm_dqusage_adjust+0x511/0x680 fs/xfs/xfs_qm.c:1248 xfs_iwalk_ag_recs+0x476/0x7c0 fs/xfs/xfs_iwalk.c:213 xfs_iwalk_run_callbacks+0x1fa/0x560 fs/xfs/xfs_iwalk.c:371 xfs_iwalk_ag+0x73a/0x940 fs/xfs/xfs_iwalk.c:477 xfs_iwalk_ag_work+0x14e/0x1c0 fs/xfs/xfs_iwalk.c:619 xfs_pwork_work+0x7f/0x160 fs/xfs/xfs_pwork.c:47 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #1 (&xfs_nondir_ilock_class#3){++++}-{3:3}: down_write_nested+0x96/0x210 kernel/locking/rwsem.c:1693 xfs_ilock+0x198/0x210 fs/xfs/xfs_inode.c:164 xfs_reclaim_inode fs/xfs/xfs_icache.c:981 [inline] xfs_icwalk_process_inode fs/xfs/xfs_icache.c:1675 [inline] xfs_icwalk_ag+0xa5e/0x17b0 fs/xfs/xfs_icache.c:1757 xfs_icwalk fs/xfs/xfs_icache.c:1805 [inline] xfs_reclaim_inodes_nr+0x1bd/0x300 fs/xfs/xfs_icache.c:1047 super_cache_scan+0x412/0x570 fs/super.c:227 do_shrink_slab+0x44b/0x1190 mm/shrinker.c:437 shrink_slab+0x332/0x12a0 mm/shrinker.c:664 shrink_one+0x4ad/0x7c0 mm/vmscan.c:4835 shrink_many mm/vmscan.c:4896 [inline] lru_gen_shrink_node mm/vmscan.c:4974 [inline] shrink_node+0x2420/0x3890 mm/vmscan.c:5954 kswapd_shrink_node mm/vmscan.c:6782 [inline] balance_pgdat+0xbe5/0x18c0 mm/vmscan.c:6974 kswapd+0x702/0xd50 mm/vmscan.c:7243 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #0 (fs_reclaim){+.+.}-{0:0}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 __fs_reclaim_acquire mm/page_alloc.c:3853 [inline] fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:3867 might_alloc include/linux/sched/mm.h:318 [inline] slab_pre_alloc_hook mm/slub.c:4058 [inline] slab_alloc_node mm/slub.c:4136 [inline] __kmalloc_cache_noprof+0x4b/0x310 mm/slub.c:4312 kmalloc_noprof include/linux/slab.h:878 [inline] get_mountpoint+0x14c/0x410 fs/namespace.c:909 do_lock_mount+0x171/0x5b0 fs/namespace.c:2639 lock_mount fs/namespace.c:2654 [inline] do_new_mount_fc fs/namespace.c:3449 [inline] do_new_mount fs/namespace.c:3514 [inline] path_mount+0x1695/0x1ea0 fs/namespace.c:3839 do_mount fs/namespace.c:3852 [inline] __do_sys_mount fs/namespace.c:4062 [inline] __se_sys_mount fs/namespace.c:4039 [inline] __x64_sys_mount+0x284/0x310 fs/namespace.c:4039 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Chain exists of: fs_reclaim --> &sb->s_type->i_mutex_key#3 --> namespace_sem Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(namespace_sem); lock(&sb->s_type->i_mutex_key#3); lock(namespace_sem); lock(fs_reclaim); *** DEADLOCK *** 2 locks held by syz.6.1765/29153: #0: ffff888055a94158 (&sb->s_type->i_mutex_key#29){++++}-{3:3}, at: inode_lock include/linux/fs.h:815 [inline] #0: ffff888055a94158 (&sb->s_type->i_mutex_key#29){++++}-{3:3}, at: do_lock_mount+0xae/0x5b0 fs/namespace.c:2612 #1: ffffffff8e1bfdd0 (namespace_sem){++++}-{3:3}, at: namespace_lock fs/namespace.c:1713 [inline] #1: ffffffff8e1bfdd0 (namespace_sem){++++}-{3:3}, at: do_lock_mount+0x150/0x5b0 fs/namespace.c:2618 stack backtrace: CPU: 1 UID: 0 PID: 29153 Comm: syz.6.1765 Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_circular_bug+0x406/0x5c0 kernel/locking/lockdep.c:2074 check_noncircular+0x2f7/0x3e0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 __fs_reclaim_acquire mm/page_alloc.c:3853 [inline] fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:3867 might_alloc include/linux/sched/mm.h:318 [inline] slab_pre_alloc_hook mm/slub.c:4058 [inline] slab_alloc_node mm/slub.c:4136 [inline] __kmalloc_cache_noprof+0x4b/0x310 mm/slub.c:4312 kmalloc_noprof include/linux/slab.h:878 [inline] get_mountpoint+0x14c/0x410 fs/namespace.c:909 do_lock_mount+0x171/0x5b0 fs/namespace.c:2639 lock_mount fs/namespace.c:2654 [inline] do_new_mount_fc fs/namespace.c:3449 [inline] do_new_mount fs/namespace.c:3514 [inline] path_mount+0x1695/0x1ea0 fs/namespace.c:3839 do_mount fs/namespace.c:3852 [inline] __do_sys_mount fs/namespace.c:4062 [inline] __se_sys_mount fs/namespace.c:4039 [inline] __x64_sys_mount+0x284/0x310 fs/namespace.c:4039 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff6353ad5ad Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff6361edf98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007ff6355e5fa0 RCX: 00007ff6353ad5ad RDX: 00002000000000c0 RSI: 0000200000000080 RDI: 0000000000000000 RBP: 00007ff635446d56 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007ff6355e5fa0 R15: 00007ff6361ce000 </TASK> ================================================================== I hope it helps. Best regards Jianzhou Zhao

6 months, 2 weeks

2
1
0 0

[PATCH 6.12 000/223] 6.12.25-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.25 release. There are 223 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.25-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.25-rc1 Jens Axboe <axboe(a)kernel.dk> block: make struct rq_list available for !CONFIG_BLOCK Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: extend changes_pkt_data with cases w/o subprograms Eduard Zingerman <eddyz87(a)gmail.com> bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: validate that tail call invalidates packet pointers Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: freplace tests for tracking of changes_packet_data Eduard Zingerman <eddyz87(a)gmail.com> bpf: check changes_pkt_data property for extension programs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: test for changing packet data from global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: track changes_pkt_data property for global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: add find_containing_subprog() utility function P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process WangYuli <wangyuli(a)uniontech.com> MIPS: ds1287: Match ds1287_set_base_clock() function types WangYuli <wangyuli(a)uniontech.com> MIPS: cevt-ds1287: Add missing ds1287.h include WangYuli <wangyuli(a)uniontech.com> MIPS: dec: Declare which_prom() as static Alexander Tsoy <alexander(a)tsoy.me> Revert "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process" Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Christoph Hellwig <hch(a)lst.de> block: don't reorder requests in blk_add_rq_to_plug Christoph Hellwig <hch(a)lst.de> block: add a rq_list type Christoph Hellwig <hch(a)lst.de> block: remove rq_list_move WangYuli <wangyuli(a)uniontech.com> nvmet-fc: Remove unused functions Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: Temporarily disable hostvm on DCN31 Yuli Wang <wangyuli(a)uniontech.com> LoongArch: Eliminate superfluous get_numa_distances_cnt() Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32 Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Shung-Hsi Yu <shung-hsi.yu(a)suse.com> selftests/bpf: Fix raw_tp null handling test Yu Kuai <yukuai3(a)huawei.com> md: fix mddev uaf while iterating all_mddevs list Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Workaround a ACPI firmware bug Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Rename "data" variable Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Lukas Fischer <kernel(a)o1oo11oo.de> scripts: generate_rust_analyzer: Add ffi crate Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reference count policy in cpufreq_update_limits() Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HFGWTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HFGRTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HFGITR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HDFGWTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HDFGRTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 Thomas Zimmermann <tzimmermann(a)suse.de> drm/mgag200: Fix value in <VBLKSTR> register ZhenGuo Yin <zhenguo.yin(a)amd.com> drm/amdgpu: fix warning of drm_mm_clean Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Set LRC addresses before guc load Matthew Auld <matthew.auld(a)intel.com> drm/xe/userptr: fix notifier vs folio deadlock Matthew Auld <matthew.auld(a)intel.com> drm/xe/dma_buf: stop relying on placement in unmap Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1 Huacai Chen <chenhuacai(a)kernel.org> drm/amd/display: Protect FPU in dml2_init()/dml21_init() Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Do not enable Replay and PSR while VRR is on in amdgpu_dm_commit_planes() Christian König <christian.koenig(a)amd.com> drm/amdgpu: immediately use GTT for new allocations Jani Nikula <jani.nikula(a)intel.com> drm/i915/gvt: fix unterminated-string-initialization warning Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Fix an out-of-bounds shift when invalidating TLB Rolf Eike Beer <eb(a)emlix.com> drm/sti: remove duplicate object names Brendan King <Brendan.King(a)imgtec.com> drm/imagination: take paired job reference Brendan King <Brendan.King(a)imgtec.com> drm/imagination: fix firmware memory leaks Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/nouveau: prime: fix ttm_bo_delayed_delete oops Matthew Auld <matthew.auld(a)intel.com> drm/amdgpu/dma_buf: fix page_link check Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/mes11: optimize MES pipe FW version fetching Huacai Chen <chenhuacai(a)kernel.org> drm/amd/display: Protect FPU in dml21_copy() Huacai Chen <chenhuacai(a)kernel.org> drm/amd/display: Protect FPU in dml2_validate()/dml21_validate() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add HP Elitebook 645 to the quirk list for eDP on DP1 Matthew Brost <matthew.brost(a)intel.com> drm/xe: Use local fence in error path of xe_migrate_clear Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/vrr: Add vrr.vsync_{start, end} in vrr_params_changed Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/mes12: optimize MES pipe FW version fetching Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/smu11: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm: Prevent division by zero Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Increase vblank offdelay for PSR panels Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Actually do immediate vblank disable Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Handle being compiled without SI or CIK support better Brendan Tam <Brendan.Tam(a)amd.com> drm/amd/display: prevent hang on link training fail Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Prefer shadow rom when available Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Fix stale rpmh votes from GPU Haoxiang Li <haoxiang_li2024(a)163.com> drm/msm/dsi: Add check for devm_kstrdup() Jocelyn Falempe <jfalempe(a)redhat.com> drm/ast: Fix ast_dp connection status Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/repaper: fix integer overflows in repeat functions Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Allow to update user space GPRs from PEBS records Mario Limonciello <mario.limonciello(a)amd.com> platform/x86: amd: pmf: Fix STT limits Yazen Ghannam <yazen.ghannam(a)amd.com> RAS/AMD/FMPM: Get masked address Yazen Ghannam <yazen.ghannam(a)amd.com> RAS/AMD/ATL: Include row[13] bit in row retirement Sharath Srinivasan <sharath.srinivasan(a)oracle.com> RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Ensure consistent phy reference counts Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: megaraid_sas: Block zero-length ATA VPD inquiry Ard Biesheuvel <ardb(a)kernel.org> x86/boot/sev: Avoid shared GHCB page for early memory acceptance Sandipan Das <sandipan.das(a)amd.com> x86/cpu/amd: Fix workaround for erratum 1054 Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches Xiangsheng Hou <xiangsheng.hou(a)mediatek.com> virtiofs: add filesystem context source name check Steven Rostedt <rostedt(a)goodmis.org> tracing: Fix filter string testing Peter Collingbourne <pcc(a)google.com> string: Add load_unaligned_zeropad() code path to sized_strscpy() Chunjie Zhu <chunjie.zhu(a)cloud.com> smb3 client: fix open hardlink on deferred close file error Suren Baghdasaryan <surenb(a)google.com> slab: ensure slab->obj_exts is clear in a newly allocated slab page Mark Brown <broonie(a)kernel.org> selftests/mm: generate a temporary mountpoint for cgroup filesystem Nathan Chancellor <nathan(a)kernel.org> riscv: Avoid fortify warning in syscall_get_arguments() Kuniyuki Iwashima <kuniyu(a)amazon.com> Revert "smb: client: fix TCP timers deadlock after rmmod" Kuniyuki Iwashima <kuniyu(a)amazon.com> Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix the warning from __kernel_write_iter Denis Arefev <arefev(a)swemel.ru> ksmbd: Prevent integer overflow in calculation of deadtime Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in smb_break_all_levII_oplock() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix dangling pointer in krb_authenticate Miklos Szeredi <mszeredi(a)redhat.com> ovl: don't allow datadir only Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: fix apply_to_existing_page_range() Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm: fix filemap_get_folios_contig returning batches of identical folios Baoquan He <bhe(a)redhat.com> mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm/compaction: fix bug in hugetlb handling pathway Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: LOOP_SET_FD: send uevents for partitions Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: properly send KOBJ_CHANGED uevent for disk device Edward Adam Davis <eadavis(a)qq.com> isofs: Prevent the use of too small fid Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> i2c: cros-ec-tunnel: defer probe if parent EC is not present Vasiliy Kovalev <kovalev(a)altlinux.org> hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Herbert Xu <herbert(a)gondor.apana.org.au> crypto: caam/qi - Fix drv_ctx refcount bug Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Johannes Kimmel <kernel(a)bareminimum.eu> btrfs: correctly escape subvol in btrfs_show_options() Kees Cook <kees(a)kernel.org> Bluetooth: vhci: Avoid needless snprintf() calls Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: l2cap: Process valid commands in too long frame Rob Clark <robdclark(a)chromium.org> drm/msm/a6xx+: Don't let IB_SIZE overflow Menglong Dong <menglong8.dong(a)gmail.com> ftrace: fix incorrect hash size in register_ftrace_direct() Christoph Hellwig <hch(a)lst.de> fs: move the bdex_statx call to vfs_getattr_nosec Su Hui <suhui(a)nfschina.com> fs/stat.c: avoid harmless garbage value problem in vfs_statx_path() Stefan Berger <stefanb(a)linux.ibm.com> fs: Simplify getattr interface function checking AT_GETATTR_NOSEC flag Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: atr: Fix wrong include Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: decrease sc_count directly if fail to queue dl_recall Eric Biggers <ebiggers(a)google.com> nfs: add missing selections of CONFIG_CRC32 Dan Carpenter <dan.carpenter(a)linaro.org> dma-buf/sw_sync: Decrement refcount on error in sw_sync_ioctl_get_deadline() Maíra Canal <mcanal(a)igalia.com> drm/v3d: Fix Indirect Dispatch configuration for V3D 7.1.6 and later Martin K. Petersen <martin.petersen(a)oracle.com> block: integrity: Do not call set_page_dirty_lock() Denis Arefev <arefev(a)swemel.ru> asus-laptop: Fix an uninitialized variable Evgeny Pimenov <pimenoveu12(a)gmail.com> ASoC: qcom: Fix sc7280 lpass potential buffer overflow Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S16 Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate Herve Codina <herve.codina(a)bootlin.com> ASoC: fsl: fsl_qmc_audio: Reset audio data pointers on TRIGGER_START event Alex Williamson <alex.williamson(a)redhat.com> Revert "PCI: Avoid reset when disabled via sysfs" Andreas Gruenbacher <agruenba(a)redhat.com> writeback: fix false warning in inode_to_wb() Miguel Ojeda <ojeda(a)kernel.org> rust: kbuild: use `pound` to support GNU Make < 4.3 Miguel Ojeda <ojeda(a)kernel.org> rust: disable `clippy::needless_continue` Miguel Ojeda <ojeda(a)kernel.org> rust: kasan/kbuild: fix missing flags on first build Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.86.0 Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Do not inline arch_kgdb_breakpoint() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kunit: qemu_configs: SH: Respect kunit cmdline Samuel Holland <samuel.holland(a)sifive.com> riscv: module: Allocate PLT entries for R_RISCV_PLT32 Samuel Holland <samuel.holland(a)sifive.com> riscv: module: Fix out-of-bounds relocation access Björn Töpel <bjorn(a)rivosinc.com> riscv: Properly export reserved regions in /proc/iomem Will Pierce <wgpierce17(a)gmail.com> riscv: Use kvmalloc_array on relocation_hashtable Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: revise QDMA packet scheduler settings Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: correct the max weight of the queue limit for 100Mbps Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: reapply mdc divider on reset Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Fix possible NULL pointer dereference for perout request Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Add phase offset configuration for perout signal Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Add pwidth configuration for perout signal Sagi Maimon <maimon.sagi(a)gmail.com> ptp: ocp: fix start time alignment in ptp_ocp_signal_set Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: free routing table on probe failure Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: clean up FDB, MDB, VLAN entries on unbind Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Abdun Nihaal <abdun.nihaal(a)gmail.com> net: txgbe: fix memory leak in txgbe_probe() error path Jonas Gorski <jonas.gorski(a)gmail.com> net: bridge: switchdev: do not notify new brentries as changed Jonas Gorski <jonas.gorski(a)gmail.com> net: b53: enable BPDU reception for management port Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rt-link: adjust mctp attribute naming Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rt-link: add an attr layer around alt-ifname Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: make sure we validate subtype of array-nest Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: individually free previous values on double set Abdun Nihaal <abdun.nihaal(a)gmail.com> cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Niklas Cassel <cassel(a)kernel.org> ata: libata-sata: Save all fields from sense data descriptor Christoph Hellwig <hch(a)lst.de> loop: stop using vfs_iter_{read,write} for buffered I/O Yunlong Xing <yunlong.xing(a)unisoc.com> loop: aio inherit the ioprio of original request Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: fix missing ring index trim on error path Michael Walle <mwalle(a)kernel.org> net: ethernet: ti: am65-cpsw: fix port_np reference counting Abdun Nihaal <abdun.nihaal(a)gmail.com> net: ngbe: fix memory leak in ngbe_probe() error path Weizhao Ouyang <o451686892(a)gmail.com> can: rockchip_canfd: fix broken quirks checks Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix nested key length validation in the set() action Jakub Kicinski <kuba(a)kernel.org> netlink: specs: ovs_vport: align with C codegen capabilities Zheng Qixing <zhengqixing(a)huawei.com> block: fix resource leak in blk_register_queue() error path Matt Johnston <matt(a)codeconstruct.com.au> net: mctp: Set SOCK_RCU_FREE Damodharam Ammepalli <damodharam.ammepalli(a)broadcom.com> ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() Abdun Nihaal <abdun.nihaal(a)gmail.com> pds_core: fix memory leak in pdsc_debugfs_add_qcq() Matthew Wilcox (Oracle) <willy(a)infradead.org> test suite: use %zu to print size_t Kuniyuki Iwashima <kuniyu(a)amazon.com> smc: Fix lockdep false-positive for IPPROTO_SMC. Geert Uytterhoeven <geert+renesas(a)glider.be> dt-bindings: soc: fsl: fsl,ls1028a-reset: Fix maintainer entry Christopher S M Hall <christopher.s.hall(a)intel.com> igc: add lock preventing multiple simultaneous PTM transactions Christopher S M Hall <christopher.s.hall(a)intel.com> igc: cleanup PTP module if probe fails Christopher S M Hall <christopher.s.hall(a)intel.com> igc: handle the IGC_PTP_ENABLED flag correctly Christopher S M Hall <christopher.s.hall(a)intel.com> igc: move ktime snapshot into PTM retry loop Christopher S M Hall <christopher.s.hall(a)intel.com> igc: increase wait time before retrying PTM Christopher S M Hall <christopher.s.hall(a)intel.com> igc: fix PTM cycle trigger logic Johannes Berg <johannes.berg(a)intel.com> Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Juergen Gross <jgross(a)suse.com> xen: fix multicall debug feature Xin Long <lucien.xin(a)gmail.com> ipv6: add exception routes to GC list in rt6_insert_exception Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: l2cap: Check encryption key size on incoming connection Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: btrtl: Prevent potential NULL dereference Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Shay Drory <shayd(a)nvidia.com> RDMA/core: Silence oversized kvmalloc() warning Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: cs42l43: Reset clamp override on jack removal Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed ASUS platform headset Mic issue Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Workaround for resume on Dell Venue 11 Pro 7130 Jaroslav Kysela <perex(a)perex.cz> ALSA: hda: improve bass speaker support for ASUS Zenbook UM5606WA Richard Fitzgerald <rf(a)opensource.cirrus.com> ALSA: hda/cirrus_scodec_test: Don't select dependencies Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix wrong maximum DMA segment size Yue Haibing <yuehaibing(a)huawei.com> RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Giuseppe Scrivano <gscrivan(a)redhat.com> ovl: remove unused forward declaration Akhil R <akhilrajeev(a)nvidia.com> crypto: tegra - Fix IV usage for AES ECB Akhil R <akhilrajeev(a)nvidia.com> crypto: tegra - Do not use fixed size buffers Colin Ian King <colin.i.king(a)gmail.com> crypto: tegra - remove redundant error check on ret Henry Martin <bsdhenrymartin(a)gmail.com> ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() Brady Norander <bradynorander(a)gmail.com> ASoC: dwc: always enable/disable i2s irqs Zheng Qixing <zhengqixing(a)huawei.com> md/md-bitmap: fix stats collection for external bitmaps Yu Kuai <yukuai3(a)huawei.com> md/raid10: fix missing discard IO accounting Martin Wilck <mwilck(a)suse.com> scsi: smartpqi: Use is_kdump_kernel() to check for kdump Daniel Wagner <wagi(a)kernel.org> scsi: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues Daniel Wagner <wagi(a)kernel.org> blk-mq: introduce blk_mq_map_hw_queues Daniel Wagner <wagi(a)kernel.org> driver core: bus: add irq_get_affinity callback to bus_type Miaoqian Lin <linmq006(a)gmail.com> scsi: iscsi: Fix missing scsi_host_put() in error path Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: wl1251: fix memory leak in wl1251_tx_work Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Purge vif txq in ieee80211_do_stop() Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: at76c50x: fix use after free access in at76_disconnect Xingui Yang <yangxingui(a)huawei.com> scsi: hisi_sas: Enable force phy when SATA disk directly connected ------------- Diffstat: Documentation/arch/arm64/booting.rst | 22 +++ .../bindings/soc/fsl/fsl,ls1028a-reset.yaml | 2 +- Documentation/netlink/specs/ovs_vport.yaml | 4 +- Documentation/netlink/specs/rt_link.yaml | 14 +- Documentation/wmi/devices/msi-wmi-platform.rst | 4 + Makefile | 8 +- arch/arm64/include/asm/el2_setup.h | 25 ++++ arch/arm64/tools/sysreg | 104 ++++++++++++++ arch/loongarch/kernel/acpi.c | 12 -- arch/mips/dec/prom/init.c | 2 +- arch/mips/include/asm/ds1287.h | 2 +- arch/mips/kernel/cevt-ds1287.c | 1 + arch/riscv/include/asm/kgdb.h | 9 +- arch/riscv/include/asm/syscall.h | 7 +- arch/riscv/kernel/kgdb.c | 6 + arch/riscv/kernel/module-sections.c | 13 +- arch/riscv/kernel/module.c | 11 +- arch/riscv/kernel/setup.c | 36 ++++- arch/x86/boot/compressed/mem.c | 5 +- arch/x86/boot/compressed/sev.c | 67 +++------ arch/x86/boot/compressed/sev.h | 2 + arch/x86/events/intel/ds.c | 8 +- arch/x86/events/intel/uncore_snbep.c | 107 ++------------- arch/x86/kernel/cpu/amd.c | 19 ++- arch/x86/kernel/cpu/microcode/amd.c | 9 +- arch/x86/xen/multicalls.c | 26 ++-- arch/x86/xen/smp_pv.c | 1 - arch/x86/xen/xen-ops.h | 3 - block/bdev.c | 3 +- block/bio-integrity.c | 17 +-- block/blk-core.c | 6 +- block/blk-merge.c | 2 +- block/blk-mq-cpumap.c | 37 +++++ block/blk-mq.c | 42 +++--- block/blk-mq.h | 2 +- block/blk-sysfs.c | 2 + drivers/ata/libata-sata.c | 15 +++ drivers/block/loop.c | 121 +++-------------- drivers/block/null_blk/main.c | 9 +- drivers/block/virtio_blk.c | 13 +- drivers/bluetooth/btrtl.c | 2 + drivers/bluetooth/hci_vhci.c | 10 +- drivers/cpufreq/cpufreq.c | 40 +++++- drivers/crypto/caam/qi.c | 6 +- drivers/crypto/tegra/tegra-se-aes.c | 131 +++++++++--------- drivers/crypto/tegra/tegra-se-hash.c | 38 ++++-- drivers/crypto/tegra/tegra-se.h | 2 - drivers/dma-buf/sw_sync.c | 19 ++- drivers/firmware/efi/libstub/efistub.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 34 ++++- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +++--- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 +- drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 4 + drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 21 +-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 62 ++++++++- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 6 +- .../drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 17 ++- drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 9 ++ .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 6 +- .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 7 +- .../amd/display/dc/resource/dcn31/dcn31_resource.c | 2 +- .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 + drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 +- drivers/gpu/drm/ast/ast_dp.c | 6 + drivers/gpu/drm/i915/display/intel_display.c | 4 +- drivers/gpu/drm/i915/gvt/opregion.c | 7 +- drivers/gpu/drm/imagination/pvr_fw.c | 27 +++- drivers/gpu/drm/imagination/pvr_job.c | 7 + drivers/gpu/drm/imagination/pvr_queue.c | 4 + drivers/gpu/drm/mgag200/mgag200_mode.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 82 +++++------ drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 8 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 9 +- .../gpu/drm/msm/registers/adreno/adreno_pm4.xml | 7 + drivers/gpu/drm/nouveau/nouveau_bo.c | 3 + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 - drivers/gpu/drm/sti/Makefile | 2 - drivers/gpu/drm/tiny/repaper.c | 4 +- drivers/gpu/drm/v3d/v3d_sched.c | 16 ++- drivers/gpu/drm/xe/xe_dma_buf.c | 5 +- drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 12 +- drivers/gpu/drm/xe/xe_guc_ads.c | 75 ++++++----- drivers/gpu/drm/xe/xe_hmm.c | 24 ---- drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 + drivers/i2c/i2c-atr.c | 2 +- drivers/infiniband/core/cma.c | 4 +- drivers/infiniband/core/umem_odp.c | 6 +- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +- drivers/md/md-bitmap.c | 5 +- drivers/md/md.c | 22 +-- drivers/md/raid10.c | 1 + drivers/misc/pci_endpoint_test.c | 4 + drivers/net/can/rockchip/rockchip_canfd-core.c | 7 +- drivers/net/dsa/b53/b53_common.c | 10 ++ drivers/net/dsa/mv88e6xxx/chip.c | 13 +- drivers/net/dsa/mv88e6xxx/devlink.c | 3 +- drivers/net/ethernet/amd/pds_core/debugfs.c | 5 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 + drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_defines.h | 6 +- drivers/net/ethernet/intel/igc/igc_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 113 ++++++++++------ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 49 ++++--- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 15 ++- drivers/net/ethernet/ti/icssg/icss_iep.c | 150 ++++++++++++++------- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 3 +- drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 3 +- drivers/net/wireless/ath/ath12k/dp_mon.c | 4 +- drivers/net/wireless/atmel/at76c50x-usb.c | 2 +- drivers/net/wireless/ti/wl1251/tx.c | 4 +- drivers/nvme/host/apple.c | 2 +- drivers/nvme/host/pci.c | 15 +-- drivers/nvme/target/fc.c | 14 -- drivers/pci/pci.c | 4 - drivers/platform/x86/amd/pmf/auto-mode.c | 4 +- drivers/platform/x86/amd/pmf/cnqf.c | 8 +- drivers/platform/x86/amd/pmf/core.c | 14 ++ drivers/platform/x86/amd/pmf/pmf.h | 1 + drivers/platform/x86/amd/pmf/sps.c | 12 +- drivers/platform/x86/amd/pmf/tee-if.c | 6 +- drivers/platform/x86/asus-laptop.c | 9 +- drivers/platform/x86/msi-wmi-platform.c | 99 +++++++++----- drivers/ptp/ptp_ocp.c | 1 + drivers/ras/amd/atl/internal.h | 3 + drivers/ras/amd/atl/umc.c | 19 ++- drivers/ras/amd/fmpm.c | 9 +- drivers/scsi/fnic/fnic_main.c | 3 +- drivers/scsi/hisi_sas/hisi_sas.h | 1 - drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 18 ++- drivers/scsi/megaraid/megaraid_sas_base.c | 12 +- drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 +- drivers/scsi/mpi3mr/mpi3mr.h | 1 - drivers/scsi/mpi3mr/mpi3mr_os.c | 2 +- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +- drivers/scsi/pm8001/pm8001_init.c | 2 +- drivers/scsi/pm8001/pm8001_sas.h | 1 - drivers/scsi/qla2xxx/qla_nvme.c | 3 +- drivers/scsi/qla2xxx/qla_os.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 7 +- drivers/scsi/smartpqi/smartpqi_init.c | 20 +-- drivers/ufs/host/ufs-exynos.c | 6 + fs/Kconfig | 1 + fs/btrfs/super.c | 3 +- fs/ecryptfs/inode.c | 12 +- fs/fuse/virtio_fs.c | 3 + fs/hfs/bnode.c | 6 + fs/hfsplus/bnode.c | 6 + fs/isofs/export.c | 2 +- fs/nfs/Kconfig | 2 +- fs/nfs/internal.h | 7 - fs/nfs/nfs4session.h | 4 - fs/nfsd/Kconfig | 1 + fs/nfsd/nfs4state.c | 2 +- fs/nfsd/nfsfh.h | 7 - fs/overlayfs/inode.c | 10 +- fs/overlayfs/overlayfs.h | 10 -- fs/overlayfs/super.c | 5 + fs/smb/client/cifsproto.h | 2 + fs/smb/client/connect.c | 34 ++--- fs/smb/client/file.c | 28 ++++ fs/smb/server/oplock.c | 29 ++-- fs/smb/server/oplock.h | 1 - fs/smb/server/smb2pdu.c | 4 +- fs/smb/server/transport_ipc.c | 7 +- fs/smb/server/vfs.c | 3 +- fs/stat.c | 39 +++--- include/linux/backing-dev.h | 1 + include/linux/blk-mq.h | 111 +++++++-------- include/linux/blkdev.h | 17 ++- include/linux/bpf.h | 1 + include/linux/bpf_verifier.h | 1 + include/linux/device/bus.h | 3 + include/linux/nfs.h | 7 - include/uapi/linux/fcntl.h | 4 - io_uring/rw.c | 4 +- kernel/bpf/verifier.c | 79 +++++++++-- kernel/sched/cpufreq_schedutil.c | 46 ++++++- kernel/trace/ftrace.c | 7 +- kernel/trace/trace_events_filter.c | 4 +- lib/string.c | 13 +- mm/compaction.c | 6 +- mm/filemap.c | 1 + mm/gup.c | 4 +- mm/memory.c | 4 +- mm/slub.c | 10 ++ mm/userfaultfd.c | 13 +- mm/vma.c | 38 +++++- mm/vma.h | 9 +- net/bluetooth/hci_event.c | 5 +- net/bluetooth/l2cap_core.c | 21 ++- net/bridge/br_vlan.c | 4 +- net/dsa/dsa.c | 59 ++++++-- net/dsa/tag_8021q.c | 2 +- net/ethtool/cmis_cdb.c | 2 +- net/ipv6/route.c | 1 + net/mac80211/iface.c | 3 + net/mctp/af_mctp.c | 3 + net/openvswitch/flow_netlink.c | 3 +- net/smc/af_smc.c | 5 + scripts/Makefile.compiler | 4 +- scripts/generate_rust_analyzer.py | 12 +- sound/pci/hda/Kconfig | 4 +- sound/pci/hda/patch_realtek.c | 55 ++++++-- sound/soc/codecs/cs42l43-jack.c | 3 + sound/soc/codecs/lpass-wsa-macro.c | 139 +++++++++++++------ sound/soc/dwc/dwc-i2s.c | 13 +- sound/soc/fsl/fsl_qmc_audio.c | 3 + sound/soc/intel/avs/pcm.c | 3 +- sound/soc/intel/boards/sof_sdw.c | 1 + sound/soc/qcom/lpass.h | 3 +- tools/net/ynl/ynl-gen-c.py | 69 +++++++--- tools/objtool/check.c | 1 + tools/testing/kunit/qemu_configs/sh.py | 4 +- .../selftests/bpf/prog_tests/changes_pkt_data.c | 107 +++++++++++++++ .../testing/selftests/bpf/progs/changes_pkt_data.c | 39 ++++++ .../bpf/progs/changes_pkt_data_freplace.c | 18 +++ tools/testing/selftests/bpf/progs/raw_tp_null.c | 19 ++- tools/testing/selftests/bpf/progs/verifier_sock.c | 56 ++++++++ .../selftests/mm/charge_reserved_hugetlb.sh | 4 +- .../selftests/mm/hugetlb_reparenting_test.sh | 2 +- tools/testing/shared/linux.c | 4 +- 232 files changed, 2369 insertions(+), 1282 deletions(-)

6 months, 2 weeks

11
234
0 0

[PATCH v3 1/1] iommu: Allow attaching static domains in iommu_attach_device_pasid()

by Lu Baolu

The idxd driver attaches the default domain to a PASID of the device to perform kernel DMA using that PASID. The domain is attached to the device's PASID through iommu_attach_device_pasid(), which checks if the domain->owner matches the iommu_ops retrieved from the device. If they do not match, it returns a failure. if (ops != domain->owner || pasid == IOMMU_NO_PASID) return -EINVAL; The static identity domain implemented by the intel iommu driver doesn't specify the domain owner. Therefore, kernel DMA with PASID doesn't work for the idxd driver if the device translation mode is set to passthrough. Generally the owner field of static domains are not set because they are already part of iommu ops. Add a helper domain_iommu_ops_compatible() that checks if a domain is compatible with the device's iommu ops. This helper explicitly allows the static blocked and identity domains associated with the device's iommu_ops to be considered compatible. Fixes: 2031c469f816 ("iommu/vt-d: Add support for static identity domain") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220031 Cc: stable(a)vger.kernel.org Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Link: https://lore.kernel.org/linux-iommu/20250422191554.GC1213339@ziepe.ca/ Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Reviewed-by: Robin Murphy <robin.murphy(a)arm.com> --- drivers/iommu/iommu.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) Change log: v3: - Convert all places checking domain->owner to the new helper. v2: https://lore.kernel.org/linux-iommu/20250423021839.2189204-1-baolu.lu@linux… - Make the solution generic for all static domains as suggested by Jason. v1: https://lore.kernel.org/linux-iommu/20250422075422.2084548-1-baolu.lu@linux… diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 4f91a740c15f..b26fc3ed9f01 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -2204,6 +2204,19 @@ static void *iommu_make_pasid_array_entry(struct iommu_domain *domain, return xa_tag_pointer(domain, IOMMU_PASID_ARRAY_DOMAIN); } +static bool domain_iommu_ops_compatible(const struct iommu_ops *ops, + struct iommu_domain *domain) +{ + if (domain->owner == ops) + return true; + + /* For static domains, owner isn't set. */ + if (domain == ops->blocked_domain || domain == ops->identity_domain) + return true; + + return false; +} + static int __iommu_attach_group(struct iommu_domain *domain, struct iommu_group *group) { @@ -2214,7 +2227,8 @@ static int __iommu_attach_group(struct iommu_domain *domain, return -EBUSY; dev = iommu_group_first_dev(group); - if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner) + if (!dev_has_iommu(dev) || + !domain_iommu_ops_compatible(dev_iommu_ops(dev), domain)) return -EINVAL; return __iommu_group_set_domain(group, domain); @@ -3435,7 +3449,8 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, !ops->blocked_domain->ops->set_dev_pasid) return -EOPNOTSUPP; - if (ops != domain->owner || pasid == IOMMU_NO_PASID) + if (!domain_iommu_ops_compatible(ops, domain) || + pasid == IOMMU_NO_PASID) return -EINVAL; mutex_lock(&group->mutex); @@ -3511,7 +3526,7 @@ int iommu_replace_device_pasid(struct iommu_domain *domain, if (!domain->ops->set_dev_pasid) return -EOPNOTSUPP; - if (dev_iommu_ops(dev) != domain->owner || + if (!domain_iommu_ops_compatible(dev_iommu_ops(dev), domain) || pasid == IOMMU_NO_PASID || !handle) return -EINVAL; -- 2.43.0

6 months, 2 weeks

6
5
0 0

[PATCH] arm64: dts: qcom: x1e80100: Add GFX power domain to GPU clock controller

by Abel Vesa

According to documentation, the VDD_GFX is powering up the whole GPU subsystem. The VDD_GFX is routed through the RPMh GFX power domain. So tie the RPMh GFX power domain to the GPU clock controller. Cc: stable(a)vger.kernel.org # 6.11 Fixes: 721e38301b79 ("arm64: dts: qcom: x1e80100: Add gpu support") Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org> --- arch/arm64/boot/dts/qcom/x1e80100.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi index 46b79fce92c90d969e3de48bc88e27915d1592bb..96d5ab3c426639b0c0af2458d127e3bbbe41c556 100644 --- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi +++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi @@ -3873,6 +3873,7 @@ gpucc: clock-controller@3d90000 { clocks = <&bi_tcxo_div2>, <&gcc GCC_GPU_GPLL0_CPH_CLK_SRC>, <&gcc GCC_GPU_GPLL0_DIV_CPH_CLK_SRC>; + power-domains = <&rpmhpd RPMHPD_GFX>; #clock-cells = <1>; #reset-cells = <1>; #power-domain-cells = <1>; --- base-commit: 2c9c612abeb38aab0e87d48496de6fd6daafb00b change-id: 20250423-x1e80100-add-gpucc-gfx-pd-a51e3ff2d6e1 Best regards, -- Abel Vesa <abel.vesa(a)linaro.org>

6 months, 2 weeks

4
3
0 0

[PATCH 6.1 000/291] 6.1.135-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.135 release. There are 291 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.135-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.135-rc1 WangYuli <wangyuli(a)uniontech.com> MIPS: ds1287: Match ds1287_set_base_clock() function types WangYuli <wangyuli(a)uniontech.com> MIPS: cevt-ds1287: Add missing ds1287.h include WangYuli <wangyuli(a)uniontech.com> MIPS: dec: Declare which_prom() as static Jan Stancek <jstancek(a)redhat.com> sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Jan Stancek <jstancek(a)redhat.com> sign-file,extract-cert: avoid using deprecated ERR_get_error_line() Jan Stancek <jstancek(a)redhat.com> sign-file,extract-cert: move common SSL helper functions to a header Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: fix apply_to_existing_page_range() Li Nan <linan122(a)huawei.com> blk-iocost: do not WARN if iocg was already offlined Yu Kuai <yukuai3(a)huawei.com> blk-cgroup: support to track if policy is online Xu Kuohai <xukuohai(a)huawei.com> bpf: Prevent tail call between progs attached to different hooks Andrii Nakryiko <andrii(a)kernel.org> bpf: avoid holding freeze_mutex during mmap operation Haisu Wang <haisuwang(a)tencent.com> btrfs: fix the length of reserved qgroup to free Jakub Kicinski <kuba(a)kernel.org> net/sched: act_mirred: don't override retval if we already lost the skb Paulo Alcantara <pc(a)cjr.nz> cifs: use origin fullpath for automounts ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() WangYuli <wangyuli(a)uniontech.com> nvmet-fc: Remove unused functions Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "LoongArch: BPF: Fix off-by-one error in build_prologue()" Mickaël Salaün <mic(a)digikod.net> landlock: Add the errata interface Hersen Wu <hersenxs.wu(a)amd.com> drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "Xen/swiotlb: mark xen_swiotlb_fixup() __init" Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone finishing with missing devices Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone activation with missing devices Boris Burkov <boris(a)bur.io> btrfs: fix qgroup reserve leaks in cow_file_range Yuli Wang <wangyuli(a)uniontech.com> LoongArch: Eliminate superfluous get_numa_distances_cnt() Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Ard Biesheuvel <ardb(a)kernel.org> x86/pvh: Call C code via the kernel virtual mapping Maksim Davydov <davydov-max(a)yandex-team.ru> x86/split_lock: Fix the delayed detection logic Alex Williamson <alex.williamson(a)redhat.com> mm: Fix is_zero_page() usage in try_grab_page() Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting freebind & transparent Arnd Bergmann <arnd(a)arndb.de> media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reference count policy in cpufreq_update_limits() Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Eagerly switch ZCR_EL{1,2} Fuad Tabba <tabba(a)google.com> KVM: arm64: Calculate cptr_el2 traps on activating traps Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Mark some header functions as inline Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Refactor exit handlers Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Remove host FPSIMD saving for non-protected KVM Mark Rutland <mark.rutland(a)arm.com> KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state Mark Brown <broonie(a)kernel.org> arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM Mark Brown <broonie(a)kernel.org> arm64/fpsimd: Have KVM explicitly say which FP registers to save Mark Brown <broonie(a)kernel.org> arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE Mark Brown <broonie(a)kernel.org> KVM: arm64: Discard any SVE state when entering KVM guests Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix accept multishot handling Jani Nikula <jani.nikula(a)intel.com> drm/i915/gvt: fix unterminated-string-initialization warning Rolf Eike Beer <eb(a)emlix.com> drm/sti: remove duplicate object names Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/nouveau: prime: fix ttm_bo_delayed_delete oops Matthew Auld <matthew.auld(a)intel.com> drm/amdgpu/dma_buf: fix page_link check Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/smu11: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm: Prevent division by zero Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Handle being compiled without SI or CIK support better Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Fix stale rpmh votes from GPU Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/repaper: fix integer overflows in repeat functions Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Allow to update user space GPRs from PEBS records Sharath Srinivasan <sharath.srinivasan(a)oracle.com> RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Ensure consistent phy reference counts Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: megaraid_sas: Block zero-length ATA VPD inquiry Xiangsheng Hou <xiangsheng.hou(a)mediatek.com> virtiofs: add filesystem context source name check Steven Rostedt <rostedt(a)goodmis.org> tracing: Fix filter string testing Peter Collingbourne <pcc(a)google.com> string: Add load_unaligned_zeropad() code path to sized_strscpy() Chunjie Zhu <chunjie.zhu(a)cloud.com> smb3 client: fix open hardlink on deferred close file error Nathan Chancellor <nathan(a)kernel.org> riscv: Avoid fortify warning in syscall_get_arguments() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix the warning from __kernel_write_iter Denis Arefev <arefev(a)swemel.ru> ksmbd: Prevent integer overflow in calculation of deadtime Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix dangling pointer in krb_authenticate Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm: fix filemap_get_folios_contig returning batches of identical folios Baoquan He <bhe(a)redhat.com> mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: LOOP_SET_FD: send uevents for partitions Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: properly send KOBJ_CHANGED uevent for disk device Edward Adam Davis <eadavis(a)qq.com> isofs: Prevent the use of too small fid Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> i2c: cros-ec-tunnel: defer probe if parent EC is not present Vasiliy Kovalev <kovalev(a)altlinux.org> hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Herbert Xu <herbert(a)gondor.apana.org.au> crypto: caam/qi - Fix drv_ctx refcount bug Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Johannes Kimmel <kernel(a)bareminimum.eu> btrfs: correctly escape subvol in btrfs_show_options() Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: decrease sc_count directly if fail to queue dl_recall Eric Biggers <ebiggers(a)google.com> nfs: add missing selections of CONFIG_CRC32 Jeff Layton <jlayton(a)kernel.org> nfs: move nfs_fhandle_hash to common include file Denis Arefev <arefev(a)swemel.ru> asus-laptop: Fix an uninitialized variable Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate Alex Williamson <alex.williamson(a)redhat.com> Revert "PCI: Avoid reset when disabled via sysfs" Andreas Gruenbacher <agruenba(a)redhat.com> writeback: fix false warning in inode_to_wb() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Do not inline arch_kgdb_breakpoint() Björn Töpel <bjorn(a)rivosinc.com> riscv: Properly export reserved regions in /proc/iomem Sagi Maimon <maimon.sagi(a)gmail.com> ptp: ocp: fix start time alignment in ptp_ocp_signal_set Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Jonas Gorski <jonas.gorski(a)gmail.com> net: bridge: switchdev: do not notify new brentries as changed Jonas Gorski <jonas.gorski(a)gmail.com> net: b53: enable BPDU reception for management port Abdun Nihaal <abdun.nihaal(a)gmail.com> cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix nested key length validation in the set() action Matt Johnston <matt(a)codeconstruct.com.au> net: mctp: Set SOCK_RCU_FREE Matthew Wilcox (Oracle) <willy(a)infradead.org> test suite: use %zu to print size_t Christopher S M Hall <christopher.s.hall(a)intel.com> igc: cleanup PTP module if probe fails Christopher S M Hall <christopher.s.hall(a)intel.com> igc: handle the IGC_PTP_ENABLED flag correctly Christopher S M Hall <christopher.s.hall(a)intel.com> igc: move ktime snapshot into PTM retry loop Christopher S M Hall <christopher.s.hall(a)intel.com> igc: fix PTM cycle trigger logic Johannes Berg <johannes.berg(a)intel.com> Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: l2cap: Check encryption key size on incoming connection Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: btrtl: Prevent potential NULL dereference Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Shay Drory <shayd(a)nvidia.com> RDMA/core: Silence oversized kvmalloc() warning Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix wrong maximum DMA segment size Yue Haibing <yuehaibing(a)huawei.com> RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Zheng Qixing <zhengqixing(a)huawei.com> md/md-bitmap: fix stats collection for external bitmaps Yu Kuai <yukuai3(a)huawei.com> md/raid10: fix missing discard IO accounting Miaoqian Lin <linmq006(a)gmail.com> scsi: iscsi: Fix missing scsi_host_put() in error path Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: wl1251: fix memory leak in wl1251_tx_work Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Purge vif txq in ieee80211_do_stop() Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: at76c50x: fix use after free access in at76_disconnect Xingui Yang <yangxingui(a)huawei.com> scsi: hisi_sas: Enable force phy when SATA disk directly connected Kaixin Wang <kxwang23(a)m.fudan.edu.cn> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Nathan Chancellor <nathan(a)kernel.org> ACPI: platform-profile: Fix CFI violation when accessing sysfs files Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: close fd_in before returning in main_loop Stephan Gerhold <stephan.gerhold(a)linaro.org> pinctrl: qcom: Clear latched interrupt status when changing IRQ type Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_one() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Sean Christopherson <seanjc(a)google.com> KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Joshua Washington <joshwash(a)google.com> gve: handle overflow when reporting TX consumed descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind Guixin Liu <kanie(a)linux.alibaba.com> gpio: tegra186: fix resource handling in ACPI probe path zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix prefetch-vs-suspend race Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: fix prefetch-vs-suspend race Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Release pm subdomains in reverse add order Roman Smirnov <r.smirnov(a)omp.ru> cifs: fix integer overflow in match_server() Alexandra Diupina <adiupina(a)astralinux.ru> cifs: avoid NULL pointer dereference in dbg call Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Shuai Xue <xueshuai(a)linux.alibaba.com> mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock David Hildenbrand <david(a)redhat.com> mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Filipe Manana <fdmanana(a)suse.com> btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Correct the update of max_pfn Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: only inc MPJoinAckHMacFailure for HMAC failures Gang Yan <yangang(a)kylinos.cn> mptcp: fix NULL pointer in can_accept_new_subflow T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Chenyuan Yang <chenyuan0y(a)gmail.com> mfd: ene-kb3930: Fix a potential NULL pointer dereference Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use readsb helper for reading MDB Steve French <stfrench(a)microsoft.com> smb311 client: fix missing tcon check when mounting with linux/posix extensions Chenyuan Yang <chenyuan0y(a)gmail.com> soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix oversized null mkey longer than 32bit Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix race between unprepare and queue_buf Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: reject zero sized provided buffers Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Haoxiang Li <haoxiang_li2024(a)163.com> wifi: mt76: Add check for devm_kstrdup() Alexandre Torgue <alexandre.torgue(a)foss.st.com> clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Replace kcalloc() with devm_kcalloc() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Add check for devm_kcalloc() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting IPV6_V6ONLY Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: refactor hfi packet parsing logic Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in remove Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: platform: stm32: Add check for clk_enable() Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Fix timeout handling when waiting for TPM status Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Miquel Raynal <miquel.raynal(a)bootlin.com> spi: cadence-qspi: Fix probe on AM62A LP SK Will Deacon <will(a)kernel.org> KVM: arm64: Tear down vGIC on failed vCPU creation Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Douglas Anderson <dianders(a)chromium.org> arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: rcar: Improve register calculation Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Workaround failed command reception on Infineon devices Ayush Jain <Ayush.jain3(a)amd.com> ktest: Fix Test Failures Due to Missing LOG_FILE Directories Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check Christian König <christian.koenig(a)amd.com> drm/amdgpu: grab an additional reference on the gang fence v2 Ryo Takakura <ryotkkr98(a)gmail.com> PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Wentao Liang <vulab(a)iscas.ac.cn> drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix mode1 reset crash issue David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Lucas De Marchi <lucas.demarchi(a)intel.com> drivers: base: devres: Allow to release group on device release Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/bridge: panel: forbid initializing a panel with unknown connector type Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Zhikai Zhai <zhikai.zhai(a)amd.com> drm/amd/display: Update Cursor request mode to the beginning prefetch always Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Bluetooth: qca: simplify WCN399x NVM loading Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Zhongqiu Han <quic_zhonhan(a)quicinc.com> jfs: Fix uninit-value access of imap allocated in the diMount() function Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Chao Yu <chao(a)kernel.org> f2fs: don't retry IO for corrupted data scenario keenplify <keenplify(a)gmail.com> ASoC: amd: Add DMI quirk for ACP6X mic support Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Kaustabh Chakraborty <kauschluss(a)disroot.org> mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_audmix: register card device depends on 'dais' property Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Trond Myklebust <trond.myklebust(a)hammerspace.com> umount: Allow superblock owners to force umount Mateusz Guzik <mjguzik(a)gmail.com> fs: consistently deref the files table with rcu_dereference_raw() Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Florian Westphal <fw(a)strlen.de> nft_set_pipapo: fix incorrect avx2 match of 5th field octet Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Ido Schimmel <idosch(a)nvidia.com> ipv6: Align behavior across nexthops during path selection Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: move the limit validation Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: use a temporary work area for validating configuration Daniel Wagner <wagi(a)kernel.org> nvmet-fcloop: swap list_add_tail arguments Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Maxime Chevallier <maxime.chevallier(a)bootlin.com> net: ethtool: Don't call .cleanup_data when prepare_data fails Toke Høiland-Jørgensen <toke(a)redhat.com> tc: Ensure we have enough buffer space when sending filter netlink notifications Pedro Tammela <pctammela(a)mojatatu.com> net/sched: cls_api: conditional notification of events Victor Nogueira <victor(a)mojatatu.com> rtnl: add helper to check if a notification is needed Jamal Hadi Salim <jhs(a)mojatatu.com> rtnl: add helper to check if rtnl group has listeners Jakub Kicinski <kuba(a)kernel.org> net: tls: explicitly disallow disconnect Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Edward Liaw <edliaw(a)google.com> selftests/futex: futex_waitv wouldblock test should fail ------------- Diffstat: MAINTAINERS | 1 + Makefile | 7 +- arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/include/asm/fpsimd.h | 4 +- arch/arm64/include/asm/kvm_host.h | 19 +- arch/arm64/include/asm/kvm_hyp.h | 1 + arch/arm64/include/asm/processor.h | 7 + arch/arm64/include/asm/spectre.h | 1 - arch/arm64/kernel/fpsimd.c | 69 +++++-- arch/arm64/kernel/process.c | 2 + arch/arm64/kernel/proton-pack.c | 208 +++++++++++---------- arch/arm64/kernel/ptrace.c | 3 + arch/arm64/kernel/signal.c | 7 +- arch/arm64/kvm/arm.c | 7 +- arch/arm64/kvm/fpsimd.c | 92 +++------ arch/arm64/kvm/hyp/entry.S | 5 + arch/arm64/kvm/hyp/include/hyp/switch.h | 106 +++++++---- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 8 +- arch/arm64/kvm/hyp/nvhe/pkvm.c | 17 +- arch/arm64/kvm/hyp/nvhe/switch.c | 91 +++++---- arch/arm64/kvm/hyp/vhe/switch.c | 12 +- arch/arm64/kvm/reset.c | 3 + arch/arm64/mm/mmu.c | 3 +- arch/loongarch/kernel/acpi.c | 12 -- arch/loongarch/net/bpf_jit.c | 2 - arch/loongarch/net/bpf_jit.h | 5 - arch/mips/dec/prom/init.c | 2 +- arch/mips/include/asm/ds1287.h | 2 +- arch/mips/kernel/cevt-ds1287.c | 1 + arch/powerpc/kernel/rtas.c | 4 + arch/riscv/include/asm/kgdb.h | 9 +- arch/riscv/include/asm/syscall.h | 7 +- arch/riscv/kernel/kgdb.c | 6 + arch/riscv/kernel/setup.c | 36 +++- arch/sparc/mm/tlb.c | 5 +- arch/x86/events/intel/ds.c | 8 +- arch/x86/events/intel/uncore_snbep.c | 107 +---------- arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/intel.c | 20 +- arch/x86/kernel/e820.c | 17 +- arch/x86/kvm/x86.c | 4 + arch/x86/platform/pvh/head.S | 7 +- block/blk-cgroup.c | 24 ++- block/blk-cgroup.h | 1 + block/blk-iocost.c | 7 +- certs/Makefile | 2 +- certs/extract-cert.c | 138 +++++++------- drivers/acpi/platform_profile.c | 20 +- drivers/ata/ahci.c | 2 + drivers/ata/libata-eh.c | 11 +- drivers/ata/pata_pxa.c | 6 + drivers/ata/sata_sx4.c | 13 +- drivers/base/devres.c | 7 + drivers/block/loop.c | 7 +- drivers/bluetooth/btqca.c | 13 +- drivers/bluetooth/btrtl.c | 2 + drivers/bluetooth/hci_ldisc.c | 19 +- drivers/bluetooth/hci_uart.h | 1 + drivers/bus/mhi/host/main.c | 16 +- drivers/char/tpm/tpm_tis_core.c | 20 +- drivers/char/tpm/tpm_tis_core.h | 1 + drivers/clk/qcom/gdsc.c | 61 +++--- drivers/clocksource/timer-stm32-lp.c | 4 +- drivers/cpufreq/cpufreq.c | 40 +++- drivers/crypto/caam/qi.c | 6 +- drivers/crypto/ccp/sp-pci.c | 15 +- drivers/gpio/gpio-tegra186.c | 25 +-- drivers/gpio/gpio-zynq.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +++-- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 ++ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +- .../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 22 +-- drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 2 +- drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 + .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 + drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 +- drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_panel.c | 5 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 ++++- drivers/gpu/drm/i915/gvt/opregion.c | 7 +- drivers/gpu/drm/mediatek/mtk_dpi.c | 23 ++- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 82 ++++---- drivers/gpu/drm/nouveau/nouveau_bo.c | 3 + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 - drivers/gpu/drm/sti/Makefile | 2 - drivers/gpu/drm/tiny/repaper.c | 4 +- drivers/hid/usbhid/hid-pidff.c | 60 ++++-- drivers/hsi/clients/ssi_protocol.c | 1 + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 + drivers/i3c/master.c | 3 + drivers/i3c/master/svc-i3c-master.c | 2 +- drivers/infiniband/core/cma.c | 4 +- drivers/infiniband/core/umem_odp.c | 6 +- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +- drivers/iommu/mtk_iommu.c | 26 +-- drivers/md/dm-ebs-target.c | 7 + drivers/md/dm-integrity.c | 3 + drivers/md/dm-verity-target.c | 8 + drivers/md/md-bitmap.c | 5 +- drivers/md/raid10.c | 1 + drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ccs/ccs-core.c | 6 +- drivers/media/i2c/ov7251.c | 4 +- .../mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c | 3 +- drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++++++--- drivers/media/platform/qcom/venus/hfi_venus.c | 18 +- drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 +- drivers/media/rc/streamzap.c | 68 ++++--- drivers/media/test-drivers/vim2m.c | 6 +- drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/mfd/ene-kb3930.c | 2 +- drivers/misc/pci_endpoint_test.c | 6 +- drivers/mmc/host/dw_mmc.c | 94 +++++++++- drivers/mmc/host/dw_mmc.h | 27 +++ drivers/mtd/inftlcore.c | 9 +- drivers/mtd/mtdpstore.c | 12 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/dsa/b53/b53_common.c | 10 + drivers/net/dsa/mv88e6xxx/chip.c | 30 ++- drivers/net/dsa/mv88e6xxx/devlink.c | 3 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 + drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +- drivers/net/ethernet/intel/igc/igc_defines.h | 1 + drivers/net/ethernet/intel/igc/igc_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 93 +++++---- drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/wireless/atmel/at76c50x-usb.c | 2 +- drivers/net/wireless/mediatek/mt76/eeprom.c | 4 + drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/ti/wl1251/tx.c | 4 +- drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/target/fc.c | 14 -- drivers/nvme/target/fcloop.c | 2 +- drivers/of/irq.c | 78 ++++---- drivers/pci/controller/pcie-brcmstb.c | 13 +- drivers/pci/controller/vmd.c | 12 +- drivers/pci/pci.c | 4 - drivers/pci/probe.c | 5 +- drivers/perf/arm_pmu.c | 8 +- drivers/pinctrl/qcom/pinctrl-msm.c | 12 +- drivers/platform/x86/asus-laptop.c | 9 +- drivers/ptp/ptp_ocp.c | 1 + drivers/pwm/pwm-fsl-ftm.c | 6 + drivers/pwm/pwm-mediatek.c | 8 +- drivers/pwm/pwm-rcar.c | 24 +-- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 +- drivers/scsi/megaraid/megaraid_sas_base.c | 9 +- drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 +- drivers/scsi/scsi_transport_iscsi.c | 7 +- drivers/scsi/st.c | 2 +- drivers/soc/samsung/exynos-chipid.c | 2 + drivers/spi/spi-cadence-quadspi.c | 6 + drivers/thermal/rockchip_thermal.c | 1 + drivers/ufs/host/ufs-exynos.c | 6 + drivers/vdpa/mlx5/core/mr.c | 7 +- drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/swiotlb-xen.c | 2 +- drivers/xen/xenfs/xensyms.c | 4 +- fs/Kconfig | 1 + fs/btrfs/disk-io.c | 12 ++ fs/btrfs/inode.c | 6 +- fs/btrfs/super.c | 3 +- fs/btrfs/zoned.c | 6 + fs/ext4/inode.c | 68 +++++-- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 17 ++ fs/ext4/xattr.c | 11 +- fs/f2fs/inode.c | 4 + fs/f2fs/node.c | 9 +- fs/file.c | 26 ++- fs/fuse/virtio_fs.c | 3 + fs/hfs/bnode.c | 6 + fs/hfsplus/bnode.c | 6 + fs/isofs/export.c | 2 +- fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 10 +- fs/jfs/jfs_imap.c | 4 +- fs/namespace.c | 3 +- fs/nfs/Kconfig | 2 +- fs/nfs/internal.h | 22 --- fs/nfs/nfs4session.h | 4 - fs/nfsd/Kconfig | 1 + fs/nfsd/nfs4state.c | 2 +- fs/nfsd/nfsfh.h | 7 - fs/smb/client/cifs_dfs_ref.c | 34 +++- fs/smb/client/cifsproto.h | 23 +++ fs/smb/client/connect.c | 2 + fs/smb/client/dir.c | 21 ++- fs/smb/client/file.c | 28 +++ fs/smb/client/fs_context.c | 5 + fs/smb/client/smb2misc.c | 9 +- fs/smb/server/oplock.c | 2 +- fs/smb/server/smb2pdu.c | 6 +- fs/smb/server/transport_ipc.c | 7 +- fs/smb/server/vfs.c | 3 +- include/linux/backing-dev.h | 1 + include/linux/bpf.h | 1 + include/linux/nfs.h | 13 ++ include/linux/rtnetlink.h | 22 +++ include/linux/tpm.h | 1 + include/net/sctp/structs.h | 3 +- include/uapi/linux/kfd_ioctl.h | 2 + include/uapi/linux/landlock.h | 2 + include/xen/interface/xen-mca.h | 2 +- io_uring/kbuf.c | 2 + io_uring/net.c | 2 + kernel/bpf/core.c | 19 +- kernel/bpf/syscall.c | 17 +- kernel/locking/lockdep.c | 3 + kernel/sched/cpufreq_schedutil.c | 18 +- kernel/trace/ftrace.c | 1 + kernel/trace/trace_events.c | 4 +- kernel/trace/trace_events_filter.c | 4 +- lib/sg_split.c | 2 - lib/string.c | 13 +- mm/filemap.c | 1 + mm/gup.c | 6 +- mm/memory-failure.c | 11 +- mm/memory.c | 4 +- mm/rmap.c | 2 +- mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +-- net/bluetooth/hci_event.c | 5 +- net/bluetooth/l2cap_core.c | 3 +- net/bridge/br_vlan.c | 4 +- net/core/filter.c | 80 ++++---- net/core/page_pool.c | 8 +- net/dsa/tag_8021q.c | 2 +- net/ethtool/netlink.c | 8 +- net/ipv6/route.c | 8 +- net/mac80211/iface.c | 3 + net/mac80211/mesh_hwmp.c | 14 +- net/mctp/af_mctp.c | 3 + net/mptcp/sockopt.c | 28 +++ net/mptcp/subflow.c | 19 +- net/netfilter/nft_set_pipapo_avx2.c | 3 +- net/openvswitch/flow_netlink.c | 3 +- net/sched/act_mirred.c | 20 +- net/sched/cls_api.c | 74 ++++++-- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_sfq.c | 66 +++++-- net/sctp/socket.c | 22 ++- net/sctp/transport.c | 2 + net/tipc/link.c | 1 + net/tls/tls_main.c | 6 + scripts/sign-file.c | 132 ++++++------- scripts/ssl-common.h | 32 ++++ security/landlock/errata.h | 87 +++++++++ security/landlock/setup.c | 30 +++ security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 ++- sound/pci/hda/hda_intel.c | 44 ++++- sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/lpass-wsa-macro.c | 139 +++++++++----- sound/soc/fsl/fsl_audmix.c | 16 +- sound/soc/qcom/qdsp6/q6apm-dai.c | 9 +- sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +- sound/usb/midi.c | 80 +++++++- tools/power/cpupower/bench/parse.c | 4 + tools/testing/ktest/ktest.pl | 8 + tools/testing/radix-tree/linux.c | 4 +- .../futex/functional/futex_wait_wouldblock.c | 2 +- tools/testing/selftests/landlock/base_test.c | 46 ++++- tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +- 278 files changed, 2913 insertions(+), 1414 deletions(-)

6 months, 2 weeks

12
303
0 0

[PATCH] LoongArch: Fix MAX_REG_OFFSET calculation

by Huacai Chen

Fix MAX_REG_OFFSET calculation, make it point to the last register in 'struct pt_regs' and not to the marker itself, which could allow regs_get_register() to return an invalid offset. Cc: stable(a)vger.kernel.org Fixes: 803b0fc5c3f2baa6e5 ("LoongArch: Add process management") Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/include/asm/ptrace.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/loongarch/include/asm/ptrace.h b/arch/loongarch/include/asm/ptrace.h index a5b63c84f854..e5d21e836d99 100644 --- a/arch/loongarch/include/asm/ptrace.h +++ b/arch/loongarch/include/asm/ptrace.h @@ -55,7 +55,7 @@ static inline void instruction_pointer_set(struct pt_regs *regs, unsigned long v /* Query offset/name of register from its name/offset */ extern int regs_query_register_offset(const char *name); -#define MAX_REG_OFFSET (offsetof(struct pt_regs, __last)) +#define MAX_REG_OFFSET (offsetof(struct pt_regs, __last) - sizeof(unsigned long)) /** * regs_get_register() - get register value from its offset -- 2.47.1

6 months, 2 weeks

1
0
0 0

[PATCH] LoongArch: Move __arch_cpu_idle() to .cpuidle.text section

by Huacai Chen

Now arch_cpu_idle() is annotated with __cpuidle which means it is in the .cpuidle.text section, but __arch_cpu_idle() isn't. Thus, fix the missing .cpuidle.text section assignment for __arch_cpu_idle() in order to correct backtracing with nmi_backtrace(). The principle is similar to the commit 97c8580e85cf81c ("MIPS: Annotate cpu_wait implementations with __cpuidle") Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/kernel/genex.S | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/kernel/genex.S b/arch/loongarch/kernel/genex.S index 4f0912141781..733a7665e434 100644 --- a/arch/loongarch/kernel/genex.S +++ b/arch/loongarch/kernel/genex.S @@ -16,6 +16,7 @@ #include <asm/stackframe.h> #include <asm/thread_info.h> + .section .cpuidle.text, "ax" .align 5 SYM_FUNC_START(__arch_cpu_idle) /* start of idle interrupt region */ @@ -31,14 +32,16 @@ SYM_FUNC_START(__arch_cpu_idle) */ idle 0 /* end of idle interrupt region */ -1: jr ra +idle_exit: + jr ra SYM_FUNC_END(__arch_cpu_idle) + .previous SYM_CODE_START(handle_vint) UNWIND_HINT_UNDEFINED BACKUP_T0T1 SAVE_ALL - la_abs t1, 1b + la_abs t1, idle_exit LONG_L t0, sp, PT_ERA /* 3 instructions idle interrupt region */ ori t0, t0, 0b1100 -- 2.47.1

6 months, 2 weeks

1
0
0 0

[PATCH rtw-next v2] wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723

by Mingcong Bai

RTL8723BE found on some ASUSTek laptops, such as F441U and X555UQ with subsystem ID 11ad:1723 are known to output large amounts of PCIe AER errors during and after boot up, causing heavy lags and at times lock-ups: pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5 pcieport 0000:00:1c.5: PCIe Bus Error: severity=Correctable, type=Physical Layer, (Receiver ID) pcieport 0000:00:1c.5: device [8086:9d15] error status/mask=00000001/00002000 pcieport 0000:00:1c.5: [ 0] RxErr Disable ASPM on this combo as a quirk. This patch is a revision of a previous patch (linked below) which attempted to disable ASPM for RTL8723BE on all Intel Skylake and Kaby Lake PCIe bridges. I take a more conservative approach as all known reports point to ASUSTek laptops of these two generations with this particular wireless card. Please note, however, before the rtl8723be finishes probing, the AER errors remained. After the module finishes probing, all AER errors would indeed be eliminated, along with heavy lags, poor network throughput, and/or occasional lock-ups. Cc: <stable(a)vger.kernel.org> Fixes: a619d1abe20c ("rtlwifi: rtl8723be: Add new driver") Reported-by: Liangliang Zou <rawdiamondmc(a)outlook.com> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218127 Link: https://lore.kernel.org/lkml/05390e0b-27fd-4190-971e-e70a498c8221@lwfinger.… Tested-by: Liangliang Zou <rawdiamondmc(a)outlook.com> Signed-off-by: Mingcong Bai <jeffbai(a)aosc.io> --- drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c index 0eafc4d125f9..898f597f70a9 100644 --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c @@ -155,6 +155,16 @@ static void _rtl_pci_update_default_setting(struct ieee80211_hw *hw) ((u8)init_aspm) == (PCI_EXP_LNKCTL_ASPM_L0S | PCI_EXP_LNKCTL_ASPM_L1 | PCI_EXP_LNKCTL_CCC)) ppsc->support_aspm = false; + + /* RTL8723BE found on some ASUSTek laptops, such as F441U and + * X555UQ with subsystem ID 11ad:1723 are known to output large + * amounts of PCIe AER errors during and after boot up, causing + * heavy lags, poor network throughput, and occasional lock-ups. + */ + if (rtlpriv->rtlhal.hw_type == HARDWARE_TYPE_RTL8723BE && + (rtlpci->pdev->subsystem_vendor == 0x11ad && + rtlpci->pdev->subsystem_device == 0x1723)) + ppsc->support_aspm = false; } static bool _rtl_pci_platform_switch_device_pci_aspm( -- 2.49.0

6 months, 2 weeks

2
1
0 0

RE: Several questions for backporting fix for CVE-2024-50063 to linux-5.15/5.10

by Ren, Jianqi (Jacky) (CN)

Hello, We are evaluating CVE-2024-50063 for v5.15 and v5.10. But the context of v5.15 and v5.10 is behind current version quite a lot. It seems the suggested fix in https://www.cve.org/CVERecord?id=CVE-2024-50063, https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…, requires https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… to work. But it seems risky to port so many changes. Is it worth porting commit f45d5b6ce2e8 plus 28ead3eaabc1 to v5.15 and v5.10? Is there any mitigation for this CVE? Is there any reproducer and test case for this CVE so that we could validate the fix if we decide to port it?

6 months, 2 weeks

1
0
0 0

[PATCH rc] iommu: Skip PASID validation for devices without PASID capability

by Tushar Dave

Generally PASID support requires ACS settings that usually create single device groups, but there are some niche cases where we can get multi-device groups and still have working PASID support. The primary issue is that PCI switches are not required to treat PASID tagged TLPs specially so appropriate ACS settings are required to route all TLPs to the host bridge if PASID is going to work properly. pci_enable_pasid() does check that each device that will use PASID has the proper ACS settings to achieve this routing. However, no-PASID devices can be combined with PASID capable devices within the same topology using non-uniform ACS settings. In this case the no-PASID devices may not have strict route to host ACS flags and end up being grouped with the PASID devices. This configuration fails to allow use of the PASID within the iommu core code which wrongly checks if the no-PASID device supports PASID. Fix this by ignoring no-PASID devices during the PASID validation. They will never issue a PASID TLP anyhow so they can be ignored. Fixes: c404f55c26fc ("iommu: Validate the PASID in iommu_attach_device_pasid()") Cc: stable(a)vger.kernel.org Signed-off-by: Tushar Dave <tdave(a)nvidia.com> --- drivers/iommu/iommu.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 4f91a740c15f..e01df4c3e709 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -3440,7 +3440,13 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, mutex_lock(&group->mutex); for_each_group_device(group, device) { - if (pasid >= device->dev->iommu->max_pasids) { + /* + * Skip PASID validation for devices without PASID support + * (max_pasids = 0). These devices cannot issue transactions + * with PASID, so they don't affect group's PASID usage. + */ + if ((device->dev->iommu->max_pasids > 0) && + (pasid >= device->dev->iommu->max_pasids)) { ret = -EINVAL; goto out_unlock; } -- 2.34.1

6 months, 2 weeks

5
8
0 0

[PATCH AUTOSEL 6.14 01/31] staging: gpib: Use min for calculating transfer length

by Sasha Levin

From: Dave Penkler <dpenkler(a)gmail.com> [ Upstream commit 76d54fd5471b10ee993c217928a39d7351eaff5c ] In the accel read and write functions the transfer length was being calculated by an if statement setting it to the lesser of the remaining bytes to read/write and the fifo size. Replace both instances with min() which is clearer and more compact. Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Julia Lawall <julia.lawall(a)inria.fr> Closes: https://lore.kernel.org/r/202501182153.qHfL4Fbc-lkp@intel.com/ Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250120145030.29684-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/staging/gpib/agilent_82350b/agilent_82350b.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/drivers/staging/gpib/agilent_82350b/agilent_82350b.c b/drivers/staging/gpib/agilent_82350b/agilent_82350b.c index 3f4f95b7fe34a..0ba592dc98490 100644 --- a/drivers/staging/gpib/agilent_82350b/agilent_82350b.c +++ b/drivers/staging/gpib/agilent_82350b/agilent_82350b.c @@ -66,10 +66,7 @@ int agilent_82350b_accel_read(gpib_board_t *board, uint8_t *buffer, size_t lengt int j; int count; - if (num_fifo_bytes - i < agilent_82350b_fifo_size) - block_size = num_fifo_bytes - i; - else - block_size = agilent_82350b_fifo_size; + block_size = min(num_fifo_bytes - i, agilent_82350b_fifo_size); set_transfer_counter(a_priv, block_size); writeb(ENABLE_TI_TO_SRAM | DIRECTION_GPIB_TO_HOST, a_priv->gpib_base + SRAM_ACCESS_CONTROL_REG); @@ -200,10 +197,7 @@ int agilent_82350b_accel_write(gpib_board_t *board, uint8_t *buffer, size_t leng for (i = 1; i < fifotransferlength;) { clear_bit(WRITE_READY_BN, &tms_priv->state); - if (fifotransferlength - i < agilent_82350b_fifo_size) - block_size = fifotransferlength - i; - else - block_size = agilent_82350b_fifo_size; + block_size = min(fifotransferlength - i, agilent_82350b_fifo_size); set_transfer_counter(a_priv, block_size); for (j = 0; j < block_size; ++j, ++i) { // load data into board's sram -- 2.39.5

6 months, 2 weeks

3
34
0 0

[PATCH AUTOSEL 6.13 01/28] staging: gpib: Use min for calculating transfer length

by Sasha Levin

From: Dave Penkler <dpenkler(a)gmail.com> [ Upstream commit 76d54fd5471b10ee993c217928a39d7351eaff5c ] In the accel read and write functions the transfer length was being calculated by an if statement setting it to the lesser of the remaining bytes to read/write and the fifo size. Replace both instances with min() which is clearer and more compact. Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Julia Lawall <julia.lawall(a)inria.fr> Closes: https://lore.kernel.org/r/202501182153.qHfL4Fbc-lkp@intel.com/ Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250120145030.29684-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/staging/gpib/agilent_82350b/agilent_82350b.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/drivers/staging/gpib/agilent_82350b/agilent_82350b.c b/drivers/staging/gpib/agilent_82350b/agilent_82350b.c index 8e2334fe5c9b8..533cc956b3f6c 100644 --- a/drivers/staging/gpib/agilent_82350b/agilent_82350b.c +++ b/drivers/staging/gpib/agilent_82350b/agilent_82350b.c @@ -69,10 +69,7 @@ int agilent_82350b_accel_read(gpib_board_t *board, uint8_t *buffer, size_t lengt int j; int count; - if (num_fifo_bytes - i < agilent_82350b_fifo_size) - block_size = num_fifo_bytes - i; - else - block_size = agilent_82350b_fifo_size; + block_size = min(num_fifo_bytes - i, agilent_82350b_fifo_size); set_transfer_counter(a_priv, block_size); writeb(ENABLE_TI_TO_SRAM | DIRECTION_GPIB_TO_HOST, a_priv->gpib_base + SRAM_ACCESS_CONTROL_REG); @@ -203,10 +200,7 @@ int agilent_82350b_accel_write(gpib_board_t *board, uint8_t *buffer, size_t leng for (i = 1; i < fifotransferlength;) { clear_bit(WRITE_READY_BN, &tms_priv->state); - if (fifotransferlength - i < agilent_82350b_fifo_size) - block_size = fifotransferlength - i; - else - block_size = agilent_82350b_fifo_size; + block_size = min(fifotransferlength - i, agilent_82350b_fifo_size); set_transfer_counter(a_priv, block_size); for (j = 0; j < block_size; ++j, ++i) { // load data into board's sram -- 2.39.5

6 months, 2 weeks

2
30
0 0

[PATCH AUTOSEL 6.13 01/34] KVM: s390: Don't use %pK through tracepoints

by Sasha Levin

From: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> [ Upstream commit 6c9567e0850be2f0f94ab64fa6512413fd1a1eb1 ] Restricted pointers ("%pK") are not meant to be used through TP_format(). It can unintentionally expose security sensitive, raw pointer values. Use regular pointer formatting instead. Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c70704… Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> Reviewed-by: Michael Mueller <mimu(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-1-0e4ace75d8… Signed-off-by: Janosch Frank <frankja(a)linux.ibm.com> Message-ID: <20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa(a)linutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/s390/kvm/trace-s390.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h index 9ac92dbf680db..9e28f165c114c 100644 --- a/arch/s390/kvm/trace-s390.h +++ b/arch/s390/kvm/trace-s390.h @@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu, __entry->sie_block = sie_block; ), - TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK", + TP_printk("create cpu %d at 0x%p, sie block at 0x%p", __entry->id, __entry->vcpu, __entry->sie_block) ); @@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css, __entry->kvm = kvm; ), - TP_printk("enabling channel I/O support (kvm @ %pK)\n", + TP_printk("enabling channel I/O support (kvm @ %p)\n", __entry->kvm) ); -- 2.39.5

6 months, 2 weeks

2
35
0 0

[PATCH] PCI: dw-rockchip: Fix function call sequence in rockchip_pcie_phy_deinit

by Diederik de Haas

The documentation for the phy_power_off() function explicitly says Must be called before phy_exit(). So let's follow that instruction. Fixes: 0e898eb8df4e ("PCI: rockchip-dwc: Add Rockchip RK356X host controller driver") Cc: stable(a)vger.kernel.org # v5.15+ Signed-off-by: Diederik de Haas <didi.debian(a)cknow.org> --- drivers/pci/controller/dwc/pcie-dw-rockchip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/controller/dwc/pcie-dw-rockchip.c b/drivers/pci/controller/dwc/pcie-dw-rockchip.c index c624b7ebd118..4f92639650e3 100644 --- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c +++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c @@ -410,8 +410,8 @@ static int rockchip_pcie_phy_init(struct rockchip_pcie *rockchip) static void rockchip_pcie_phy_deinit(struct rockchip_pcie *rockchip) { - phy_exit(rockchip->phy); phy_power_off(rockchip->phy); + phy_exit(rockchip->phy); } static const struct dw_pcie_ops dw_pcie_ops = { -- 2.49.0

6 months, 2 weeks

5
6
0 0

[PATCH 6.1.y] jfs: define xtree root and page independently

by Aditya Dutt

From: Dave Kleikamp <dave.kleikamp(a)oracle.com> [ Upstream commit a779ed754e52d582b8c0e17959df063108bd0656 ] In order to make array bounds checking sane, provide a separate definition of the in-inode xtree root and the external xtree page. Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Tested-by: Manas Ghandat <ghandatmanas(a)gmail.com> (cherry picked from commit a779ed754e52d582b8c0e17959df063108bd0656) Closes: https://syzkaller.appspot.com/bug?extid=7cb897779f3c479d0615 Closes: https://syzkaller.appspot.com/bug?extid=6b1d79dad6cc6b3eef41 Closes: https://syzkaller.appspot.com/bug?extid=67f714a53ce18d5b542e Closes: https://syzkaller.appspot.com/bug?extid=e829cfdd0de521302df4 Reported-by: syzbot+7cb897779f3c479d0615(a)syzkaller.appspotmail.com Reported-by: syzbot+6b1d79dad6cc6b3eef41(a)syzkaller.appspotmail.com Reported-by: syzbot+67f714a53ce18d5b542e(a)syzkaller.appspotmail.com Reported-by: syzbot+e829cfdd0de521302df4(a)syzkaller.appspotmail.com Signed-off-by: Aditya Dutt <duttaditya18(a)gmail.com> --- I am sending this as per the suggestion by Greg to submit backports for all the relevant stable trees: https://lore.kernel.org/stable/2025042210-stylized-nearest-ea59@gregkh/ I will send one more mail for 5.15. This patch has been applied in >= 6.12 and has been backported to 6.6: 2ff51719ec615e1b373c1811443efe93594c41a9 syzbot checked the patch against 6.1.y and confirmed that the reproducer did not trigger any issues. check here: https://lore.kernel.org/all/680e4455.050a0220.3b8549.0082.GAE@google.com/ I also tested the patch manually using the C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=15b291ef680000 (given in the syzkaller dashboard link) fs/jfs/jfs_dinode.h | 2 +- fs/jfs/jfs_imap.c | 6 +++--- fs/jfs/jfs_incore.h | 2 +- fs/jfs/jfs_txnmgr.c | 4 ++-- fs/jfs/jfs_xtree.c | 4 ++-- fs/jfs/jfs_xtree.h | 37 +++++++++++++++++++++++-------------- 6 files changed, 32 insertions(+), 23 deletions(-) diff --git a/fs/jfs/jfs_dinode.h b/fs/jfs/jfs_dinode.h index 6b231d0d0071..603aae17a693 100644 --- a/fs/jfs/jfs_dinode.h +++ b/fs/jfs/jfs_dinode.h @@ -96,7 +96,7 @@ struct dinode { #define di_gengen u._file._u1._imap._gengen union { - xtpage_t _xtroot; + xtroot_t _xtroot; struct { u8 unused[16]; /* 16: */ dxd_t _dxd; /* 16: */ diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index 155f66812934..9adb29e7862c 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -673,7 +673,7 @@ int diWrite(tid_t tid, struct inode *ip) * This is the special xtree inside the directory for storing * the directory table */ - xtpage_t *p, *xp; + xtroot_t *p, *xp; xad_t *xad; jfs_ip->xtlid = 0; @@ -687,7 +687,7 @@ int diWrite(tid_t tid, struct inode *ip) * copy xtree root from inode to dinode: */ p = &jfs_ip->i_xtroot; - xp = (xtpage_t *) &dp->di_dirtable; + xp = (xtroot_t *) &dp->di_dirtable; lv = ilinelock->lv; for (n = 0; n < ilinelock->index; n++, lv++) { memcpy(&xp->xad[lv->offset], &p->xad[lv->offset], @@ -716,7 +716,7 @@ int diWrite(tid_t tid, struct inode *ip) * regular file: 16 byte (XAD slot) granularity */ if (type & tlckXTREE) { - xtpage_t *p, *xp; + xtroot_t *p, *xp; xad_t *xad; /* diff --git a/fs/jfs/jfs_incore.h b/fs/jfs/jfs_incore.h index 721def69e732..dd4264aa9bed 100644 --- a/fs/jfs/jfs_incore.h +++ b/fs/jfs/jfs_incore.h @@ -66,7 +66,7 @@ struct jfs_inode_info { lid_t xtlid; /* lid of xtree lock on directory */ union { struct { - xtpage_t _xtroot; /* 288: xtree root */ + xtroot_t _xtroot; /* 288: xtree root */ struct inomap *_imap; /* 4: inode map header */ } file; struct { diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c index ce4b4760fcb1..dccc8b3f1045 100644 --- a/fs/jfs/jfs_txnmgr.c +++ b/fs/jfs/jfs_txnmgr.c @@ -783,7 +783,7 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp, if (mp->xflag & COMMIT_PAGE) p = (xtpage_t *) mp->data; else - p = &jfs_ip->i_xtroot; + p = (xtpage_t *) &jfs_ip->i_xtroot; xtlck->lwm.offset = le16_to_cpu(p->header.nextindex); } @@ -1676,7 +1676,7 @@ static void xtLog(struct jfs_log * log, struct tblock * tblk, struct lrd * lrd, if (tlck->type & tlckBTROOT) { lrd->log.redopage.type |= cpu_to_le16(LOG_BTROOT); - p = &JFS_IP(ip)->i_xtroot; + p = (xtpage_t *) &JFS_IP(ip)->i_xtroot; if (S_ISDIR(ip->i_mode)) lrd->log.redopage.type |= cpu_to_le16(LOG_DIR_XTREE); diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c index 2d304cee884c..5ee618d17e77 100644 --- a/fs/jfs/jfs_xtree.c +++ b/fs/jfs/jfs_xtree.c @@ -1213,7 +1213,7 @@ xtSplitRoot(tid_t tid, struct xtlock *xtlck; int rc; - sp = &JFS_IP(ip)->i_xtroot; + sp = (xtpage_t *) &JFS_IP(ip)->i_xtroot; INCREMENT(xtStat.split); @@ -2098,7 +2098,7 @@ int xtAppend(tid_t tid, /* transaction id */ */ void xtInitRoot(tid_t tid, struct inode *ip) { - xtpage_t *p; + xtroot_t *p; /* * acquire a transaction lock on the root diff --git a/fs/jfs/jfs_xtree.h b/fs/jfs/jfs_xtree.h index 142caafc73b1..15da4e16d8b2 100644 --- a/fs/jfs/jfs_xtree.h +++ b/fs/jfs/jfs_xtree.h @@ -65,24 +65,33 @@ struct xadlist { #define XTPAGEMAXSLOT 256 #define XTENTRYSTART 2 -/* - * xtree page: - */ -typedef union { - struct xtheader { - __le64 next; /* 8: */ - __le64 prev; /* 8: */ +struct xtheader { + __le64 next; /* 8: */ + __le64 prev; /* 8: */ - u8 flag; /* 1: */ - u8 rsrvd1; /* 1: */ - __le16 nextindex; /* 2: next index = number of entries */ - __le16 maxentry; /* 2: max number of entries */ - __le16 rsrvd2; /* 2: */ + u8 flag; /* 1: */ + u8 rsrvd1; /* 1: */ + __le16 nextindex; /* 2: next index = number of entries */ + __le16 maxentry; /* 2: max number of entries */ + __le16 rsrvd2; /* 2: */ - pxd_t self; /* 8: self */ - } header; /* (32) */ + pxd_t self; /* 8: self */ +}; +/* + * xtree root (in inode): + */ +typedef union { + struct xtheader header; xad_t xad[XTROOTMAXSLOT]; /* 16 * maxentry: xad array */ +} xtroot_t; + +/* + * xtree page: + */ +typedef union { + struct xtheader header; + xad_t xad[XTPAGEMAXSLOT]; /* 16 * maxentry: xad array */ } xtpage_t; /* -- 2.34.1

6 months, 2 weeks

1
0
0 0

[PATCH v4] arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2

by Wojciech Dubowik

Define vqmmc regulator-gpio for usdhc2 with vin-supply coming from LDO5. Without this definition LDO5 will be powered down, disabling SD card after bootup. This has been introduced in commit f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5"). Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") Tested-by: Manuel Traut <manuel.traut(a)mt.com> Reviewed-by: Philippe Schenker <philippe.schenker(a)impulsing.ch> Tested-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> Reviewed-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> Cc: stable(a)vger.kernel.org Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> --- v1 -> v2: https://lore.kernel.org/all/20250417112012.785420-1-Wojciech.Dubowik@mt.com/ - define gpio regulator for LDO5 vin controlled by vselect signal v2 -> v3: https://lore.kernel.org/all/20250422130127.GA238494@francesco-nb/ - specify vselect as gpio v3 -> v4: https://lore.kernel.org/all/84dc6fdf295902044d49cafc4479eb75477bba5c.camel@… - add reviewed and tested by tags and changed fixes --- .../boot/dts/freescale/imx8mm-verdin.dtsi | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi index 7251ad3a0017..b46566f3ce20 100644 --- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi @@ -144,6 +144,19 @@ reg_usdhc2_vmmc: regulator-usdhc2 { startup-delay-us = <20000>; }; + reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc { + compatible = "regulator-gpio"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usdhc2_vsel>; + gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; + regulator-max-microvolt = <3300000>; + regulator-min-microvolt = <1800000>; + states = <1800000 0x1>, + <3300000 0x0>; + regulator-name = "PMIC_USDHC_VSELECT"; + vin-supply = <&reg_nvcc_sd>; + }; + reserved-memory { #address-cells = <2>; #size-cells = <2>; @@ -269,7 +282,7 @@ &gpio1 { "SODIMM_19", "", "", - "", + "PMIC_USDHC_VSELECT", "", "", "", @@ -785,6 +798,7 @@ &usdhc2 { pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>; pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>; vmmc-supply = <&reg_usdhc2_vmmc>; + vqmmc-supply = <&reg_usdhc2_vqmmc>; }; &wdog1 { @@ -1206,13 +1220,17 @@ pinctrl_usdhc2_pwr_en: usdhc2pwrengrp { <MX8MM_IOMUXC_NAND_CLE_GPIO3_IO5 0x6>; /* SODIMM 76 */ }; + pinctrl_usdhc2_vsel: usdhc2vselgrp { + fsl,pins = + <MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4 0x10>; /* PMIC_USDHC_VSELECT */ + }; + /* * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here. */ pinctrl_usdhc2: usdhc2grp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x90>, /* SODIMM 78 */ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x90>, /* SODIMM 74 */ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x90>, /* SODIMM 80 */ @@ -1223,7 +1241,6 @@ pinctrl_usdhc2: usdhc2grp { pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x94>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x94>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x94>, @@ -1234,7 +1251,6 @@ pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x96>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x96>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x96>, @@ -1246,7 +1262,6 @@ pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { /* Avoid backfeeding with removed card power */ pinctrl_usdhc2_sleep: usdhc2slpgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x0>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x0>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x0>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x0>, -- 2.47.2

6 months, 2 weeks

3
2
0 0

Hope to hear from you soon..

by MRS NORAH JANE

My Dear, I am pleased to find your email address via google search when i was searching for my lost childhood friend which I have not seen for the past 30 years, i have been searching for him on all social media platforms to no avail. Actually I was searching for him because of my health, which started since covid 19, 2020, covid 19 killed every member of my family, I am the only surviving member. I Survived the pandemic through the assistance of the CDC, But my life has never remained the same since ever then. my heart and lungs is Severely affected and damaged, my life is gradually fading away before me. I was searching for my childhood friend to be the beneficiary of my family estate and funds in the bank. When I saw your name there was something fascinating about it. Please can you grant me the opportunity to make you the beneficiary. I shall be awaiting your response for more details. Thanks Mrs Norah Jane

6 months, 2 weeks

1
0
0 0

[PATCH 1/2] drm/dp: Correct Write_Status_Update_Request handling

by Wayne Lin

[Why] Notice few problems under I2C-write-over-Aux with Write_Status_Update_Request flag set cases: - I2C-write-over-Aux request with Write_Status_Update_Request flag set won't get sent upon the reply of I2C_ACK|AUX_ACK followed by “M” Value. Now just set the flag but won't send out - The I2C-over-Aux request command with Write_Status_Update_Request flag set is incorrect. Should be "SYNC->COM3:0 (= 0110)|0000-> 0000|0000-> 0|7-bit I2C address (the same as the last)-> STOP->". Address only transaction without length and data. - Upon I2C_DEFER|AUX_ACK Reply for I2C-read-over-Aux, soure should repeat the identical I2C-read-over-AUX transaction with the same LEN value. Not with Write_Status_Update_Request set. [How] Refer to DP v2.1: 2.11.7.1.5.3 & 2.11.7.1.5.4 - Clean aux msg buffer and size when constructing write status update request. - Send out Write_Status_Update_Request upon reply of I2C_ACK|AUX_ACK followed by “M” - Send Write_Status_Update_Request upon I2C_DEFER|AUX_ACK reply only when the request is I2C-write-over-Aux. Fixes: 68ec2a2a2481 ("drm/dp: Use I2C_WRITE_STATUS_UPDATE to drain partial I2C_WRITE requests") Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> --- drivers/gpu/drm/display/drm_dp_helper.c | 27 +++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c index 6ee51003de3c..28f0708c3b27 100644 --- a/drivers/gpu/drm/display/drm_dp_helper.c +++ b/drivers/gpu/drm/display/drm_dp_helper.c @@ -1631,6 +1631,12 @@ static void drm_dp_i2c_msg_write_status_update(struct drm_dp_aux_msg *msg) msg->request &= DP_AUX_I2C_MOT; msg->request |= DP_AUX_I2C_WRITE_STATUS_UPDATE; } + + /* + * Address only transaction + */ + msg->buffer = NULL; + msg->size = 0; } #define AUX_PRECHARGE_LEN 10 /* 10 to 16 */ @@ -1797,10 +1803,22 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) case DP_AUX_I2C_REPLY_ACK: /* * Both native ACK and I2C ACK replies received. We - * can assume the transfer was successful. + * can't assume the transfer was completed. Both I2C + * WRITE/READ request may get I2C ack reply with partially + * completion. We have to continue to poll for the + * completion of the request. */ - if (ret != msg->size) - drm_dp_i2c_msg_write_status_update(msg); + if (ret != msg->size) { + drm_dbg_kms(aux->drm_dev, + "%s: I2C partially ack (result=%d, size=%zu)\n", + aux->name, ret, msg->size); + if (!(msg->request & DP_AUX_I2C_READ)) { + usleep_range(AUX_RETRY_INTERVAL, AUX_RETRY_INTERVAL + 100); + drm_dp_i2c_msg_write_status_update(msg); + } + + continue; + } return ret; case DP_AUX_I2C_REPLY_NACK: @@ -1819,7 +1837,8 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) if (defer_i2c < 7) defer_i2c++; usleep_range(AUX_RETRY_INTERVAL, AUX_RETRY_INTERVAL + 100); - drm_dp_i2c_msg_write_status_update(msg); + if (!(msg->request & DP_AUX_I2C_READ)) + drm_dp_i2c_msg_write_status_update(msg); continue; -- 2.43.0

6 months, 2 weeks

3
2
0 0

[PATCH] MIPS: CPS: Fix potential NULL pointer dereferences in cps_prepare_cpus()

by Thorsten Blum

Check the return values of kcalloc() and exit early to avoid potential NULL pointer dereferences. Compile-tested only. Cc: stable(a)vger.kernel.org Fixes: 75fa6a583882e ("MIPS: CPS: Introduce struct cluster_boot_config") Fixes: 0856c143e1cd3 ("MIPS: CPS: Boot CPUs in secondary clusters") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- arch/mips/kernel/smp-cps.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c index e85bd087467e..cc26d56f3ab6 100644 --- a/arch/mips/kernel/smp-cps.c +++ b/arch/mips/kernel/smp-cps.c @@ -332,6 +332,8 @@ static void __init cps_prepare_cpus(unsigned int max_cpus) mips_cps_cluster_bootcfg = kcalloc(nclusters, sizeof(*mips_cps_cluster_bootcfg), GFP_KERNEL); + if (!mips_cps_cluster_bootcfg) + goto err_out; if (nclusters > 1) mips_cm_update_property(); @@ -348,6 +350,8 @@ static void __init cps_prepare_cpus(unsigned int max_cpus) mips_cps_cluster_bootcfg[cl].core_power = kcalloc(BITS_TO_LONGS(ncores), sizeof(unsigned long), GFP_KERNEL); + if (!mips_cps_cluster_bootcfg[cl].core_power) + goto err_out; /* Allocate VPE boot configuration structs */ for (c = 0; c < ncores; c++) { -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH v3] mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS

by Khem Raj

GCC 15 changed the default C standard dialect from gnu17 to gnu23, which should not have impacted the kernel because it explicitly requests the gnu11 standard in the main Makefile. However, mips/vdso code uses its own CFLAGS without a '-std=' value, which break with this dialect change because of the kernel's own definitions of bool, false, and true conflicting with the C23 reserved keywords. include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant 11 | false = 0, | ^~~~~ include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef' 35 | typedef _Bool bool; | ^~~~ include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards Add -std as specified in KBUILD_CFLAGS to the decompressor and purgatory CFLAGS to eliminate these errors and make the C standard version of these areas match the rest of the kernel. Signed-off-by: Khem Raj <raj.khem(a)gmail.com> Cc: stable(a)vger.kernel.org --- v2: Filter the -std flag from KBUILD_CFLAGS instead of hardcoding v3: Adjust subject and commit message arch/mips/vdso/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile index fb4c493aaffa..69d4593f64fe 100644 --- a/arch/mips/vdso/Makefile +++ b/arch/mips/vdso/Makefile @@ -27,6 +27,7 @@ endif # offsets. cflags-vdso := $(ccflags-vdso) \ $(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \ + $(filter -std=%,$(KBUILD_CFLAGS)) \ -O3 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \ -mrelax-pic-calls $(call cc-option, -mexplicit-relocs) \ -fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \

6 months, 2 weeks

2
1
0 0

[PATCH 0/3 V2] Fix erroneous ioctl returns

by Dave Penkler

Recent tests with timeouts > INT_MAX produced random error returns with usbtmc_get_stb. This was caused by assigning the return value of wait_event_interruptible_timeout to an int which overflowed to negative values. Also return value on success was the remaining number of jiffies instead of 0. These patches fix all the cases where the return of wait_event_interruptible_timeout was assigned to an int and the case of the remaining jiffies return in usbtmc_get_stb. Patch 1: Fixes usbtmc_get_stb Patch 2: Fixes usbtmc488_ioctl_wait_srq Patch 3: Fixes usbtmc_generic_read Dave Penkler (3): usb: usbtmc: Fix erroneous get_stb ioctl error returns usb: usbtmc: Fix erroneous wait_srq ioctl return usb: usbtmc: Fix erroneous generic_read ioctl return drivers/usb/class/usbtmc.c | 53 ++++++++++++++++++++++---------------- 1 file changed, 31 insertions(+), 22 deletions(-) -- Changes V1 => V2 Add cc to stable line 2.49.0

6 months, 2 weeks

1
3
0 0

BUG：KASAN: slab-use-after-free Read in jfs_lazycommit in linux6.12.24 and linux6.12.25(longterm maintenance)

by Jianzhou Zhao

Hello, I found a potential bug titled " KASAN: slab-use-after-free Read in jfs_lazycommit " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025) and the Linux6.12.25(longterm maintenance, last updated on April 25, 2025) I will put the C language reproduction program for this bug at the end. If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <luckd0g(a)163.com>, xingwei lee <xrivendell7(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 ------------[ cut here ]----------------------------------------- TITLE: KASAN: slab-use-after-free Read in jfs_lazycommit ------------[ cut here ]------------ ================================================================== BUG: KASAN: slab-use-after-free in jfs_lazycommit+0xa1f/0xb10 fs/jfs/jfs_txnmgr.c:2736 Read of size 4 at addr ffff888060f7de94 by task jfsCommit/123 CPU: 1 UID: 0 PID: 123 Comm: jfsCommit Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc0/0x5e0 mm/kasan/report.c:488 kasan_report+0xbd/0xf0 mm/kasan/report.c:601 jfs_lazycommit+0xa1f/0xb10 fs/jfs/jfs_txnmgr.c:2736 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 18638: kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] jfs_fill_super+0xdd/0xd40 fs/jfs/super.c:495 mount_bdev+0x1e9/0x2e0 fs/super.c:1693 legacy_get_tree+0x109/0x220 fs/fs_context.c:662 vfs_get_tree+0x94/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3512 [inline] path_mount+0x6b2/0x1ea0 fs/namespace.c:3839 do_mount fs/namespace.c:3852 [inline] __do_sys_mount fs/namespace.c:4062 [inline] __se_sys_mount fs/namespace.c:4039 [inline] __x64_sys_mount+0x284/0x310 fs/namespace.c:4039 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 9521: kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x54/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2363 [inline] slab_free mm/slub.c:4601 [inline] kfree+0x14b/0x4b0 mm/slub.c:4749 generic_shutdown_super+0x15c/0x3d0 fs/super.c:642 kill_block_super+0x3b/0x90 fs/super.c:1710 deactivate_locked_super+0xbc/0x1a0 fs/super.c:473 deactivate_super+0xb1/0xd0 fs/super.c:506 cleanup_mnt+0x2df/0x430 fs/namespace.c:1373 task_work_run+0x169/0x260 kernel/task_work.c:239 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xd8/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888060f7de00 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 148 bytes inside of freed 256-byte region [ffff888060f7de00, ffff888060f7df00) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888060f7c800 pfn:0x60f7c head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 04fff00000000040 ffff88801ac41b40 0000000000000000 dead000000000001 raw: ffff888060f7c800 000000000010000f 00000001f5000000 0000000000000000 head: 04fff00000000040 ffff88801ac41b40 0000000000000000 dead000000000001 head: ffff888060f7c800 000000000010000f 00000001f5000000 0000000000000000 head: 04fff00000000001 ffffea000183df01 ffffffffffffffff 0000000000000000 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9543, tgid 9543 (syz-executor), ts 103433205575, free_ts 103378736576 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2e7/0x350 mm/page_alloc.c:1558 prep_new_page mm/page_alloc.c:1566 [inline] get_page_from_freelist+0xe4e/0x2b20 mm/page_alloc.c:3476 __alloc_pages_noprof+0x219/0x21f0 mm/page_alloc.c:4754 alloc_pages_mpol_noprof+0x2b6/0x600 mm/mempolicy.c:2269 alloc_slab_page mm/slub.c:2433 [inline] allocate_slab mm/slub.c:2599 [inline] new_slab+0x2d5/0x420 mm/slub.c:2652 ___slab_alloc+0xbb7/0x1860 mm/slub.c:3840 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3930 __slab_alloc_node mm/slub.c:3983 [inline] slab_alloc_node mm/slub.c:4144 [inline] __do_kmalloc_node mm/slub.c:4285 [inline] __kmalloc_noprof+0x388/0x430 mm/slub.c:4298 kmalloc_noprof include/linux/slab.h:882 [inline] kmalloc_array_noprof include/linux/slab.h:923 [inline] batadv_hash_new+0x6f/0x2f0 net/batman-adv/hash.c:52 batadv_bla_init+0x3ff/0x750 net/batman-adv/bridge_loop_avoidance.c:1567 batadv_mesh_init+0x529/0x9b0 net/batman-adv/main.c:212 batadv_softif_init_late+0xbd6/0xf40 net/batman-adv/soft-interface.c:812 register_netdevice+0x651/0x1bf0 net/core/dev.c:10484 batadv_softif_newlink+0x72/0xa0 net/batman-adv/soft-interface.c:1089 rtnl_newlink_create net/core/rtnetlink.c:3542 [inline] __rtnl_newlink+0x1138/0x18e0 net/core/rtnetlink.c:3762 rtnl_newlink+0x68/0xa0 net/core/rtnetlink.c:3775 page last free pid 26 tgid 26 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0x714/0x10c0 mm/page_alloc.c:2659 vfree+0x172/0x940 mm/vmalloc.c:3378 delayed_vfree_work+0x57/0x70 mm/vmalloc.c:3298 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Memory state around the buggy address: ffff888060f7dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888060f7de00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888060f7de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888060f7df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888060f7df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== #define _GNU_SOURCE #include <dirent.h> #include <endian.h> #include <errno.h> #include <fcntl.h> #include <pthread.h> #include <setjmp.h> #include <signal.h> #include <stdarg.h> #include <stdbool.h> #include <stddef.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <sys/mount.h> #include <sys/prctl.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #include <linux/futex.h> #include <linux/loop.h> #ifndef __NR_memfd_create #define __NR_memfd_create 319 #endif static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void use_temporary_dir(void) { char tmpdir_template[] = "./syzkaller.XXXXXX"; char* tmpdir = mkdtemp(tmpdir_template); if (!tmpdir) exit(1); if (chmod(tmpdir, 0777)) exit(1); if (chdir(tmpdir)) exit(1); } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } //% This code is derived from puff.{c,h}, found in the zlib development. The //% original files come with the following copyright notice: //% Copyright (C) 2002-2013 Mark Adler, all rights reserved //% version 2.3, 21 Jan 2013 //% This software is provided 'as-is', without any express or implied //% warranty. In no event will the author be held liable for any damages //% arising from the use of this software. //% Permission is granted to anyone to use this software for any purpose, //% including commercial applications, and to alter it and redistribute it //% freely, subject to the following restrictions: //% 1. The origin of this software must not be misrepresented; you must not //% claim that you wrote the original software. If you use this software //% in a product, an acknowledgment in the product documentation would be //% appreciated but is not required. //% 2. Altered source versions must be plainly marked as such, and must not be //% misrepresented as being the original software. //% 3. This notice may not be removed or altered from any source distribution. //% Mark Adler madler(a)alumni.caltech.edu //% BEGIN CODE DERIVED FROM puff.{c,h} #define MAXBITS 15 #define MAXLCODES 286 #define MAXDCODES 30 #define MAXCODES (MAXLCODES + MAXDCODES) #define FIXLCODES 288 struct puff_state { unsigned char* out; unsigned long outlen; unsigned long outcnt; const unsigned char* in; unsigned long inlen; unsigned long incnt; int bitbuf; int bitcnt; jmp_buf env; }; static int puff_bits(struct puff_state* s, int need) { long val = s->bitbuf; while (s->bitcnt < need) { if (s->incnt == s->inlen) longjmp(s->env, 1); val |= (long)(s->in[s->incnt++]) << s->bitcnt; s->bitcnt += 8; } s->bitbuf = (int)(val >> need); s->bitcnt -= need; return (int)(val & ((1L << need) - 1)); } static int puff_stored(struct puff_state* s) { s->bitbuf = 0; s->bitcnt = 0; if (s->incnt + 4 > s->inlen) return 2; unsigned len = s->in[s->incnt++]; len |= s->in[s->incnt++] << 8; if (s->in[s->incnt++] != (~len & 0xff) || s->in[s->incnt++] != ((~len >> 8) & 0xff)) return -2; if (s->incnt + len > s->inlen) return 2; if (s->outcnt + len > s->outlen) return 1; for (; len--; s->outcnt++, s->incnt++) { if (s->in[s->incnt]) s->out[s->outcnt] = s->in[s->incnt]; } return 0; } struct puff_huffman { short* count; short* symbol; }; static int puff_decode(struct puff_state* s, const struct puff_huffman* h) { int first = 0; int index = 0; int bitbuf = s->bitbuf; int left = s->bitcnt; int code = first = index = 0; int len = 1; short* next = h->count + 1; while (1) { while (left--) { code |= bitbuf & 1; bitbuf >>= 1; int count = *next++; if (code - count < first) { s->bitbuf = bitbuf; s->bitcnt = (s->bitcnt - len) & 7; return h->symbol[index + (code - first)]; } index += count; first += count; first <<= 1; code <<= 1; len++; } left = (MAXBITS + 1) - len; if (left == 0) break; if (s->incnt == s->inlen) longjmp(s->env, 1); bitbuf = s->in[s->incnt++]; if (left > 8) left = 8; } return -10; } static int puff_construct(struct puff_huffman* h, const short* length, int n) { int len; for (len = 0; len <= MAXBITS; len++) h->count[len] = 0; int symbol; for (symbol = 0; symbol < n; symbol++) (h->count[length[symbol]])++; if (h->count[0] == n) return 0; int left = 1; for (len = 1; len <= MAXBITS; len++) { left <<= 1; left -= h->count[len]; if (left < 0) return left; } short offs[MAXBITS + 1]; offs[1] = 0; for (len = 1; len < MAXBITS; len++) offs[len + 1] = offs[len] + h->count[len]; for (symbol = 0; symbol < n; symbol++) if (length[symbol] != 0) h->symbol[offs[length[symbol]]++] = symbol; return left; } static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode, const struct puff_huffman* distcode) { static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258}; static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0}; static const short dists[30] = { 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577}; static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13}; int symbol; do { symbol = puff_decode(s, lencode); if (symbol < 0) return symbol; if (symbol < 256) { if (s->outcnt == s->outlen) return 1; if (symbol) s->out[s->outcnt] = symbol; s->outcnt++; } else if (symbol > 256) { symbol -= 257; if (symbol >= 29) return -10; int len = lens[symbol] + puff_bits(s, lext[symbol]); symbol = puff_decode(s, distcode); if (symbol < 0) return symbol; unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]); if (dist > s->outcnt) return -11; if (s->outcnt + len > s->outlen) return 1; while (len--) { if (dist <= s->outcnt && s->out[s->outcnt - dist]) s->out[s->outcnt] = s->out[s->outcnt - dist]; s->outcnt++; } } } while (symbol != 256); return 0; } static int puff_fixed(struct puff_state* s) { static int virgin = 1; static short lencnt[MAXBITS + 1], lensym[FIXLCODES]; static short distcnt[MAXBITS + 1], distsym[MAXDCODES]; static struct puff_huffman lencode, distcode; if (virgin) { lencode.count = lencnt; lencode.symbol = lensym; distcode.count = distcnt; distcode.symbol = distsym; short lengths[FIXLCODES]; int symbol; for (symbol = 0; symbol < 144; symbol++) lengths[symbol] = 8; for (; symbol < 256; symbol++) lengths[symbol] = 9; for (; symbol < 280; symbol++) lengths[symbol] = 7; for (; symbol < FIXLCODES; symbol++) lengths[symbol] = 8; puff_construct(&lencode, lengths, FIXLCODES); for (symbol = 0; symbol < MAXDCODES; symbol++) lengths[symbol] = 5; puff_construct(&distcode, lengths, MAXDCODES); virgin = 0; } return puff_codes(s, &lencode, &distcode); } static int puff_dynamic(struct puff_state* s) { static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15}; int nlen = puff_bits(s, 5) + 257; int ndist = puff_bits(s, 5) + 1; int ncode = puff_bits(s, 4) + 4; if (nlen > MAXLCODES || ndist > MAXDCODES) return -3; short lengths[MAXCODES]; int index; for (index = 0; index < ncode; index++) lengths[order[index]] = puff_bits(s, 3); for (; index < 19; index++) lengths[order[index]] = 0; short lencnt[MAXBITS + 1], lensym[MAXLCODES]; struct puff_huffman lencode = {lencnt, lensym}; int err = puff_construct(&lencode, lengths, 19); if (err != 0) return -4; index = 0; while (index < nlen + ndist) { int symbol; int len; symbol = puff_decode(s, &lencode); if (symbol < 0) return symbol; if (symbol < 16) lengths[index++] = symbol; else { len = 0; if (symbol == 16) { if (index == 0) return -5; len = lengths[index - 1]; symbol = 3 + puff_bits(s, 2); } else if (symbol == 17) symbol = 3 + puff_bits(s, 3); else symbol = 11 + puff_bits(s, 7); if (index + symbol > nlen + ndist) return -6; while (symbol--) lengths[index++] = len; } } if (lengths[256] == 0) return -9; err = puff_construct(&lencode, lengths, nlen); if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1])) return -7; short distcnt[MAXBITS + 1], distsym[MAXDCODES]; struct puff_huffman distcode = {distcnt, distsym}; err = puff_construct(&distcode, lengths + nlen, ndist); if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1])) return -8; return puff_codes(s, &lencode, &distcode); } static int puff(unsigned char* dest, unsigned long* destlen, const unsigned char* source, unsigned long sourcelen) { struct puff_state s = { .out = dest, .outlen = *destlen, .outcnt = 0, .in = source, .inlen = sourcelen, .incnt = 0, .bitbuf = 0, .bitcnt = 0, }; int err; if (setjmp(s.env) != 0) err = 2; else { int last; do { last = puff_bits(&s, 1); int type = puff_bits(&s, 2); err = type == 0 ? puff_stored(&s) : (type == 1 ? puff_fixed(&s) : (type == 2 ? puff_dynamic(&s) : -1)); if (err != 0) break; } while (!last); } *destlen = s.outcnt; return err; } //% END CODE DERIVED FROM puff.{c,h} #define ZLIB_HEADER_WIDTH 2 static int puff_zlib_to_file(const unsigned char* source, unsigned long sourcelen, int dest_fd) { if (sourcelen < ZLIB_HEADER_WIDTH) return 0; source += ZLIB_HEADER_WIDTH; sourcelen -= ZLIB_HEADER_WIDTH; const unsigned long max_destlen = 132 << 20; void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0); if (ret == MAP_FAILED) return -1; unsigned char* dest = (unsigned char*)ret; unsigned long destlen = max_destlen; int err = puff(dest, &destlen, source, sourcelen); if (err) { munmap(dest, max_destlen); errno = -err; return -1; } if (write(dest_fd, dest, destlen) != (ssize_t)destlen) { munmap(dest, max_destlen); return -1; } return munmap(dest, max_destlen); } static int setup_loop_device(unsigned char* data, unsigned long size, const char* loopname, int* loopfd_p) { int err = 0, loopfd = -1; int memfd = syscall(__NR_memfd_create, "syzkaller", 0); if (memfd == -1) { err = errno; goto error; } if (puff_zlib_to_file(data, size, memfd)) { err = errno; goto error_close_memfd; } loopfd = open(loopname, O_RDWR); if (loopfd == -1) { err = errno; goto error_close_memfd; } if (ioctl(loopfd, LOOP_SET_FD, memfd)) { if (errno != EBUSY) { err = errno; goto error_close_loop; } ioctl(loopfd, LOOP_CLR_FD, 0); usleep(1000); if (ioctl(loopfd, LOOP_SET_FD, memfd)) { err = errno; goto error_close_loop; } } close(memfd); *loopfd_p = loopfd; return 0; error_close_loop: close(loopfd); error_close_memfd: close(memfd); error: errno = err; return -1; } static void reset_loop_device(const char* loopname) { int loopfd = open(loopname, O_RDWR); if (loopfd == -1) { return; } if (ioctl(loopfd, LOOP_CLR_FD, 0)) { } close(loopfd); } static long syz_mount_image(volatile long fsarg, volatile long dir, volatile long flags, volatile long optsarg, volatile long change_dir, volatile unsigned long size, volatile long image) { unsigned char* data = (unsigned char*)image; int res = -1, err = 0, need_loop_device = !!size; char* mount_opts = (char*)optsarg; char* target = (char*)dir; char* fs = (char*)fsarg; char* source = NULL; char loopname[64]; if (need_loop_device) { int loopfd; memset(loopname, 0, sizeof(loopname)); snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid); if (setup_loop_device(data, size, loopname, &loopfd) == -1) return -1; close(loopfd); source = loopname; } mkdir(target, 0777); char opts[256]; memset(opts, 0, sizeof(opts)); if (strlen(mount_opts) > (sizeof(opts) - 32)) { } strncpy(opts, mount_opts, sizeof(opts) - 32); if (strcmp(fs, "iso9660") == 0) { flags |= MS_RDONLY; } else if (strncmp(fs, "ext", 3) == 0) { bool has_remount_ro = false; char* remount_ro_start = strstr(opts, "errors=remount-ro"); if (remount_ro_start != NULL) { char after = *(remount_ro_start + strlen("errors=remount-ro")); char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1); has_remount_ro = ((before == '\0' || before == ',') && (after == '\0' || after == ',')); } if (strstr(opts, "errors=panic") || !has_remount_ro) strcat(opts, ",errors=continue"); } else if (strcmp(fs, "xfs") == 0) { strcat(opts, ",nouuid"); } res = mount(source, target, fs, flags, opts); if (res == -1) { err = errno; goto error_clear_loop; } res = open(target, O_RDONLY | O_DIRECTORY); if (res == -1) { err = errno; goto error_clear_loop; } if (change_dir) { res = chdir(target); if (res == -1) { err = errno; } } error_clear_loop: if (need_loop_device) reset_loop_device(loopname); errno = err; return res; } #define FS_IOC_SETFLAGS _IOW('f', 2, long) static void remove_dir(const char* dir) { int iter = 0; DIR* dp = 0; const int umount_flags = MNT_FORCE | UMOUNT_NOFOLLOW; retry: while (umount2(dir, umount_flags) == 0) { } dp = opendir(dir); if (dp == NULL) { if (errno == EMFILE) { exit(1); } exit(1); } struct dirent* ep = 0; while ((ep = readdir(dp))) { if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0) continue; char filename[FILENAME_MAX]; snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name); while (umount2(filename, umount_flags) == 0) { } struct stat st; if (lstat(filename, &st)) exit(1); if (S_ISDIR(st.st_mode)) { remove_dir(filename); continue; } int i; for (i = 0;; i++) { if (unlink(filename) == 0) break; if (errno == EPERM) { int fd = open(filename, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno != EBUSY || i > 100) exit(1); if (umount2(filename, umount_flags)) exit(1); } } closedir(dp); for (int i = 0;; i++) { if (rmdir(dir) == 0) break; if (i < 100) { if (errno == EPERM) { int fd = open(dir, O_RDONLY); if (fd != -1) { long flags = 0; if (ioctl(fd, FS_IOC_SETFLAGS, &flags) == 0) { } close(fd); continue; } } if (errno == EROFS) { break; } if (errno == EBUSY) { if (umount2(dir, umount_flags)) exit(1); continue; } if (errno == ENOTEMPTY) { if (iter < 100) { iter++; goto retry; } } } exit(1); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void reset_loop() { char buf[64]; snprintf(buf, sizeof(buf), "/dev/loop%llu", procid); int loopfd = open(buf, O_RDWR); if (loopfd != -1) { ioctl(loopfd, LOOP_CLR_FD, 0); close(loopfd); } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); if (symlink("/dev/binderfs", "./binderfs")) { } } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void execute_one(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 4; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); event_timedwait(&th->done, 50 + (call == 0 ? 4000 : 0)); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { char cwdbuf[32]; sprintf(cwdbuf, "./%d", iter); if (mkdir(cwdbuf, 0777)) exit(1); reset_loop(); int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { if (chdir(cwdbuf)) exit(1); setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } remove_dir(cwdbuf); } } uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: memcpy((void*)0x200000000000, "jfs\000", 4); memcpy((void*)0x2000000004c0, "./bus\000", 6); memcpy( (void*)0x200000010140, "\x78\x9c\xec\xdd\x4d\x6f\x1d\x57\x19\x07\xf0\xe7\xbe\xf8\xfa\xa5\xb4" "\x8d\x2a\x54\x85\x88\x85\x9b\x42\x69\x29\xcd\x7b\x02\xe5\xad\x29\x0b" "\x16\xb0\x00\x09\x75\x4d\x22\xd7\xad\x02\x29\xa0\x24\x20\x5a\x59\xc4" "\x95\x17\x88\x0d\xf0\x11\x60\xd3\x0d\x8b\x7e\x05\x3e\x40\x3f\x03\xe2" "\x03\x10\xc9\x66\xd5\x05\x65\xd0\xd8\xe7\x24\xe3\xf1\x75\xae\x43\xe2" "\x3b\xd7\x3e\xbf\x9f\x74\x33\xf3\xcc\xb9\x63\x9f\xc9\xdf\xe3\xb9\xd7" "\x33\x73\x4f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\xf1\x83\xef\xff\xe4\x7c\x2f\x22\xae\xfd\x26\x2d\x38\x11\xf1\xb9" "\x18\x44\xf4\x23\x16\xeb\x7a\x39\xea\x99\xab\xf9\xf9\xc3\x88\x38\x19" "\xdb\xcd\xf1\x7c\x44\x0c\xe6\x23\xea\xf5\xb7\xff\x79\x36\xe2\x52\x44" "\x7c\xf2\x4c\xc4\xe6\xd6\xda\x4a\xbd\xf8\xc2\x01\xfb\x71\xf9\xdc\x9d" "\x5b\x9f\xfd\xf0\x7b\xff\xf8\xfd\x9f\x36\x4e\xfe\xec\xed\x9f\x7e\xd4" "\x6e\xff\xf1\xe7\x2f\x7e\xfc\x87\xbb\x11\x27\x7e\xf4\xfa\xc7\x9f\xdd" "\x7d\x32\xdb\x0e\x00\x00\x00\xa5\xa8\xaa\xaa\xea\xa5\xb7\xf9\xa7\xd2" "\xfb\xfb\x7e\xd7\x9d\x02\x00\xa6\x22\x1f\xff\xab\x24\x2f\x57\xab\xd5" "\x6a\xf5\x13\xad\xff\xd8\x9f\xad\xfe\xa8\x0b\xad\x9b\xaa\xf1\xee\x36" "\x8b\x88\x58\x6f\xae\x53\xbf\x66\x70\x3a\x1e\x00\x8e\x98\xf5\xf8\xb4" "\xeb\x2e\xd0\x21\xf9\x17\x6d\x18\x11\x4f\x75\xdd\x09\x60\xa6\xf5\xba" "\xee\x00\x87\x62\x73\x6b\x6d\xa5\x97\xf2\xed\x35\x8f\x07\xcb\x3b\xed" "\xf9\xef\x94\xbb\xf2\x5f\xef\xdd\xbf\xbf\x63\xbf\xe9\x24\xed\x6b\x4c" "\xa6\xf5\xf3\xb5\x11\x83\x78\x6e\x9f\xfe\x2c\x4e\xa9\x0f\xb3\x24\xe7" "\xdf\x6f\xe7\x7f\x6d\xa7\x7d\x94\x9e\x77\xd8\xf9\x4f\xcb\x7e\xf9\x8f" "\x76\x6e\x7d\x2a\x4e\xce\x7f\xd0\xce\xbf\x65\x57\xfe\x7f\x8e\x88\x23" "\x9b\x7f\x7f\x6c\xfe\xa5\xca\xf9\x0f\x1f\x25\xff\xf5\xc1\x11\xde\xff" "\xe5\x0f\x00\x00\x00\x00\xc0\xf1\x97\xff\xfe\x7f\xa2\xe3\xf3\xbf\xf3" "\x8f\xbf\x29\x07\xf2\xb0\xf3\xbf\xcb\x53\xea\x03\x00\x00\x00\x00\x00" "\x00\x00\x3c\x69\x8f\x3b\xfe\xdf\x7d\xc6\xff\x03\x00\x00\x80\x99\x55" "\xbf\x57\xaf\xfd\xe5\x99\x07\xcb\xf6\xfb\x2c\xb6\x7a\xf9\x5b\xbd\x88" "\xa7\x5b\xcf\x07\x0a\xb3\xdc\xf8\x70\x40\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x60\x3a\x86\x11\x4b\xe9\xba\xfe\xb9\x88\x78\x7a\x69\xa9" "\xaa\xaa\xfa\xd1\xd4\xae\x1f\xd5\xe3\xae\x7f\xd4\x95\xbe\xfd\x50\xb2" "\xae\x7f\xc9\x03\x00\xc0\x8e\x4f\x9e\x69\xdd\xcb\xdf\x8b\x58\x88\x88" "\xb7\xd2\x67\xfd\xcd\x2d\x2d\x2d\x55\xd5\xc2\xe2\x52\xb5\x54\x2d\xce" "\xe7\xd7\xb3\xa3\xf9\x85\x6a\xb1\xf1\xbe\x36\x4f\xeb\x65\xf3\xa3\x03" "\xbc\x20\x1e\x8e\xaa\xfa\x8b\x2d\x34\xd6\x6b\x9a\xf4\x7e\x79\x52\x7b" "\xfb\xeb\xd5\xdf\x6b\x54\x0d\x0e\xd0\xb1\xe9\xe8\x30\x70\x00\x88\x88" "\x9d\xa3\xd1\xa6\x23\xd2\x31\x53\x55\xcf\x46\xd7\xaf\x72\x38\x1a\xec" "\xff\xc7\x8f\xfd\x9f\x83\xe8\xfa\xe7\x14\x00\x00\x00\x38\x7c\x55\x55" "\x55\xbd\xf4\x71\xde\xa7\xd2\x39\xff\x7e\xd7\x9d\x02\x00\xa6\x22\x1f" "\xff\xdb\xe7\x05\xd4\x6a\xb5\x5a\xad\x56\x1f\xbf\xba\xa9\x1a\xef\x6e" "\xb3\x88\x88\xf5\xe6\x3a\xf5\x6b\x06\xc3\xf1\x03\xc0\x11\xb3\x1e\x9f" "\x76\xdd\x05\x3a\x24\xff\xa2\x0d\x23\xe2\x64\xd7\x9d\x00\x66\x5a\xaf" "\xeb\x0e\x70\x28\x36\xb7\xd6\x56\x7a\x29\xdf\x5e\xf3\x78\xb0\xbc\xd3" "\x9e\xaf\x05\xd9\x95\xff\x7a\x6f\x7b\xbd\xbc\xfe\xb8\xe9\x24\xed\x6b" "\x4c\xa6\xf5\xf3\xb5\x11\x83\x78\x6e\x9f\xfe\x3c\x3f\xa5\x3e\xcc\x92" "\x9c\x7f\xbf\x9d\xff\xb5\x9d\xf6\x3c\xc4\xff\x61\xe7\x3f\x2d\xfb\xe5" "\x5f\x6f\xe7\x89\x0e\xfa\xd3\xb5\x9c\xff\xa0\x9d\x7f\xcb\xf1\xc9\xbf" "\x3f\x36\xff\x52\xe5\xfc\x87\x8f\x94\xff\x40\xfe\x00\x00\x00\x00\x00" "\x30\xc3\xf2\xdf\xff\x4f\x38\xff\x9b\x37\x19\x00\x00\x00\x00\x00\x00" "\x00\x8e\x9c\xcd\xad\xb5\x95\x7c\xdf\x6b\x3e\xff\xff\xc5\x31\xcf\xeb" "\x35\xe7\xdc\xff\x79\x6c\xe4\xfc\x7b\x07\xce\xdf\xfd\xbf\xc7\x49\xce" "\xbf\xdf\xce\xbf\x75\x41\xce\xa0\x31\x7f\xef\xcd\x07\xf9\xff\x7b\x6b" "\x6d\xe5\xa3\x3b\xff\xfa\x42\x9e\xce\x7c\xfe\x73\x83\x51\xfd\xbd\xe7" "\x7a\xfd\xc1\x30\x5d\xf3\x53\xcd\xbd\x13\x37\xe2\x66\xac\xc6\xb9\x3d" "\xcf\x1f\xee\x6a\x3f\xbf\xa7\x7d\x6e\x57\xfb\x85\x09\xed\x17\xf7\xb4" "\x8f\xea\xf6\xc5\xdc\x7e\x26\x56\xe2\x97\x71\x33\xde\xbe\xdf\x3e\x3f" "\xe1\xc2\xa8\x85\x09\xed\xd5\x84\xf6\x9c\xff\xc0\xfe\x5f\xa4\x9c\xff" "\xb0\xf1\xa8\xf3\x5f\x4a\xed\xbd\xd6\xb4\x76\xef\xc3\xfe\x9e\xfd\xbe" "\x39\x1d\xf7\x7d\xae\xfe\xed\x3f\x2f\xed\xdd\xbb\xa6\x6f\x23\x06\xf7" "\xb7\xad\xa9\xde\xbe\xd3\x1d\xf4\x67\xfb\xff\xe4\xa9\x51\xfc\xfa\xf6" "\xea\xad\x33\xbf\xbd\x7e\xe7\xce\xad\xf3\x91\x26\xbb\x96\x5e\x88\x34" "\x79\xc2\x72\xfe\x73\xe9\x91\xf3\x7f\xf9\xc5\x9d\xf6\xfc\x7b\xbf\xb9" "\xbf\xde\xfb\x70\xf4\xc8\xf9\xcf\x8a\x8d\x18\xee\x9b\xff\x8b\x8d\xf9" "\x7a\x7b\x5f\x99\x72\xdf\xba\x90\xf3\x1f\xa5\x47\xce\x3f\x1f\x81\xc6" "\xef\xff\x47\x39\xff\xfd\xf7\xff\x57\x3b\xe8\x0f\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x3c\x4c\x55\x55\xdb\xb7\x88\x5e\x8d\x88" "\x2b\xe9\xfe\x9f\xae\xee\xcd\x04\x00\xa6\x2b\x1f\xff\xab\x24\x2f\x57" "\xab\xd5\x6a\xb5\x5a\x7d\xfc\xea\xa6\x6a\xbc\x37\x9a\x45\x44\xfc\xbd" "\xb9\x4e\xfd\x9a\xe1\x77\xe3\xbe\x18\x00\x30\xcb\xfe\x1b\x11\xff\xec" "\xba\x13\x74\x46\xfe\x05\xcb\x9f\xf7\x57\x4f\xbf\xd4\x75\x67\x80\xa9" "\xba\xfd\xfe\x07\x3f\xbf\x7e\xf3\xe6\xea\xad\xdb\x5d\xf7\x04\x00\x00" "\x00\x00\x00\x00\x00\xf8\x7f\xe5\xf1\x3f\x97\x1b\xe3\x3f\x6f\x5f\x07" "\xd4\x1a\x37\x7a\xd7\xf8\xaf\x6f\xc6\xf2\x8c\x8f\xff\xb9\xb8\x5f\xc3" "\x46\x7f\x34\xd8\x1e\xeb\x3c\x6d\xd0\x0b\xf1\xf0\xf1\xbf\x4f\xc7\xc3" "\xc7\xff\x1e\x4e\xe8\xc8\xdc\x84\xf6\xd1\x84\xf6\xf9\x09\xed\x0b\x13" "\xda\xc7\xde\xe8\xd1\x90\xf3\x7f\x21\x65\x9c\xf3\x3f\x95\x36\xac\xa4" "\xf1\x5f\x5f\xee\xa0\x3f\x5d\xcb\xf9\x9f\x4e\x63\x3d\xe7\xfc\xbf\xd2" "\x7a\x5e\x33\xff\xea\xaf\x47\x39\xff\xfe\xae\xfc\xcf\xde\x79\xef\x57" "\x67\x6f\xbf\xff\xc1\x6b\x37\xde\xbb\xfe\xee\xea\xbb\xab\xbf\x38\x7f" "\xee\xca\xa5\x8b\x97\x2f\x5d\xbc\x7c\xf9\xec\x3b\x37\x6e\xae\x9e\xdb" "\xf9\xb7\xc3\x1e\x1f\xae\x9c\x7f\x1e\xfb\xda\x75\xa0\x65\xc9\xf9\xe7" "\xcc\xe5\x5f\x96\x9c\xff\x97\x53\x2d\xff\xb2\xe4\xfc\x5f\x4a\xb5\xfc" "\xcb\x92\xf3\xcf\xaf\xf7\xe4\x5f\x96\x9c\x7f\x7e\xef\x23\xff\xb2\xe4" "\xfc\x5f\x49\xb5\xfc\xcb\x92\xf3\xff\x6a\xaa\xe5\x5f\x96\x9c\xff\xab" "\xa9\x96\x7f\x59\x72\xfe\x5f\x4b\xb5\xfc\xcb\x92\xf3\x7f\x2d\xd5\xf2" "\x2f\x4b\xce\xff\x4c\xaa\xe5\x5f\x96\x9c\xff\xd9\x54\xcb\xbf\x2c\x39" "\xff\x7c\x86\x4b\xfe\x65\xc9\xf9\xe7\x2b\x1b\xe4\x5f\x96\x9c\xff\x85" "\x54\xcb\xbf\x2c\x39\xff\x8b\xa9\x96\x7f\x59\x72\xfe\x97\x52\x2d\xff" "\xb2\xe4\xfc\x2f\xa7\x5a\xfe\x65\xc9\xf9\x5f\x49\xb5\xfc\xcb\x92\xf3" "\xff\x7a\xaa\xe5\x5f\x96\x9c\xff\x37\x52\x2d\xff\xb2\xe4\xfc\x5f\x4f" "\xb5\xfc\xcb\x92\xf3\xff\x66\xaa\xe5\x5f\x96\x9c\xff\xb7\x52\x2d\xff" "\xb2\xe4\xfc\xbf\x9d\x6a\xf9\x97\x25\xe7\xff\x9d\x54\xcb\xbf\x2c\x39" "\xff\xef\xa6\x5a\xfe\x65\xc9\xf9\xbf\x91\x6a\xf9\x97\xe5\xc1\xe7\xff" "\x9b\x31\x63\xc6\x4c\x9e\xe9\xfa\x37\x13\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\xd0\x36\x8d\xcb\x89\xbb\xde\x46\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\xf8\x1f\x3b\x70\x20\x00\x00\x00\x00\x00\xe4\xff\xda\x08\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55" "\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\x55\xd8\x81\x03" "\x01\x00\x00\x00\x00\x20\xff\xd7\x46\xa8\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xc2\xde\xdd\xc5\xc8\x55\xde\xf7\x03" "\x3f\xfb\x66\xaf\x0d\x09\xfe\x87\x77\xe2\x80\x6d\xde\x0c\x2c\xec\xae" "\xdf\xc0\x21\x06\x93\x84\xfc\x29\xe9\x0b\x25\x21\x6d\x5a\x52\xe3\xd8" "\x6b\xe3\xc4\x6f\xf5\xee\x12\x40\xa8\xde\x14\xda\x12\x05\xa9\x48\xed" "\x05\xbd\x68\x9a\x44\x69\x14\xa9\xad\x40\x55\xa4\xa6\x12\x8d\x90\x1a" "\xa9\xbd\x6b\xae\x1a\x71\x13\xb5\x52\x2e\x7c\x01\x95\x83\x92\x56\xa9" "\x02\x5b\x9d\x39\xcf\xf3\xec\xcc\xec\xec\xcc\x7a\xed\xf1\xce\x9c\xf3" "\xf9\x20\xfc\xf3\xce\x9c\x99\x79\xe6\xcc\x99\xd9\xfd\xae\xf5\x9d\x01" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x80\x7a\x9b\x3f\x36\xf5\x27\x03\x59\x96\xe5\xff" "\xd7\xfe\xd8\x90\x65\x97\xe6\x7f\x5f\x97\xed\xcd\xbf\x9c\xdb\xb5\xda" "\x2b\x04\x00\x00\x00\xce\xd7\xbb\xb5\x3f\xff\xf6\xb2\x74\xc2\xde\x65" "\x5c\xa8\x6e\x9b\x7f\xb9\xfe\xdf\xbe\x3b\x3f\x3f\x3f\x9f\x7d\xfe\x9d" "\x33\xef\xfd\xd9\xfc\x7c\x3a\x63\x53\x96\x0d\xad\xcd\xb2\xda\x79\xd1" "\xbf\xfe\xe2\xe7\xf3\xf5\xdb\x04\xcf\x67\xa3\x03\x83\x75\x5f\x0f\x76" "\xb8\xf9\xa1\x0e\xe7\x0f\x77\x38\x7f\xa4\xc3\xf9\x6b\x3a\x9c\xbf\xb6" "\xc3\xf9\xa3\x1d\xce\x5f\xb4\x03\x16\x59\x57\xfc\x3e\xa6\x76\x65\x37" "\xd5\xfe\xba\xa1\xd8\xa5\xd9\x15\xd9\x48\xed\xbc\x9b\x5a\x5c\xea\xf9" "\x81\xb5\x83\x83\xf1\x77\x39\x35\x03\xb5\xcb\xcc\x8f\x1c\xca\x8e\x64" "\x47\xb3\xa9\x6c\x62\xd1\x65\x06\x6a\xff\x65\xd9\xeb\x9b\xf3\xdb\x7a" "\x28\x8b\xb7\x35\x58\x77\x5b\x1b\xb3\x2c\x3b\xfb\xd3\xe7\x0e\xc4\x35" "\x0c\x84\x7d\x7c\x53\xd6\x70\x63\x35\xf5\x8f\xdd\xdb\x0f\x64\x9b\xde" "\xf9\xe9\x73\x07\xbe\x3d\xf3\xd6\xb5\xad\x66\xc7\xdd\xb0\x68\xa5\x59" "\xb6\x75\x4b\xbe\xce\x17\xb2\x6c\xe1\xd7\x55\xd9\x40\xb6\x36\xed\x93" "\xb8\xce\xc1\xba\x75\x6e\x6c\xb1\xce\xa1\x86\x75\x0e\xd4\x2e\x97\xff" "\xbd\x79\x9d\x67\x97\xb9\xce\x78\xbf\x47\xc3\x3a\x7f\xd8\x66\x9d\x1b" "\xc3\x69\x4f\xdf\x98\x65\xd9\x5c\xb6\xe4\x36\xcd\x9e\xcf\x06\xb3\xf5" "\x4d\xb7\x9a\xf6\xf7\x68\x71\x44\xe4\xd7\x91\x3f\x94\x1f\xc8\x86\xcf" "\xe9\x38\xd9\xbc\x8c\xe3\x24\xbf\xcc\x4f\x6e\x6c\x3c\x4e\x9a\x8f\xc9" "\xb8\xff\x37\x87\x7d\x32\xbc\xc4\x1a\xea\x1f\x8e\xb7\xbf\xbc\x66\xd1" "\x7e\x5f\xe9\x71\x92\xdf\xeb\x5e\x38\x56\xf3\xeb\x7e\x24\xbf\xd1\xd1" "\xd1\xfa\x5f\xad\x36\x1c\xab\xf9\x36\xcf\xdd\xbc\xf4\x31\xd0\xf2\xb1" "\x6b\x71\x0c\xa4\x63\xb9\xee\x18\xd8\xd2\xe9\x18\x18\x5c\x33\x54\x3b" "\x06\x06\x17\xd6\xbc\xa5\xe1\x18\x98\x5c\x74\x99\xc1\x6c\xa0\x76\x5b" "\x67\x6e\x6e\x7f\x0c\x8c\xcf\x1c\x3b\x39\x3e\xfd\xcc\xb3\x77\x1e\x39" "\xb6\xff\xf0\xd4\xe1\xa9\xe3\x93\x13\xbb\x76\x6c\xdf\xb9\x63\xfb\xce" "\x9d\xe3\x87\x8e\x1c\x9d\x9a\x28\xfe\x3c\xb7\x5d\xda\x47\xd6\x67\x83" "\xe9\x18\xdc\x12\x5e\x6b\xe2\x31\x78\x6b\xd3\xb6\xf5\x87\xe4\xfc\x37" "\x2e\xdc\xf3\x60\xb4\x47\x9e\x07\xf9\x7d\xff\xf4\x2d\xf9\x82\x2e\x1d" "\xcc\x96\x38\xc6\xf3\x6d\x5e\xd8\x7a\xfe\xcf\x83\xf4\x7d\xbf\xee\x79" "\x30\x5c\xf7\x3c\x68\xf9\x9a\xda\xe2\x79\x30\xbc\x8c\xe7\x41\xbe\xcd" "\xd9\xad\xcb\xfb\x9e\x39\x5c\xf7\x7f\xab\x35\x74\xeb\xb5\x70\x43\xdd" "\x31\xb0\x9a\xdf\x0f\xf3\xdb\x7c\xfc\xb6\xa5\x5f\x0b\x37\x86\x75\xbd" "\x78\xfb\xb9\x7e\x3f\x1c\x5a\x74\x0c\xc4\xbb\x35\x10\x9e\x7b\xf9\x29" "\xe9\xe7\xbd\xd1\x7b\xc2\x7e\x59\x7c\x5c\x5c\x97\x9f\x71\xc9\x9a\x6c" "\x76\x7a\xea\xd4\x5d\x4f\xef\x9f\x99\x39\x35\x99\x85\x71\x51\x5c\x5e" "\xf7\x58\x35\x1f\x2f\xeb\xeb\xee\x53\xb6\xe8\x78\x19\x3c\xe7\xe3\x65" "\xef\xdf\xfc\xf2\x96\xeb\x5a\x9c\xbe\x21\xec\xab\xd1\x3b\xda\x3f\x56" "\xf9\x36\x3b\xc6\xda\x3f\x56\xb5\x57\xf7\xd6\xfb\xb3\xe1\xd4\x6d\x59" "\x18\x17\xd8\xc5\xde\x9f\xad\xbe\x9b\xe5\xfb\x33\x65\x89\x36\xfb\x33" "\xdf\xe6\x85\x3b\xcf\xff\x67\xc1\x94\x4b\xea\x5e\xff\x46\x3a\xbd\xfe" "\x0d\x8d\x0c\x17\xaf\x7f\x43\x69\x6f\x8c\x34\xbc\xfe\x2d\x7e\x68\x86" "\x6a\x2b\xcb\xb2\xb3\x77\x2e\xef\xf5\x6f\x24\xfc\x7f\xb1\x5f\xff\xae" "\xe8\x91\xd7\xbf\x7c\x5f\x3d\x7e\x57\xfb\x63\x20\xdf\xe6\xc5\xf1\x73" "\x3d\x06\x86\xdb\xbe\xfe\xdd\x18\xe6\x40\x58\xcf\x6d\x21\x31\x8c\xd6" "\xe5\xfe\xf7\x6a\xe7\xcf\x15\x87\x69\xdd\x63\xd9\xf1\xb8\x19\x1e\x1e" "\x09\xc7\xcd\x70\xbc\xc5\xc6\xe3\x66\xfb\xa2\xcb\xe4\xd7\x96\xdf\xf6" "\xd6\x89\x95\x1d\x37\x5b\x6f\x6c\x7c\xac\x1a\x7e\x6e\x29\xe1\x71\x93" "\xef\xab\x3f\x9f\x68\x7f\xdc\xe4\xdb\xbc\x31\x79\xfe\xaf\x1d\xeb\xe2" "\x5f\xeb\x5e\x3b\xd6\x74\x3a\x06\x46\x86\xd6\xe4\xeb\x1d\x49\x07\x41" "\xf1\x7a\x37\xbf\x2e\x1e\x03\x77\x65\x07\xb2\x13\xd9\xd1\xec\x60\xba" "\x4c\xfe\x28\xe7\xb7\x35\xb6\x6d\x79\xc7\xc0\x9a\xf0\xff\xc5\x7e\xed" "\xb8\xa6\x47\x8e\x81\x7c\x5f\xbd\xb2\xad\xfd\x31\x90\x6f\xf3\x83\xed" "\x17\xf6\x67\xa7\xad\xe1\x94\xb4\x4d\xdd\xcf\x4e\xcd\xbf\x5f\x58\x2a" "\xf3\x5f\x37\xbc\x70\x7d\xcd\xbb\xed\x42\x67\xfe\x7c\x9d\x1f\xdf\xd1" "\xfe\x77\x43\xf9\x36\x6f\xed\x38\xd7\x9c\xd1\x7e\x3f\xdd\x11\x4e\xb9" "\xa4\xc5\x7e\x6a\x7e\xfe\x2c\x75\x4c\x1f\xcc\x2e\xce\x7e\xba\x26\xac" "\xf3\xe8\xce\xf6\xbf\x9b\xca\xb7\xb9\x62\xd7\x32\x8f\xa7\xbd\x59\x96" "\xbd\x39\xf9\x66\xed\xf7\x5d\xe1\xf7\xbb\x7f\x3f\xfb\xef\xdf\x6d\xf8" "\xbd\x6f\xab\xdf\x29\xbf\x39\xf9\xe6\xc3\xe3\x8f\xfe\xe8\x5c\xd6\x0f" "\x00\xc0\xca\xbd\x57\xfb\x73\x6e\x4d\xf1\xb3\x66\xdd\xbf\x58\x2f\xe7" "\xdf\xff\x01\x00\x00\x80\xbe\x10\x73\xff\x60\x98\x89\xfc\x0f\x00\x00" "\x00\xa5\x11\x73\xff\x50\x98\x89\xfc\x0f\x00\x00\x00\xa5\x11\x73\xff" "\x70\x98\x49\x45\xf2\xff\x93\xf7\xec\x7e\xf5\xdd\xd3\x59\x7a\x37\xc0" "\xf9\x20\x9e\x1f\x77\xc3\x23\xf7\x15\xdb\xc5\x8e\xf7\x5c\xf8\x7a\xd3" "\xfc\x82\xfc\xf4\x8f\x7e\x6b\xe4\xd5\xaf\x9c\x5e\xde\x6d\x0f\x66\x59" "\xf6\xcb\x87\x3f\xd8\x72\xfb\x27\xef\x8b\xeb\x2a\x9c\x8c\xeb\xfc\x70" "\xe3\xe9\x8b\x5c\x73\xc3\xb2\x6e\xff\x89\xc7\x16\xb6\xab\x7f\xff\x84" "\xb3\xbb\x8b\xeb\x8f\xf7\x67\xb9\x87\x41\xec\x2a\xbf\x3e\xbe\xad\x76" "\xbd\x9b\x9e\x99\xac\xcd\x37\x1e\xce\x6a\xf3\xd1\xb9\x17\x9f\x2f\xae" "\xbf\xf8\x3a\x6e\x7f\x66\x7b\xb1\xfd\x5f\x86\x37\x2d\xd9\x7b\x68\xa0" "\xe1\xf2\x5b\xc3\x7a\x6e\x0a\x73\x53\x78\x4f\x99\x47\xf6\x2e\xec\x87" "\x7c\xc6\xcb\xbd\xba\xf1\xfa\x7f\xbe\xfc\x33\x0b\xb7\x17\x2f\x37\xb0" "\xe5\xfd\xb5\xbb\xf9\xca\x1f\x14\xd7\x1b\xdf\x23\xea\xe5\xcb\x8b\xed" "\xe3\xfd\x5e\x6a\xfd\xff\xf4\xd5\xef\xbc\x9a\x6f\xff\xf4\xcd\xad\xd7" "\x7f\x7a\xb0\xf5\xfa\xcf\x84\xeb\xfd\x49\x98\xbf\xd8\x53\x6c\x5f\xbf" "\xcf\xbf\x52\xb7\xfe\x3f\x0a\xeb\x8f\xb7\x17\x2f\x77\xd7\x37\xbf\xdf" "\x72\xfd\xaf\x5d\x5d\x6c\xff\x5a\x38\x2e\xbe\x1e\x66\xf3\xfa\x1f\xf8" "\xd3\x0f\xbd\xdb\xea\xf1\x8a\xb7\xb3\xf7\xde\xe2\x72\xf1\xf6\x27\xfe" "\x7b\x47\xed\x72\xf1\xfa\xe2\xf5\x37\xaf\x7f\xf4\xf4\x64\xc3\xfe\x68" "\xbe\xfe\x37\xde\x29\xae\x67\xcf\x53\x3f\x1b\xaa\xdf\x3e\x9e\x1e\x6f" "\x27\x7a\xe2\xde\xc6\xe3\x7b\x20\x3c\xbe\x0d\x3d\xf2\x2c\xcb\xbe\xf3" "\xc7\x59\xc3\x7e\xce\x3e\x52\x5c\xee\x1f\x9b\xd6\x1f\xaf\xef\xe4\xbd" "\xad\xd7\x7f\x47\xd3\x3a\x4f\x0e\xdc\x50\xbb\xfc\xc2\xfd\xd9\xd0\x70" "\xbf\xbe\xf6\xd7\xdb\x5a\xde\xdf\xb8\x9e\xbd\x7f\xb7\xa1\xe1\xfe\xbc" "\xfc\x60\xd8\x7f\xef\x8c\xff\x20\xbf\xde\x33\x8f\x86\xe3\x31\x9c\xff" "\xbf\x3f\x2c\xae\xaf\xf9\xbd\x4c\x5f\x7b\xb0\xf1\xf5\x26\x6e\xff\xf5" "\x0d\xc5\xf3\x36\x5e\xdf\x78\xd3\xfa\x5f\x6e\x5a\xff\xdc\x0d\xf9\xbe" "\xeb\xbc\xfe\x87\xde\x29\xd6\xff\xda\xfd\x6b\x1b\xd6\xbf\xf7\x13\xe1" "\x78\x7a\xa8\x98\x9d\xd6\x7f\xf8\xaf\x2e\x6b\xb8\xfc\x37\xbe\x5d\x3c" "\x1e\xa7\xbe\x34\x76\xfc\xc4\xf4\xec\x91\x83\x75\x7b\xb5\xfe\x79\xbc" "\x76\x74\xdd\xfa\x4b\x2e\x7d\xdf\xfb\x2f\x0b\xaf\xa5\xcd\x5f\xef\x3b" "\x31\xf3\xe4\xd4\xa9\x4d\x13\x9b\x26\xb2\x6c\x53\x1f\xbe\x65\x60\xb7" "\xd7\xff\xcd\x30\xff\xab\x18\x73\x17\xfe\x16\x0a\x3f\xfa\x59\x71\xdc" "\xbd\xf4\xc9\xe2\xfb\xd6\xad\x3f\x2f\xbe\x7e\x39\x9c\xfe\x44\x78\x3c" "\xe3\xf7\xc7\xaf\xfd\xc5\x48\xc3\xf1\xda\xfc\xb8\xcf\xdd\x5f\xcc\xf3" "\x5d\xff\xed\x61\x1d\xcb\x75\xf5\x57\xff\xf3\x86\x65\x6d\x78\xe6\x73" "\xaf\xcf\xfe\xc3\x1f\xbe\xd5\xfc\x73\x41\xbc\x3f\x27\xaf\x1c\xad\xdd" "\xbf\x57\x36\x5f\x55\x3b\x6f\xe0\x8d\xe2\xfc\xe6\xd7\xab\x4e\xfe\xe3" "\xca\xc6\xe7\xf5\x8f\x87\x27\x6a\xf3\x7b\x61\xbf\xce\x87\x77\x66\xde" "\x72\x55\x71\x7b\xcd\xd7\x1f\xdf\x9b\xe4\xa5\x4f\x15\xcf\xdf\xf8\x93" "\x5c\xbc\x7c\xd6\xf4\x7e\x22\x1b\x86\x1a\xef\xc7\xf9\xae\xff\xc7\xe1" "\xe7\x98\xef\x5f\xd3\xf8\xfa\x17\x8f\x8f\xef\x9d\x6e\x7a\x37\xe7\x0d" "\xd9\x40\xbe\x84\xb9\xf0\xfa\x90\xcd\x15\xe7\xc7\xad\xe2\xfe\x7e\xe9" "\xec\x55\x2d\x6f\x2f\xbe\x0f\x4f\x36\x77\xed\xb9\x2c\x73\x49\xd3\xcf" "\x4c\x8f\x1f\x3d\x72\x7c\xf6\xe9\xf1\x99\xa9\xe9\x99\xf1\xe9\x67\x9e" "\xdd\x77\xec\xc4\xec\xf1\x99\x7d\xb5\xf7\x2e\xdd\xf7\x85\x4e\x97\x5f" "\x78\x7e\xaf\xaf\x3d\xbf\x0f\x4e\xed\xda\x91\xd5\x9e\xed\x27\x8a\xd1" "\x65\xab\xbd\xfe\x93\x8f\x1d\x38\x78\xf7\xc4\x2d\x07\xa7\x0e\xed\x9f" "\x3d\x34\xf3\xd8\xc9\xa9\x53\x87\x0f\x4c\x4f\x1f\x98\x3a\x38\x7d\xcb" "\xfe\x43\x87\xa6\xbe\xd4\xe9\xf2\x47\x0e\xee\x99\xdc\xb6\x7b\xfb\xdd" "\xdb\xc6\x0e\x1f\x39\xb8\xe7\x9e\xdd\xbb\xb7\xef\x1e\x3b\x72\xfc\x44" "\xbe\x8c\x62\x51\x1d\xec\x9a\xf8\xe2\xd8\xf1\x53\xfb\x6a\x17\x99\xde" "\xb3\x63\xf7\xe4\xce\x9d\x3b\x26\xc6\x8e\x9d\x38\x38\xb5\xe7\xee\x89" "\x89\xb1\xd9\x4e\x97\xaf\x7d\x6f\x1a\xcb\x2f\xfd\xd4\xd8\xa9\xa9\xa3" "\xfb\x67\x8e\x1c\x9b\x1a\x9b\x3e\xf2\xec\xd4\x9e\xc9\xdd\xbb\x76\x6d" "\xeb\xf8\xee\x8f\xc7\x4e\x1e\x9a\xde\x34\x7e\x6a\xf6\xf8\xf8\xec\xf4" "\xd4\xa9\xf1\xe2\xbe\x6c\x9a\xa9\x9d\x9c\x7f\xef\xeb\x74\x79\xaa\x61" "\xfa\x44\x78\xbd\x6b\x32\x10\x7e\x3a\xff\xec\x1d\xbb\xd2\xfb\xe3\xe6" "\xbe\xf5\xe5\x25\xaf\xaa\xd8\xa4\xf1\xc7\xd3\xec\xed\xf0\x5e\x50\xf1" "\xfb\x5b\xa7\xaf\x63\xee\x1f\x09\x33\xa9\x48\xfe\x07\x00\x00\x80\x2a" "\x88\xb9\x3f\xbc\xf1\xff\xc2\x19\xf2\x3f\x00\x00\x00\x94\x46\xcc\xfd" "\x6b\xc3\x4c\xe4\x7f\x00\x00\x00\x28\x8d\x98\xfb\x47\xc3\x4c\x2a\x92" "\xff\xf5\xff\xf5\xff\xf5\xff\xf5\xff\xf5\xff\xf5\xff\xbb\x49\xff\x5f" "\xff\xbf\x1d\xfd\x7f\xfd\xff\x7e\x5e\xbf\xfe\xbf\xfe\x3f\x9d\xf5\x5a" "\xff\x3f\xe6\xfe\x75\x59\x56\xc9\xfc\x0f\x00\x00\x00\x55\x10\x73\xff" "\xfa\x30\x13\xf9\x1f\x00\x00\x00\x4a\x23\xe6\xfe\x4b\xc2\x4c\xe4\x7f" "\x00\x00\x00\x28\x8d\x98\xfb\x2f\x0d\x33\xa9\x46\xfe\x1f\x59\xb8\xc7" "\xfa\xff\x99\xfe\xbf\xfe\xff\xa2\xfe\x7f\xdc\x56\xff\x3f\xd3\xff\xd7" "\xff\x5f\x21\xfd\x7f\xfd\xff\x76\xf4\xff\xf5\xff\xfb\x79\xfd\x3d\xd8" "\xff\x5f\xa7\xff\x4f\xaf\xe9\xb5\xfe\x7f\xcc\xfd\xef\x0b\x33\xa9\x46" "\xfe\x07\x00\x00\x80\x4a\x88\xb9\xff\xfd\x61\x26\xf2\x3f\x00\x00\x00" "\x94\x46\xcc\xfd\x97\x85\x99\xc8\xff\x00\x00\x00\x50\x1a\x31\xf7\x6f" "\x08\x33\xa9\x48\xfe\xf7\xf9\xff\xfa\xff\xfa\xff\x3e\xff\x5f\xff\x5f" "\xff\xbf\x9b\xf4\xff\xf5\xff\xdb\xd1\xff\xd7\xff\xef\xe7\xf5\xf7\x60" "\xff\xdf\xe7\xff\xd3\x73\x7a\xad\xff\x1f\x73\xff\xff\x0b\x33\xa9\x48" "\xfe\x07\x00\x00\x80\x2a\x88\xb9\xff\x03\x61\x26\xf2\x3f\x00\x00\x00" "\x94\x46\xcc\xfd\x97\x87\x99\xc8\xff\x00\x00\x00\x50\x1a\x31\xf7\x5f" "\x11\x66\x52\x91\xfc\xaf\xff\xaf\xff\xaf\xff\xaf\xff\xaf\xff\xaf\xff" "\xdf\x4d\xfa\xff\xfa\xff\xed\xe8\xff\xeb\xff\xf7\xf3\xfa\x2f\x74\xff" "\x3f\x1e\xab\xfa\xff\x94\x49\xaf\xf5\xff\x63\xee\xbf\x32\xcc\xa4\x22" "\xf9\x1f\x00\x00\x00\xaa\x20\xe6\xfe\xab\xc2\x4c\xe4\x7f\x00\x00\x00" "\x28\x8d\x98\xfb\xaf\x0e\x33\x91\xff\x01\x00\x00\xa0\x34\x62\xee\xbf" "\x26\xcc\xa4\x22\xf9\x5f\xff\x5f\xff\x5f\xff\x5f\xff\x5f\xff\x5f\xff" "\xbf\x9b\xf4\xff\xf5\xff\xdb\xd1\xff\xd7\xff\xef\xe7\xf5\xfb\xfc\x7f" "\xfd\x7f\x3a\xeb\xb5\xfe\x7f\xcc\xfd\xd7\x86\x99\x54\x24\xff\x03\x00" "\x00\x40\x15\xc4\xdc\x7f\x5d\x98\x89\xfc\x0f\x00\x00\x00\xa5\x11\x73" "\xff\x07\xc3\x4c\xe4\x7f\x00\x00\x00\x28\x8d\x98\xfb\x37\x86\x99\x54" "\x24\xff\xeb\xff\xeb\xff\xeb\xff\xeb\xff\xeb\xff\xeb\xff\x77\x53\x7f" "\xf5\xff\x07\x97\x3c\x47\xff\xbf\xa0\xff\xdf\x48\xff\x5f\xff\x5f\xff" "\x5f\xff\x9f\xf6\x7a\xad\xff\x1f\x73\xff\x87\xc2\x4c\x2a\x92\xff\x01" "\x00\x00\xa0\x0a\x62\xee\xbf\x3e\xcc\x44\xfe\x07\x00\x00\x80\xd2\x88" "\xb9\xff\x86\x30\x13\xf9\x1f\x00\x00\x00\x4a\x23\xe6\xfe\x4d\x61\x26" "\x15\xc9\xff\xfa\xff\xfa\xff\xfa\xff\xfa\xff\xfa\xff\xfa\xff\xdd\xd4" "\x5f\xfd\xff\xa5\xe9\xff\x17\xf4\xff\x1b\xe9\xff\xeb\xff\xeb\xff\xeb" "\xff\xd3\x5e\xaf\xf5\xff\x63\xee\xdf\x1c\x66\x52\x91\xfc\x0f\x00\x00" "\x00\x55\x10\x73\xff\x96\x30\x13\xf9\x1f\x00\x00\x00\x4a\x23\xe6\xfe" "\x1b\xc3\x4c\xe4\x7f\x00\x00\x00\x28\x8d\x98\xfb\x6f\x0a\x33\xa9\x48" "\xfe\xd7\xff\xd7\xff\xd7\xff\xd7\xff\xd7\xff\xd7\xff\xef\x26\xfd\xff" "\x32\xf6\xff\xff\x67\x5e\xff\xbf\xa0\xff\xaf\xff\xaf\xff\xdf\xb9\xff" "\xbf\xa6\xd3\x15\x51\x6a\xbd\xd6\xff\x8f\xb9\xff\xe6\x30\x93\x8a\xe4" "\x7f\x00\x00\x00\xa8\x82\x98\xfb\x6f\x09\x33\x91\xff\x01\x00\x00\xa0" "\x34\x62\xee\xbf\x35\xcc\x44\xfe\x07\x00\x00\x80\xd2\x88\xb9\x7f\x6b" "\x98\x49\x45\xf2\xbf\xfe\xbf\xfe\xbf\xfe\xbf\xfe\xbf\xfe\xbf\xfe\x7f" "\x37\xe9\xff\x97\xb1\xff\xef\xf3\xff\x23\xfd\x7f\xfd\x7f\xfd\x7f\x9f" "\xff\x4f\x7b\xbd\xd6\xff\x8f\xb9\xff\xb6\x30\x93\x8a\xe4\x7f\x00\x00" "\x00\xa8\x82\x98\xfb\x6f\x0f\x33\x91\xff\x01\x00\x00\xa0\x34\x62\xee" "\xbf\x23\xcc\x44\xfe\x07\x00\x00\x80\xd2\x88\xb9\x7f\x2c\xcc\xa4\x22" "\xf9\x5f\xff\x5f\xff\x5f\xff\x5f\xff\x5f\xff\x5f\xff\xbf\x9b\xca\xda" "\xff\x4f\xaf\xa3\xfa\xff\xfa\xff\xfa\xff\xfa\xff\xfa\xff\xfa\xff\x2c" "\xa9\xd7\xfa\xff\x31\xf7\xdf\x19\x66\x52\x91\xfc\x0f\x00\x00\x00\x55" "\x10\x73\xff\x5d\x61\x26\xf2\x3f\x00\x00\x00\x94\x46\xcc\xfd\xe3\x61" "\x26\xf2\x3f\x00\x00\x00\x94\x46\xcc\xfd\x13\x61\x26\xcd\xf9\x7f\xf4" "\x62\xae\xea\xe2\xd1\xff\xd7\xff\xd7\xff\xd7\xff\xd7\xff\xd7\xff\xef" "\xa6\xb2\xf6\xff\x57\xfb\xf3\xff\xd7\x85\xa9\xff\x5f\xd0\xff\x5f\x99" "\xd5\xee\xcf\xf7\xfb\xfa\xf5\xff\xf5\xff\xe9\xac\xd7\xfa\xff\x31\xf7" "\x4f\x86\x99\xf8\xf7\x7f\x00\x00\x00\x28\x8d\x98\xfb\xb7\x85\x99\xc8" "\xff\x00\x00\x00\x50\x1a\x31\xf7\x6f\x0f\x33\x91\xff\x01\x00\x00\xa0" "\x34\x62\xee\xdf\x11\x66\x52\x91\xfc\xaf\xff\xaf\xff\xaf\xff\xaf\xff" "\xaf\xff\xaf\xff\xdf\x4d\xfa\xff\x3e\xff\xbf\x1d\xfd\x7f\xfd\xff\x7e" "\x5e\xbf\xfe\xbf\xfe\x3f\x8d\x06\x5b\x9c\xd6\x6b\xfd\xff\x98\xfb\x77" "\x86\x99\x54\x24\xff\x03\x00\x00\x40\x15\xc4\xdc\xbf\x2b\xcc\x44\xfe" "\x07\x00\x00\x80\xd2\x88\xb9\xff\xee\x30\x13\xf9\x1f\x00\x00\x00\x4a" "\x23\xe6\xfe\x7b\xc2\x4c\x2a\x92\xff\xf5\xff\xf5\xff\xf5\xff\xf5\xff" "\xf5\xff\xf5\xff\xbb\x49\xff\x5f\xff\xbf\x1d\xfd\x7f\xfd\xff\x7e\x5e" "\xbf\xfe\xbf\xfe\x3f\x9d\xf5\x5a\xff\x3f\xe6\xfe\xdd\x61\x26\x15\xc9" "\xff\x00\x00\x00\x50\x05\x31\xf7\x7f\x38\xcc\x44\xfe\x07\x00\x00\x80" "\xd2\x88\xb9\xff\xde\x30\x13\xf9\x1f\x00\x00\x00\xfa\x4a\xab\xcf\x21" "\x8c\x62\xee\xff\x48\x98\x49\x45\xf2\xbf\xfe\x7f\xd9\xfb\xff\xf3\x6b" "\xf5\xff\xf5\xff\xf5\xff\xdb\xaf\xbf\x67\xfa\xff\xe1\x25\x58\xff\xff" "\xdc\xe8\xff\xeb\xff\x67\xfa\xff\x2b\xb6\xda\xfd\xf9\x7e\x5f\xbf\xfe" "\xbf\xfe\x3f\x9d\xf5\x5a\xff\x3f\xe6\xfe\x3d\x61\x26\x15\xc9\xff\x00" "\x00\x00\x50\x05\x31\xf7\xdf\x17\x66\x22\xff\x03\x00\x00\x40\x69\xc4" "\xdc\x7f\x7f\x98\x89\xfc\x0f\x00\x00\x00\xa5\x11\x73\xff\xde\x30\x93" "\x8a\xe4\x7f\xfd\xff\xb2\xf7\xff\x7d\xfe\xbf\xfe\x7f\x9f\xf6\xff\x47" "\x2b\xd8\xff\xf7\xf9\xff\x2b\xa2\xff\xaf\xff\x9f\xe9\xff\xaf\xd8\x4a" "\xfb\xf3\xe1\xc7\x16\xfd\xff\x1e\xea\xff\xe7\xc7\x90\xfe\x3f\xbd\xa8" "\xd7\xfa\xff\x31\xf7\x3f\x10\x66\x52\x91\xfc\x0f\x00\x00\x00\x55\x10" "\x73\xff\x47\xc3\x4c\xe4\x7f\x00\x00\x00\x28\x8d\x98\xfb\x3f\x16\x66" "\x22\xff\x03\x00\x00\x40\x69\xc4\xdc\xff\xf1\x30\x93\x8a\xe4\x7f\xfd" "\x7f\xfd\x7f\xfd\x7f\xfd\xff\x9e\xec\xff\x57\xf1\xf3\xff\xf5\xff\x57" "\x44\xff\x5f\xff\x3f\xd3\xff\x5f\xb1\xd5\xee\xcf\xf7\xfb\xfa\x7b\xa9" "\xff\xef\xf3\xff\xe9\x55\xbd\xd6\xff\x8f\xb9\xff\xc1\x30\x93\x8a\xe4" "\x7f\x00\x00\x00\xa8\x82\x98\xfb\x3f\x11\x66\x22\xff\x03\x00\x00\x40" "\x69\xc4\xdc\xff\xff\xc3\x4c\xe4\x7f\x00\x00\x00\x28\x8d\x98\xfb\x1f" "\x0a\x33\xa9\x48\xfe\xd7\xff\xd7\xff\xd7\xff\xd7\xff\xaf\x70\xff\x7f" "\x5d\xb6\xaa\xfd\xff\xe2\x9a\xf4\xff\xcf\x4f\xdf\xf7\xff\x4f\x9f\xdf" "\xfa\xf5\xff\x0b\xfa\xff\x2b\xb3\xda\xfd\xf9\x7e\x5f\xbf\xfe\xbf\xfe" "\x3f\x9d\xf5\x5a\xff\x3f\xe6\xfe\x5f\x09\x33\xa9\x48\xfe\x07\x00\x00" "\x80\x2a\x88\xb9\xff\xe1\x30\x13\xf9\x1f\x00\x00\x00\x4a\x23\xe6\xfe" "\x4f\x86\x99\xc8\xff\x00\x00\x00\x50\x1a\x31\xf7\xff\x6a\x98\x49\x45" "\xf2\xbf\xfe\xff\xc5\xe9\xff\x0f\xa6\xeb\xd7\xff\xd7\xff\xaf\x6a\xff" "\xff\x92\x5e\xec\xff\xd7\x9c\x7f\xff\x7f\x20\xb4\xb6\x7d\xfe\x7f\x2b" "\xfa\xff\x3e\xff\xbf\x1d\xfd\x7f\xfd\xff\x7e\x5e\xbf\xfe\xbf\xfe\x3f" "\x9d\xf5\x5a\xff\x3f\xe6\xfe\x5f\x0b\x33\xa9\x48\xfe\x07\x00\x00\x80" "\x2a\x88\xb9\xff\xd7\xc3\x4c\xe4\x7f\x00\x00\x00\x28\x8d\x98\xfb\x7f" "\x23\xcc\x44\xfe\x07\x00\x00\x80\xd2\x88\xb9\xff\x91\x30\x93\x8a\xe4" "\x7f\xfd\x7f\x9f\xff\xaf\xff\xaf\xff\x5f\xe1\xcf\xff\xaf\x59\xbd\xcf" "\xff\xd7\xff\xbf\x10\xf4\xff\xf5\xff\x33\xfd\xff\x15\x5b\xed\xfe\x7c" "\xbf\xaf\x5f\xff\x5f\xff\x9f\xce\x7a\xad\xff\x1f\x73\xff\x6f\x86\x99" "\x54\x24\xff\x03\x00\x00\x40\x15\xc4\xdc\xff\x68\x98\x49\xca\xff\x83" "\xab\xb0\x2a\x00\x00\x00\xe0\x42\x8a\xb9\xff\x53\x61\x26\xfe\xfd\x1f" "\x00\x00\x00\x4a\x23\xe6\xfe\x4f\x87\x99\x54\x24\xff\xeb\xff\xeb\xff" "\xeb\xff\xeb\xff\x77\xa1\xff\x5f\xdb\x44\xff\x5f\xff\x3f\xd3\xff\xd7" "\xff\xef\x40\xff\x5f\xff\xbf\x9f\xd7\xaf\xff\xaf\xff\x4f\x67\xbd\xd6" "\xff\x8f\xb9\xff\xb1\x30\x93\x8a\xe4\x7f\x00\x00\x00\xa8\x82\x98\xfb" "\x3f\x13\x66\x22\xff\x03\x00\x00\x40\x69\xc4\xdc\xff\x5b\x61\x26\xf2" "\x3f\x00\x00\x00\x94\x46\xcc\xfd\xbf\x1d\x66\x52\x91\xfc\xaf\xff\xaf" "\xff\xaf\xff\xaf\xff\xef\xf3\xff\xf5\xff\xbb\x49\xff\x7f\x71\xff\x3f" "\x7f\x0d\x5b\xcd\xfe\xff\x9a\xe5\x6c\xa8\xff\xbf\x2c\xfa\xff\xfa\xff" "\xfa\xff\xfa\xff\xb4\xd7\x6b\xfd\xff\x98\xfb\x3f\x1b\x66\x52\x91\xfc" "\x0f\x00\x00\x00\x55\x10\x73\xff\xef\x84\x99\xc8\xff\x00\x00\x00\x50" "\x1a\x31\xf7\xff\x6e\x98\x89\xfc\x0f\x00\x00\x00\xa5\x11\x73\xff\xe3" "\x61\x26\x15\xc9\xff\xfa\xff\xfa\xff\xfa\xff\xe7\xde\xff\x0f\x0f\x97" "\xfe\x7f\xd3\x7a\xf4\xff\xf5\xff\x5b\xd1\xff\xf7\xf9\xff\xed\xe8\xff" "\xeb\xff\xf7\xf3\xfa\xf5\xff\xf5\xff\xe9\xac\xd7\xfa\xff\x31\xf7\x7f" "\x2e\xcc\xa4\x22\xf9\x1f\x00\x00\x00\xaa\x20\xe6\xfe\xdf\x0b\x33\x91" "\xff\x01\x00\x00\xa0\x34\x62\xee\xdf\x17\x66\x22\xff\x03\x00\x00\x40" "\x69\xc4\xdc\xff\x44\x98\x49\x45\xf2\xbf\xfe\xbf\xfe\xbf\xfe\xbf\xcf" "\xff\xd7\xff\xd7\xff\xef\x26\xfd\x7f\xfd\xff\x76\xf4\xff\xf5\xff\xfb" "\x79\xfd\xfa\xff\xfa\xff\x74\xd6\x6b\xfd\xff\x98\xfb\xf7\x87\x99\x54" "\x24\xff\x03\x00\x00\x40\x15\xc4\xdc\xff\xf9\x30\x13\xf9\x1f\x00\x00" "\x00\x4a\x23\xe6\xfe\x03\x61\x26\xf2\x3f\x00\x00\x00\x94\x46\xcc\xfd" "\x07\xc3\x4c\x2a\x92\xff\xf5\xff\xf5\xff\xf5\xff\xf5\xff\xf5\xff\xf5" "\xff\xbb\x49\xff\x5f\xff\xbf\x1d\xfd\x7f\xfd\xff\x7e\x5e\xbf\xfe\xbf" "\xfe\x3f\x9d\xf5\x5a\xff\x3f\xe6\xfe\xa9\x30\x93\x8a\xe4\x7f\x00\x00" "\x00\xa8\x82\x98\xfb\x0f\x85\x99\xc8\xff\x00\x00\x00\x50\x1a\x31\xf7" "\x1f\x0e\x33\x91\xff\x01\x00\x00\xa0\x34\x62\xee\x7f\x32\xcc\xa4\x22" "\xf9\x5f\xff\x5f\xff\x5f\xff\x5f\xff\x5f\xff\x5f\xff\xbf\x9b\xf4\xff" "\xf5\xff\xdb\xd1\xff\xd7\xff\xef\xe7\xf5\xeb\xff\xeb\xff\xd3\x59\xaf" "\xf5\xff\x63\xee\x3f\x12\x66\x52\x91\xfc\x0f\x00\x00\x00\x55\x10\x73" "\xff\x17\xc2\x4c\xe4\x7f\x00\x00\x00\x28\x8d\x98\xfb\xbf\x18\x66\x22" "\xff\x03\x00\x00\x40\x69\xc4\xdc\x7f\x34\xcc\xa4\x22\xf9\x5f\xff\x5f" "\xff\x5f\xff\x5f\xff\x5f\xff\x5f\xff\xbf\x9b\xf4\xff\xf5\xff\xdb\xd1" "\xff\xd7\xff\xef\xe7\xf5\xeb\xff\xeb\xff\xd3\x59\xaf\xf5\xff\x63\xee" "\x3f\x16\x66\x52\x91\xfc\x0f\x00\x00\x00\x55\x10\x73\xff\xf1\x30\x13" "\xf9\x1f\x00\x00\x00\x4a\x23\xe6\xfe\x13\x61\x26\xf2\x3f\x00\x00\x00" "\x94\x46\xcc\xfd\x27\xc3\x4c\x2a\x92\xff\xf5\xff\xf5\xff\xf5\xff\xf5" "\xff\xf5\xff\xf5\xff\xbb\x49\xff\x5f\xff\xbf\x1d\xfd\x7f\xfd\xff\x7e" "\x5e\xbf\xfe\xbf\xfe\x3f\x9d\xf5\x5a\xff\x3f\xe6\xfe\xdf\x0f\x33\xa9" "\x48\xfe\x07\x00\x00\x80\x2a\x88\xb9\xff\x54\x98\x89\xfc\x0f\x00\x00" "\x00\xa5\x11\x73\xff\x74\x98\x89\xfc\x0f\x00\x00\x00\xa5\x11\x73\xff" "\x4c\x98\x49\x45\xf2\xbf\xfe\xbf\xfe\xbf\xfe\xbf\xfe\xbf\xfe\xbf\xfe" "\x7f\x37\xe9\xff\xeb\xff\xb7\xa3\xff\xaf\xff\xdf\xcf\xeb\xd7\xff\xd7" "\xff\xa7\xb3\x5e\xeb\xff\xc7\xdc\x3f\x1b\x66\x52\x91\xfc\x0f\x00\x00" "\x00\x55\x10\x73\xff\x53\x61\x26\xf2\x3f\x00\x00\x00\x94\x46\xcc\xfd" "\xff\xc7\xde\x7d\xed\xe8\x75\x56\x71\x1c\xfe\x02\x84\x04\x21\xc4\xb5" "\x70\x05\x5c\x02\xc7\x1c\x72\x15\x74\x42\x87\xd0\x7b\xef\xbd\xf7\xde" "\x7b\xef\x35\xf4\xde\x09\x84\x5e\x82\x64\x14\xcf\x5a\x2b\x91\x3d\xde" "\xdb\x33\x9e\xcf\xdf\xbb\xdf\xf5\x3c\x07\x59\xb2\x30\xf6\x2b\x46\x08" "\xfd\x85\x7e\xda\xf7\x8f\x5b\xec\x7f\x00\x00\x00\x98\x46\xee\xfe\x07" "\xc4\x2d\x4d\xf6\xbf\xfe\x5f\xff\xaf\xff\x1f\xa6\xff\x3f\xea\xfc\xf4" "\xff\xfa\x7f\xfd\xff\x89\xe8\xff\xf5\xff\xbb\x89\xfb\xff\xeb\x2f\xf8" "\xfb\xf4\xff\x63\xbd\x5f\xff\xaf\xff\x67\xdd\x68\xfd\x7f\xee\xfe\x07" "\xc6\x2d\x4d\xf6\x3f\x00\x00\x00\x74\x90\xbb\xff\x41\x71\x8b\xfd\x0f" "\x00\x00\x00\xd3\xc8\xdd\xff\xe0\xb8\xc5\xfe\x07\x00\x00\x80\x69\xe4" "\xee\x7f\x48\xdc\xd2\x64\xff\xeb\xff\xf5\xff\xfa\xff\x61\xfa\x7f\xdf" "\xff\xcf\x9f\xab\xfe\x5f\xff\x7f\x02\xfa\x7f\xfd\xff\x6e\xe2\xfe\xff" "\x42\xfa\xff\xb1\xde\xbf\xe1\xfe\xff\x6e\x3b\xfd\x3f\x57\xc9\x68\xfd" "\x7f\xee\xfe\x87\xc6\x2d\x4d\xf6\x3f\x00\x00\x00\x74\x90\xbb\xff\x61" "\x71\x8b\xfd\x0f\x00\x00\x00\xd3\xc8\xdd\x7f\x43\xdc\x62\xff\x03\x00" "\x00\xc0\x34\x72\xf7\x3f\x3c\x6e\x69\xb2\xff\xf5\xff\xfa\x7f\xfd\xbf" "\xfe\x5f\xff\xaf\xff\xdf\x27\xfd\xbf\xfe\x7f\x89\xfe\x5f\xff\xbf\xe5" "\xf7\x6f\xb8\xff\x3f\x4f\xff\xcf\xd5\x30\x5a\xff\x9f\xbb\xff\x11\x71" "\x4b\x93\xfd\x0f\x00\x00\x00\x1d\xe4\xee\x7f\x64\xdc\x62\xff\x03\x00" "\x00\xc0\x34\x72\xf7\x3f\x2a\x6e\xb1\xff\x01\x00\x00\x60\x1a\xb9\xfb" "\x1f\x1d\xb7\x34\xd9\xff\xfa\x7f\xfd\xbf\xfe\x5f\xff\xaf\xff\xd7\xff" "\xef\x93\xfe\x5f\xff\xbf\x44\xff\xaf\xff\xdf\xf2\xfb\xf5\xff\xfa\x7f" "\xd6\x8d\xd6\xff\xe7\xee\x7f\x4c\xdc\xd2\x64\xff\x03\x00\x00\x40\x07" "\xb9\xfb\x1f\x1b\xb7\xd8\xff\x00\x00\x00\x30\x8d\xdc\xfd\x8f\x8b\x5b" "\xec\x7f\x00\x00\x00\x98\x46\xee\xfe\xc7\xc7\x2d\x4d\xf6\xbf\xfe\x5f" "\xff\xbf\x95\xfe\xff\x2e\xfa\xff\xa2\xff\xd7\xff\x6f\x89\xfe\x5f\xff" "\xbf\x44\xff\xaf\xff\xdf\xf2\xfb\xf5\xff\xfa\x7f\xd6\xed\xbd\xff\xbf" "\xcf\x8d\xe7\xef\xe5\xf6\xff\xb9\xfb\x6f\x8c\x5b\x9a\xec\x7f\x00\x00" "\x00\xe8\x20\x77\xff\x13\xe2\x16\xfb\x1f\x00\x00\x00\xa6\x91\xbb\xff" "\x89\x71\x8b\xfd\x0f\x00\x00\x00\xd3\xc8\xdd\xff\xa4\xb8\xa5\xc9\xfe" "\xd7\xff\xeb\xff\x6f\xef\xff\xcf\x5d\x33\x72\xff\x7f\xdc\xfb\xf5\xff" "\xfa\xff\x9d\xfe\x7f\x78\x0b\xef\xbf\xee\x2c\xfe\x7c\xfd\xbf\xfe\x7f" "\xa7\xff\x3f\xb5\x4b\xf7\xf3\x97\xf7\x9f\x84\xfe\x5f\xff\xaf\xff\x67" "\xcd\xde\xfb\xff\x95\xde\xff\xc2\x5f\xe7\xee\x7f\x72\xdc\xd2\x64\xff" "\x03\x00\x00\x40\x07\xb9\xfb\x9f\x12\xb7\xd8\xff\x00\x00\x00\x30\x8d" "\xdc\xfd\x4f\x8d\x5b\xec\x7f\x00\x00\x00\x98\x46\xee\xfe\xa7\xc5\x2d" "\x4d\xf6\xbf\xfe\x5f\xff\xbf\x95\xef\xff\x1f\xf7\xfe\xd9\xfa\xff\x73" "\x37\x1c\xfd\x3c\xef\xf8\xe7\xe8\xff\xf5\xff\x13\xf7\xff\x67\x42\xff" "\xaf\xff\xdf\xe9\xff\x4f\xed\xd0\xfd\xfc\xd6\xdf\xbf\xd4\xff\xdf\xfb" "\x32\xde\xaf\xff\xa7\x83\xd1\xfa\xff\xdc\xfd\x4f\x8f\x5b\x9a\xec\x7f" "\x00\x00\x00\xe8\x20\x77\xff\x33\xe2\x16\xfb\x1f\x00\x00\x00\xa6\x91" "\xbb\xff\x99\x71\x8b\xfd\x0f\x00\x00\x00\xd3\xc8\xdd\xff\xac\xb8\xa5" "\xc9\xfe\xd7\xff\xeb\xff\xf5\xff\xe3\xf4\xff\xbe\xff\x1f\x3f\x57\xfd" "\xbf\xfe\xff\x04\xf4\xff\xfa\xff\xdd\x69\xfb\xff\xbb\xea\xff\x0f\xdd" "\xcf\x6f\xfd\xfd\xbe\xff\xaf\xff\x67\xdd\x68\xfd\x7f\xee\xfe\x67\xc7" "\x2d\x4d\xf6\x3f\x00\x00\x00\x74\x90\xbb\xff\x39\x71\x8b\xfd\x0f\x00" "\x00\x00\xd3\xc8\xdd\xff\xdc\xb8\xc5\xfe\x07\x00\x00\x80\x69\xe4\xee" "\x7f\x5e\xdc\xd2\x64\xff\xeb\xff\xf5\xff\xfa\x7f\xfd\xff\x15\xf5\xff" "\x77\xd6\xff\xeb\xff\x97\xe9\xff\xf5\xff\x4b\x7c\xff\x5f\xff\xbf\xe5" "\xf7\xeb\xff\xf5\xff\xac\x3b\x4c\xff\x7f\xdb\xb8\x3a\xbe\xff\xcf\xdd" "\xff\xfc\xb8\xa5\xc9\xfe\x07\x00\x00\x80\x0e\x72\xf7\xbf\x20\x6e\xb1" "\xff\x01\x00\x00\x60\x1a\xb9\xfb\x5f\x18\xb7\xd8\xff\x00\x00\x00\x30" "\x8d\xdc\xfd\x2f\x8a\x5b\x9a\xec\x7f\xfd\xbf\xfe\x5f\xff\xaf\xff\xf7" "\xfd\x7f\xfd\xff\x3e\xe9\xff\xa7\xeb\xff\xaf\xd1\xff\xdf\x4e\xff\xaf" "\xff\xd7\xff\xeb\xff\x59\x76\x98\xfe\xff\xd2\xbf\xce\xdd\xff\xe2\xb8" "\xa5\xc9\xfe\x07\x00\x00\x80\x0e\x72\xf7\xbf\x24\x6e\xb1\xff\x01\x00" "\x00\x60\x1a\xb9\xfb\x5f\x1a\xb7\xd8\xff\x00\x00\x00\x30\x8d\xdc\xfd" "\x2f\x8b\x5b\x9a\xec\x7f\xfd\xbf\xfe\x5f\xff\xaf\xff\xd7\xff\xeb\xff" "\xf7\x49\xff\x3f\x5d\xff\xef\xfb\xff\x77\xa0\xff\xd7\xff\xeb\xff\xf5" "\xff\x2c\x1b\xad\xff\xcf\xdd\xff\xf2\xb8\xa5\xc9\xfe\x07\x00\x00\x80" "\x0e\x72\xf7\xbf\x22\x6e\xb1\xff\x01\x00\x00\x60\x1a\xb9\xfb\x5f\x19" "\xb7\xd8\xff\x00\x00\x00\x30\x8d\xdc\xfd\xaf\x8a\x5b\x9a\xec\x7f\xfd" "\xbf\xfe\x5f\xff\xaf\xff\xd7\xff\xeb\xff\xf7\x49\xff\xaf\xff\x5f\xa2" "\xff\x3f\xbe\xff\xbf\xfe\x12\x7f\x9f\xfe\x7f\xac\xf7\xeb\xff\xf5\xff" "\xac\x1b\xad\xff\xcf\xdd\xff\xea\xb8\xa5\xc9\xfe\x07\x00\x00\x80\x0e" "\x72\xf7\xbf\x26\x6e\xb1\xff\x01\x00\x00\x60\x1a\xb9\xfb\x5f\x1b\xb7" "\xd8\xff\x00\x00\x00\x30\x8d\xdc\xfd\xaf\x8b\x5b\x9a\xec\xff\x4b\xf5" "\xff\xb7\xdc\xfd\xe8\x5f\xd7\xff\x5f\x1e\xfd\xff\xf1\xef\xd7\xff\xeb" "\xff\xf5\xff\xfa\x7f\xfd\xbf\xfe\x7f\x89\xfe\xdf\xf7\xff\xb7\xfc\x7e" "\xfd\xbf\xfe\x9f\x75\xa7\xef\xff\x6f\xbd\xe0\x7f\x81\xce\xa6\xff\xcf" "\xdd\xff\xfa\xb8\xa5\xc9\xfe\x07\x00\x00\x80\x0e\x72\xf7\xbf\x21\x6e" "\xb1\xff\x01\x00\x00\x60\x1a\xb9\xfb\xdf\x18\xb7\xd8\xff\x00\x00\x00" "\x30\x8d\xdc\xfd\x6f\x8a\x5b\x9a\xec\x7f\xdf\xff\xd7\xff\xeb\xff\xf5" "\xff\xfa\x7f\xfd\xff\x3e\xe9\xff\xf5\xff\x4b\xf4\xff\xfa\xff\x2d\xbf" "\x5f\xff\xaf\xff\x67\xdd\xe9\xfb\xff\x8b\xff\x2d\xe7\xff\x79\x85\xfd" "\x7f\xee\xfe\x37\xc7\x2d\x4d\xf6\x3f\x00\x00\x00\x74\x90\xbb\xff\x2d" "\x71\x8b\xfd\x0f\x00\x00\x00\xd3\xc8\xdd\xff\xd6\xb8\xc5\xfe\x07\x00" "\x00\x80\x69\xe4\xee\x7f\x5b\xdc\xd2\x64\xff\xeb\xff\xf5\xff\x07\xef" "\xff\xef\xa4\xff\x4f\xfa\xff\xf8\xb9\xea\xff\xf5\xff\x27\xa0\xff\xd7" "\xff\xef\xf4\xff\xa7\x76\xe8\x7e\x7e\xeb\xef\xd7\xff\xeb\xff\x59\x37" "\x5a\xff\x9f\xbb\xff\xed\x71\x4b\x93\xfd\x0f\x00\x00\x00\x1d\xe4\xee" "\x7f\x47\xdc\x62\xff\x03\x00\x00\xc0\x34\xce\xef\xfe\x6b\xf3\x57\xf6" "\x3f\x00\x00\x00\xcc\xe8\x9d\xe7\xff\x79\xfd\xee\x5d\x71\x4b\x93\xfd" "\xaf\xff\xd7\xff\x1f\xbc\xff\xf7\xfd\xff\xa2\xff\x8f\x9f\xab\xfe\x5f" "\xff\x7f\x02\xfa\x7f\xfd\xff\x4e\xff\x7f\x6a\x87\xee\xe7\xb7\xfe\x7e" "\xfd\xbf\xfe\x9f\x75\xa3\xf5\xff\xb9\xfb\xdf\x1d\xb7\x34\xd9\xff\x00" "\x00\x00\xd0\x41\xee\xfe\xf7\xc4\x2d\xf6\x3f\x00\x00\x00\x4c\x23\x77" "\xff\x7b\xe3\x16\xfb\x1f\x00\x00\x00\xa6\x91\xbb\xff\x7d\x71\x4b\x93" "\xfd\xaf\xff\xd7\xff\xeb\xff\xf5\xff\xfa\x7f\xfd\xff\x3e\xe9\xff\xf5" "\xff\x4b\xf4\xff\xfa\xff\x2d\xbf\x5f\xff\xaf\xff\x67\xdd\x68\xfd\x7f" "\xee\xfe\xf7\xc7\x2d\x4d\xf6\x3f\x00\x00\x00\x74\x90\xbb\xff\x03\x71" "\x8b\xfd\x0f\x00\x00\x00\xd3\xc8\xdd\xff\xc1\xb8\xc5\xfe\x07\x00\x00" "\x80\x69\xe4\xee\xff\x50\xdc\xd2\x64\xff\xeb\xff\xb7\xde\xff\xdf\xef" "\xe6\x78\x81\xfe\x5f\xff\xaf\xff\xd7\xff\x0f\x49\xff\xaf\xff\x5f\xa2" "\xff\xd7\xff\x6f\xf9\xfd\xfa\x7f\xfd\x3f\xeb\x46\xeb\xff\x73\xf7\x7f" "\x38\x6e\x69\xb2\xff\x01\x00\x00\xa0\x83\xdc\xfd\x1f\x89\x5b\xec\x7f" "\x00\x00\x00\x98\x46\xee\xfe\x8f\xc6\x2d\xf6\x3f\x00\x00\x00\x4c\x23" "\x77\xff\xc7\xe2\x96\x26\xfb\xbf\x47\xff\x7f\xed\x45\xbf\x6d\x9e\xfe" "\xdf\xf7\xff\xf5\xff\xfa\x7f\xfd\xff\xd8\xf4\xff\xfa\xff\x25\xfa\x7f" "\xfd\xff\x96\xdf\xaf\xff\xd7\xff\xb3\x6e\xb4\xfe\x3f\x77\xff\xc7\xe3" "\x96\x26\xfb\x1f\x00\x00\x00\x3a\xc8\xdd\xff\x89\xb8\xc5\xfe\x07\x00" "\x00\x80\x69\xe4\xee\xff\x64\xdc\x62\xff\x03\x00\x00\xc0\x34\x72\xf7" "\x7f\x2a\x6e\x69\xb2\xff\x7b\xf4\xff\x17\xd3\xff\x1f\x39\xf3\xfe\xff" "\xdc\x3d\xf5\xff\xfa\xff\xa2\xff\xd7\xff\xef\xf4\xff\xfa\xff\x15\xfa" "\x7f\xfd\xff\x96\xdf\xaf\xff\xd7\xff\xb3\x6e\xb4\xfe\x3f\x77\xff\xa7" "\xe3\x96\x26\xfb\x1f\x00\x00\x00\x3a\xc8\xdd\xff\x99\xb8\xc5\xfe\x07" "\x00\x00\x80\x69\xe4\xee\xff\x6c\xdc\x62\xff\x03\x00\x00\xc0\x34\x72" "\xf7\x7f\x2e\x6e\xb8\xd7\x3d\x0e\xf7\xa4\xab\x4a\xff\xaf\xff\xf7\xfd" "\x7f\xfd\xbf\xfe\x5f\xff\xbf\x4f\xfa\x7f\xfd\xff\x12\xfd\xbf\xfe\x7f" "\xcb\xef\xd7\xff\xeb\xff\x59\x37\x5a\xff\x9f\xbb\xff\xf3\x71\x8b\xff" "\xff\x1f\x00\x00\x00\xa6\x91\xbb\xff\x0b\x71\x8b\xfd\x0f\x00\x00\x00" "\xd3\xc8\xdd\xff\xc5\xb8\xc5\xfe\x07\x00\x00\x80\x69\xe4\xee\xff\x52" "\xdc\xd2\x64\xff\xeb\xff\xf5\xff\xfa\x7f\xfd\xbf\xfe\x5f\xff\xbf\x4f" "\xfa\x7f\xfd\xff\x12\xfd\xbf\xfe\x7f\xcb\xef\xd7\xff\xeb\xff\x59\x37" "\x5a\xff\x9f\xbb\xff\xcb\x71\x4b\x93\xfd\x0f\x00\x00\x00\x1d\xe4\xee" "\xff\x4a\xdc\x62\xff\x03\x00\x00\xc0\x34\x72\xf7\x7f\x35\x6e\xb1\xff" "\x01\x00\x00\x60\x1a\xb9\xfb\xbf\x16\xb7\x34\xd9\xff\xfa\x7f\xfd\xbf" "\xfe\x5f\xff\xaf\xff\xd7\xff\xef\x93\xfe\x5f\xff\xbf\x44\xff\xaf\xff" "\xdf\xf2\xfb\xf5\xff\xfa\x7f\xd6\x8d\xd6\xff\xe7\xee\xff\x7a\xdc\xd2" "\x64\xff\x03\x00\x00\x40\x07\xb9\xfb\xbf\x11\xb7\xd8\xff\x00\x00\x00" "\x30\x8d\xdc\xfd\xdf\x8c\x5b\xec\x7f\x00\x00\x00\x98\x46\xee\xfe\x6f" "\xc5\x2d\x4d\xf6\xbf\xfe\x5f\xff\xaf\xff\xd7\xff\xeb\xff\xf5\xff\xfb" "\xa4\xff\xd7\xff\x2f\xd1\xff\xeb\xff\xb7\xfc\x7e\xfd\xbf\xfe\x9f\x75" "\xa3\xf5\xff\xb9\xfb\xbf\x1d\xb7\x34\xd9\xff\x00\x00\x00\xd0\x41\xee" "\xfe\xef\xc4\x2d\xf6\x3f\x00\x00\x00\x4c\x23\x77\xff\x77\xe3\x16\xfb" "\x1f\x00\x00\x00\xa6\x91\xbb\xff\xa6\xb8\xa5\xc9\xfe\x9f\xb9\xff\x5f" "\xfa\x6d\xfa\xff\x23\xfa\x7f\xfd\xff\x4e\xff\xaf\xff\xdf\x33\xfd\xbf" "\xfe\x7f\xc9\xa9\xfb\xff\xf8\x2f\x9e\xfe\xff\xca\x1c\xba\x9f\xdf\xfa" "\xfb\xf5\xff\xfa\x7f\xd6\x8d\xd6\xff\xe7\xee\xff\x5e\xdc\xd2\x64\xff" "\x03\x00\x00\x40\x07\xb9\xfb\xbf\x1f\xb7\xd8\xff\x00\x00\x00\x30\x8d" "\xdc\xfd\x3f\x88\x5b\xec\x7f\x00\x00\x00\x98\x46\xee\xfe\x1f\xc6\x2d" "\x4d\xf6\xff\xcc\xfd\xff\x12\xfd\xff\x11\xfd\xbf\xfe\x7f\xa7\xff\xd7" "\xff\xef\x99\xfe\x5f\xff\xbf\xc4\xf7\xff\xf5\xff\x5b\x7e\xbf\xfe\x5f" "\xff\xcf\xba\xd1\xfa\xff\xdc\xfd\x3f\x8a\x5b\x9a\xec\x7f\x00\x00\x00" "\xe8\x20\x77\xff\x8f\xe3\x16\xfb\x1f\x00\x00\x00\xa6\x91\xbb\xff\x27" "\x71\x8b\xfd\x0f\x00\x00\x00\xd3\xc8\xdd\xff\xd3\xb8\xa5\xc9\xfe\xd7" "\xff\xeb\xff\xf5\xff\xfa\x7f\xfd\xbf\xfe\x7f\x9f\xf4\xff\xfa\xff\x25" "\xfa\x7f\xfd\xff\x96\xdf\xaf\xff\xd7\xff\xb3\x6e\xb4\xfe\x3f\x77\xff" "\xcf\xe2\x96\x26\xfb\x1f\x00\x00\x00\x3a\xc8\xdd\xff\xf3\xb8\xc5\xfe" "\x07\x00\x00\x80\x69\xe4\xee\xff\x45\xdc\x62\xff\x03\x00\x00\xc0\x34" "\x72\xf7\xff\x32\x6e\x69\xb2\xff\xf5\xff\xfa\x7f\xfd\xbf\xfe\x5f\xff" "\xaf\xff\xdf\x27\xfd\xbf\xfe\x7f\x89\xfe\x5f\xff\xbf\xe5\xf7\xeb\xff" "\xf5\xff\xac\x1b\xad\xff\xcf\xdd\xff\xab\xb8\xa5\xc9\xfe\x07\x00\x00" "\x80\x0e\x72\xf7\xff\x3a\x6e\xb1\xff\x01\x00\x00\x60\x1a\xb9\xfb\x7f" "\x13\xb7\xd8\xff\x00\x00\x00\x30\x8d\xdc\xfd\xbf\x8d\x5b\x9a\xec\x7f" "\xfd\xbf\xfe\x5f\xff\xaf\xff\xd7\xff\xeb\xff\xf7\x49\xff\xaf\xff\x5f" "\xa2\xff\xd7\xff\x6f\xf9\xfd\xfa\x7f\xfd\x3f\xeb\x46\xeb\xff\x73\xf7" "\xff\x2e\x6e\x69\xb2\xff\x01\x00\x00\xa0\x83\xdc\xfd\xbf\x8f\x5b\xec" "\x7f\x00\x00\x00\x98\x46\xee\xfe\x3f\xc4\x2d\xf6\x3f\x00\x00\x00\x4c" "\x23\x77\xff\x1f\xe3\x96\x26\xfb\x5f\xff\xaf\xff\xd7\xff\xeb\xff\xf5" "\xff\xfa\xff\x7d\xd2\xff\xeb\xff\x97\xe8\xff\xf5\xff\x5b\x7e\xbf\xfe" "\x5f\xff\xcf\xba\xd1\xfa\xff\xdc\xfd\x37\xc7\x2d\x4d\xf6\x3f\x00\x00" "\x00\x74\x90\xbb\xff\x4f\x71\x8b\xfd\x0f\x00\x00\x00\xd3\xc8\xdd\xff" "\xe7\xb8\xc5\xfe\x07\x00\x00\x80\x69\xe4\xee\xbf\x25\x6e\x69\xb2\xff" "\xf5\xff\xfa\xff\x29\xfb\xff\xeb\xf4\xff\xfa\x7f\xfd\xff\x28\xf4\xff" "\xfa\xff\x25\xfa\x7f\xfd\xff\x96\xdf\xaf\xff\xd7\xff\xb3\x6e\xb4\xfe" "\x3f\x77\xff\x5f\xe2\x96\x26\xfb\x1f\x00\x00\x00\x3a\xc8\xdd\xff\xd7" "\xb8\xc5\xfe\x07\x00\x00\x80\x69\xe4\xee\xff\x5b\xdc\x62\xff\x03\x00" "\x00\xc0\x34\x72\xf7\xff\x3d\x6e\x69\xb2\xff\xf5\xff\xfa\xff\x29\xfb" "\x7f\xdf\xff\xd7\xff\xeb\xff\x87\xa1\xff\xd7\xff\x2f\xd1\xff\xeb\xff" "\xb7\xfc\x7e\xfd\xbf\xfe\x9f\x75\xa3\xf5\xff\xb9\xfb\xff\x11\xb7\x34" "\xd9\xff\x00\x00\x00\xd0\x41\xee\xfe\x7f\xc6\x2d\xf6\x3f\x00\x00\x00" "\x4c\x23\x77\xff\xbf\xe2\x16\xfb\x1f\x00\x00\x00\xa6\x91\xbb\xff\xdf" "\x71\x4b\x93\xfd\xaf\xff\xbf\xec\xfe\x7f\xb1\xc9\xd4\xff\x1f\xff\x7e" "\xfd\xff\x6d\x7f\xce\x4d\xf7\xdd\x5d\xf0\xfb\xf5\xff\x47\xf4\xff\xfa" "\xff\xb3\xa0\xff\xd7\xff\xef\xf4\xff\xa7\x76\xe8\x7e\x7e\xeb\xef\xd7" "\xff\xeb\xff\x59\x37\x5a\xff\x9f\xbb\xff\x3f\x71\x4b\x93\xfd\x0f\x00" "\x00\x00\x1d\xe4\xee\xff\x6f\xdc\x62\xff\x03\x00\x00\xc0\x34\x72\xf7" "\xdf\x1a\xb7\xd8\xff\x00\x00\x00\x30\x8d\xdc\xfd\xff\x8b\x5b\x9a\xec" "\x7f\xfd\xbf\xef\xff\xeb\xff\x7d\xff\x5f\xff\xaf\xff\xdf\x27\xfd\xbf" "\xfe\x7f\x89\xfe\x5f\xff\xbf\xe5\xf7\xeb\xff\xf5\xff\xac\x1b\xad\xff" "\xcf\xdd\xff\xff\x00\x00\x00\xff\xff\xfd\x4a\x32\xe9", 24306); syz_mount_image(/*fs=*/0x200000000000, /*dir=*/0x2000000004c0, /*flags=MS_LAZYTIME|MS_REC|MS_NODEV*/ 0x2004004, /*opts=*/0x2000000001c0, /*chdir=*/1, /*size=*/0x5ef2, /*img=*/0x200000010140); break; case 1: memcpy((void*)0x200000000300, "./file1\000", 8); res = syscall( __NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200000000300ul, /*flags=O_NOATIME|O_DIRECT|O_CREAT|O_CLOEXEC|0x2*/ 0xc4042, /*mode=S_IXOTH|S_IWOTH|S_IROTH|S_IXGRP|S_IWGRP|S_IRGRP|S_IXUSR|S_IWUSR|0x100*/ 0x1ff); if (res != -1) r[0] = res; break; case 2: memcpy((void*)0x200000000040, "/dev/nullb0\000", 12); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul, /*flags=*/0, /*mode=*/0); if (res != -1) r[1] = res; break; case 3: syscall(__NR_sendfile, /*fdout=*/r[0], /*fdin=*/r[1], /*off=*/0ul, /*count=*/0xfffe82ul); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1, /*offset=*/0ul); const char* reason; (void)reason; for (procid = 0; procid < 5; procid++) { if (fork() == 0) { use_temporary_dir(); loop(); } } sleep(1000000); return 0; } =================================================================== I hope it helps. Best regards Jianzhou Zhao

6 months, 2 weeks

1
0
0 0

Potential Linux Crash: possible deadlock in kernfs_unlink_sibling in linux6.12.24(longterm maintenance)

by Jianzhou Zhao

Hello, I found a potential bug titled " possible deadlock in kernfs_unlink_sibling " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). (The latest version of 6.12 is 6.12-25 at present. However, after comparison, I found that there seems to be no fix for this bug in the latest version.) Unfortunately, I am unable to reproduce this bug. If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <luckd0g(a)163.com>, xingwei lee <xrivendell7(a)gmail.com>,Penglei Jiang <superman.xpt(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 ------------[ cut here ]----------------------------------------- TITLE: possible deadlock in kernfs_unlink_sibling ------------[ cut here ]------------ ====================================================== ====================================================== WARNING: possible circular locking dependency detected 6.12.24 #3 Not tainted ------------------------------------------------------ syz-executor/42274 is trying to acquire lock: ffff88801bae51e0 (&root->kernfs_iattr_rwsem){++++}-{3:3}, at: kernfs_unlink_sibling+0xad/0x2c0 fs/kernfs/dir.c:413 but task is already holding lock: ffff88801bae5148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_remove_by_name_ns+0x89/0x130 fs/kernfs/dir.c:1689 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #13 (&root->kernfs_rwsem){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 kernfs_add_one+0xac/0x530 fs/kernfs/dir.c:778 kernfs_create_dir_ns+0xfa/0x160 fs/kernfs/dir.c:1071 internal_create_group+0x338/0xeb0 fs/sysfs/group.c:167 cpuhp_invoke_callback+0x3d2/0x9d0 kernel/cpu.c:194 cpuhp_issue_call+0x1c1/0x8d0 kernel/cpu.c:2370 __cpuhp_setup_state_cpuslocked+0x400/0x700 kernel/cpu.c:2516 __cpuhp_setup_state+0x106/0x320 kernel/cpu.c:2545 do_one_initcall+0x10e/0x6d0 init/main.c:1269 do_initcall_level init/main.c:1331 [inline] do_initcalls init/main.c:1347 [inline] do_basic_setup init/main.c:1366 [inline] kernel_init_freeable+0x5ae/0x8a0 init/main.c:1580 kernel_init+0x1e/0x2d0 init/main.c:1469 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #12 (cpuhp_state_mutex){+.+.}-{3:3}: -> #11 (cpu_hotplug_lock){++++}-{0:0}: percpu_down_read include/linux/percpu-rwsem.h:51 [inline] cpus_read_lock+0x42/0x160 kernel/cpu.c:490 __static_call_update+0x8b/0x630 kernel/static_call_inline.c:139 tracepoint_update_call kernel/tracepoint.c:317 [inline] tracepoint_add_func+0xa18/0xe50 kernel/tracepoint.c:358 tracepoint_probe_register_prio kernel/tracepoint.c:511 [inline] tracepoint_probe_register+0xa5/0xf0 kernel/tracepoint.c:531 register_trace_sched_wakeup include/trace/events/sched.h:178 [inline] tracing_sched_register kernel/trace/trace_sched_switch.c:56 [inline] tracing_start_sched_switch+0x97/0x1e0 kernel/trace/trace_sched_switch.c:110 __ftrace_event_enable_disable+0x68b/0x8a0 kernel/trace/trace_events.c:831 ftrace_event_enable_disable kernel/trace/trace_events.c:871 [inline] __ftrace_set_clr_event_nolock+0x29b/0x390 kernel/trace/trace_events.c:1200 __ftrace_set_clr_event kernel/trace/trace_events.c:1222 [inline] trace_set_clr_event+0xec/0x150 kernel/trace/trace_events.c:1287 __set_printk_clr_event kernel/trace/bpf_trace.c:416 [inline] bpf_get_trace_printk_proto+0x22/0x90 kernel/trace/bpf_trace.c:422 bpf_base_func_proto+0x9d6/0xbb0 kernel/bpf/helpers.c:2024 bpf_sk_base_func_proto+0x167/0x190 net/core/filter.c:11925 tc_cls_act_func_proto+0x506/0x510 net/core/filter.c:8289 get_helper_proto kernel/bpf/verifier.c:10430 [inline] mark_fastcall_pattern_for_call+0x242/0xd50 kernel/bpf/verifier.c:16305 mark_fastcall_patterns kernel/bpf/verifier.c:16416 [inline] bpf_check+0x85e6/0xb370 kernel/bpf/verifier.c:22458 bpf_prog_load+0x14d9/0x25d0 kernel/bpf/syscall.c:2847 __sys_bpf+0x1711/0x4f20 kernel/bpf/syscall.c:5667 __do_sys_bpf kernel/bpf/syscall.c:5774 [inline] __se_sys_bpf kernel/bpf/syscall.c:5772 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5772 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #10 (tracepoints_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 tracepoint_probe_register_prio kernel/tracepoint.c:507 [inline] tracepoint_probe_register+0x7c/0xf0 kernel/tracepoint.c:531 register_trace_block_rq_insert include/trace/events/block.h:238 [inline] blk_register_tracepoints+0x1b/0x3c0 kernel/trace/blktrace.c:1094 get_probe_ref kernel/trace/blktrace.c:337 [inline] do_blk_trace_setup+0x98a/0xbc0 kernel/trace/blktrace.c:611 __blk_trace_setup+0xca/0x180 kernel/trace/blktrace.c:630 blk_trace_setup+0x47/0x70 kernel/trace/blktrace.c:648 sg_ioctl_common drivers/scsi/sg.c:1114 [inline] sg_ioctl+0x65e/0x2720 drivers/scsi/sg.c:1156 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #9 (blk_probe_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 get_probe_ref kernel/trace/blktrace.c:335 [inline] do_blk_trace_setup+0x797/0xbc0 kernel/trace/blktrace.c:611 __blk_trace_setup+0xca/0x180 kernel/trace/blktrace.c:630 blk_trace_setup+0x47/0x70 kernel/trace/blktrace.c:648 sg_ioctl_common drivers/scsi/sg.c:1114 [inline] sg_ioctl+0x65e/0x2720 drivers/scsi/sg.c:1156 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #8 (&q->debugfs_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 blk_mq_init_sched+0x436/0x650 block/blk-mq-sched.c:473 elevator_init_mq+0x2cc/0x420 block/elevator.c:610 device_add_disk+0x10e/0x12f0 block/genhd.c:411 sd_probe+0xa0e/0xf80 drivers/scsi/sd.c:4024 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #7 (&q->q_usage_counter(queue)#51){++++}-{0:0}: blk_queue_enter+0x4d0/0x600 block/blk-core.c:328 blk_mq_alloc_request+0x422/0x9c0 block/blk-mq.c:680 scsi_alloc_request drivers/scsi/scsi_lib.c:1227 [inline] scsi_execute_cmd+0x1fe/0xf20 drivers/scsi/scsi_lib.c:304 read_capacity_16+0x1f2/0xe60 drivers/scsi/sd.c:2655 sd_read_capacity drivers/scsi/sd.c:2824 [inline] sd_revalidate_disk.isra.0+0x1989/0xa440 drivers/scsi/sd.c:3734 sd_probe+0x887/0xf80 drivers/scsi/sd.c:4010 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #6 (&q->limits_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 queue_limits_start_update include/linux/blkdev.h:935 [inline] loop_reconfigure_limits+0x1f2/0x960 drivers/block/loop.c:1004 loop_set_block_size drivers/block/loop.c:1474 [inline] lo_simple_ioctl drivers/block/loop.c:1497 [inline] lo_ioctl+0xb92/0x1870 drivers/block/loop.c:1560 blkdev_ioctl+0x27b/0x6c0 block/ioctl.c:693 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #5 (&q->q_usage_counter(io)#19){++++}-{0:0}: bio_queue_enter block/blk.h:76 [inline] blk_mq_submit_bio+0x2167/0x2b70 block/blk-mq.c:3090 __submit_bio+0x399/0x630 block/blk-core.c:629 __submit_bio_noacct_mq block/blk-core.c:716 [inline] submit_bio_noacct_nocheck+0x6c3/0xd00 block/blk-core.c:745 submit_bio_noacct+0x57a/0x1fa0 block/blk-core.c:868 nilfs_btnode_submit_block+0x58a/0x6e0 fs/nilfs2/btnode.c:139 __nilfs_btree_get_block+0x10b/0x6b0 fs/nilfs2/btree.c:481 nilfs_btree_do_lookup+0x3ea/0x8e0 fs/nilfs2/btree.c:579 nilfs_btree_lookup+0x4b/0x110 fs/nilfs2/btree.c:696 nilfs_bmap_lookup_at_level+0xd4/0x460 fs/nilfs2/bmap.c:69 nilfs_bmap_lookup fs/nilfs2/bmap.h:182 [inline] nilfs_mdt_submit_block+0x1a1/0x870 fs/nilfs2/mdt.c:141 nilfs_mdt_read_block+0x92/0x3c0 fs/nilfs2/mdt.c:175 nilfs_mdt_get_block+0xd2/0xa40 fs/nilfs2/mdt.c:250 nilfs_palloc_get_block+0xc0/0x310 fs/nilfs2/alloc.c:217 nilfs_palloc_get_entry_block+0x16b/0x1d0 fs/nilfs2/alloc.c:319 nilfs_dat_translate+0x82/0x3b0 fs/nilfs2/dat.c:413 nilfs_bmap_lookup_at_level+0x250/0x460 fs/nilfs2/bmap.c:74 nilfs_bmap_lookup fs/nilfs2/bmap.h:182 [inline] nilfs_mdt_submit_block+0x1a1/0x870 fs/nilfs2/mdt.c:141 nilfs_mdt_read_block+0x92/0x3c0 fs/nilfs2/mdt.c:175 nilfs_mdt_get_block+0xd2/0xa40 fs/nilfs2/mdt.c:250 nilfs_sufile_read+0x20f/0x5f0 fs/nilfs2/sufile.c:1254 nilfs_load_super_root fs/nilfs2/the_nilfs.c:128 [inline] load_nilfs+0x69d/0x1300 fs/nilfs2/the_nilfs.c:299 nilfs_fill_super fs/nilfs2/super.c:1067 [inline] nilfs_get_tree+0xa62/0x10d0 fs/nilfs2/super.c:1220 vfs_get_tree+0x94/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3512 [inline] path_mount+0x6b2/0x1ea0 fs/namespace.c:3839 do_mount fs/namespace.c:3852 [inline] __do_sys_mount fs/namespace.c:4062 [inline] __se_sys_mount fs/namespace.c:4039 [inline] __x64_sys_mount+0x284/0x310 fs/namespace.c:4039 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #4 (&nilfs_bmap_dat_lock_key){++++}-{3:3}: down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 nilfs_bmap_lookup_at_level+0x7f/0x460 fs/nilfs2/bmap.c:68 nilfs_bmap_lookup fs/nilfs2/bmap.h:182 [inline] nilfs_mdt_submit_block+0x1a1/0x870 fs/nilfs2/mdt.c:141 nilfs_mdt_read_block+0x92/0x3c0 fs/nilfs2/mdt.c:175 nilfs_mdt_get_block+0xd2/0xa40 fs/nilfs2/mdt.c:250 nilfs_palloc_get_block+0xc0/0x310 fs/nilfs2/alloc.c:217 nilfs_palloc_get_entry_block+0x16b/0x1d0 fs/nilfs2/alloc.c:319 nilfs_dat_translate+0x82/0x3b0 fs/nilfs2/dat.c:413 nilfs_direct_lookup_contig+0x294/0x330 fs/nilfs2/direct.c:67 nilfs_bmap_lookup_contig+0x89/0x190 fs/nilfs2/bmap.c:100 nilfs_get_block+0x1fc/0xa70 fs/nilfs2/inode.c:82 do_mpage_readpage+0x6e2/0x16a0 fs/mpage.c:225 mpage_readahead+0x344/0x580 fs/mpage.c:374 read_pages+0x19b/0xd50 mm/readahead.c:160 page_cache_ra_unbounded+0x3ac/0x680 mm/readahead.c:290 do_page_cache_ra mm/readahead.c:320 [inline] page_cache_ra_order+0x8ee/0xb70 mm/readahead.c:519 page_cache_sync_ra+0x4e3/0x9e0 mm/readahead.c:607 page_cache_sync_readahead include/linux/pagemap.h:1394 [inline] filemap_get_pages+0x327/0x19f0 mm/filemap.c:2558 filemap_read+0x3a2/0xc70 mm/filemap.c:2656 generic_file_read_iter+0x349/0x450 mm/filemap.c:2844 __kernel_read+0x3c6/0xb20 fs/read_write.c:527 integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:28 ima_calc_file_hash_tfm+0x2bd/0x3c0 security/integrity/ima/ima_crypto.c:480 ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline] ima_calc_file_hash+0x1b5/0x490 security/integrity/ima/ima_crypto.c:568 ima_collect_measurement+0x86c/0xa20 security/integrity/ima/ima_api.c:293 process_measurement+0xff9/0x1fb0 security/integrity/ima/ima_main.c:383 ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:583 security_file_post_open+0x95/0x230 security/security.c:3129 do_open fs/namei.c:3776 [inline] path_openat+0x14d8/0x2960 fs/namei.c:3933 do_filp_open+0x1c7/0x410 fs/namei.c:3960 do_sys_openat2+0x164/0x1d0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x140/0x1f0 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #3 (&bmap->b_sem){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 nilfs_bmap_clear+0x1c/0xa0 fs/nilfs2/bmap.c:319 nilfs_clear_inode+0x21c/0x330 fs/nilfs2/inode.c:869 nilfs_evict_inode+0x3c1/0x530 fs/nilfs2/inode.c:889 evict+0x3ef/0x940 fs/inode.c:725 dispose_list+0x117/0x1e0 fs/inode.c:774 prune_icache_sb+0xeb/0x150 fs/inode.c:963 super_cache_scan+0x37f/0x570 fs/super.c:223 do_shrink_slab+0x44b/0x1190 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0xb61/0x12a0 mm/shrinker.c:628 shrink_one+0x4ad/0x7c0 mm/vmscan.c:4835 shrink_many mm/vmscan.c:4896 [inline] lru_gen_shrink_node mm/vmscan.c:4974 [inline] shrink_node+0x2420/0x3890 mm/vmscan.c:5954 kswapd_shrink_node mm/vmscan.c:6782 [inline] balance_pgdat+0xbe5/0x18c0 mm/vmscan.c:6974 kswapd+0x702/0xd50 mm/vmscan.c:7243 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #2 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire mm/page_alloc.c:3853 [inline] fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:3867 might_alloc include/linux/sched/mm.h:318 [inline] slab_pre_alloc_hook mm/slub.c:4058 [inline] slab_alloc_node mm/slub.c:4136 [inline] kmem_cache_alloc_noprof+0x4e/0x2f0 mm/slub.c:4163 __kernfs_iattrs+0xbc/0x3f0 fs/kernfs/inode.c:37 kernfs_iattrs fs/kernfs/inode.c:60 [inline] kernfs_xattr_set fs/kernfs/inode.c:309 [inline] kernfs_vfs_xattr_set+0x5d/0xe0 fs/kernfs/inode.c:340 __vfs_setxattr+0x173/0x1e0 fs/xattr.c:200 __vfs_setxattr_noperm+0x129/0x670 fs/xattr.c:234 __vfs_setxattr_locked+0x1d7/0x260 fs/xattr.c:295 vfs_setxattr+0x143/0x360 fs/xattr.c:321 do_setxattr+0x171/0x1e0 fs/xattr.c:629 path_setxattr+0x202/0x260 fs/xattr.c:658 __do_sys_setxattr fs/xattr.c:676 [inline] __se_sys_setxattr fs/xattr.c:672 [inline] __x64_sys_setxattr+0xc4/0x160 fs/xattr.c:672 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 (iattr_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 __kernfs_iattrs+0x2b/0x3f0 fs/kernfs/inode.c:32 kernfs_iattrs fs/kernfs/inode.c:60 [inline] __kernfs_setattr+0x4d/0x3d0 fs/kernfs/inode.c:73 kernfs_iop_setattr+0x12b/0x190 fs/kernfs/inode.c:127 notify_change+0x6d3/0x1280 fs/attr.c:503 do_truncate+0x143/0x200 fs/open.c:65 handle_truncate fs/namei.c:3395 [inline] do_open fs/namei.c:3778 [inline] path_openat+0x22b6/0x2960 fs/namei.c:3933 do_filp_open+0x1c7/0x410 fs/namei.c:3960 do_sys_openat2+0x164/0x1d0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x140/0x1f0 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&root->kernfs_iattr_rwsem){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_write+0x92/0x200 kernel/locking/rwsem.c:1577 kernfs_unlink_sibling+0xad/0x2c0 fs/kernfs/dir.c:413 __kernfs_remove+0x2b3/0x670 fs/kernfs/dir.c:1492 kernfs_remove_by_name_ns+0xb4/0x130 fs/kernfs/dir.c:1694 kernfs_remove_by_name include/linux/kernfs.h:625 [inline] remove_files+0x96/0x1c0 fs/sysfs/group.c:28 sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:319 sysfs_remove_groups fs/sysfs/group.c:343 [inline] sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:335 __kobject_del+0x89/0x1f0 lib/kobject.c:595 kobject_cleanup lib/kobject.c:680 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2e5/0x4c0 lib/kobject.c:737 net_rx_queue_update_kobjects+0x4d4/0x640 net/core/net-sysfs.c:1178 remove_queue_kobjects net/core/net-sysfs.c:1953 [inline] netdev_unregister_kobject+0x150/0x270 net/core/net-sysfs.c:2107 unregister_netdevice_many_notify+0x1202/0x1ce0 net/core/dev.c:11503 unregister_netdevice_many net/core/dev.c:11531 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11405 unregister_netdevice include/linux/netdevice.h:3126 [inline] nsim_destroy+0x102/0x6c0 drivers/net/netdevsim/netdev.c:778 __nsim_dev_port_del+0x189/0x240 drivers/net/netdevsim/dev.c:1428 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline] nsim_dev_reload_destroy+0x105/0x490 drivers/net/netdevsim/dev.c:1661 nsim_drv_remove+0x52/0x1d0 drivers/net/netdevsim/dev.c:1676 device_remove+0xc8/0x170 drivers/base/dd.c:567 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x443/0x620 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x395/0x9d0 drivers/base/core.c:3855 device_unregister+0x1e/0xc0 drivers/base/core.c:3896 nsim_bus_dev_del drivers/net/netdevsim/bus.c:462 [inline] del_device_store+0x34e/0x4b0 drivers/net/netdevsim/bus.c:226 bus_attr_store+0x71/0xb0 drivers/base/bus.c:172 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x335/0x500 fs/kernfs/file.c:334 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xbfc/0x10d0 fs/read_write.c:683 ksys_write+0x122/0x250 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Chain exists of: &root->kernfs_iattr_rwsem --> cpuhp_state_mutex --> &root->kernfs_rwsem Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&root->kernfs_rwsem); lock(cpuhp_state_mutex); lock(&root->kernfs_rwsem); lock(&root->kernfs_iattr_rwsem); *** DEADLOCK *** 8 locks held by syz-executor/42274: #0: ffff8880454fe420 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x122/0x250 fs/read_write.c:736 #1: ffff88806a42d488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27a/0x500 fs/kernfs/file.c:325 #2: ffff888043faf0f8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x29e/0x500 fs/kernfs/file.c:326 #3: ffffffff8f280da8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xc9/0x4b0 drivers/net/netdevsim/bus.c:216 #4: ffff88801fc9c0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88801fc9c0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline] #4: ffff88801fc9c0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x620 drivers/base/dd.c:1293 #5: ffff88801fc9d250 (&devlink->lock_key#42){+.+.}-{3:3}, at: nsim_drv_remove+0x4a/0x1d0 drivers/net/netdevsim/dev.c:1675 #6: ffffffff8fce93a8 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x6b/0x6c0 drivers/net/netdevsim/netdev.c:773 #7: ffff88801bae5148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_remove_by_name_ns+0x89/0x130 fs/kernfs/dir.c:1689 stack backtrace: CPU: 1 UID: 0 PID: 42274 Comm: syz-executor Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_circular_bug+0x406/0x5c0 kernel/locking/lockdep.c:2074 check_noncircular+0x2f7/0x3e0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_write+0x92/0x200 kernel/locking/rwsem.c:1577 kernfs_unlink_sibling+0xad/0x2c0 fs/kernfs/dir.c:413 __kernfs_remove+0x2b3/0x670 fs/kernfs/dir.c:1492 kernfs_remove_by_name_ns+0xb4/0x130 fs/kernfs/dir.c:1694 kernfs_remove_by_name include/linux/kernfs.h:625 [inline] remove_files+0x96/0x1c0 fs/sysfs/group.c:28 sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:319 sysfs_remove_groups fs/sysfs/group.c:343 [inline] sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:335 __kobject_del+0x89/0x1f0 lib/kobject.c:595 kobject_cleanup lib/kobject.c:680 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2e5/0x4c0 lib/kobject.c:737 net_rx_queue_update_kobjects+0x4d4/0x640 net/core/net-sysfs.c:1178 remove_queue_kobjects net/core/net-sysfs.c:1953 [inline] netdev_unregister_kobject+0x150/0x270 net/core/net-sysfs.c:2107 unregister_netdevice_many_notify+0x1202/0x1ce0 net/core/dev.c:11503 unregister_netdevice_many net/core/dev.c:11531 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11405 unregister_netdevice include/linux/netdevice.h:3126 [inline] nsim_destroy+0x102/0x6c0 drivers/net/netdevsim/netdev.c:778 __nsim_dev_port_del+0x189/0x240 drivers/net/netdevsim/dev.c:1428 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline] nsim_dev_reload_destroy+0x105/0x490 drivers/net/netdevsim/dev.c:1661 nsim_drv_remove+0x52/0x1d0 drivers/net/netdevsim/dev.c:1676 device_remove+0xc8/0x170 drivers/base/dd.c:567 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x443/0x620 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x395/0x9d0 drivers/base/core.c:3855 device_unregister+0x1e/0xc0 drivers/base/core.c:3896 nsim_bus_dev_del drivers/net/netdevsim/bus.c:462 [inline] del_device_store+0x34e/0x4b0 drivers/net/netdevsim/bus.c:226 bus_attr_store+0x71/0xb0 drivers/base/bus.c:172 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x335/0x500 fs/kernfs/file.c:334 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xbfc/0x10d0 fs/read_write.c:683 ksys_write+0x122/0x250 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7feb2b1ac01f Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 79 0d 03 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 bc 0d 03 00 48 RSP: 002b:00007ffdd4ed8e70 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007feb2b1ac01f RDX: 0000000000000001 RSI: 00007ffdd4ed8ec0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 0000000000000000 R09: 00007ffdd4ed8e10 R10: 0000000000000000 R11: 0000000000000293 R12: 00007feb2b247e34 R13: 00007ffdd4ed8ec0 R14: 0000000000000000 R15: 00007ffdd4ed9aa0 </TASK> netdevsim netdevsim4 netdevsim0: renamed from eth0 netdevsim netdevsim4 netdevsim1: renamed from eth1 netdevsim netdevsim4 netdevsim2: renamed from eth2 netdevsim netdevsim4 netdevsim3: renamed from eth3 8021q: adding VLAN 0 to HW filter on device bond0 8021q: adding VLAN 0 to HW filter on device team0 8021q: adding VLAN 0 to HW filter on device batadv0 veth0_vlan: entered promiscuous mode veth1_vlan: entered promiscuous mode veth0_macvtap: entered promiscuous mode veth1_macvtap: entered promiscuous mode batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: batadv0: Interface activated: batadv_slave_0 batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: batadv0: Interface activated: batadv_slave_1 netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 ieee80211 phy54: Selected rate control algorithm 'minstrel_ht' ieee80211 phy55: Selected rate control algorithm 'minstrel_ht' ================================================================== I hope it helps. Best regards Jianzhou Zhao

6 months, 2 weeks

1
0
0 0

Re: Patch "lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP" has been added to the 6.14-stable tree

by Kees Cook

On April 26, 2025 6:25:09 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP > >to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > lib-kconfig.ubsan-remove-default-ubsan-from-ubsan_in.patch >and it can be found in the queue-6.14 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. Please drop this; it's fixing the other patch that should not be backported. :) -Kees -- Kees Cook

6 months, 2 weeks

3
5
0 0

[PATCH] securityfs: fix missing of d_delete() in securityfs_remove()

by alexjlzheng＠gmail.com

From: Jinliang Zheng <alexjlzheng(a)tencent.com> Consider the following module code: static struct dentry *dentry; static int __init securityfs_test_init(void) { dentry = securityfs_create_dir("standon", NULL); return PTR_ERR(dentry); } static void __exit securityfs_test_exit(void) { securityfs_remove(dentry); } module_init(securityfs_test_init); module_exit(securityfs_test_exit); and then: insmod /path/to/thismodule cd /sys/kernel/security/standon <- we hold 'standon' rmmod thismodule <- 'standon' don't go away insmod /path/to/thismodule <- Failed: File exists! Fix this by adding d_delete() in securityfs_remove(). Fixes: b67dbf9d4c198 ("[PATCH] add securityfs for all LSMs to use") Signed-off-by: Jinliang Zheng <alexjlzheng(a)tencent.com> Cc: <stable(a)vger.kernel.org> --- security/inode.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/inode.c b/security/inode.c index da3ab44c8e57..d99baf26350a 100644 --- a/security/inode.c +++ b/security/inode.c @@ -306,6 +306,7 @@ void securityfs_remove(struct dentry *dentry) simple_rmdir(dir, dentry); else simple_unlink(dir, dentry); + d_delete(dentry); dput(dentry); } inode_unlock(dir); -- 2.49.0

6 months, 2 weeks

4
4
0 0

Re: Patch "lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP" has been added to the 6.12-stable tree

by Kees Cook

On April 26, 2025 6:27:11 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP > >to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > lib-kconfig.ubsan-remove-default-ubsan-from-ubsan_in.patch >and it can be found in the queue-6.12 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. And this too; please drop. :) -Kees -- Kees Cook

6 months, 2 weeks

1
0
0 0

Re: Patch "ubsan/overflow: Rework integer overflow sanitizer option to turn on everything" has been added to the 6.12-stable tree

by Kees Cook

On April 26, 2025 6:27:07 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > ubsan/overflow: Rework integer overflow sanitizer option to turn on everything > >to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > ubsan-overflow-rework-integer-overflow-sanitizer-opt.patch >and it can be found in the queue-6.12 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. Same as the other email; please drop. -Kees -- Kees Cook

6 months, 2 weeks

1
0
0 0

Re: Patch "ubsan/overflow: Rework integer overflow sanitizer option to turn on everything" has been added to the 6.14-stable tree

by Kees Cook

On April 26, 2025 6:25:06 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > ubsan/overflow: Rework integer overflow sanitizer option to turn on everything > >to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > ubsan-overflow-rework-integer-overflow-sanitizer-opt.patch >and it can be found in the queue-6.14 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. Please drop this; it is a config change and should not be backported. -Kees -- Kees Cook

6 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041736-abrasion-yonder-b301@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

6 months, 2 weeks

3
2
0 0

[PATCH stable 6.12 0/4] Fix xdp_devmap_attach failure in BPF selftests

by Shung-Hsi Yu

This patchset backport commit to fix BPF selftests failure in stable 6.12 since commit 972bafed67ca ("bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()"), which is backport of upstream commit 6b3d638ca897. The fix needed is upstream commit c7f2188d68c1 ("selftests/bpf: Adjust data size to have ETH_HLEN"), which in turn depends on upstream commit d5fbcf46ee82 "selftests/bpf: make xdp_cpumap_attach keep redirect prog attached". Latter is part of "selftests/bpf: add coverage for xdp_features in test_progs"[1], and I opt to backport the series entirely since it adds coverage. With these patches the xdp_devmap_attach no longer fails[2]. BPF selftests failure log below for completeness. See [3] for the raw log. Error: #566 xdp_devmap_attach Error: #566/1 xdp_devmap_attach/DEVMAP with programs in entries test_xdp_with_devmap_helpers:PASS:ip netns add devmap_attach_ns 0 nsec test_xdp_with_devmap_helpers:PASS:open_netns 0 nsec test_xdp_with_devmap_helpers:PASS:ip link set dev lo up 0 nsec test_xdp_with_devmap_helpers:PASS:test_xdp_with_devmap_helpers__open_and_load 0 nsec test_xdp_with_devmap_helpers:PASS:Generic attach of program with 8-byte devmap 0 nsec test_xdp_with_devmap_helpers:PASS:bpf_prog_get_info_by_fd 0 nsec test_xdp_with_devmap_helpers:PASS:Add program to devmap entry 0 nsec test_xdp_with_devmap_helpers:PASS:Read devmap entry 0 nsec test_xdp_with_devmap_helpers:PASS:Match program id to devmap entry prog_id 0 nsec test_xdp_with_devmap_helpers:FAIL:XDP test run unexpected error: -22 (errno 22) test_xdp_with_devmap_helpers:PASS:XDP program detach 0 nsec libbpf: Kernel error message: BPF_XDP_DEVMAP programs can not be attached to a device test_xdp_with_devmap_helpers:PASS:Attach of BPF_XDP_DEVMAP program 0 nsec test_xdp_with_devmap_helpers:PASS:Add non-BPF_XDP_DEVMAP program to devmap entry 0 nsec test_xdp_with_devmap_helpers:PASS:Add BPF_XDP program with frags to devmap entry 0 nsec Error: #566/4 xdp_devmap_attach/DEVMAP with programs in entries on veth test_xdp_with_devmap_helpers_veth:PASS:ip netns add devmap_attach_ns 0 nsec test_xdp_with_devmap_helpers_veth:PASS:open_netns 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ip link add veth_src type veth peer name veth_dst 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ip link set dev veth_src up 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ip link set dev veth_dst up 0 nsec test_xdp_with_devmap_helpers_veth:PASS:val.ifindex 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ifindex_dst 0 nsec test_xdp_with_devmap_helpers_veth:PASS:test_xdp_with_devmap_helpers__open_and_load 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Attach of program with 8-byte devmap 0 nsec test_xdp_with_devmap_helpers_veth:PASS:bpf_prog_get_info_by_fd 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Add program to devmap entry 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Read devmap entry 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Match program id to devmap entry prog_id 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Attach of dummy XDP 0 nsec test_xdp_with_devmap_helpers_veth:FAIL:XDP test run unexpected error: -22 (errno 22) test_xdp_with_devmap_helpers_veth:PASS:XDP program detach 0 nsec test_xdp_with_devmap_helpers_veth:PASS:XDP program detach 0 nsec 1: https://lore.kernel.org/all/20241009-convert_xdp_tests-v3-0-51cea913710c@bo… 2: https://github.com/shunghsiyu/libbpf/actions/runs/14569651139/job/408644287… 3: https://github.com/shunghsiyu/libbpf/actions/runs/14562221313/job/408469275… Alexis Lothoré (eBPF Foundation) (3): selftests/bpf: fix bpf_map_redirect call for cpu map test selftests/bpf: make xdp_cpumap_attach keep redirect prog attached selftests/bpf: check program redirect in xdp_cpumap_attach Shigeru Yoshida (1): selftests/bpf: Adjust data size to have ETH_HLEN .../bpf/prog_tests/xdp_cpumap_attach.c | 44 +++++++++++++++---- .../bpf/prog_tests/xdp_devmap_attach.c | 8 ++-- .../bpf/progs/test_xdp_with_cpumap_helpers.c | 7 ++- 3 files changed, 46 insertions(+), 13 deletions(-) -- 2.49.0

6 months, 2 weeks

2
8
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041737-impart-slacker-8722@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

6 months, 2 weeks

3
2
0 0

[PATCH stable 6.12 6.14 1/1] selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure

by Shung-Hsi Yu

From: Ihor Solodrai <ihor.solodrai(a)linux.dev> commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 upstream. "sockmap_ktls disconnect_after_delete" test has been failing on BPF CI after recent merges from netdev: * https://github.com/kernel-patches/bpf/actions/runs/14458537639 * https://github.com/kernel-patches/bpf/actions/runs/14457178732 It happens because disconnect has been disabled for TLS [1], and it renders the test case invalid. Removing all the test code creates a conflict between bpf and bpf-next, so for now only remove the offending assert [2]. The test will be removed later on bpf-next. [1] https://lore.kernel.org/netdev/20250404180334.3224206-1-kuba@kernel.org/ [2] https://lore.kernel.org/bpf/cfc371285323e1a3f3b006bfcf74e6cf7ad65258@linux.… Signed-off-by: Ihor Solodrai <ihor.solodrai(a)linux.dev> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Reviewed-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Link: https://lore.kernel.org/bpf/20250416170246.2438524-1-ihor.solodrai@linux.dev [ shung-hsi.yu: needed because upstream commit 5071a1e606b3 ("net: tls: explicitly disallow disconnect") is backported ] Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c b/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c index 2d0796314862..0a99fd404f6d 100644 --- a/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c @@ -68,7 +68,6 @@ static void test_sockmap_ktls_disconnect_after_delete(int family, int map) goto close_cli; err = disconnect(cli); - ASSERT_OK(err, "disconnect"); close_cli: close(cli); -- 2.49.0

6 months, 2 weeks

3
5
0 0

[PATCH 5.10.y] perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> [ Upstream commit 96a720db59ab330c8562b2437153faa45dac705f ] (The existing patch in queue-5.10 was wrong. queue-5.10/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch It's supposed to change the array snr_uncore_iio_freerunning_events[] rather than icx_uncore_iio_freerunning_events[]. Send the patch to replace the wrong one. With this fix the https://lore.kernel.org/stable/2025042139-protector-rickety-a72d@gregkh/ can be applied then.) There was a mistake in the SNR uncore spec. The counter increments for every 32 bytes of data sent from the IO agent to the SOC, not 4 bytes which was documented in the spec. The event list has been updated: "EventName": "UNC_IIO_BANDWIDTH_IN.PART0_FREERUN", "BriefDescription": "Free running counter that increments for every 32 bytes of data sent from the IO agent to the SOC", Update the scale of the IIO bandwidth in free running counters as well. Fixes: 210cc5f9db7a ("perf/x86/intel/uncore: Add uncore support for Snow Ridge server") Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Acked-by: Peter Zijlstra <a.p.zijlstra(a)chello.nl> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250416142426.3933977-1-kan.liang@linux.intel.com --- arch/x86/events/intel/uncore_snbep.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c index ad084a5a1463..dd70a6b7879b 100644 --- a/arch/x86/events/intel/uncore_snbep.c +++ b/arch/x86/events/intel/uncore_snbep.c @@ -4487,28 +4487,28 @@ static struct uncore_event_desc snr_uncore_iio_freerunning_events[] = { INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"), /* Free-Running IIO BANDWIDTH IN Counters */ INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"), - INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"), INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"), - INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"), INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"), - INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"), INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"), - INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"), INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"), - INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"), INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"), - INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"), INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"), - INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"), INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"), - INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"), + INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.0517578125e-5"), INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"), { /* end: all zeroes */ }, }; -- 2.38.1

6 months, 2 weeks

2
1
0 0

[PATCH 6.1.y] of: module: add buffer overflow check in of_modalias()

by Uwe Kleine-König

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> [ Upstream commit cf7385cb26ac4f0ee6c7385960525ad534323252 ] In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Uwe Kleine-König <ukleinek(a)debian.org> --- Hello, commit cf7385cb26ac4f0ee6c7385960525ad534323252 was already backported to stable/linux-6.6.y as commit 0b0d5701a8bf02f8fee037e81aacf6746558bfd6. In 6.1 the function to fix is in a different file and differently named since v6.1 lacks commits 5c3d15e127eb ("of: Update of_device_get_modalias()") and bd7a7ed774af ("of: Move of_modalias() to module.c") This is the respective backport to 6.1. Looking into that commit was triggered by https://bugs.debian.org/1103277 and my backport is identical to this bug's reporter's. Thanks for considering it for the next 6.1.y update. Best regards Uwe drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index ce225d2590b5..91d92bfe5735 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -264,14 +264,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); base-commit: 535ec20c50273d81b2cc7985fed2108dee0e65d7 -- 2.47.2

6 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041733-cosmetics-brigade-9ed7@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

6 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041734-deport-antennae-d763@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

6 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041731-release-charity-8e70@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

6 months, 2 weeks

3
2
0 0

[tip: irq/urgent] irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()

by tip-bot2 for Suzuki K Poulose

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: 3318dc299b072a0511d6dfd8367f3304fb6d9827 Gitweb: https://git.kernel.org/tip/3318dc299b072a0511d6dfd8367f3304fb6d9827 Author: Suzuki K Poulose <suzuki.poulose(a)arm.com> AuthorDate: Tue, 22 Apr 2025 17:16:16 +01:00 Committer: Ingo Molnar <mingo(a)kernel.org> CommitterDate: Sat, 26 Apr 2025 10:17:24 +02:00 irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger: Unable to handle kernel paging request at virtual address ffff8000816c0400 gicv2m_get_fwnode+0x0/0x58 (P) pci_set_bus_msi_domain+0x74/0x88 pci_register_host_bridge+0x194/0x548 This is easily reproducible on a Juno board with ACPI boot. Retain the function for later use. Fixes: 0644b3daca28 ("irqchip/gic-v2m: acpi: Introducing GICv2m ACPI support") Signed-off-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/irqchip/irq-gic-v2m.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-gic-v2m.c b/drivers/irqchip/irq-gic-v2m.c index c698948..dc98c39 100644 --- a/drivers/irqchip/irq-gic-v2m.c +++ b/drivers/irqchip/irq-gic-v2m.c @@ -421,7 +421,7 @@ static int __init gicv2m_of_init(struct fwnode_handle *parent_handle, #ifdef CONFIG_ACPI static int acpi_num_msi; -static __init struct fwnode_handle *gicv2m_get_fwnode(struct device *dev) +static struct fwnode_handle *gicv2m_get_fwnode(struct device *dev) { struct v2m_data *data;

6 months, 2 weeks

1
0
0 0

Re: G R A N T

by U N

Dear, Send your Ref: FSG2025 / Name / Phone Number / Country to Mr. Andrej Mahecic on un.grant(a)socialworker.net, +1 888 673 0430 for your £100,000.00 payment. Sincerely Mr. C. Gunness On behalf of the UN.

6 months, 2 weeks

1
0
0 0

[PATCH] Revert "rndis_host: Flag RNDIS modems as WWAN devices"

by Christian Heusel

This reverts commit 67d1a8956d2d62fe6b4c13ebabb57806098511d8. Since this commit has been proven to be problematic for the setup of USB-tethered ethernet connections and the related breakage is very noticeable for users it should be reverted until a fixed version of the change can be rolled out. Closes: https://lore.kernel.org/all/e0df2d85-1296-4317-b717-bd757e3ab928@heusel.eu/ Link: https://chaos.social/@gromit/114377862699921553 Link: https://bugzilla.kernel.org/show_bug.cgi?id=220002 Link: https://bugs.gentoo.org/953555 Link: https://bbs.archlinux.org/viewtopic.php?id=304892 Cc: stable(a)vger.kernel.org Acked-by: Lubomir Rintel <lkundrak(a)v3.sk> Signed-off-by: Christian Heusel <christian(a)heusel.eu> --- drivers/net/usb/rndis_host.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c index bb0bf1415872745aea177ce0ba7d6eb578cb4a47..7b3739b29c8f72b7b108c5f4ae11fdfcf243237d 100644 --- a/drivers/net/usb/rndis_host.c +++ b/drivers/net/usb/rndis_host.c @@ -630,16 +630,6 @@ static const struct driver_info zte_rndis_info = { .tx_fixup = rndis_tx_fixup, }; -static const struct driver_info wwan_rndis_info = { - .description = "Mobile Broadband RNDIS device", - .flags = FLAG_WWAN | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT, - .bind = rndis_bind, - .unbind = rndis_unbind, - .status = rndis_status, - .rx_fixup = rndis_rx_fixup, - .tx_fixup = rndis_tx_fixup, -}; - /*-------------------------------------------------------------------------*/ static const struct usb_device_id products [] = { @@ -676,11 +666,9 @@ static const struct usb_device_id products [] = { USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3), .driver_info = (unsigned long) &rndis_info, }, { - /* Mobile Broadband Modem, seen in Novatel Verizon USB730L and - * Telit FN990A (RNDIS) - */ + /* Novatel Verizon USB730L */ USB_INTERFACE_INFO(USB_CLASS_MISC, 4, 1), - .driver_info = (unsigned long)&wwan_rndis_info, + .driver_info = (unsigned long) &rndis_info, }, { }, // END }; --- base-commit: 9c32cda43eb78f78c73aee4aa344b777714e259b change-id: 20250424-usb-tethering-fix-398688b32dad Best regards, -- Christian Heusel <christian(a)heusel.eu>

6 months, 2 weeks

4
3
0 0

+ mm-vmalloc-support-more-granular-vrealloc-sizing.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: vmalloc: support more granular vrealloc() sizing has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-vmalloc-support-more-granular-vrealloc-sizing.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kees Cook <kees(a)kernel.org> Subject: mm: vmalloc: support more granular vrealloc() sizing Date: Fri, 25 Apr 2025 17:11:07 -0700 Introduce struct vm_struct::requested_size so that the requested (re)allocation size is retained separately from the allocated area size. This means that KASAN will correctly poison the correct spans of requested bytes. This also means we can support growing the usable portion of an allocation that can already be supported by the existing area's existing allocation. Link: https://lkml.kernel.org/r/20250426001105.it.679-kees@kernel.org Fixes: 3ddc2fefe6f3 ("mm: vmalloc: implement vrealloc()") Signed-off-by: Kees Cook <kees(a)kernel.org> Reported-by: Erhard Furtner <erhard_f(a)mailbox.org> Closes: https://lore.kernel.org/all/20250408192503.6149a816@outsider.home/ Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/vmalloc.h | 1 + mm/vmalloc.c | 31 ++++++++++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) --- a/include/linux/vmalloc.h~mm-vmalloc-support-more-granular-vrealloc-sizing +++ a/include/linux/vmalloc.h @@ -61,6 +61,7 @@ struct vm_struct { unsigned int nr_pages; phys_addr_t phys_addr; const void *caller; + unsigned long requested_size; }; struct vmap_area { --- a/mm/vmalloc.c~mm-vmalloc-support-more-granular-vrealloc-sizing +++ a/mm/vmalloc.c @@ -1940,7 +1940,7 @@ static inline void setup_vmalloc_vm(stru { vm->flags = flags; vm->addr = (void *)va->va_start; - vm->size = va_size(va); + vm->size = vm->requested_size = va_size(va); vm->caller = caller; va->vm = vm; } @@ -3133,6 +3133,7 @@ struct vm_struct *__get_vm_area_node(uns area->flags = flags; area->caller = caller; + area->requested_size = requested_size; va = alloc_vmap_area(size, align, start, end, node, gfp_mask, 0, area); if (IS_ERR(va)) { @@ -4063,6 +4064,8 @@ EXPORT_SYMBOL(vzalloc_node_noprof); */ void *vrealloc_noprof(const void *p, size_t size, gfp_t flags) { + struct vm_struct *vm = NULL; + size_t alloced_size = 0; size_t old_size = 0; void *n; @@ -4072,15 +4075,17 @@ void *vrealloc_noprof(const void *p, siz } if (p) { - struct vm_struct *vm; - vm = find_vm_area(p); if (unlikely(!vm)) { WARN(1, "Trying to vrealloc() nonexistent vm area (%p)\n", p); return NULL; } - old_size = get_vm_area_size(vm); + alloced_size = get_vm_area_size(vm); + old_size = vm->requested_size; + if (WARN(alloced_size < old_size, + "vrealloc() has mismatched area vs requested sizes (%p)\n", p)) + return NULL; } /* @@ -4088,14 +4093,26 @@ void *vrealloc_noprof(const void *p, siz * would be a good heuristic for when to shrink the vm_area? */ if (size <= old_size) { - /* Zero out spare memory. */ - if (want_init_on_alloc(flags)) + /* Zero out "freed" memory. */ + if (want_init_on_free()) memset((void *)p + size, 0, old_size - size); + vm->requested_size = size; kasan_poison_vmalloc(p + size, old_size - size); - kasan_unpoison_vmalloc(p, size, KASAN_VMALLOC_PROT_NORMAL); return (void *)p; } + /* + * We already have the bytes available in the allocation; use them. + */ + if (size <= alloced_size) { + kasan_unpoison_vmalloc(p + old_size, size - old_size, + KASAN_VMALLOC_PROT_NORMAL); + /* Zero out "alloced" memory. */ + if (want_init_on_alloc(flags)) + memset((void *)p + old_size, 0, size - old_size); + vm->requested_size = size; + } + /* TODO: Grow the vm_area, i.e. allocate and map additional pages. */ n = __vmalloc_noprof(size, flags); if (!n) _ Patches currently in -mm which might be from kees(a)kernel.org are mm-vmalloc-support-more-granular-vrealloc-sizing.patch

6 months, 2 weeks

1
0
0 0

[PATCH v2] usb: dwc3: Abort suspend on soft disconnect failure

by Kuen-Han Tsai

When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps going with the suspend, resulting in a period where the power domain is off, but the gadget driver remains connected. Within this time frame, invoking vbus_event_work() will cause an error as it attempts to access DWC3 registers for endpoint disabling after the power domain has been completely shut down. Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the controller and proceeds with a soft connect. Fixes: c8540870af4c ("usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume()") CC: stable(a)vger.kernel.org Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> --- Kernel panic - not syncing: Asynchronous SError Interrupt Workqueue: events vbus_event_work Call trace: dump_backtrace+0xf4/0x118 show_stack+0x18/0x24 dump_stack_lvl+0x60/0x7c dump_stack+0x18/0x3c panic+0x16c/0x390 nmi_panic+0xa4/0xa8 arm64_serror_panic+0x6c/0x94 do_serror+0xc4/0xd0 el1h_64_error_handler+0x34/0x48 el1h_64_error+0x68/0x6c readl+0x4c/0x8c __dwc3_gadget_ep_disable+0x48/0x230 dwc3_gadget_ep_disable+0x50/0xc0 usb_ep_disable+0x44/0xe4 ffs_func_eps_disable+0x64/0xc8 ffs_func_set_alt+0x74/0x368 ffs_func_disable+0x18/0x28 composite_disconnect+0x90/0xec configfs_composite_disconnect+0x64/0x88 usb_gadget_disconnect_locked+0xc0/0x168 vbus_event_work+0x3c/0x58 process_one_work+0x1e4/0x43c worker_thread+0x25c/0x430 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 --- Changelog: v2: - move declarations in separate lines - add the Fixes tag drivers/usb/dwc3/core.c | 9 +++++++-- drivers/usb/dwc3/gadget.c | 22 +++++++++------------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 66a08b527165..1cf1996ae1fb 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2388,6 +2388,7 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) { u32 reg; int i; + int ret; if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & @@ -2406,7 +2407,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) break; - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret synchronize_irq(dwc->irq_gadget); dwc3_core_exit(dwc); break; @@ -2441,7 +2444,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { - dwc3_gadget_suspend(dwc); + ret = dwc3_gadget_suspend(dwc); + if (ret) + return ret; synchronize_irq(dwc->irq_gadget); } diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 89a4dc8ebf94..316c1589618e 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4776,26 +4776,22 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) int ret; ret = dwc3_gadget_soft_disconnect(dwc); - if (ret) - goto err; - - spin_lock_irqsave(&dwc->lock, flags); - if (dwc->gadget_driver) - dwc3_disconnect_gadget(dwc); - spin_unlock_irqrestore(&dwc->lock, flags); - - return 0; - -err: /* * Attempt to reset the controller's state. Likely no * communication can be established until the host * performs a port reset. */ - if (dwc->softconnect) + if (ret && dwc->softconnect) { dwc3_gadget_soft_connect(dwc); + return ret; + } - return ret; + spin_lock_irqsave(&dwc->lock, flags); + if (dwc->gadget_driver) + dwc3_disconnect_gadget(dwc); + spin_unlock_irqrestore(&dwc->lock, flags); + + return 0; } int dwc3_gadget_resume(struct dwc3 *dwc) -- 2.49.0.395.g12beb8f557-goog

6 months, 2 weeks

3
4
0 0

+ tools-testing-selftests-fix-guard-region-test-tmpfs-assumption.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: tools/testing/selftests: fix guard region test tmpfs assumption has been added to the -mm mm-hotfixes-unstable branch. Its filename is tools-testing-selftests-fix-guard-region-test-tmpfs-assumption.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: tools/testing/selftests: fix guard region test tmpfs assumption Date: Fri, 25 Apr 2025 17:24:36 +0100 The current implementation of the guard region tests assume that /tmp is mounted as tmpfs, that is shmem. This isn't always the case, and at least one instance of a spurious test failure has been reported as a result. This assumption is unsafe, rushed and silly - and easily remedied by simply using memfd, so do so. We also have to fixup the readonly_file test to explicitly only be applicable to file-backed cases. Link: https://lkml.kernel.org/r/20250425162436.564002-1-lorenzo.stoakes@oracle.com Fixes: 272f37d3e99a ("tools/selftests: expand all guard region tests to file-backed") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Ryan Roberts <ryan.roberts(a)arm.com> Closes: https://lore.kernel.org/linux-mm/a2d2766b-0ab4-437b-951a-8595a7506fe9@arm.c… Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/guard-regions.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) --- a/tools/testing/selftests/mm/guard-regions.c~tools-testing-selftests-fix-guard-region-test-tmpfs-assumption +++ a/tools/testing/selftests/mm/guard-regions.c @@ -271,12 +271,16 @@ FIXTURE_SETUP(guard_regions) self->page_size = (unsigned long)sysconf(_SC_PAGESIZE); setup_sighandler(); - if (variant->backing == ANON_BACKED) + switch (variant->backing) { + case ANON_BACKED: return; - - self->fd = open_file( - variant->backing == SHMEM_BACKED ? "/tmp/" : "", - self->path); + case LOCAL_FILE_BACKED: + self->fd = open_file("", self->path); + break; + case SHMEM_BACKED: + self->fd = memfd_create(self->path, 0); + break; + } /* We truncate file to at least 100 pages, tests can modify as needed. */ ASSERT_EQ(ftruncate(self->fd, 100 * self->page_size), 0); @@ -1696,7 +1700,7 @@ TEST_F(guard_regions, readonly_file) char *ptr; int i; - if (variant->backing == ANON_BACKED) + if (variant->backing != LOCAL_FILE_BACKED) SKIP(return, "Read-only test specific to file-backed"); /* Map shared so we can populate with pattern, populate it, unmap. */ _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are maintainers-add-reverse-mapping-section.patch maintainers-add-core-mm-section.patch maintainers-add-mm-thp-section.patch maintainers-add-mm-thp-section-fix.patch tools-testing-selftests-fix-guard-region-test-tmpfs-assumption.patch mm-vma-fix-incorrectly-disallowed-anonymous-vma-merges.patch tools-testing-add-procmap_query-helper-functions-in-mm-self-tests.patch tools-testing-selftests-assert-that-anon-merge-cases-behave-as-expected.patch mm-move-mmap-vma-locking-logic-into-specific-files.patch

6 months, 2 weeks

1
0
0 0

[PATCH v3] KVM: SVM: forcibly leave SMM mode on vCPU reset

by Mikhail Lobanov

Previously, commit ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset") addressed an issue where a triple fault occurring in nested mode could lead to use-after-free scenarios. However, the commit did not handle the analogous situation for System Management Mode (SMM). This omission results in triggering a WARN when a vCPU reset occurs while still in SMM mode, due to the check in kvm_vcpu_reset(). This situation was reprodused using Syzkaller by: 1) Creating a KVM VM and vCPU 2) Sending a KVM_SMI ioctl to explicitly enter SMM 3) Executing invalid instructions causing consecutive exceptions and eventually a triple fault The issue manifests as follows: WARNING: CPU: 0 PID: 25506 at arch/x86/kvm/x86.c:12112 kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112 Modules linked in: CPU: 0 PID: 25506 Comm: syz-executor.0 Not tainted 6.1.130-syzkaller-00157-g164fe5dde9b6 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:kvm_vcpu_reset+0x1d2/0x1530 arch/x86/kvm/x86.c:12112 Call Trace: <TASK> shutdown_interception+0x66/0xb0 arch/x86/kvm/svm/svm.c:2136 svm_invoke_exit_handler+0x110/0x530 arch/x86/kvm/svm/svm.c:3395 svm_handle_exit+0x424/0x920 arch/x86/kvm/svm/svm.c:3457 vcpu_enter_guest arch/x86/kvm/x86.c:10959 [inline] vcpu_run+0x2c43/0x5a90 arch/x86/kvm/x86.c:11062 kvm_arch_vcpu_ioctl_run+0x50f/0x1cf0 arch/x86/kvm/x86.c:11283 kvm_vcpu_ioctl+0x570/0xf00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4122 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Architecturally, hardware CPUs exit SMM upon receiving a triple fault as part of a hardware reset. To reflect this behavior and avoid triggering the WARN, this patch explicitly calls kvm_smm_changed(vcpu, false) in the SVM-specific shutdown_interception() handler prior to resetting the vCPU. The initial version of this patch attempted to address the issue by calling kvm_smm_changed() inside kvm_vcpu_reset(). However, this approach was not architecturally accurate, as INIT is blocked during SMM and SMM should not be exited implicitly during a generic vCPU reset. This version moves the fix into shutdown_interception() for SVM, where the triple fault is actually handled, and where exiting SMM explicitly is appropriate. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: ed129ec9057f ("KVM: x86: forcibly leave nested mode on vCPU reset") Cc: stable(a)vger.kernel.org Suggested-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosa.ru> --- v2: Move SMM exit from kvm_vcpu_reset() to SVM's shutdown_interception(), per suggestion from Sean Christopherson <seanjc(a)google.com>. v3: -Export kvm_smm_changed() using EXPORT_SYMBOL_GPL. -Wrap the call to kvm_smm_changed() in svm.c with #ifdef CONFIG_KVM_SMM to avoid build errors when SMM support is disabled. arch/x86/kvm/smm.c | 1 + arch/x86/kvm/svm/svm.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/arch/x86/kvm/smm.c b/arch/x86/kvm/smm.c index 699e551ec93b..9864c057187d 100644 --- a/arch/x86/kvm/smm.c +++ b/arch/x86/kvm/smm.c @@ -131,6 +131,7 @@ void kvm_smm_changed(struct kvm_vcpu *vcpu, bool entering_smm) kvm_mmu_reset_context(vcpu); } +EXPORT_SYMBOL_GPL(kvm_smm_changed); void process_smi(struct kvm_vcpu *vcpu) { diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d5d0c5c3300b..c5470d842aed 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -2231,6 +2231,10 @@ static int shutdown_interception(struct kvm_vcpu *vcpu) */ if (!sev_es_guest(vcpu->kvm)) { clear_page(svm->vmcb); +#ifdef CONFIG_KVM_SMM + if (is_smm(vcpu)) + kvm_smm_changed(vcpu, false); +#endif kvm_vcpu_reset(vcpu, true); } -- 2.47.2

6 months, 2 weeks

2
1
0 0

[PATCH] arm64: dts: ti: k3-j784s4-j742s2-main-common: fix length of serdes_ln_ctrl

by Siddharth Vadapalli

Commit under Fixes corrected the "mux-reg-masks" property but did not update the "length" field of the "reg" property to account for the newly added register offsets which extend the region. Fix this. Fixes: 38e7f9092efb ("arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks") Cc: stable(a)vger.kernel.org Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit bc3372351d0c Merge tag 'for-6.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux of Mainline Linux. Regards, Siddharth. arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi b/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi index 1944616ab357..1fc0a11c5ab4 100644 --- a/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi +++ b/arch/arm64/boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi @@ -77,7 +77,7 @@ pcie1_ctrl: pcie1-ctrl@4074 { serdes_ln_ctrl: mux-controller@4080 { compatible = "reg-mux"; - reg = <0x00004080 0x30>; + reg = <0x00004080 0x50>; #mux-control-cells = <1>; mux-reg-masks = <0x0 0x3>, <0x4 0x3>, /* SERDES0 lane0/1 select */ <0x8 0x3>, <0xc 0x3>, /* SERDES0 lane2/3 select */ -- 2.34.1

6 months, 2 weeks

3
2
0 0

[PATCH 1/2] mm/userfaultfd: Fix uninitialized output field for -EAGAIN race

by Peter Xu

While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Cc: linux-stable <stable(a)vger.kernel.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Signed-off-by: Peter Xu <peterx(a)redhat.com> --- fs/userfaultfd.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index d80f94346199..22f4bf956ba1 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg) user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */ -- 2.48.1

6 months, 2 weeks

3
3
0 0

Potential Linux Crash: possible deadlock in udf_page_mkwrite in linux6.12.24(longterm maintenance)

by Jianzhou Zhao

Hello, I found a potential bug titled " possible deadlock in udf_page_mkwrite " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). Unfortunately, I am unable to reproduce this bug. If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <luckd0g(a)163.com>, xingwei lee <xrivendell7(a)gmail.com>,Penglei Jiang <superman.xpt(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 ------------[ cut here ]----------------------------------------- TITLE: possible deadlock in udf_page_mkwrite ------------[ cut here ]------------ ====================================================== WARNING: possible circular locking dependency detected 6.12.24 #3 Not tainted ------------------------------------------------------ syz.6.870/18445 is trying to acquire lock: ffff888053607700 (mapping.invalidate_lock#4){++++}-{3:3}, at: filemap_invalidate_lock_shared include/linux/fs.h:870 [inline] ffff888053607700 (mapping.invalidate_lock#4){++++}-{3:3}, at: udf_page_mkwrite+0x2af/0xa20 fs/udf/file.c:50 but task is already holding lock: ffff888044124518 (sb_pagefaults#2){.+.+}-{0:0}, at: do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #9 (sb_pagefaults#2){.+.+}-{0:0}: percpu_down_read include/linux/percpu-rwsem.h:51 [inline] __sb_start_write include/linux/fs.h:1716 [inline] sb_start_pagefault include/linux/fs.h:1881 [inline] udf_page_mkwrite+0x18b/0xa20 fs/udf/file.c:48 do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 wp_page_shared mm/memory.c:3562 [inline] do_wp_page+0x1291/0x4860 mm/memory.c:3712 handle_pte_fault mm/memory.c:5786 [inline] __handle_mm_fault+0x150c/0x2a20 mm/memory.c:5913 handle_mm_fault+0x404/0xab0 mm/memory.c:6081 do_user_addr_fault+0x61b/0x13a0 arch/x86/mm/fault.c:1338 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x98/0x180 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 -> #8 (&vma->vm_lock->lock){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 vma_start_write include/linux/mm.h:757 [inline] vma_link+0x268/0x490 mm/vma.c:1604 insert_vm_struct+0x197/0x3f0 mm/mmap.c:2011 __bprm_mm_init fs/exec.c:289 [inline] bprm_mm_init fs/exec.c:393 [inline] alloc_bprm+0x6d1/0xd30 fs/exec.c:1578 kernel_execve+0xb0/0x3d0 fs/exec.c:2010 try_to_run_init_process init/main.c:1397 [inline] kernel_init+0x154/0x2d0 init/main.c:1525 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #7 (&mm->mmap_lock){++++}-{3:3}: __might_fault mm/memory.c:6719 [inline] __might_fault+0x118/0x190 mm/memory.c:6713 _inline_copy_from_user include/linux/uaccess.h:162 [inline] _copy_from_user+0x2b/0xd0 lib/usercopy.c:18 copy_from_user include/linux/uaccess.h:212 [inline] __blk_trace_setup+0x96/0x180 kernel/trace/blktrace.c:626 blk_trace_setup+0x47/0x70 kernel/trace/blktrace.c:648 sg_ioctl_common drivers/scsi/sg.c:1114 [inline] sg_ioctl+0x65e/0x2720 drivers/scsi/sg.c:1156 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #6 (&q->debugfs_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 blk_mq_init_sched+0x436/0x650 block/blk-mq-sched.c:473 elevator_init_mq+0x2cc/0x420 block/elevator.c:610 device_add_disk+0x10e/0x12f0 block/genhd.c:411 sd_probe+0xa0e/0xf80 drivers/scsi/sd.c:4024 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #5 (&q->q_usage_counter(queue)#51){++++}-{0:0}: blk_queue_enter+0x4d0/0x600 block/blk-core.c:328 blk_mq_alloc_request+0x422/0x9c0 block/blk-mq.c:680 scsi_alloc_request drivers/scsi/scsi_lib.c:1227 [inline] scsi_execute_cmd+0x1fe/0xf20 drivers/scsi/scsi_lib.c:304 read_capacity_16+0x1f2/0xe60 drivers/scsi/sd.c:2655 sd_read_capacity drivers/scsi/sd.c:2824 [inline] sd_revalidate_disk.isra.0+0x1989/0xa440 drivers/scsi/sd.c:3734 sd_probe+0x887/0xf80 drivers/scsi/sd.c:4010 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #4 (&q->limits_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 queue_limits_start_update include/linux/blkdev.h:935 [inline] loop_reconfigure_limits+0x1f2/0x960 drivers/block/loop.c:1004 loop_set_block_size drivers/block/loop.c:1474 [inline] lo_simple_ioctl drivers/block/loop.c:1497 [inline] lo_ioctl+0xb92/0x1870 drivers/block/loop.c:1560 blkdev_ioctl+0x27b/0x6c0 block/ioctl.c:693 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #3 (&q->q_usage_counter(io)#19){++++}-{0:0}: bio_queue_enter block/blk.h:76 [inline] blk_mq_submit_bio+0x2167/0x2b70 block/blk-mq.c:3090 __submit_bio+0x399/0x630 block/blk-core.c:629 __submit_bio_noacct_mq block/blk-core.c:716 [inline] submit_bio_noacct_nocheck+0x6c3/0xd00 block/blk-core.c:745 submit_bio_noacct+0x57a/0x1fa0 block/blk-core.c:868 submit_bh fs/buffer.c:2824 [inline] __bread_slow fs/buffer.c:1270 [inline] __bread_gfp+0x189/0x340 fs/buffer.c:1494 sb_bread include/linux/buffer_head.h:346 [inline] read_block_bitmap fs/udf/balloc.c:43 [inline] load_block_bitmap+0x1ff/0x570 fs/udf/balloc.c:99 udf_bitmap_free_blocks fs/udf/balloc.c:150 [inline] udf_free_blocks+0x57c/0x10a0 fs/udf/balloc.c:674 udf_evict_inode+0x34c/0x590 fs/udf/inode.c:163 evict+0x3ef/0x940 fs/inode.c:725 iput_final fs/inode.c:1877 [inline] iput fs/inode.c:1903 [inline] iput+0x511/0x7f0 fs/inode.c:1889 do_unlinkat+0x58f/0x710 fs/namei.c:4540 __do_sys_unlink fs/namei.c:4581 [inline] __se_sys_unlink fs/namei.c:4579 [inline] __x64_sys_unlink+0xc7/0x110 fs/namei.c:4579 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #2 (&sbi->s_alloc_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 udf_bitmap_new_block fs/udf/balloc.c:236 [inline] udf_new_block+0x7e2/0x1750 fs/udf/balloc.c:721 inode_getblk+0xe88/0x3bb0 fs/udf/inode.c:895 udf_map_block+0x2e3/0x5a0 fs/udf/inode.c:447 __udf_get_block+0x9c/0x340 fs/udf/inode.c:461 __block_write_begin_int+0x4e5/0x1670 fs/buffer.c:2121 block_write_begin+0x9a/0x1d0 fs/buffer.c:2231 udf_write_begin+0x1bc/0x280 fs/udf/inode.c:256 generic_perform_write+0x2bd/0x900 mm/filemap.c:4065 __generic_file_write_iter+0x1f6/0x240 mm/filemap.c:4166 udf_file_write_iter+0x233/0x740 fs/udf/file.c:111 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xbfc/0x10d0 fs/read_write.c:683 ksys_write+0x122/0x250 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 (&ei->i_data_sem#2){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 udf_expand_file_adinicb+0x174/0x970 fs/udf/inode.c:363 udf_setsize+0x4b2/0x10f0 fs/udf/inode.c:1289 udf_setattr+0x523/0x6c0 fs/udf/file.c:236 notify_change+0x6d3/0x1280 fs/attr.c:503 do_truncate+0x143/0x200 fs/open.c:65 vfs_truncate+0x3e3/0x4c0 fs/open.c:111 do_sys_truncate.part.0+0xf7/0x140 fs/open.c:134 do_sys_truncate fs/open.c:128 [inline] __do_sys_truncate fs/open.c:146 [inline] __se_sys_truncate fs/open.c:144 [inline] __x64_sys_truncate+0x6d/0xa0 fs/open.c:144 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (mapping.invalidate_lock#4){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 filemap_invalidate_lock_shared include/linux/fs.h:870 [inline] udf_page_mkwrite+0x2af/0xa20 fs/udf/file.c:50 do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 wp_page_shared mm/memory.c:3562 [inline] do_wp_page+0x1291/0x4860 mm/memory.c:3712 handle_pte_fault mm/memory.c:5786 [inline] __handle_mm_fault+0x150c/0x2a20 mm/memory.c:5913 handle_mm_fault+0x404/0xab0 mm/memory.c:6081 do_user_addr_fault+0x61b/0x13a0 arch/x86/mm/fault.c:1338 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x98/0x180 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 other info that might help us debug this: Chain exists of: mapping.invalidate_lock#4 --> &vma->vm_lock->lock --> sb_pagefaults#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_pagefaults#2); lock(&vma->vm_lock->lock); lock(sb_pagefaults#2); rlock(mapping.invalidate_lock#4); *** DEADLOCK *** 2 locks held by syz.6.870/18445: #0: ffff888050dbed18 (&vma->vm_lock->lock){++++}-{3:3}, at: vma_start_read include/linux/mm.h:704 [inline] #0: ffff888050dbed18 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma_under_rcu+0x141/0x9a0 mm/memory.c:6247 #1: ffff888044124518 (sb_pagefaults#2){.+.+}-{0:0}, at: do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 stack backtrace: CPU: 0 UID: 0 PID: 18445 Comm: syz.6.870 Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_circular_bug+0x406/0x5c0 kernel/locking/lockdep.c:2074 check_noncircular+0x2f7/0x3e0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 filemap_invalidate_lock_shared include/linux/fs.h:870 [inline] udf_page_mkwrite+0x2af/0xa20 fs/udf/file.c:50 do_page_mkwrite+0x17d/0x390 mm/memory.c:3161 wp_page_shared mm/memory.c:3562 [inline] do_wp_page+0x1291/0x4860 mm/memory.c:3712 handle_pte_fault mm/memory.c:5786 [inline] __handle_mm_fault+0x150c/0x2a20 mm/memory.c:5913 handle_mm_fault+0x404/0xab0 mm/memory.c:6081 do_user_addr_fault+0x61b/0x13a0 arch/x86/mm/fault.c:1338 handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x98/0x180 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0033:0x7fc9b0c4f002 Code: f0 48 8b 54 24 f0 8b 8a 80 00 00 00 8b 82 04 01 00 00 21 c8 83 c1 01 c1 e0 04 48 8b b4 02 40 01 00 00 48 8b 84 02 48 01 00 00 <89> 8a 80 00 00 00 48 81 fe 45 23 01 00 74 09 48 81 fe 56 34 02 00 RSP: 002b:00007fc9b1c9af88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00007fc9b0fe6080 RCX: 0000000000000001 RDX: 0000200000ff9000 RSI: 0000000000000000 RDI: 0000200000ff9000 RBP: 00007fc9b0e46d56 R08: 0000000000000000 R09: 0000000000000000 R10: 0000200000ff9000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fc9b0fe6080 R15: 00007fc9b1c7b000 </TASK> ================================================================== I hope it helps. Best regards Jianzhou Zhao

6 months, 2 weeks

1
0
0 0

[PATCH] usb: uhci-platform: Make the clock really optional

by Alexey Charkov

Device tree bindings state that the clock is optional for UHCI platform controllers, and some existing device trees don't provide those - such as those for VIA/WonderMedia devices. The driver however fails to probe now if no clock is provided, because devm_clk_get returns an error pointer in such case. Switch to devm_clk_get_optional instead, so that it could probe again on those platforms where no clocks are given. Cc: stable(a)vger.kernel.org Fixes: 26c502701c52 ("usb: uhci: Add clk support to uhci-platform") Signed-off-by: Alexey Charkov <alchark(a)gmail.com> --- drivers/usb/host/uhci-platform.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/uhci-platform.c b/drivers/usb/host/uhci-platform.c index a7c934404ebc7ed74f64265fafa7830809979ba5..62318291f5664c9ec94f24535c71d962e28354f3 100644 --- a/drivers/usb/host/uhci-platform.c +++ b/drivers/usb/host/uhci-platform.c @@ -121,7 +121,7 @@ static int uhci_hcd_platform_probe(struct platform_device *pdev) } /* Get and enable clock if any specified */ - uhci->clk = devm_clk_get(&pdev->dev, NULL); + uhci->clk = devm_clk_get_optional(&pdev->dev, NULL); if (IS_ERR(uhci->clk)) { ret = PTR_ERR(uhci->clk); goto err_rmr; --- base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8 change-id: 20250425-uhci-clock-optional-9a9d09560e17 Best regards, -- Alexey Charkov <alchark(a)gmail.com>

6 months, 2 weeks

2
2
0 0

[PATCH RESEND v3 0/3] Add ti,suppress-v1p8-ena

by Judith Mendez

Resend patch series to fix cc list There are MMC boot failures seen with V1P8_SIGNAL_ENA on Kingston eMMC and Microcenter/Patriot SD cards on Sitara K3 boards due to the HS200 initialization sequence involving V1P8_SIGNAL_ENA. Since V1P8_SIGNAL_ENA is optional for eMMC, do not set V1P8_SIGNAL_ENA by default for eMMC. For SD cards we shall parse DT for ti,suppress-v1p8-ena property to determine whether to suppress V1P8_SIGNAL_ENA. Add new ti,suppress-v1p8-ena to am62x, am62ax, and am62px SoC dtsi files since there is no internal LDO tied to sdhci1 interface so V1P8_SIGNAL_ENA only affects timing. This fix was previously merged in the kernel, but was reverted due to the "heuristics for enabling the quirk"[0]. This issue is adressed in this patch series by adding optional ti,suppress-v1p8-ena DT property which determines whether to apply the quirk for SD. Changes since v2: - Include patch 3/3 - Reword cover letter - Reword binding patch description - Add fixes/cc tags to driver patch - Reorder patches according to binding patch first - Resend to fix cc list in original v3 series Link to v2: https://lore.kernel.org/linux-mmc/20250417182652.3521104-1-jm@ti.com/ Link to v1: https://lore.kernel.org/linux-mmc/20250407222702.2199047-1-jm@ti.com/ [0] https://lore.kernel.org/linux-mmc/20250127-am654-mmc-regression-v2-1-9bb39f… Judith Mendez (3): dt-bindings: mmc: sdhci-am654: Add ti,suppress-v1p8-ena mmc: sdhci_am654: Add sdhci_am654_start_signal_voltage_switch arm64: dts: ti: k3-am62*: add ti,suppress-v1p8-ena .../devicetree/bindings/mmc/sdhci-am654.yaml | 5 +++ arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 1 + arch/arm64/boot/dts/ti/k3-am62a-main.dtsi | 1 + .../dts/ti/k3-am62p-j722s-common-main.dtsi | 1 + drivers/mmc/host/sdhci_am654.c | 32 +++++++++++++++++++ 5 files changed, 40 insertions(+) base-commit: 1be38f81251f6d276713c259ecf4414f82f22c29 -- 2.49.0

6 months, 2 weeks

4
8
0 0

[PATCH v2 1/4] firmware: arm_scmi: Ensure that the message-id supports fastchannel

by Cristian Marussi

From: Sibi Sankar <quic_sibis(a)quicinc.com> Currently the perf and powercap protocol relies on the protocol domain attributes, which just ensures that one fastchannel per domain, before instantiating fastchannels for all possible message-ids. Fix this by ensuring that each message-id supports fastchannel before initialization. Logs: scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:0] - ret:-95. Using regular messaging. scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:1] - ret:-95. Using regular messaging. scmi: Failed to get FC for protocol 13 [MSG_ID:6 / RES_ID:2] - ret:-95. Using regular messaging. CC: stable(a)vger.kernel.org Reported-by: Johan Hovold <johan+linaro(a)kernel.org> Closes: https://lore.kernel.org/lkml/ZoQjAWse2YxwyRJv@hovoldconsulting.com/ Fixes: 6f9ea4dabd2d ("firmware: arm_scmi: Generalize the fast channel support") Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> Tested-by: Johan Hovold <johan+linaro(a)kernel.org> Signed-off-by: Sibi Sankar <quic_sibis(a)quicinc.com> [Cristian: Modified the condition checked to establish support or not] Signed-off-by: Cristian Marussi <cristian.marussi(a)arm.com> --- RFC -> V1 - picked up a few tags Since PROTOCOL_MESSAGE_ATTRIBUTES, used to check if message_id is supported, is a mandatory command, it cannot fail so we must bail-out NOT only if FC was not supported for that command but also if the query fails as a whole; so the condition checked for bailing out is modified to: if (ret || !MSG_SUPPORTS_FASTCHANNEL(attributes)) { --- drivers/firmware/arm_scmi/driver.c | 76 +++++++++++++++------------ drivers/firmware/arm_scmi/protocols.h | 2 + 2 files changed, 45 insertions(+), 33 deletions(-) diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c index 1cf18cc8e63f..0e281fca0a38 100644 --- a/drivers/firmware/arm_scmi/driver.c +++ b/drivers/firmware/arm_scmi/driver.c @@ -1738,6 +1738,39 @@ static int scmi_common_get_max_msg_size(const struct scmi_protocol_handle *ph) return info->desc->max_msg_size; } +/** + * scmi_protocol_msg_check - Check protocol message attributes + * + * @ph: A reference to the protocol handle. + * @message_id: The ID of the message to check. + * @attributes: A parameter to optionally return the retrieved message + * attributes, in case of Success. + * + * An helper to check protocol message attributes for a specific protocol + * and message pair. + * + * Return: 0 on SUCCESS + */ +static int scmi_protocol_msg_check(const struct scmi_protocol_handle *ph, + u32 message_id, u32 *attributes) +{ + int ret; + struct scmi_xfer *t; + + ret = xfer_get_init(ph, PROTOCOL_MESSAGE_ATTRIBUTES, + sizeof(__le32), 0, &t); + if (ret) + return ret; + + put_unaligned_le32(message_id, t->tx.buf); + ret = do_xfer(ph, t); + if (!ret && attributes) + *attributes = get_unaligned_le32(t->rx.buf); + xfer_put(ph, t); + + return ret; +} + /** * struct scmi_iterator - Iterator descriptor * @msg: A reference to the message TX buffer; filled by @prepare_message with @@ -1879,6 +1912,7 @@ scmi_common_fastchannel_init(const struct scmi_protocol_handle *ph, int ret; u32 flags; u64 phys_addr; + u32 attributes; u8 size; void __iomem *addr; struct scmi_xfer *t; @@ -1887,6 +1921,15 @@ scmi_common_fastchannel_init(const struct scmi_protocol_handle *ph, struct scmi_msg_resp_desc_fc *resp; const struct scmi_protocol_instance *pi = ph_to_pi(ph); + /* Check if the MSG_ID supports fastchannel */ + ret = scmi_protocol_msg_check(ph, message_id, &attributes); + if (ret || !MSG_SUPPORTS_FASTCHANNEL(attributes)) { + dev_dbg(ph->dev, + "Skip FC init for 0x%02X/%d domain:%d - ret:%d\n", + pi->proto->id, message_id, domain, ret); + return; + } + if (!p_addr) { ret = -EINVAL; goto err_out; @@ -2004,39 +2047,6 @@ static void scmi_common_fastchannel_db_ring(struct scmi_fc_db_info *db) SCMI_PROTO_FC_RING_DB(64); } -/** - * scmi_protocol_msg_check - Check protocol message attributes - * - * @ph: A reference to the protocol handle. - * @message_id: The ID of the message to check. - * @attributes: A parameter to optionally return the retrieved message - * attributes, in case of Success. - * - * An helper to check protocol message attributes for a specific protocol - * and message pair. - * - * Return: 0 on SUCCESS - */ -static int scmi_protocol_msg_check(const struct scmi_protocol_handle *ph, - u32 message_id, u32 *attributes) -{ - int ret; - struct scmi_xfer *t; - - ret = xfer_get_init(ph, PROTOCOL_MESSAGE_ATTRIBUTES, - sizeof(__le32), 0, &t); - if (ret) - return ret; - - put_unaligned_le32(message_id, t->tx.buf); - ret = do_xfer(ph, t); - if (!ret && attributes) - *attributes = get_unaligned_le32(t->rx.buf); - xfer_put(ph, t); - - return ret; -} - static const struct scmi_proto_helpers_ops helpers_ops = { .extended_name_get = scmi_common_extended_name_get, .get_max_msg_size = scmi_common_get_max_msg_size, diff --git a/drivers/firmware/arm_scmi/protocols.h b/drivers/firmware/arm_scmi/protocols.h index aaee57cdcd55..d62c4469d1fd 100644 --- a/drivers/firmware/arm_scmi/protocols.h +++ b/drivers/firmware/arm_scmi/protocols.h @@ -31,6 +31,8 @@ #define SCMI_PROTOCOL_VENDOR_BASE 0x80 +#define MSG_SUPPORTS_FASTCHANNEL(x) ((x) & BIT(0)) + enum scmi_common_cmd { PROTOCOL_VERSION = 0x0, PROTOCOL_ATTRIBUTES = 0x1, -- 2.47.0

6 months, 2 weeks

1
0
0 0

[PATCH] ASoC: renesas: rz-ssi: Use NOIRQ_SYSTEM_SLEEP_PM_OPS()

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> In the latest kernel versions system crashes were noticed occasionally during suspend/resume. This occurs because the RZ SSI suspend trigger (called from snd_soc_suspend()) is executed after rz_ssi_pm_ops->suspend() and it accesses IP registers. After the rz_ssi_pm_ops->suspend() is executed the IP clocks are disabled and its reset line is asserted. Since snd_soc_suspend() is invoked through snd_soc_pm_ops->suspend(), snd_soc_pm_ops is associated with soc_driver (defined in sound/soc/soc-core.c), and there is no parent-child relationship between soc_driver and rz_ssi_driver the power management subsystem does not enforce a specific suspend/resume order between the RZ SSI platform driver and soc_driver. To ensure that the suspend/resume function of rz-ssi is executed after snd_soc_suspend(), use NOIRQ_SYSTEM_SLEEP_PM_OPS(). Fixes: 1fc778f7c833 ("ASoC: renesas: rz-ssi: Add suspend to RAM support") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- sound/soc/renesas/rz-ssi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/renesas/rz-ssi.c b/sound/soc/renesas/rz-ssi.c index 3a0af4ca7ab6..0f7458a43901 100644 --- a/sound/soc/renesas/rz-ssi.c +++ b/sound/soc/renesas/rz-ssi.c @@ -1244,7 +1244,7 @@ static int rz_ssi_runtime_resume(struct device *dev) static const struct dev_pm_ops rz_ssi_pm_ops = { RUNTIME_PM_OPS(rz_ssi_runtime_suspend, rz_ssi_runtime_resume, NULL) - SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume) + NOIRQ_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume) }; static struct platform_driver rz_ssi_driver = { -- 2.43.0

6 months, 2 weeks

2
1
0 0

[PATCH] ASoC: meson: meson-card-utils: use of_property_present() for DT parsing

by Martin Blumenstingl

Commit c141ecc3cecd ("of: Warn when of_property_read_bool() is used on non-boolean properties") added a warning when trying to parse a property with a value (boolean properties are defined as: absent = false, present without any value = true). This causes a warning from meson-card-utils. meson-card-utils needs to know about the existence of the "audio-routing" and/or "audio-widgets" properties in order to properly parse them. Switch to of_property_present() in order to silence the following warning messages during boot: OF: /sound: Read of boolean property 'audio-routing' with a value. OF: /sound: Read of boolean property 'audio-widgets' with a value. Fixes: 7864a79f37b5 ("ASoC: meson: add axg sound card support") Tested-by: Christian Hewitt <christianshewitt(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> --- sound/soc/meson/meson-card-utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/meson/meson-card-utils.c b/sound/soc/meson/meson-card-utils.c index cfc7f6e41ab5..68531183fb60 100644 --- a/sound/soc/meson/meson-card-utils.c +++ b/sound/soc/meson/meson-card-utils.c @@ -231,7 +231,7 @@ static int meson_card_parse_of_optional(struct snd_soc_card *card, const char *p)) { /* If property is not provided, don't fail ... */ - if (!of_property_read_bool(card->dev->of_node, propname)) + if (!of_property_present(card->dev->of_node, propname)) return 0; /* ... but do fail if it is provided and the parsing fails */ -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH RESEND] usb: renesas_usbhs: Add error handling for usbhsf_fifo_select()

by Wentao Liang

In usbhsf_dcp_data_stage_prepare_pop(), the return value of usbhsf_fifo_select() needs to be checked. A proper implementation can be found in usbhsf_dma_try_pop_with_rx_irq(). Add an error check and jump to PIO pop when FIFO selection fails. Fixes: 9e74d601de8a ("usb: gadget: renesas_usbhs: add data/status stage handler") Cc: stable(a)vger.kernel.org # v3.2+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/usb/renesas_usbhs/fifo.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c index 10607e273879..6cc07ab4782d 100644 --- a/drivers/usb/renesas_usbhs/fifo.c +++ b/drivers/usb/renesas_usbhs/fifo.c @@ -466,6 +466,7 @@ static int usbhsf_dcp_data_stage_prepare_pop(struct usbhs_pkt *pkt, struct usbhs_pipe *pipe = pkt->pipe; struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); struct usbhs_fifo *fifo = usbhsf_get_cfifo(priv); + int ret; if (usbhs_pipe_is_busy(pipe)) return 0; @@ -480,10 +481,14 @@ static int usbhsf_dcp_data_stage_prepare_pop(struct usbhs_pkt *pkt, usbhs_pipe_sequence_data1(pipe); /* DATA1 */ - usbhsf_fifo_select(pipe, fifo, 0); + ret = usbhsf_fifo_select(pipe, fifo, 0); + if (ret < 0) + goto usbhsf_pio_prepare_pop; + usbhsf_fifo_clear(pipe, fifo); usbhsf_fifo_unselect(pipe, fifo); +usbhsf_pio_prepare_pop: /* * change handler to PIO pop */ -- 2.42.0.windows.2

6 months, 2 weeks

2
1
0 0

[PATCH v2 1/2] platform/x86: int3472: add hpd pin support

by Dongcheng Yan

Typically HDMI to MIPI CSI-2 bridges have a pin to signal image data is being received. On the host side this is wired to a GPIO for polling or interrupts. This includes the Lontium HDMI to MIPI CSI-2 bridges lt6911uxe and lt6911uxc. The GPIO "hpd" is used already by other HDMI to CSI-2 bridges, use it here as well. Signed-off-by: Dongcheng Yan <dongcheng.yan(a)intel.com> --- drivers/platform/x86/intel/int3472/common.h | 1 + drivers/platform/x86/intel/int3472/discrete.c | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/drivers/platform/x86/intel/int3472/common.h b/drivers/platform/x86/intel/int3472/common.h index 145dec66df64..db4cd3720e24 100644 --- a/drivers/platform/x86/intel/int3472/common.h +++ b/drivers/platform/x86/intel/int3472/common.h @@ -22,6 +22,7 @@ #define INT3472_GPIO_TYPE_POWER_ENABLE 0x0b #define INT3472_GPIO_TYPE_CLK_ENABLE 0x0c #define INT3472_GPIO_TYPE_PRIVACY_LED 0x0d +#define INT3472_GPIO_TYPE_HOTPLUG_DETECT 0x13 #define INT3472_PDEV_MAX_NAME_LEN 23 #define INT3472_MAX_SENSOR_GPIOS 3 diff --git a/drivers/platform/x86/intel/int3472/discrete.c b/drivers/platform/x86/intel/int3472/discrete.c index 30ff8f3ea1f5..26215d1b63a2 100644 --- a/drivers/platform/x86/intel/int3472/discrete.c +++ b/drivers/platform/x86/intel/int3472/discrete.c @@ -186,6 +186,10 @@ static void int3472_get_con_id_and_polarity(struct acpi_device *adev, u8 *type, *con_id = "privacy-led"; *gpio_flags = GPIO_ACTIVE_HIGH; break; + case INT3472_GPIO_TYPE_HOTPLUG_DETECT: + *con_id = "hpd"; + *gpio_flags = GPIO_ACTIVE_HIGH; + break; case INT3472_GPIO_TYPE_POWER_ENABLE: *con_id = "power-enable"; *gpio_flags = GPIO_ACTIVE_HIGH; @@ -212,6 +216,7 @@ static void int3472_get_con_id_and_polarity(struct acpi_device *adev, u8 *type, * 0x0b Power enable * 0x0c Clock enable * 0x0d Privacy LED + * 0x13 Hotplug detect * * There are some known platform specific quirks where that does not quite * hold up; for example where a pin with type 0x01 (Power down) is mapped to @@ -281,6 +286,7 @@ static int skl_int3472_handle_gpio_resources(struct acpi_resource *ares, switch (type) { case INT3472_GPIO_TYPE_RESET: case INT3472_GPIO_TYPE_POWERDOWN: + case INT3472_GPIO_TYPE_HOTPLUG_DETECT: ret = skl_int3472_map_gpio_to_sensor(int3472, agpio, con_id, gpio_flags); if (ret) err_msg = "Failed to map GPIO pin to sensor\n"; base-commit: 01c6df60d5d4ae00cd5c1648818744838bba7763 -- 2.34.1

6 months, 2 weeks

4
4
0 0

Linux 6.14.4

by Greg Kroah-Hartman

I'm announcing the release of the 6.14.4 kernel. All users of the 6.14 kernel series must upgrade. The updated 6.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.14.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/arch/arm64/booting.rst | 22 + Documentation/devicetree/bindings/soc/fsl/fsl,ls1028a-reset.yaml | 2 Documentation/netlink/specs/ovs_vport.yaml | 4 Documentation/netlink/specs/rt_link.yaml | 20 - Documentation/netlink/specs/rt_neigh.yaml | 14 Documentation/wmi/devices/msi-wmi-platform.rst | 4 Makefile | 3 arch/arm64/include/asm/el2_setup.h | 25 + arch/arm64/tools/sysreg | 103 ++++++ arch/mips/dec/prom/init.c | 2 arch/mips/include/asm/ds1287.h | 2 arch/mips/kernel/cevt-ds1287.c | 1 arch/riscv/include/asm/kgdb.h | 9 arch/riscv/include/asm/syscall.h | 7 arch/riscv/kernel/kgdb.c | 6 arch/riscv/kernel/module-sections.c | 13 arch/riscv/kernel/module.c | 11 arch/riscv/kernel/setup.c | 36 ++ arch/x86/boot/compressed/mem.c | 5 arch/x86/boot/compressed/sev.c | 67 ---- arch/x86/boot/compressed/sev.h | 2 arch/x86/events/intel/ds.c | 8 arch/x86/events/intel/uncore_snbep.c | 107 ------ arch/x86/kernel/cpu/amd.c | 19 - arch/x86/kernel/cpu/microcode/amd.c | 9 arch/x86/xen/multicalls.c | 26 - arch/x86/xen/smp_pv.c | 1 arch/x86/xen/xen-ops.h | 3 block/bio-integrity.c | 17 - block/blk-sysfs.c | 2 drivers/accel/ivpu/ivpu_drv.c | 4 drivers/accel/ivpu/ivpu_fw.c | 3 drivers/accel/ivpu/ivpu_hw.h | 11 drivers/accel/ivpu/ivpu_hw_btrs.c | 126 +++----- drivers/accel/ivpu/ivpu_hw_btrs.h | 6 drivers/ata/libata-sata.c | 15 drivers/block/loop.c | 121 +------ drivers/bluetooth/btqca.c | 2 drivers/bluetooth/btrtl.c | 2 drivers/bluetooth/hci_vhci.c | 10 drivers/cpufreq/cpufreq.c | 8 drivers/crypto/caam/qi.c | 6 drivers/crypto/tegra/tegra-se-aes.c | 5 drivers/dma-buf/sw_sync.c | 19 - drivers/firmware/cirrus/test/cs_dsp_mock_mem_maps.c | 30 - drivers/firmware/cirrus/test/cs_dsp_test_bin.c | 2 drivers/firmware/cirrus/test/cs_dsp_test_bin_error.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 34 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 4 drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 21 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 64 +++- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 6 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 28 + drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 15 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 6 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 7 drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c | 2 drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 55 +++ drivers/gpu/drm/ast/ast_dp.c | 6 drivers/gpu/drm/i915/display/intel_bw.c | 14 drivers/gpu/drm/i915/display/intel_display.c | 4 drivers/gpu/drm/i915/display/intel_display_device.h | 1 drivers/gpu/drm/i915/display/intel_dp.c | 56 ++- drivers/gpu/drm/i915/display/intel_vblank.c | 4 drivers/gpu/drm/i915/gvt/opregion.c | 7 drivers/gpu/drm/i915/i915_drv.h | 1 drivers/gpu/drm/i915/soc/intel_dram.c | 4 drivers/gpu/drm/imagination/pvr_fw.c | 27 + drivers/gpu/drm/imagination/pvr_job.c | 7 drivers/gpu/drm/imagination/pvr_queue.c | 4 drivers/gpu/drm/mgag200/mgag200_mode.c | 2 drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 72 ++-- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 8 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_14_msm8937.h | 2 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_15_msm8917.h | 1 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h | 3 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_1_7_msm8996.h | 4 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_3_2_sdm660.h | 3 drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_3_3_sdm630.h | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 3 drivers/gpu/drm/msm/dsi/dsi_host.c | 9 drivers/gpu/drm/msm/registers/adreno/adreno_pm4.xml | 7 drivers/gpu/drm/nouveau/nouveau_bo.c | 3 drivers/gpu/drm/nouveau/nouveau_gem.c | 3 drivers/gpu/drm/sti/Makefile | 2 drivers/gpu/drm/tiny/repaper.c | 4 drivers/gpu/drm/v3d/v3d_sched.c | 16 - drivers/gpu/drm/virtio/virtgpu_gem.c | 11 drivers/gpu/drm/virtio/virtgpu_plane.c | 20 - drivers/gpu/drm/xe/xe_device_types.h | 1 drivers/gpu/drm/xe/xe_dma_buf.c | 5 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 12 drivers/gpu/drm/xe/xe_guc_ads.c | 75 ++-- drivers/gpu/drm/xe/xe_hmm.c | 24 - drivers/gpu/drm/xe/xe_migrate.c | 2 drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 drivers/i2c/i2c-atr.c | 2 drivers/infiniband/core/cma.c | 4 drivers/infiniband/core/umem_odp.c | 6 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 10 drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 drivers/md/md-bitmap.c | 5 drivers/md/raid10.c | 1 drivers/net/can/rockchip/rockchip_canfd-core.c | 7 drivers/net/dsa/b53/b53_common.c | 10 drivers/net/dsa/mv88e6xxx/chip.c | 13 drivers/net/dsa/mv88e6xxx/devlink.c | 3 drivers/net/ethernet/amd/pds_core/debugfs.c | 5 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 drivers/net/ethernet/hisilicon/hibmcge/hbg_err.c | 3 drivers/net/ethernet/hisilicon/hibmcge/hbg_hw.c | 7 drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c | 6 drivers/net/ethernet/hisilicon/hibmcge/hbg_reg.h | 3 drivers/net/ethernet/intel/igc/igc.h | 1 drivers/net/ethernet/intel/igc/igc_defines.h | 6 drivers/net/ethernet/intel/igc/igc_main.c | 1 drivers/net/ethernet/intel/igc/igc_ptp.c | 113 ++++--- drivers/net/ethernet/marvell/octeontx2/nic/rep.c | 2 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 49 +-- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 15 drivers/net/ethernet/ti/icssg/icss_iep.c | 154 ++++++---- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 3 drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 3 drivers/net/wireless/ath/ath12k/dp_mon.c | 4 drivers/net/wireless/atmel/at76c50x-usb.c | 2 drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 4 drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 8 drivers/net/wireless/ti/wl1251/tx.c | 4 drivers/nvme/target/fc.c | 14 drivers/nvme/target/pci-epf.c | 74 +++- drivers/pci/pci.c | 4 drivers/platform/mellanox/mlxbf-bootctl.c | 4 drivers/platform/x86/amd/pmf/auto-mode.c | 4 drivers/platform/x86/amd/pmf/cnqf.c | 8 drivers/platform/x86/amd/pmf/core.c | 14 drivers/platform/x86/amd/pmf/pmf.h | 1 drivers/platform/x86/amd/pmf/sps.c | 12 drivers/platform/x86/amd/pmf/tee-if.c | 6 drivers/platform/x86/asus-laptop.c | 9 drivers/platform/x86/dell/alienware-wmi.c | 56 +++ drivers/platform/x86/msi-wmi-platform.c | 99 ++++-- drivers/ptp/ptp_ocp.c | 1 drivers/ras/amd/atl/internal.h | 3 drivers/ras/amd/atl/umc.c | 19 + drivers/ras/amd/fmpm.c | 9 drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 drivers/scsi/megaraid/megaraid_sas_base.c | 9 drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 drivers/scsi/scsi_transport_iscsi.c | 7 drivers/scsi/smartpqi/smartpqi_init.c | 13 drivers/thermal/intel/int340x_thermal/processor_thermal_rfim.c | 33 +- drivers/ufs/host/ufs-exynos.c | 41 ++ drivers/ufs/host/ufs-exynos.h | 5 fs/Kconfig | 1 fs/btrfs/ioctl.c | 2 fs/btrfs/super.c | 3 fs/eventpoll.c | 38 +- fs/fuse/virtio_fs.c | 3 fs/hfs/bnode.c | 6 fs/hfsplus/bnode.c | 6 fs/isofs/export.c | 2 fs/nfs/Kconfig | 2 fs/nfs/internal.h | 7 fs/nfs/nfs4session.h | 4 fs/nfsd/Kconfig | 1 fs/nfsd/nfs4state.c | 2 fs/nfsd/nfsfh.h | 7 fs/overlayfs/overlayfs.h | 2 fs/overlayfs/super.c | 5 fs/smb/client/cifsproto.h | 2 fs/smb/client/connect.c | 34 -- fs/smb/client/file.c | 28 + fs/smb/server/connection.c | 4 fs/smb/server/oplock.c | 29 - fs/smb/server/oplock.h | 1 fs/smb/server/smb2pdu.c | 4 fs/smb/server/transport_ipc.c | 7 fs/smb/server/transport_tcp.c | 14 fs/smb/server/transport_tcp.h | 1 fs/smb/server/vfs.c | 3 include/drm/intel/pciids.h | 1 include/linux/backing-dev.h | 1 include/linux/firmware/cirrus/cs_dsp_test_utils.h | 1 include/linux/nfs.h | 7 include/uapi/drm/ivpu_accel.h | 4 io_uring/rsrc.c | 17 + kernel/sched/cpufreq_schedutil.c | 46 ++ kernel/trace/ftrace.c | 7 kernel/trace/trace_events_filter.c | 4 lib/alloc_tag.c | 15 lib/iov_iter.c | 2 lib/string.c | 13 mm/compaction.c | 6 mm/filemap.c | 1 mm/gup.c | 4 mm/memory.c | 4 mm/slub.c | 10 mm/userfaultfd.c | 13 mm/vma.c | 38 ++ mm/vma.h | 9 net/bluetooth/hci_event.c | 5 net/bluetooth/l2cap_core.c | 21 + net/bridge/br_vlan.c | 4 net/dsa/dsa.c | 59 +++ net/dsa/tag_8021q.c | 2 net/ethtool/cmis_cdb.c | 2 net/ipv6/route.c | 1 net/mac80211/iface.c | 3 net/mctp/af_mctp.c | 3 net/netfilter/nf_flow_table_core.c | 10 net/openvswitch/flow_netlink.c | 3 net/smc/af_smc.c | 5 rust/Makefile | 2 rust/helpers/io.c | 34 +- scripts/Makefile.compiler | 4 scripts/generate_rust_analyzer.py | 12 sound/pci/hda/Kconfig | 4 sound/pci/hda/patch_realtek.c | 23 - sound/soc/codecs/cs42l43-jack.c | 3 sound/soc/codecs/lpass-wsa-macro.c | 117 +++++-- sound/soc/dwc/dwc-i2s.c | 13 sound/soc/fsl/fsl_qmc_audio.c | 3 sound/soc/intel/avs/pcm.c | 3 sound/soc/intel/boards/sof_sdw.c | 1 sound/soc/qcom/lpass.h | 3 tools/objtool/check.c | 1 tools/perf/util/evsel.c | 22 - tools/testing/kunit/qemu_configs/sh.py | 4 tools/testing/selftests/mincore/mincore_selftest.c | 16 - tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 4 tools/testing/selftests/mm/hugetlb_reparenting_test.sh | 2 tools/testing/shared/linux.c | 4 246 files changed, 2157 insertions(+), 1271 deletions(-) Abdun Nihaal (7): wifi: at76c50x: fix use after free access in at76_disconnect wifi: brcmfmac: fix memory leak in brcmf_get_module_param wifi: wl1251: fix memory leak in wl1251_tx_work pds_core: fix memory leak in pdsc_debugfs_add_qcq() net: ngbe: fix memory leak in ngbe_probe() error path cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path net: txgbe: fix memory leak in txgbe_probe() error path Akhil P Oommen (1): drm/msm/a6xx: Fix stale rpmh votes from GPU Akhil R (1): crypto: tegra - Fix IV usage for AES ECB Alex Deucher (3): drm/amdgpu/mes12: optimize MES pipe FW version fetching drm/amdgpu/mes11: optimize MES pipe FW version fetching drm/amd/display/dml2: use vzalloc rather than kzalloc Alex Williamson (1): Revert "PCI: Avoid reset when disabled via sysfs" Alexander Tsoy (1): Revert "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process" Andreas Gruenbacher (1): writeback: fix false warning in inode_to_wb() Andrzej Kacprowski (1): accel/ivpu: Fix the NPU's DPU frequency calculation Andy Shevchenko (1): i2c: atr: Fix wrong include Ankit Nautiyal (3): drm/i915/vrr: Add vrr.vsync_{start, end} in vrr_params_changed drm/i915/display: Add macro for checking 3 DSC engines drm/i915/dp: Check for HAS_DSC_3ENGINES while configuring DSC slices Anshuman Khandual (7): arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 arm64/sysreg: Add register fields for HDFGRTR2_EL2 arm64/sysreg: Add register fields for HDFGWTR2_EL2 arm64/sysreg: Add register fields for HFGITR2_EL2 arm64/sysreg: Add register fields for HFGRTR2_EL2 arm64/sysreg: Add register fields for HFGWTR2_EL2 arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9 Ard Biesheuvel (1): x86/boot/sev: Avoid shared GHCB page for early memory acceptance Armin Wolf (2): platform/x86: msi-wmi-platform: Rename "data" variable platform/x86: msi-wmi-platform: Workaround a ACPI firmware bug Aurabindo Pillai (1): drm/amd/display: Temporarily disable hostvm on DCN31 Baolin Wang (1): selftests: mincore: fix tmpfs mincore test failure Baoquan He (1): mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Björn Töpel (1): riscv: Properly export reserved regions in /proc/iomem Bo-Cun Chen (3): net: ethernet: mtk_eth_soc: reapply mdc divider on reset net: ethernet: mtk_eth_soc: correct the max weight of the queue limit for 100Mbps net: ethernet: mtk_eth_soc: revise QDMA packet scheduler settings Borislav Petkov (AMD) (1): x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches Brady Norander (1): ASoC: dwc: always enable/disable i2s irqs Brendan King (2): drm/imagination: fix firmware memory leaks drm/imagination: take paired job reference Brendan Tam (1): drm/amd/display: prevent hang on link training fail Chandrakanth Patil (1): scsi: megaraid_sas: Block zero-length ATA VPD inquiry Charles Keepax (1): ASoC: cs42l43: Reset clamp override on jack removal Chengchang Tang (1): RDMA/hns: Fix wrong maximum DMA segment size Chenyuan Yang (2): octeontx2-pf: handle otx2_mbox_get_rsp errors drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check Chris Bainbridge (1): drm/nouveau: prime: fix ttm_bo_delayed_delete oops Christian König (1): drm/amdgpu: immediately use GTT for new allocations Christoph Hellwig (1): loop: stop using vfs_iter_{read,write} for buffered I/O Christopher S M Hall (6): igc: fix PTM cycle trigger logic igc: increase wait time before retrying PTM igc: move ktime snapshot into PTM retry loop igc: handle the IGC_PTP_ENABLED flag correctly igc: cleanup PTP module if probe fails igc: add lock preventing multiple simultaneous PTM transactions Chunjie Zhu (1): smb3 client: fix open hardlink on deferred close file error Damien Le Moal (2): nvmet: pci-epf: always fully initialize completion entries nvmet: pci-epf: clear CC and CSTS when disabling the controller Damodharam Ammepalli (1): ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() Dan Carpenter (2): Bluetooth: btrtl: Prevent potential NULL dereference dma-buf/sw_sync: Decrement refcount on error in sw_sync_ioctl_get_deadline() Dapeng Mi (1): perf/x86/intel: Allow to update user space GPRs from PEBS records David Thompson (1): mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show() Denis Arefev (8): asus-laptop: Fix an uninitialized variable ksmbd: Prevent integer overflow in calculation of deadtime drm/amd/pm: Prevent division by zero drm/amd/pm/powerplay: Prevent division by zero drm/amd/pm/smu11: Prevent division by zero drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Dmitry Baryshkov (2): Bluetooth: qca: fix NV variant for one of WCN3950 SoCs drm/msm/dpu: drop rogue intr_tear_rd_ptr values Dmitry Osipenko (2): drm/virtio: Don't attach GEM to a non-created context in gem_object_open() drm/virtio: Fix missed dmabuf unpinning in error path of prepare_fb() Edward Adam Davis (1): isofs: Prevent the use of too small fid Eric Biggers (1): nfs: add missing selections of CONFIG_CRC32 Evgeny Pimenov (1): ASoC: qcom: Fix sc7280 lpass potential buffer overflow FUJITA Tomonori (1): rust: helpers: Remove volatile qualifier from io helpers Florian Westphal (1): netfilter: conntrack: fix erronous removal of offload bit Frédéric Danis (2): Bluetooth: l2cap: Check encryption key size on incoming connection Bluetooth: l2cap: Process valid commands in too long frame Geert Uytterhoeven (1): dt-bindings: soc: fsl: fsl,ls1028a-reset: Fix maintainer entry Giuseppe Scrivano (1): ovl: remove unused forward declaration Greg Kroah-Hartman (1): Linux 6.14.4 Haoxiang Li (1): drm/msm/dsi: Add check for devm_kstrdup() Henry Martin (1): ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() Herbert Xu (1): crypto: caam/qi - Fix drv_ctx refcount bug Herve Codina (1): ASoC: fsl: fsl_qmc_audio: Reset audio data pointers on TRIGGER_START event Huacai Chen (3): drm/amd/display: Protect FPU in dml2_validate()/dml21_validate() drm/amd/display: Protect FPU in dml21_copy() drm/amd/display: Protect FPU in dml2_init()/dml21_init() Ilya Maximets (1): net: openvswitch: fix nested key length validation in the set() action Jakub Kicinski (6): netlink: specs: ovs_vport: align with C codegen capabilities eth: bnxt: fix missing ring index trim on error path netlink: specs: rt-link: add an attr layer around alt-ifname netlink: specs: rtnetlink: attribute naming corrections netlink: specs: rt-link: adjust mctp attribute naming netlink: specs: rt-neigh: prefix struct nfmsg members with ndm Jani Nikula (1): drm/i915/gvt: fix unterminated-string-initialization warning Jens Axboe (1): eventpoll: abstract out ep_try_send_events() helper Jijie Shao (4): net: hibmcge: fix incorrect pause frame statistics issue net: hibmcge: fix incorrect multicast filtering issue net: hibmcge: fix wrong mtu log issue net: hibmcge: fix not restore rx pause mac addr after reset issue Jocelyn Falempe (1): drm/ast: Fix ast_dp connection status Joe Damato (1): eventpoll: Set epoll timeout if it's in the future Johannes Berg (2): wifi: iwlwifi: pcie: set state to no-FW before reset handshake Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Johannes Kimmel (1): btrfs: correctly escape subvol in btrfs_show_options() Jonas Gorski (2): net: b53: enable BPDU reception for management port net: bridge: switchdev: do not notify new brentries as changed Juergen Gross (1): xen: fix multicall debug feature Kailang Yang (1): ALSA: hda/realtek - Fixed ASUS platform headset Mic issue Kan Liang (3): perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Kashyap Desai (1): RDMA/bnxt_re: Fix budget handling of notification queue Kees Cook (1): Bluetooth: vhci: Avoid needless snprintf() calls Kirill A. Shutemov (1): mm: fix apply_to_existing_page_range() Kuniyuki Iwashima (3): smc: Fix lockdep false-positive for IPPROTO_SMC. Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" Revert "smb: client: fix TCP timers deadlock after rmmod" Kurt Borja (2): platform/x86: alienware-wmi-wmax: Add G-Mode support to Alienware m16 R1 platform/x86: alienware-wmi-wmax: Extend support to more laptops Leo Li (2): drm/amd/display: Actually do immediate vblank disable drm/amd/display: Increase vblank offdelay for PSR panels Leon Romanovsky (1): RDMA/bnxt_re: Remove unusable nq variable Li Lingfeng (1): nfsd: decrease sc_count directly if fail to queue dl_recall Lijo Lazar (1): drm/amdgpu: Prefer shadow rom when available Lorenzo Stoakes (1): mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Lucas De Marchi (1): drm/xe: Set LRC addresses before guc load Luiz Augusto von Dentz (1): Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Lukas Fischer (1): scripts: generate_rust_analyzer: Add ffi crate Mario Limonciello (4): platform/x86: amd: pmf: Fix STT limits drm/amd: Handle being compiled without SI or CIK support better drm/amd/display: Add HP Elitebook 645 to the quirk list for eDP on DP1 drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1 Mark Brown (1): selftests/mm: generate a temporary mountpoint for cgroup filesystem Martin K. Petersen (1): block: integrity: Do not call set_page_dirty_lock() Martin Wilck (1): scsi: smartpqi: Use is_kdump_kernel() to check for kdump Matt Johnston (1): net: mctp: Set SOCK_RCU_FREE Matt Roper (1): drm/xe/bmg: Add one additional PCI ID Matthew Auld (3): drm/amdgpu/dma_buf: fix page_link check drm/xe/dma_buf: stop relying on placement in unmap drm/xe/userptr: fix notifier vs folio deadlock Matthew Brost (1): drm/xe: Use local fence in error path of xe_migrate_clear Matthew Wilcox (Oracle) (1): test suite: use %zu to print size_t Maíra Canal (1): drm/v3d: Fix Indirect Dispatch configuration for V3D 7.1.6 and later Meghana Malladi (3): net: ti: icss-iep: Add pwidth configuration for perout signal net: ti: icss-iep: Add phase offset configuration for perout signal net: ti: icss-iep: Fix possible NULL pointer dereference for perout request Menglong Dong (1): ftrace: fix incorrect hash size in register_ftrace_direct() Miaoqian Lin (1): scsi: iscsi: Fix missing scsi_host_put() in error path Michael Walle (1): net: ethernet: ti: am65-cpsw: fix port_np reference counting Miguel Ojeda (4): objtool/rust: add one more `noreturn` Rust function for Rust 1.86.0 rust: kasan/kbuild: fix missing flags on first build rust: disable `clippy::needless_continue` rust: kbuild: use `pound` to support GNU Make < 4.3 Miklos Szeredi (1): ovl: don't allow datadir only Namhyung Kim (1): perf tools: Remove evsel__handle_error_quirks() Namjae Jeon (3): ksmbd: fix use-after-free in __smb2_lease_break_noti() ksmbd: fix use-after-free in smb_break_all_levII_oplock() ksmbd: fix the warning from __kernel_write_iter Nathan Chancellor (1): riscv: Avoid fortify warning in syscall_get_arguments() Nikita Zhandarovich (1): drm/repaper: fix integer overflows in repeat functions Niklas Cassel (1): ata: libata-sata: Save all fields from sense data descriptor P Praneesh (1): wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Pavel Begunkov (1): io_uring: don't post tag CQEs on file/buffer registration failure Peter Collingbourne (1): string: Add load_unaligned_zeropad() code path to sized_strscpy() Peter Griffin (3): scsi: ufs: exynos: Move UFS shareability value to drvdata scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set scsi: ufs: exynos: Ensure consistent phy reference counts Peter Ujfalusi (1): ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S16 Rafael J. Wysocki (3): cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS cpufreq/sched: Explicitly synchronize limits_changed flag handling cpufreq: Reference count policy in cpufreq_update_limits() Remi Pommarel (2): wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() wifi: mac80211: Purge vif txq in ieee80211_do_stop() Richard Fitzgerald (2): ALSA: hda/cirrus_scodec_test: Don't select dependencies firmware: cs_dsp: test_bin_error: Fix uninitialized data used as fw version Rob Clark (1): drm/msm/a6xx+: Don't let IB_SIZE overflow Rolf Eike Beer (1): drm/sti: remove duplicate object names Sagi Maimon (1): ptp: ocp: fix start time alignment in ptp_ocp_signal_set Sami Tolvanen (1): rust: kbuild: Don't export __pfx symbols Samuel Holland (2): riscv: module: Fix out-of-bounds relocation access riscv: module: Allocate PLT entries for R_RISCV_PLT32 Sandipan Das (1): x86/cpu/amd: Fix workaround for erratum 1054 Sean Heelan (1): ksmbd: Fix dangling pointer in krb_authenticate Sharath Srinivasan (1): RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Shay Drory (1): RDMA/core: Silence oversized kvmalloc() warning Sheng Yong (1): lib/iov_iter: fix to increase non slab folio refcount Sidong Yang (1): btrfs: ioctl: don't free iov when btrfs_encoded_read() returns -EAGAIN Srinivas Kandagatla (2): ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Srinivas Pandruvada (1): thermal: intel: int340x: Fix Panther Lake DLVR support Steven Rostedt (1): tracing: Fix filter string testing Suren Baghdasaryan (1): slab: ensure slab->obj_exts is clear in a newly allocated slab page T.J. Mercier (1): alloc_tag: handle incomplete bulk allocations in vm_module_tags_populate Thadeu Lima de Souza Cascardo (1): i2c: cros-ec-tunnel: defer probe if parent EC is not present Thomas Hellström (1): drm/xe: Fix an out-of-bounds shift when invalidating TLB Thomas Weißschuh (3): kunit: qemu_configs: SH: Respect kunit cmdline loop: properly send KOBJ_CHANGED uevent for disk device loop: LOOP_SET_FD: send uevents for partitions Thomas Zimmermann (1): drm/mgag200: Fix value in <VBLKSTR> register Tom Chung (1): drm/amd/display: Do not enable Replay and PSR while VRR is on in amdgpu_dm_commit_planes() Tomasz Pakuła (1): drm/amd/pm: Add zero RPM enabled OD setting support for SMU14.0.2 Vasiliy Kovalev (1): hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Ville Syrjälä (2): drm/i915: Fix scanline_offset for LNL+ and BMG+ drm/i915/dp: Reject HBR3 when sink doesn't support TPS4 Vishal Moola (Oracle) (2): mm/compaction: fix bug in hugetlb handling pathway mm: fix filemap_get_folios_contig returning batches of identical folios Vivek Kasireddy (1): drm/i915/xe2hpd: Identify the memory type for SKUs with GDDR + ECC Vladimir Oltean (5): net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported net: dsa: clean up FDB, MDB, VLAN entries on unbind net: dsa: free routing table on probe failure net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails WangYuli (6): riscv: KGDB: Do not inline arch_kgdb_breakpoint() riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break nvmet-fc: Remove unused functions MIPS: dec: Declare which_prom() as static MIPS: cevt-ds1287: Add missing ds1287.h include MIPS: ds1287: Match ds1287_set_base_clock() function types Weizhao Ouyang (1): can: rockchip_canfd: fix broken quirks checks Will Pierce (1): riscv: Use kvmalloc_array on relocation_hashtable Xiangsheng Hou (1): virtiofs: add filesystem context source name check Xin Long (1): ipv6: add exception routes to GC list in rt6_insert_exception Xingui Yang (1): scsi: hisi_sas: Enable force phy when SATA disk directly connected Yazen Ghannam (2): RAS/AMD/ATL: Include row[13] bit in row retirement RAS/AMD/FMPM: Get masked address Yu Kuai (1): md/raid10: fix missing discard IO accounting Yue Haibing (1): RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Yunlong Xing (1): loop: aio inherit the ioprio of original request ZhenGuo Yin (1): drm/amdgpu: fix warning of drm_mm_clean Zheng Qixing (2): md/md-bitmap: fix stats collection for external bitmaps block: fix resource leak in blk_register_queue() error path

6 months, 2 weeks

1
1
0 0

Linux 6.12.25

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.25 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/arch/arm64/booting.rst | 22 + Documentation/devicetree/bindings/soc/fsl/fsl,ls1028a-reset.yaml | 2 Documentation/netlink/specs/ovs_vport.yaml | 4 Documentation/netlink/specs/rt_link.yaml | 14 Documentation/wmi/devices/msi-wmi-platform.rst | 4 Makefile | 6 arch/arm64/include/asm/el2_setup.h | 25 + arch/arm64/tools/sysreg | 104 ++++++ arch/loongarch/kernel/acpi.c | 12 arch/mips/dec/prom/init.c | 2 arch/mips/include/asm/ds1287.h | 2 arch/mips/kernel/cevt-ds1287.c | 1 arch/riscv/include/asm/kgdb.h | 9 arch/riscv/include/asm/syscall.h | 7 arch/riscv/kernel/kgdb.c | 6 arch/riscv/kernel/module-sections.c | 13 arch/riscv/kernel/module.c | 11 arch/riscv/kernel/setup.c | 36 ++ arch/x86/boot/compressed/mem.c | 5 arch/x86/boot/compressed/sev.c | 67 ---- arch/x86/boot/compressed/sev.h | 2 arch/x86/events/intel/ds.c | 8 arch/x86/events/intel/uncore_snbep.c | 107 ------ arch/x86/kernel/cpu/amd.c | 19 - arch/x86/kernel/cpu/microcode/amd.c | 9 arch/x86/xen/multicalls.c | 26 - arch/x86/xen/smp_pv.c | 1 arch/x86/xen/xen-ops.h | 3 block/bio-integrity.c | 17 - block/blk-core.c | 6 block/blk-merge.c | 2 block/blk-mq-cpumap.c | 37 ++ block/blk-mq.c | 42 +- block/blk-mq.h | 2 block/blk-sysfs.c | 2 drivers/ata/libata-sata.c | 15 drivers/block/loop.c | 121 +------ drivers/block/null_blk/main.c | 9 drivers/block/virtio_blk.c | 13 drivers/bluetooth/btrtl.c | 2 drivers/bluetooth/hci_vhci.c | 10 drivers/cpufreq/cpufreq.c | 8 drivers/crypto/caam/qi.c | 6 drivers/crypto/tegra/tegra-se-aes.c | 131 ++++---- drivers/crypto/tegra/tegra-se-hash.c | 38 +- drivers/crypto/tegra/tegra-se.h | 2 drivers/dma-buf/sw_sync.c | 19 - drivers/firmware/efi/libstub/efistub.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 34 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 4 drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 21 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 64 +++- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 6 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 17 - drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 9 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 6 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 7 drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c | 2 drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 drivers/gpu/drm/ast/ast_dp.c | 6 drivers/gpu/drm/i915/display/intel_display.c | 4 drivers/gpu/drm/i915/gvt/opregion.c | 7 drivers/gpu/drm/imagination/pvr_fw.c | 27 + drivers/gpu/drm/imagination/pvr_job.c | 7 drivers/gpu/drm/imagination/pvr_queue.c | 4 drivers/gpu/drm/mgag200/mgag200_mode.c | 2 drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 72 ++-- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 8 drivers/gpu/drm/msm/dsi/dsi_host.c | 9 drivers/gpu/drm/msm/registers/adreno/adreno_pm4.xml | 7 drivers/gpu/drm/nouveau/nouveau_bo.c | 3 drivers/gpu/drm/nouveau/nouveau_gem.c | 3 drivers/gpu/drm/sti/Makefile | 2 drivers/gpu/drm/tiny/repaper.c | 4 drivers/gpu/drm/v3d/v3d_sched.c | 16 - drivers/gpu/drm/xe/xe_dma_buf.c | 5 drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 12 drivers/gpu/drm/xe/xe_guc_ads.c | 75 ++-- drivers/gpu/drm/xe/xe_hmm.c | 24 - drivers/gpu/drm/xe/xe_migrate.c | 2 drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 drivers/i2c/i2c-atr.c | 2 drivers/infiniband/core/cma.c | 4 drivers/infiniband/core/umem_odp.c | 6 drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 drivers/md/md-bitmap.c | 5 drivers/md/md.c | 22 - drivers/md/raid10.c | 1 drivers/misc/pci_endpoint_test.c | 4 drivers/net/can/rockchip/rockchip_canfd-core.c | 7 drivers/net/dsa/b53/b53_common.c | 10 drivers/net/dsa/mv88e6xxx/chip.c | 13 drivers/net/dsa/mv88e6xxx/devlink.c | 3 drivers/net/ethernet/amd/pds_core/debugfs.c | 5 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 drivers/net/ethernet/intel/igc/igc.h | 1 drivers/net/ethernet/intel/igc/igc_defines.h | 6 drivers/net/ethernet/intel/igc/igc_main.c | 1 drivers/net/ethernet/intel/igc/igc_ptp.c | 113 ++++--- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 49 +-- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 15 drivers/net/ethernet/ti/icssg/icss_iep.c | 154 ++++++---- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 3 drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 3 drivers/net/wireless/ath/ath12k/dp_mon.c | 4 drivers/net/wireless/atmel/at76c50x-usb.c | 2 drivers/net/wireless/ti/wl1251/tx.c | 4 drivers/nvme/host/apple.c | 2 drivers/nvme/host/pci.c | 15 drivers/nvme/target/fc.c | 14 drivers/pci/pci.c | 4 drivers/platform/x86/amd/pmf/auto-mode.c | 4 drivers/platform/x86/amd/pmf/cnqf.c | 8 drivers/platform/x86/amd/pmf/core.c | 14 drivers/platform/x86/amd/pmf/pmf.h | 1 drivers/platform/x86/amd/pmf/sps.c | 12 drivers/platform/x86/amd/pmf/tee-if.c | 6 drivers/platform/x86/asus-laptop.c | 9 drivers/platform/x86/msi-wmi-platform.c | 99 ++++-- drivers/ptp/ptp_ocp.c | 1 drivers/ras/amd/atl/internal.h | 3 drivers/ras/amd/atl/umc.c | 19 + drivers/ras/amd/fmpm.c | 9 drivers/scsi/fnic/fnic_main.c | 3 drivers/scsi/hisi_sas/hisi_sas.h | 1 drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 18 - drivers/scsi/megaraid/megaraid_sas_base.c | 12 drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 drivers/scsi/mpi3mr/mpi3mr.h | 1 drivers/scsi/mpi3mr/mpi3mr_os.c | 2 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 drivers/scsi/pm8001/pm8001_init.c | 2 drivers/scsi/pm8001/pm8001_sas.h | 1 drivers/scsi/qla2xxx/qla_nvme.c | 3 drivers/scsi/qla2xxx/qla_os.c | 4 drivers/scsi/scsi_transport_iscsi.c | 7 drivers/scsi/smartpqi/smartpqi_init.c | 20 - drivers/ufs/host/ufs-exynos.c | 6 fs/Kconfig | 1 fs/btrfs/super.c | 3 fs/fuse/virtio_fs.c | 3 fs/hfs/bnode.c | 6 fs/hfsplus/bnode.c | 6 fs/isofs/export.c | 2 fs/nfs/Kconfig | 2 fs/nfs/internal.h | 7 fs/nfs/nfs4session.h | 4 fs/nfsd/Kconfig | 1 fs/nfsd/nfs4state.c | 2 fs/nfsd/nfsfh.h | 7 fs/overlayfs/overlayfs.h | 2 fs/overlayfs/super.c | 5 fs/smb/client/cifsproto.h | 2 fs/smb/client/connect.c | 34 -- fs/smb/client/file.c | 28 + fs/smb/server/oplock.c | 29 - fs/smb/server/oplock.h | 1 fs/smb/server/smb2pdu.c | 4 fs/smb/server/transport_ipc.c | 7 fs/smb/server/vfs.c | 3 include/linux/backing-dev.h | 1 include/linux/blk-mq.h | 101 +++--- include/linux/blkdev.h | 11 include/linux/bpf.h | 1 include/linux/bpf_verifier.h | 1 include/linux/device/bus.h | 3 include/linux/nfs.h | 7 io_uring/rw.c | 4 kernel/bpf/verifier.c | 79 ++++- kernel/sched/cpufreq_schedutil.c | 46 ++ kernel/trace/ftrace.c | 7 kernel/trace/trace_events_filter.c | 4 lib/string.c | 13 mm/compaction.c | 6 mm/filemap.c | 1 mm/gup.c | 4 mm/memory.c | 4 mm/slub.c | 10 mm/userfaultfd.c | 13 mm/vma.c | 38 ++ mm/vma.h | 9 net/bluetooth/hci_event.c | 5 net/bluetooth/l2cap_core.c | 21 + net/bridge/br_vlan.c | 4 net/dsa/dsa.c | 59 +++ net/dsa/tag_8021q.c | 2 net/ethtool/cmis_cdb.c | 2 net/ipv6/route.c | 1 net/mac80211/iface.c | 3 net/mctp/af_mctp.c | 3 net/openvswitch/flow_netlink.c | 3 net/smc/af_smc.c | 5 scripts/Makefile.compiler | 4 scripts/generate_rust_analyzer.py | 12 sound/pci/hda/Kconfig | 4 sound/pci/hda/patch_realtek.c | 55 +++ sound/soc/codecs/cs42l43-jack.c | 3 sound/soc/codecs/lpass-wsa-macro.c | 117 +++++-- sound/soc/dwc/dwc-i2s.c | 13 sound/soc/fsl/fsl_qmc_audio.c | 3 sound/soc/intel/avs/pcm.c | 3 sound/soc/intel/boards/sof_sdw.c | 1 sound/soc/qcom/lpass.h | 3 tools/objtool/check.c | 1 tools/testing/kunit/qemu_configs/sh.py | 4 tools/testing/selftests/bpf/prog_tests/changes_pkt_data.c | 107 ++++++ tools/testing/selftests/bpf/progs/changes_pkt_data.c | 39 ++ tools/testing/selftests/bpf/progs/changes_pkt_data_freplace.c | 18 + tools/testing/selftests/bpf/progs/raw_tp_null.c | 19 - tools/testing/selftests/bpf/progs/verifier_sock.c | 56 +++ tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 4 tools/testing/selftests/mm/hugetlb_reparenting_test.sh | 2 tools/testing/shared/linux.c | 4 226 files changed, 2243 insertions(+), 1187 deletions(-) Abdun Nihaal (6): wifi: at76c50x: fix use after free access in at76_disconnect wifi: wl1251: fix memory leak in wl1251_tx_work pds_core: fix memory leak in pdsc_debugfs_add_qcq() net: ngbe: fix memory leak in ngbe_probe() error path cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path net: txgbe: fix memory leak in txgbe_probe() error path Akhil P Oommen (1): drm/msm/a6xx: Fix stale rpmh votes from GPU Akhil R (2): crypto: tegra - Do not use fixed size buffers crypto: tegra - Fix IV usage for AES ECB Alex Deucher (2): drm/amdgpu/mes12: optimize MES pipe FW version fetching drm/amdgpu/mes11: optimize MES pipe FW version fetching Alex Williamson (1): Revert "PCI: Avoid reset when disabled via sysfs" Alexander Tsoy (1): Revert "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process" Andreas Gruenbacher (1): writeback: fix false warning in inode_to_wb() Andy Shevchenko (1): i2c: atr: Fix wrong include Ankit Nautiyal (1): drm/i915/vrr: Add vrr.vsync_{start, end} in vrr_params_changed Anshuman Khandual (7): arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 arm64/sysreg: Add register fields for HDFGRTR2_EL2 arm64/sysreg: Add register fields for HDFGWTR2_EL2 arm64/sysreg: Add register fields for HFGITR2_EL2 arm64/sysreg: Add register fields for HFGRTR2_EL2 arm64/sysreg: Add register fields for HFGWTR2_EL2 arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9 Ard Biesheuvel (1): x86/boot/sev: Avoid shared GHCB page for early memory acceptance Armin Wolf (2): platform/x86: msi-wmi-platform: Rename "data" variable platform/x86: msi-wmi-platform: Workaround a ACPI firmware bug Aurabindo Pillai (1): drm/amd/display: Temporarily disable hostvm on DCN31 Baoquan He (1): mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Björn Töpel (1): riscv: Properly export reserved regions in /proc/iomem Bo-Cun Chen (3): net: ethernet: mtk_eth_soc: reapply mdc divider on reset net: ethernet: mtk_eth_soc: correct the max weight of the queue limit for 100Mbps net: ethernet: mtk_eth_soc: revise QDMA packet scheduler settings Borislav Petkov (AMD) (1): x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches Brady Norander (1): ASoC: dwc: always enable/disable i2s irqs Brendan King (2): drm/imagination: fix firmware memory leaks drm/imagination: take paired job reference Brendan Tam (1): drm/amd/display: prevent hang on link training fail Chandrakanth Patil (1): scsi: megaraid_sas: Block zero-length ATA VPD inquiry Charles Keepax (1): ASoC: cs42l43: Reset clamp override on jack removal Chengchang Tang (1): RDMA/hns: Fix wrong maximum DMA segment size Chris Bainbridge (1): drm/nouveau: prime: fix ttm_bo_delayed_delete oops Christian König (1): drm/amdgpu: immediately use GTT for new allocations Christoph Hellwig (4): loop: stop using vfs_iter_{read,write} for buffered I/O block: remove rq_list_move block: add a rq_list type block: don't reorder requests in blk_add_rq_to_plug Christopher S M Hall (6): igc: fix PTM cycle trigger logic igc: increase wait time before retrying PTM igc: move ktime snapshot into PTM retry loop igc: handle the IGC_PTP_ENABLED flag correctly igc: cleanup PTP module if probe fails igc: add lock preventing multiple simultaneous PTM transactions Chunjie Zhu (1): smb3 client: fix open hardlink on deferred close file error Colin Ian King (1): crypto: tegra - remove redundant error check on ret Damodharam Ammepalli (1): ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() Dan Carpenter (2): Bluetooth: btrtl: Prevent potential NULL dereference dma-buf/sw_sync: Decrement refcount on error in sw_sync_ioctl_get_deadline() Daniel Wagner (3): driver core: bus: add irq_get_affinity callback to bus_type blk-mq: introduce blk_mq_map_hw_queues scsi: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues Dapeng Mi (1): perf/x86/intel: Allow to update user space GPRs from PEBS records Denis Arefev (8): asus-laptop: Fix an uninitialized variable ksmbd: Prevent integer overflow in calculation of deadtime drm/amd/pm: Prevent division by zero drm/amd/pm/powerplay: Prevent division by zero drm/amd/pm/smu11: Prevent division by zero drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Eduard Zingerman (8): bpf: add find_containing_subprog() utility function bpf: track changes_pkt_data property for global functions selftests/bpf: test for changing packet data from global functions bpf: check changes_pkt_data property for extension programs selftests/bpf: freplace tests for tracking of changes_packet_data selftests/bpf: validate that tail call invalidates packet pointers bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs selftests/bpf: extend changes_pkt_data with cases w/o subprograms Edward Adam Davis (1): isofs: Prevent the use of too small fid Eric Biggers (1): nfs: add missing selections of CONFIG_CRC32 Evgeny Pimenov (1): ASoC: qcom: Fix sc7280 lpass potential buffer overflow Frédéric Danis (2): Bluetooth: l2cap: Check encryption key size on incoming connection Bluetooth: l2cap: Process valid commands in too long frame Geert Uytterhoeven (1): dt-bindings: soc: fsl: fsl,ls1028a-reset: Fix maintainer entry Giuseppe Scrivano (1): ovl: remove unused forward declaration Greg Kroah-Hartman (1): Linux 6.12.25 Hamza Mahfooz (1): efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32 Haoxiang Li (1): drm/msm/dsi: Add check for devm_kstrdup() Henry Martin (1): ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() Herbert Xu (1): crypto: caam/qi - Fix drv_ctx refcount bug Herve Codina (1): ASoC: fsl: fsl_qmc_audio: Reset audio data pointers on TRIGGER_START event Huacai Chen (3): drm/amd/display: Protect FPU in dml2_validate()/dml21_validate() drm/amd/display: Protect FPU in dml21_copy() drm/amd/display: Protect FPU in dml2_init()/dml21_init() Ilya Maximets (1): net: openvswitch: fix nested key length validation in the set() action Jakub Kicinski (4): netlink: specs: ovs_vport: align with C codegen capabilities eth: bnxt: fix missing ring index trim on error path netlink: specs: rt-link: add an attr layer around alt-ifname netlink: specs: rt-link: adjust mctp attribute naming Jani Nikula (1): drm/i915/gvt: fix unterminated-string-initialization warning Jaroslav Kysela (1): ALSA: hda: improve bass speaker support for ASUS Zenbook UM5606WA Jens Axboe (1): block: make struct rq_list available for !CONFIG_BLOCK Jocelyn Falempe (1): drm/ast: Fix ast_dp connection status Johannes Berg (1): Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Johannes Kimmel (1): btrfs: correctly escape subvol in btrfs_show_options() Jonas Gorski (2): net: b53: enable BPDU reception for management port net: bridge: switchdev: do not notify new brentries as changed Juergen Gross (1): xen: fix multicall debug feature Kailang Yang (1): ALSA: hda/realtek - Fixed ASUS platform headset Mic issue Kan Liang (3): perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Kees Cook (1): Bluetooth: vhci: Avoid needless snprintf() calls Kirill A. Shutemov (1): mm: fix apply_to_existing_page_range() Kunihiko Hayashi (2): misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kuniyuki Iwashima (3): smc: Fix lockdep false-positive for IPPROTO_SMC. Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" Revert "smb: client: fix TCP timers deadlock after rmmod" Leo Li (2): drm/amd/display: Actually do immediate vblank disable drm/amd/display: Increase vblank offdelay for PSR panels Li Lingfeng (1): nfsd: decrease sc_count directly if fail to queue dl_recall Lijo Lazar (1): drm/amdgpu: Prefer shadow rom when available Lorenzo Stoakes (1): mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Lucas De Marchi (1): drm/xe: Set LRC addresses before guc load Luiz Augusto von Dentz (1): Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Lukas Fischer (1): scripts: generate_rust_analyzer: Add ffi crate Mario Limonciello (4): platform/x86: amd: pmf: Fix STT limits drm/amd: Handle being compiled without SI or CIK support better drm/amd/display: Add HP Elitebook 645 to the quirk list for eDP on DP1 drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1 Mark Brown (1): selftests/mm: generate a temporary mountpoint for cgroup filesystem Martin K. Petersen (1): block: integrity: Do not call set_page_dirty_lock() Martin Wilck (1): scsi: smartpqi: Use is_kdump_kernel() to check for kdump Matt Johnston (1): net: mctp: Set SOCK_RCU_FREE Matthew Auld (3): drm/amdgpu/dma_buf: fix page_link check drm/xe/dma_buf: stop relying on placement in unmap drm/xe/userptr: fix notifier vs folio deadlock Matthew Brost (1): drm/xe: Use local fence in error path of xe_migrate_clear Matthew Wilcox (Oracle) (1): test suite: use %zu to print size_t Maíra Canal (1): drm/v3d: Fix Indirect Dispatch configuration for V3D 7.1.6 and later Meghana Malladi (3): net: ti: icss-iep: Add pwidth configuration for perout signal net: ti: icss-iep: Add phase offset configuration for perout signal net: ti: icss-iep: Fix possible NULL pointer dereference for perout request Menglong Dong (1): ftrace: fix incorrect hash size in register_ftrace_direct() Miaoqian Lin (1): scsi: iscsi: Fix missing scsi_host_put() in error path Michael Walle (1): net: ethernet: ti: am65-cpsw: fix port_np reference counting Miguel Ojeda (4): objtool/rust: add one more `noreturn` Rust function for Rust 1.86.0 rust: kasan/kbuild: fix missing flags on first build rust: disable `clippy::needless_continue` rust: kbuild: use `pound` to support GNU Make < 4.3 Miklos Szeredi (1): ovl: don't allow datadir only Namjae Jeon (2): ksmbd: fix use-after-free in smb_break_all_levII_oplock() ksmbd: fix the warning from __kernel_write_iter Nathan Chancellor (2): riscv: Avoid fortify warning in syscall_get_arguments() kbuild: Add '-fno-builtin-wcslen' Nikita Zhandarovich (1): drm/repaper: fix integer overflows in repeat functions Niklas Cassel (1): ata: libata-sata: Save all fields from sense data descriptor P Praneesh (1): wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Peter Collingbourne (1): string: Add load_unaligned_zeropad() code path to sized_strscpy() Peter Griffin (1): scsi: ufs: exynos: Ensure consistent phy reference counts Peter Ujfalusi (1): ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S16 Rafael J. Wysocki (3): cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS cpufreq/sched: Explicitly synchronize limits_changed flag handling cpufreq: Reference count policy in cpufreq_update_limits() Remi Pommarel (2): wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() wifi: mac80211: Purge vif txq in ieee80211_do_stop() Richard Fitzgerald (1): ALSA: hda/cirrus_scodec_test: Don't select dependencies Rob Clark (1): drm/msm/a6xx+: Don't let IB_SIZE overflow Rolf Eike Beer (1): drm/sti: remove duplicate object names Sagi Maimon (1): ptp: ocp: fix start time alignment in ptp_ocp_signal_set Samuel Holland (2): riscv: module: Fix out-of-bounds relocation access riscv: module: Allocate PLT entries for R_RISCV_PLT32 Sandipan Das (1): x86/cpu/amd: Fix workaround for erratum 1054 Sean Heelan (1): ksmbd: Fix dangling pointer in krb_authenticate Sharath Srinivasan (1): RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Shay Drory (1): RDMA/core: Silence oversized kvmalloc() warning Shung-Hsi Yu (1): selftests/bpf: Fix raw_tp null handling test Srinivas Kandagatla (2): ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Steven Rostedt (1): tracing: Fix filter string testing Suren Baghdasaryan (1): slab: ensure slab->obj_exts is clear in a newly allocated slab page Takashi Iwai (1): ALSA: hda/realtek: Workaround for resume on Dell Venue 11 Pro 7130 Thadeu Lima de Souza Cascardo (1): i2c: cros-ec-tunnel: defer probe if parent EC is not present Thomas Hellström (1): drm/xe: Fix an out-of-bounds shift when invalidating TLB Thomas Weißschuh (3): kunit: qemu_configs: SH: Respect kunit cmdline loop: properly send KOBJ_CHANGED uevent for disk device loop: LOOP_SET_FD: send uevents for partitions Thomas Zimmermann (1): drm/mgag200: Fix value in <VBLKSTR> register Tom Chung (1): drm/amd/display: Do not enable Replay and PSR while VRR is on in amdgpu_dm_commit_planes() Vasiliy Kovalev (1): hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Vishal Moola (Oracle) (2): mm/compaction: fix bug in hugetlb handling pathway mm: fix filemap_get_folios_contig returning batches of identical folios Vladimir Oltean (5): net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported net: dsa: clean up FDB, MDB, VLAN entries on unbind net: dsa: free routing table on probe failure net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails WangYuli (6): riscv: KGDB: Do not inline arch_kgdb_breakpoint() riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break nvmet-fc: Remove unused functions MIPS: dec: Declare which_prom() as static MIPS: cevt-ds1287: Add missing ds1287.h include MIPS: ds1287: Match ds1287_set_base_clock() function types Weizhao Ouyang (1): can: rockchip_canfd: fix broken quirks checks Will Pierce (1): riscv: Use kvmalloc_array on relocation_hashtable Xiangsheng Hou (1): virtiofs: add filesystem context source name check Xin Long (1): ipv6: add exception routes to GC list in rt6_insert_exception Xingui Yang (1): scsi: hisi_sas: Enable force phy when SATA disk directly connected Yazen Ghannam (2): RAS/AMD/ATL: Include row[13] bit in row retirement RAS/AMD/FMPM: Get masked address Yu Kuai (2): md/raid10: fix missing discard IO accounting md: fix mddev uaf while iterating all_mddevs list Yue Haibing (1): RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Yuli Wang (1): LoongArch: Eliminate superfluous get_numa_distances_cnt() Yunlong Xing (1): loop: aio inherit the ioprio of original request ZhenGuo Yin (1): drm/amdgpu: fix warning of drm_mm_clean Zheng Qixing (2): md/md-bitmap: fix stats collection for external bitmaps block: fix resource leak in blk_register_queue() error path

6 months, 2 weeks

1
1
0 0

Linux 6.6.88

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.88 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml | 3 Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml | 3 Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml | 2 Documentation/netlink/specs/rt_link.yaml | 14 MAINTAINERS | 1 Makefile | 5 arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 arch/arm64/include/asm/cputype.h | 4 arch/arm64/include/asm/spectre.h | 1 arch/arm64/include/asm/tlbflush.h | 22 - arch/arm64/kernel/proton-pack.c | 218 +++++----- arch/arm64/kvm/arm.c | 6 arch/arm64/mm/mmu.c | 3 arch/loongarch/kernel/acpi.c | 12 arch/mips/dec/prom/init.c | 2 arch/mips/include/asm/ds1287.h | 2 arch/mips/kernel/cevt-ds1287.c | 1 arch/powerpc/kernel/rtas.c | 4 arch/riscv/include/asm/kgdb.h | 9 arch/riscv/include/asm/syscall.h | 7 arch/riscv/kernel/kgdb.c | 6 arch/riscv/kernel/setup.c | 36 + arch/sparc/include/asm/pgtable_64.h | 2 arch/sparc/mm/tlb.c | 5 arch/x86/Kconfig | 1 arch/x86/boot/compressed/mem.c | 5 arch/x86/boot/compressed/sev.c | 67 --- arch/x86/boot/compressed/sev.h | 2 arch/x86/coco/tdx/tdx.c | 26 + arch/x86/events/intel/ds.c | 8 arch/x86/events/intel/uncore_snbep.c | 107 ---- arch/x86/include/asm/irqflags.h | 40 + arch/x86/include/asm/paravirt.h | 20 arch/x86/include/asm/paravirt_types.h | 3 arch/x86/include/asm/tdx.h | 4 arch/x86/include/asm/xen/hypervisor.h | 5 arch/x86/kernel/cpu/amd.c | 21 arch/x86/kernel/cpu/intel.c | 20 arch/x86/kernel/cpu/microcode/amd.c | 9 arch/x86/kernel/e820.c | 17 arch/x86/kernel/paravirt.c | 14 arch/x86/kernel/process.c | 2 arch/x86/kernel/signal_32.c | 62 +- arch/x86/kvm/cpuid.c | 8 arch/x86/kvm/x86.c | 4 arch/x86/mm/pat/set_memory.c | 6 arch/x86/platform/pvh/enlighten.c | 3 arch/x86/xen/enlighten.c | 10 arch/x86/xen/enlighten_pvh.c | 93 ++-- arch/x86/xen/setup.c | 3 block/blk-sysfs.c | 2 certs/Makefile | 2 certs/extract-cert.c | 138 +++--- drivers/acpi/platform_profile.c | 20 drivers/ata/ahci.c | 2 drivers/ata/libata-eh.c | 11 drivers/ata/libata-sata.c | 15 drivers/ata/pata_pxa.c | 6 drivers/ata/sata_sx4.c | 13 drivers/base/devres.c | 7 drivers/block/loop.c | 7 drivers/bluetooth/btqca.c | 13 drivers/bluetooth/btrtl.c | 2 drivers/bluetooth/hci_ldisc.c | 19 drivers/bluetooth/hci_uart.h | 1 drivers/bluetooth/hci_vhci.c | 10 drivers/bus/mhi/host/main.c | 16 drivers/char/tpm/tpm-chip.c | 5 drivers/char/tpm/tpm-interface.c | 7 drivers/char/tpm/tpm_tis_core.c | 20 drivers/char/tpm/tpm_tis_core.h | 1 drivers/clk/qcom/clk-branch.c | 4 drivers/clk/qcom/gdsc.c | 61 +- drivers/clocksource/timer-stm32-lp.c | 4 drivers/cpufreq/cpufreq.c | 8 drivers/crypto/caam/qi.c | 6 drivers/crypto/ccp/sp-pci.c | 15 drivers/firmware/efi/libstub/efistub.h | 2 drivers/gpio/gpio-tegra186.c | 27 - drivers/gpio/gpio-zynq.c | 1 drivers/gpu/drm/Kconfig | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 drivers/gpu/drm/amd/display/dc/dc.h | 2 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 22 - drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 2 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 2 drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 drivers/gpu/drm/drm_atomic_helper.c | 2 drivers/gpu/drm/drm_panel.c | 5 drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 ++ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 drivers/gpu/drm/i915/gt/intel_mocs.c | 4 drivers/gpu/drm/i915/gt/intel_rc6.c | 19 drivers/gpu/drm/i915/gt/uc/intel_huc.c | 11 drivers/gpu/drm/i915/gt/uc/intel_huc.h | 1 drivers/gpu/drm/i915/gt/uc/intel_uc.c | 1 drivers/gpu/drm/i915/gvt/opregion.c | 7 drivers/gpu/drm/i915/i915_debugfs.c | 2 drivers/gpu/drm/i915/selftests/i915_selftest.c | 54 ++ drivers/gpu/drm/mediatek/mtk_dpi.c | 23 - drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 72 +-- drivers/gpu/drm/nouveau/nouveau_bo.c | 3 drivers/gpu/drm/nouveau/nouveau_gem.c | 3 drivers/gpu/drm/sti/Makefile | 2 drivers/gpu/drm/tests/drm_client_modeset_test.c | 3 drivers/gpu/drm/tests/drm_cmdline_parser_test.c | 10 drivers/gpu/drm/tests/drm_kunit_helpers.c | 213 +++++++++ drivers/gpu/drm/tests/drm_modes_test.c | 22 + drivers/gpu/drm/tests/drm_probe_helper_test.c | 8 drivers/gpu/drm/tiny/repaper.c | 4 drivers/hid/Kconfig | 14 drivers/hid/Makefile | 1 drivers/hid/hid-ids.h | 31 + drivers/hid/hid-universal-pidff.c | 197 +++++++++ drivers/hid/usbhid/hid-pidff.c | 173 +++++-- drivers/hsi/clients/ssi_protocol.c | 1 drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 drivers/i2c/i2c-atr.c | 2 drivers/i3c/master.c | 3 drivers/i3c/master/svc-i3c-master.c | 2 drivers/infiniband/core/cma.c | 4 drivers/infiniband/core/umem_odp.c | 6 drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 drivers/iommu/iommufd/device.c | 18 drivers/iommu/mtk_iommu.c | 26 - drivers/leds/rgb/leds-qcom-lpg.c | 8 drivers/mailbox/tegra-hsp.c | 72 ++- drivers/md/dm-ebs-target.c | 7 drivers/md/dm-integrity.c | 3 drivers/md/dm-verity-target.c | 8 drivers/md/md-bitmap.c | 5 drivers/md/md.c | 22 - drivers/md/raid10.c | 1 drivers/media/common/siano/smsdvb-main.c | 2 drivers/media/i2c/adv748x/adv748x.h | 2 drivers/media/i2c/ccs/ccs-core.c | 6 drivers/media/i2c/imx219.c | 13 drivers/media/i2c/ov7251.c | 4 drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp9_req_lat_if.c | 3 drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++- drivers/media/platform/qcom/venus/hfi_venus.c | 18 drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 drivers/media/rc/streamzap.c | 68 +-- drivers/media/test-drivers/vim2m.c | 6 drivers/media/test-drivers/visl/visl-core.c | 12 drivers/media/usb/uvc/uvc_driver.c | 9 drivers/media/v4l2-core/v4l2-dv-timings.c | 4 drivers/mfd/ene-kb3930.c | 2 drivers/misc/pci_endpoint_test.c | 6 drivers/mmc/host/dw_mmc.c | 94 ++++ drivers/mmc/host/dw_mmc.h | 27 + drivers/mtd/inftlcore.c | 9 drivers/mtd/mtdpstore.c | 12 drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 drivers/mtd/nand/raw/r852.c | 3 drivers/net/dsa/b53/b53_common.c | 10 drivers/net/dsa/mv88e6xxx/chip.c | 30 + drivers/net/dsa/mv88e6xxx/devlink.c | 3 drivers/net/ethernet/amd/pds_core/debugfs.c | 5 drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 drivers/net/ethernet/google/gve/gve_ethtool.c | 4 drivers/net/ethernet/intel/igc/igc.h | 1 drivers/net/ethernet/intel/igc/igc_defines.h | 6 drivers/net/ethernet/intel/igc/igc_main.c | 1 drivers/net/ethernet/intel/igc/igc_ptp.c | 113 +++-- drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 5 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 19 drivers/net/ethernet/ti/am65-cpsw-nuss.h | 2 drivers/net/ethernet/ti/icssg/icss_iep.c | 154 ++++--- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 3 drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 3 drivers/net/phy/sfp.c | 2 drivers/net/ppp/ppp_synctty.c | 5 drivers/net/usb/asix_devices.c | 17 drivers/net/usb/cdc_ether.c | 7 drivers/net/usb/r8152.c | 6 drivers/net/usb/r8153_ecm.c | 6 drivers/net/wireless/ath/ath12k/dp_mon.c | 2 drivers/net/wireless/ath/ath12k/dp_rx.c | 42 + drivers/net/wireless/atmel/at76c50x-usb.c | 2 drivers/net/wireless/mediatek/mt76/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 drivers/net/wireless/realtek/rtw89/core.c | 2 drivers/net/wireless/realtek/rtw89/core.h | 6 drivers/net/wireless/realtek/rtw89/pci.c | 10 drivers/net/wireless/ti/wl1251/tx.c | 4 drivers/ntb/ntb_transport.c | 2 drivers/nvme/host/rdma.c | 8 drivers/nvme/target/fc.c | 14 drivers/nvme/target/fcloop.c | 2 drivers/of/irq.c | 80 ++- drivers/pci/controller/pcie-brcmstb.c | 13 drivers/pci/controller/vmd.c | 12 drivers/pci/pci.c | 4 drivers/pci/probe.c | 5 drivers/perf/arm_pmu.c | 8 drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 drivers/pinctrl/qcom/pinctrl-msm.c | 12 drivers/platform/x86/asus-laptop.c | 9 drivers/ptp/ptp_ocp.c | 1 drivers/pwm/pwm-fsl-ftm.c | 6 drivers/pwm/pwm-mediatek.c | 8 drivers/pwm/pwm-rcar.c | 24 - drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 drivers/scsi/megaraid/megaraid_sas_base.c | 9 drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 drivers/scsi/scsi_transport_iscsi.c | 7 drivers/scsi/st.c | 2 drivers/soc/samsung/exynos-chipid.c | 2 drivers/spi/spi-cadence-quadspi.c | 6 drivers/target/target_core_spc.c | 2 drivers/thermal/rockchip_thermal.c | 1 drivers/ufs/host/ufs-exynos.c | 6 drivers/usb/typec/ucsi/ucsi_ccg.c | 5 drivers/vdpa/mlx5/core/mr.c | 7 drivers/video/backlight/led_bl.c | 5 drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 drivers/xen/balloon.c | 34 + drivers/xen/xenfs/xensyms.c | 4 fs/Kconfig | 1 fs/btrfs/disk-io.c | 12 fs/btrfs/inode.c | 6 fs/btrfs/super.c | 3 fs/btrfs/zoned.c | 6 fs/ext4/inode.c | 68 ++- fs/ext4/namei.c | 2 fs/ext4/super.c | 17 fs/ext4/xattr.c | 11 fs/f2fs/checkpoint.c | 21 fs/f2fs/f2fs.h | 32 + fs/f2fs/inode.c | 8 fs/f2fs/node.c | 110 +---- fs/f2fs/super.c | 4 fs/file.c | 26 - fs/fuse/virtio_fs.c | 3 fs/hfs/bnode.c | 6 fs/hfsplus/bnode.c | 6 fs/isofs/export.c | 2 fs/jbd2/journal.c | 1 fs/jfs/jfs_dmap.c | 10 fs/jfs/jfs_imap.c | 4 fs/namespace.c | 3 fs/nfs/Kconfig | 2 fs/nfs/internal.h | 7 fs/nfs/nfs4session.h | 4 fs/nfsd/Kconfig | 1 fs/nfsd/nfs4state.c | 2 fs/nfsd/nfsfh.h | 7 fs/overlayfs/overlayfs.h | 2 fs/overlayfs/super.c | 5 fs/smb/client/cifsproto.h | 2 fs/smb/client/connect.c | 36 - fs/smb/client/file.c | 28 + fs/smb/client/fs_context.c | 5 fs/smb/client/inode.c | 10 fs/smb/client/reparse.c | 4 fs/smb/client/smb2misc.c | 9 fs/smb/server/oplock.c | 29 - fs/smb/server/oplock.h | 1 fs/smb/server/smb2pdu.c | 4 fs/smb/server/transport_ipc.c | 7 fs/smb/server/vfs.c | 3 fs/udf/inode.c | 1 fs/userfaultfd.c | 51 +- include/drm/drm_kunit_helpers.h | 28 + include/linux/backing-dev.h | 1 include/linux/hid.h | 9 include/linux/nfs.h | 7 include/linux/pgtable.h | 14 include/linux/rtnetlink.h | 22 + include/linux/tpm.h | 1 include/net/sctp/structs.h | 3 include/net/xdp.h | 9 include/uapi/linux/kfd_ioctl.h | 2 include/uapi/linux/landlock.h | 2 include/xen/interface/xen-mca.h | 2 io_uring/kbuf.c | 2 io_uring/net.c | 2 kernel/locking/lockdep.c | 3 kernel/sched/cpufreq_schedutil.c | 18 kernel/trace/ftrace.c | 8 kernel/trace/trace_events.c | 4 kernel/trace/trace_events_filter.c | 4 kernel/trace/trace_events_synth.c | 1 kernel/trace/trace_probe.c | 28 + lib/sg_split.c | 2 lib/string.c | 13 lib/zstd/common/portability_macros.h | 2 mm/filemap.c | 1 mm/gup.c | 4 mm/hugetlb.c | 2 mm/memory-failure.c | 11 mm/memory.c | 4 mm/mremap.c | 10 mm/page_vma_mapped.c | 13 mm/rmap.c | 2 mm/vmscan.c | 2 net/8021q/vlan_dev.c | 31 - net/bluetooth/hci_event.c | 5 net/bluetooth/l2cap_core.c | 21 net/bridge/br_vlan.c | 4 net/core/filter.c | 80 ++- net/core/page_pool.c | 8 net/dsa/dsa.c | 59 ++ net/dsa/tag_8021q.c | 2 net/ethtool/netlink.c | 8 net/ipv6/route.c | 8 net/mac80211/iface.c | 3 net/mac80211/mesh_hwmp.c | 14 net/mctp/af_mctp.c | 3 net/mptcp/sockopt.c | 28 + net/mptcp/subflow.c | 19 net/netfilter/nft_set_pipapo_avx2.c | 3 net/openvswitch/flow_netlink.c | 3 net/sched/cls_api.c | 74 ++- net/sched/sch_codel.c | 5 net/sched/sch_fq_codel.c | 6 net/sched/sch_sfq.c | 66 ++- net/sctp/socket.c | 22 - net/sctp/transport.c | 2 net/tipc/link.c | 1 net/tls/tls_main.c | 6 scripts/sign-file.c | 132 +++--- scripts/ssl-common.h | 32 + security/landlock/errata.h | 87 +++ security/landlock/setup.c | 30 + security/landlock/setup.h | 3 security/landlock/syscalls.c | 22 - sound/pci/hda/hda_intel.c | 44 +- sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 14 sound/soc/codecs/cs42l43-jack.c | 3 sound/soc/codecs/lpass-wsa-macro.c | 117 +++-- sound/soc/dwc/dwc-i2s.c | 13 sound/soc/fsl/fsl_audmix.c | 16 sound/soc/intel/avs/pcm.c | 3 sound/soc/qcom/lpass.h | 3 sound/soc/qcom/qdsp6/q6apm-dai.c | 9 sound/soc/qcom/qdsp6/q6apm.c | 18 sound/soc/qcom/qdsp6/q6apm.h | 3 sound/soc/qcom/qdsp6/q6asm-dai.c | 19 sound/soc/sof/topology.c | 4 sound/usb/midi.c | 80 +++ tools/objtool/check.c | 5 tools/power/cpupower/bench/parse.c | 4 tools/testing/ktest/ktest.pl | 8 tools/testing/kunit/qemu_configs/sh.py | 4 tools/testing/radix-tree/linux.c | 4 tools/testing/selftests/futex/functional/futex_wait_wouldblock.c | 2 tools/testing/selftests/landlock/base_test.c | 46 ++ tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 4 tools/testing/selftests/mm/hugetlb_reparenting_test.sh | 2 tools/testing/selftests/net/mptcp/diag.sh | 23 - tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 tools/testing/selftests/net/mptcp/mptcp_connect.sh | 19 tools/testing/selftests/net/mptcp/mptcp_join.sh | 20 tools/testing/selftests/net/mptcp/mptcp_lib.sh | 18 tools/testing/selftests/net/mptcp/simult_flows.sh | 19 376 files changed, 4203 insertions(+), 1859 deletions(-) Abdun Nihaal (5): wifi: at76c50x: fix use after free access in at76_disconnect wifi: wl1251: fix memory leak in wl1251_tx_work pds_core: fix memory leak in pdsc_debugfs_add_qcq() net: ngbe: fix memory leak in ngbe_probe() error path cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Abel Vesa (2): leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs Abhinav Kumar (1): drm: allow encoder mode_set even when connectors change for crtc Ajit Pandey (1): clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Akhil P Oommen (1): drm/msm/a6xx: Fix stale rpmh votes from GPU Alain Volmat (1): dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Alex Williamson (1): Revert "PCI: Avoid reset when disabled via sysfs" Alexander Sverdlin (1): net: ethernet: ti: am65-cpsw-nuss: rename phy_node -> port_np Alexandra Diupina (1): cifs: avoid NULL pointer dereference in dbg call Alexandre Torgue (1): clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Alexey Klimov (1): ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Andreas Gruenbacher (1): writeback: fix false warning in inode_to_wb() Andrew Wyatt (5): drm: panel-orientation-quirks: Add support for AYANEO 2S drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB drm: panel-orientation-quirks: Add quirk for AYA NEO Slide drm: panel-orientation-quirks: Add new quirk for GPD Win 2 drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Andy Shevchenko (1): i2c: atr: Fix wrong include AngeloGioacchino Del Regno (2): drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Ard Biesheuvel (1): x86/boot/sev: Avoid shared GHCB page for early memory acceptance Arnaud Lecomte (1): net: ppp: Add bound checking for skb data on ppp_sync_txmung Arnd Bergmann (2): media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Arseniy Krasnov (2): Bluetooth: hci_uart: fix race during initialization Bluetooth: hci_uart: Fix another race during initialization Artem Sadovnikov (1): ext4: fix off-by-one error in do_split Ayush Jain (1): ktest: Fix Test Failures Due to Missing LOG_FILE Directories Badal Nilawar (1): drm/i915: Disable RPG during live selftest Baoquan He (1): mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Bhupesh (1): ext4: ignore xattrs past end Birger Koblitz (1): net: sfp: add quirk for 2.5G OEM BX SFP Björn Töpel (1): riscv: Properly export reserved regions in /proc/iomem Bo-Cun Chen (2): net: ethernet: mtk_eth_soc: correct the max weight of the queue limit for 100Mbps net: ethernet: mtk_eth_soc: revise QDMA packet scheduler settings Boqun Feng (1): locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Boris Burkov (1): btrfs: fix qgroup reserve leaks in cow_file_range Borislav Petkov (AMD) (1): x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches Brady Norander (1): ASoC: dwc: always enable/disable i2s irqs Brendan Tam (1): drm/amd/display: add workaround flag to link to force FFE preset Bryan O'Donoghue (2): clk: qcom: gdsc: Release pm subdomains in reverse add order clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Chandrakanth Patil (1): scsi: megaraid_sas: Block zero-length ATA VPD inquiry Chao Yu (3): f2fs: don't retry IO for corrupted data scenario f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Revert "f2fs: rebuild nat_bits during umount" Chaohai Chen (1): scsi: target: spc: Fix RSOC parameter data header size Charles Keepax (1): ASoC: cs42l43: Reset clamp override on jack removal Chen-Yu Tsai (1): arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Chengchang Tang (1): RDMA/hns: Fix wrong maximum DMA segment size Chenyuan Yang (3): net: libwx: handle page_pool_dev_alloc_pages error soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() mfd: ene-kb3930: Fix a potential NULL pointer dereference Chris Bainbridge (1): drm/nouveau: prime: fix ttm_bo_delayed_delete oops Christian König (1): drm/amdgpu: grab an additional reference on the gang fence v2 Christopher S M Hall (6): igc: fix PTM cycle trigger logic igc: increase wait time before retrying PTM igc: move ktime snapshot into PTM retry loop igc: handle the IGC_PTP_ENABLED flag correctly igc: cleanup PTP module if probe fails igc: add lock preventing multiple simultaneous PTM transactions Chunguang.xu (1): nvme-rdma: unquiesce admin_q before destroy it Chunjie Zhu (1): smb3 client: fix open hardlink on deferred close file error Cong Liu (1): selftests: mptcp: fix incorrect fd checks in main_loop Cong Wang (1): codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Dan Carpenter (2): Bluetooth: btrtl: Prevent potential NULL dereference usb: typec: fix potential array underflow in ucsi_ccg_sync_control() Daniel Kral (1): ahci: add PCI ID for Marvell 88SE9215 SATA Controller Daniel Wagner (1): nvmet-fcloop: swap list_add_tail arguments Daniele Ceraolo Spurio (1): drm/i915/dg2: wait for HuC load completion before running selftests Dapeng Mi (1): perf/x86/intel: Allow to update user space GPRs from PEBS records David Hildenbrand (1): mm/rmap: reject hugetlb folios in folio_make_device_exclusive() David Yat Sin (1): drm/amdkfd: clamp queue size to minimum Denis Arefev (8): asus-laptop: Fix an uninitialized variable ksmbd: Prevent integer overflow in calculation of deadtime drm/amd/pm: Prevent division by zero drm/amd/pm/powerplay: Prevent division by zero drm/amd/pm/smu11: Prevent division by zero drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Dmitry Baryshkov (1): Bluetooth: qca: simplify WCN399x NVM loading Douglas Anderson (6): arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD arm64: cputype: Add MIDR_CORTEX_A76AE arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Edward Adam Davis (3): jfs: Prevent copying of nlink with value 0 from disk inode jfs: add sanity check for agwidth in dbMount isofs: Prevent the use of too small fid Edward Liaw (1): selftests/futex: futex_waitv wouldblock test should fail Eric Biggers (1): nfs: add missing selections of CONFIG_CRC32 Evgeny Pimenov (1): ASoC: qcom: Fix sc7280 lpass potential buffer overflow Fedor Pchelkin (1): ntb: use 64-bit arithmetic for the MSI doorbell mask Filipe Manana (1): btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Florian Westphal (1): nft_set_pipapo: fix incorrect avx2 match of 5th field octet Frédéric Danis (2): Bluetooth: l2cap: Check encryption key size on incoming connection Bluetooth: l2cap: Process valid commands in too long frame GONG Ruiqi (1): usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() Gabriele Paoloni (1): tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Gang Yan (1): mptcp: fix NULL pointer in can_accept_new_subflow Gavrilov Ilia (1): wifi: mac80211: fix integer overflow in hwmp_route_info_get() Geliang Tang (2): selftests: mptcp: close fd_in before returning in main_loop selftests: mptcp: add mptcp_lib_wait_local_port_listen Giuseppe Scrivano (1): ovl: remove unused forward declaration Greg Kroah-Hartman (1): Linux 6.6.88 Guixin Liu (1): gpio: tegra186: fix resource handling in ACPI probe path Haisu Wang (1): btrfs: fix the length of reserved qgroup to free Hamza Mahfooz (1): efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32 Haoxiang Li (1): wifi: mt76: Add check for devm_kstrdup() Hariprasad Kelam (1): octeontx2-pf: qos: fix VF root node parent queue index Harish Chegondi (1): drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ Henry Martin (2): ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() Herbert Xu (1): crypto: caam/qi - Fix drv_ctx refcount bug Hersen Wu (1): drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Herve Codina (1): backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Icenowy Zheng (1): wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Ido Schimmel (1): ipv6: Align behavior across nexthops during path selection Ilya Maximets (1): net: openvswitch: fix nested key length validation in the set() action Ingo Molnar (1): zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Jakub Kicinski (3): net: tls: explicitly disallow disconnect netlink: specs: rt-link: add an attr layer around alt-ifname netlink: specs: rt-link: adjust mctp attribute naming Jamal Hadi Salim (1): rtnl: add helper to check if rtnl group has listeners Jan Beulich (1): xenfs/xensyms: respect hypervisor's "next" indication Jan Kara (2): udf: Fix inode_getblk() return value jbd2: remove wrong sb->s_sequence check Jan Stancek (3): sign-file,extract-cert: move common SSL helper functions to a header sign-file,extract-cert: avoid using deprecated ERR_get_error_line() sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Jane Chu (1): mm: make page_mapped_in_vma() hugetlb walk aware Jani Nikula (2): drm/i915/mocs: use to_gt() instead of direct &i915->gt drm/i915/gvt: fix unterminated-string-initialization warning Jann Horn (1): ext4: don't treat fhandle lookup of ea_inode as FS corruption Janusz Krzysztofik (1): drm/i915/huc: Fix fence not released on early probe errors Jason Xing (1): page_pool: avoid infinite loop to schedule delayed worker Jeff Hugo (1): bus: mhi: host: Fix race between unprepare and queue_buf Jens Axboe (1): io_uring/kbuf: reject zero sized provided buffers Jiasheng Jiang (4): media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization media: platform: stm32: Add check for clk_enable() mtd: Add check for devm_kcalloc() mtd: Replace kcalloc() with devm_kcalloc() Jinjie Ruan (1): drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() Johannes Berg (1): Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Johannes Kimmel (1): btrfs: correctly escape subvol in btrfs_show_options() Johannes Thumshirn (2): btrfs: zoned: fix zone activation with missing devices btrfs: zoned: fix zone finishing with missing devices Jonas Gorski (2): net: b53: enable BPDU reception for management port net: bridge: switchdev: do not notify new brentries as changed Jonathan McDowell (2): tpm, tpm_tis: Workaround failed command reception on Infineon devices tpm, tpm_tis: Fix timeout handling when waiting for TPM status Josh Poimboeuf (2): objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Joshua Washington (1): gve: handle overflow when reporting TX consumed descriptors Kai Mäkisara (1): scsi: st: Fix array overflow in st_setup() Kaixin Wang (1): HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Kamal Dasu (1): mtd: rawnand: brcmnand: fix PM resume warning Kan Liang (3): perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Karina Yankevich (1): media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Karolina Stolarek (1): drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled Kartik Rajput (1): mailbox: tegra-hsp: Define dimensioning masks in SoC data Kaustabh Chakraborty (1): mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Kees Cook (2): xen/mcelog: Add __nonstring annotations for unterminated strings Bluetooth: vhci: Avoid needless snprintf() calls Kirill A. Shutemov (2): x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT mm: fix apply_to_existing_page_range() Krzysztof Kozlowski (3): dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg' dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg' gpio: zynq: Fix wakeup source leaks on device unbind Kunihiko Hayashi (3): misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kuniyuki Iwashima (2): Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" Revert "smb: client: fix TCP timers deadlock after rmmod" Leonid Arapov (1): fbdev: omapfb: Add 'plane' value check Li Lingfeng (1): nfsd: decrease sc_count directly if fail to queue dl_recall Lorenzo Stoakes (1): mm/mremap: correctly handle partial mremap() of VMA starting at 0 Louis-Alexis Eyraud (1): iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Luca Ceresoli (1): drm/bridge: panel: forbid initializing a panel with unknown connector type Lucas De Marchi (1): drivers: base: devres: Allow to release group on device release Luiz Augusto von Dentz (1): Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Ma Ke (1): PCI: Fix reference leak in pci_alloc_child_bus() Maksim Davydov (1): x86/split_lock: Fix the delayed detection logic Manish Dharanenthiran (1): wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Manjunatha Venkatesh (1): i3c: Add NULL pointer check in i3c_master_queue_ibi() Marc Herbert (1): mm/hugetlb: move hugetlb_sysctl_init() to the __init section Marek Behún (1): net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Mario Limonciello (1): drm/amd: Handle being compiled without SI or CIK support better Mark Brown (1): selftests/mm: generate a temporary mountpoint for cgroup filesystem Mark Rutland (1): perf: arm_pmu: Don't disable counter in armpmu_add() Masami Hiramatsu (Google) (1): tracing: probe-events: Add comments about entry data storing code Mateusz Guzik (1): fs: consistently deref the files table with rcu_dereference_raw() Mathieu Desnoyers (1): mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Matt Johnston (1): net: mctp: Set SOCK_RCU_FREE Matthew Auld (1): drm/amdgpu/dma_buf: fix page_link check Matthew Majewski (1): media: vim2m: print device name after registering device Matthew Wilcox (Oracle) (2): x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW test suite: use %zu to print size_t Matthieu Baerts (NGI0) (3): mptcp: sockopt: fix getting IPV6_V6ONLY mptcp: only inc MPJoinAckHMacFailure for HMAC failures mptcp: sockopt: fix getting freebind & transparent Max Grobecker (1): x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Max Schulze (1): net: usb: asix_devices: add FiberGecko DeviceID Maxim Mikityanskiy (2): ALSA: hda: intel: Fix Optimus when GPU has no sound ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Maxime Chevallier (1): net: ethtool: Don't call .cleanup_data when prepare_data fails Maxime Ripard (8): drm/tests: modeset: Fix drm_display_mode memory leak drm/tests: helpers: Add atomic helpers drm/tests: Add helper to create mock plane drm/tests: Add helper to create mock crtc drm/tests: helpers: Create kunit helper to destroy a drm_display_mode drm/tests: cmdline: Fix drm_display_mode memory leak drm/tests: modes: Fix drm_display_mode memory leak drm/tests: probe-helper: Fix drm_display_mode memory leak Meghana Malladi (3): net: ti: icss-iep: Add pwidth configuration for perout signal net: ti: icss-iep: Add phase offset configuration for perout signal net: ti: icss-iep: Fix possible NULL pointer dereference for perout request Menglong Dong (1): ftrace: fix incorrect hash size in register_ftrace_direct() Miaoqian Lin (1): scsi: iscsi: Fix missing scsi_host_put() in error path Michael Walle (1): net: ethernet: ti: am65-cpsw: fix port_np reference counting Mickaël Salaün (1): landlock: Add the errata interface Miklos Szeredi (1): ovl: don't allow datadir only Mikulas Patocka (3): dm-ebs: fix prefetch-vs-suspend race dm-integrity: set ti->error on memory allocation failure dm-verity: fix prefetch-vs-suspend race Miquel Raynal (1): spi: cadence-qspi: Fix probe on AM62A LP SK Murad Masimov (1): media: streamzap: prevent processing IR data on URB failure Myrrh Periwinkle (1): x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Namjae Jeon (2): ksmbd: fix use-after-free in smb_break_all_levII_oplock() ksmbd: fix the warning from __kernel_write_iter Nathan Chancellor (3): ACPI: platform-profile: Fix CFI violation when accessing sysfs files riscv: Avoid fortify warning in syscall_get_arguments() kbuild: Add '-fno-builtin-wcslen' Nathan Lynch (1): powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Nicolas Dufresne (1): media: visl: Fix ERANGE error when setting enum controls Nicolin Chen (1): iommufd: Fix uninitialized rc in iommufd_access_rw() Nikita Zhandarovich (1): drm/repaper: fix integer overflows in repeat functions Niklas Cassel (2): ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode ata: libata-sata: Save all fields from sense data descriptor Niklas Söderlund (1): media: i2c: adv748x: Fix test pattern selection mask Octavian Purdila (2): net_sched: sch_sfq: use a temporary work area for validating configuration net_sched: sch_sfq: move the limit validation Ojaswin Mujoo (1): ext4: protect ext4_release_dquot against freezing P Praneesh (1): wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Pali Rohár (1): cifs: Ensure that all non-client-specific reparse points are processed by the server Pavel Begunkov (1): io_uring/net: fix accept multishot handling Pedro Tammela (1): net/sched: cls_api: conditional notification of events Peter Collingbourne (1): string: Add load_unaligned_zeropad() code path to sized_strscpy() Peter Griffin (1): scsi: ufs: exynos: Ensure consistent phy reference counts Peter Xu (1): mm/userfaultfd: fix release hang over concurrent GUP Philip Yang (3): drm/amdkfd: Fix mode1 reset crash issue drm/amdkfd: Fix pqm_destroy_queue race with GPU reset drm/amdkfd: debugfs hang_hws skip GPU with MES Philipp Hahn (1): cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Ping-Ke Shih (2): wifi: rtw89: pci: add pre_deinit to be called after probe complete wifi: rtw89: pci: disable PCIE wake bit when PCIE deinit Piotr Jaroszynski (1): Fix mmu notifiers for range-based invalidates Rafael J. Wysocki (2): cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS cpufreq: Reference count policy in cpufreq_update_limits() Rand Deeb (2): fs/jfs: cast inactags to s64 to prevent potential overflow fs/jfs: Prevent integer overflow in AG size calculation Remi Pommarel (2): wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() wifi: mac80211: Purge vif txq in ieee80211_do_stop() Ricard Wanderlof (1): ALSA: usb-audio: Fix CME quirk for UF series keyboards Ricardo Cañuelo Navarro (1): sctp: detect and prevent references to a freed transport in sendmsg Ricardo Ribalda (1): media: uvcvideo: Add quirk for Actions UVC05 Roger Pau Monne (3): x86/xen: fix balloon target initialization for PVH dom0 x86/xen: move xen_reserve_extra_memory() x86/xen: fix memblock_reserve() usage on PVH Rolf Eike Beer (1): drm/sti: remove duplicate object names Roman Smirnov (1): cifs: fix integer overflow in match_server() Ryan Roberts (3): sparc/mm: disable preemption in lazy mmu mode sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes mm: fix lazy mmu docs and usage Ryo Takakura (1): PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Sagi Maimon (1): ptp: ocp: fix start time alignment in ptp_ocp_signal_set Sakari Ailus (5): media: i2c: ccs: Set the device's runtime PM status correctly in remove media: i2c: ccs: Set the device's runtime PM status correctly in probe media: i2c: ov7251: Set enable GPIO low in probe media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO media: i2c: imx219: Rectify runtime PM handling in probe and remove Sandipan Das (1): x86/cpu/amd: Fix workaround for erratum 1054 Sean Christopherson (2): KVM: x86: Explicitly zero-initialize on-stack CPUID unions KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Sean Heelan (1): ksmbd: Fix dangling pointer in krb_authenticate Sebastian Andrzej Siewior (1): xdp: Reset bpf_redirect_info before running a xdp's BPF prog. Sharath Srinivasan (1): RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Shay Drory (1): RDMA/core: Silence oversized kvmalloc() warning Shengjiu Wang (1): ASoC: fsl_audmix: register card device depends on 'dais' property Shuai Xue (1): mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Si-Wei Liu (1): vdpa/mlx5: Fix oversized null mkey longer than 32bit Srinivas Kandagatla (5): ASoC: q6apm: add q6apm_get_hw_pointer helper ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Stanimir Varbanov (1): PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Stanislav Fomichev (1): net: vlan: don't propagate flags on open Stanley Chu (1): i3c: master: svc: Use readsb helper for reading MDB Stefan Eichenberger (1): phy: freescale: imx8m-pcie: assert phy reset and perst in power off Stephan Gerhold (1): pinctrl: qcom: Clear latched interrupt status when changing IRQ type Steve French (1): smb311 client: fix missing tcon check when mounting with linux/posix extensions Steven Rostedt (2): tracing: Do not add length to print format in synthetic events tracing: Fix filter string testing Syed Saba kareem (1): ASoC: amd: yc: update quirk data for new Lenovo model T Pratham (1): lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Takashi Iwai (1): ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model Taniya Das (1): clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Thadeu Lima de Souza Cascardo (2): tpm: do not start chip while suspended i2c: cros-ec-tunnel: defer probe if parent EC is not present Thomas Weißschuh (3): kunit: qemu_configs: SH: Respect kunit cmdline loop: properly send KOBJ_CHANGED uevent for disk device loop: LOOP_SET_FD: send uevents for partitions Toke Høiland-Jørgensen (1): tc: Ensure we have enough buffer space when sending filter netlink notifications Tom Lendacky (1): crypto: ccp - Fix check for the primary ASP device Tomasz Pakuła (10): HID: pidff: Convert infinite length from Linux API to PID standard HID: pidff: Do not send effect envelope if it's empty HID: pidff: Add MISSING_DELAY quirk and its detection HID: pidff: Add MISSING_PBO quirk and its detection HID: pidff: Add PERMISSIVE_CONTROL quirk HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol HID: pidff: Add FIX_WHEEL_DIRECTION quirk HID: Add hid-universal-pidff driver and supported device ids HID: pidff: Add PERIODIC_SINE_ONLY quirk HID: pidff: Fix null pointer dereference in pidff_find_fields Trevor Woerner (1): thermal/drivers/rockchip: Add missing rk3328 mapping entry Trond Myklebust (1): umount: Allow superblock owners to force umount Tung Nguyen (1): tipc: fix memory leak in tipc_link_xmit Uwe Kleine-König (2): pwm: rcar: Improve register calculation pwm: fsl-ftm: Handle clk_get_rate() returning 0 Vasiliy Kovalev (1): hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Victor Nogueira (1): rtnl: add helper to check if a notification is needed Vikash Garodia (4): media: venus: hfi: add a check to handle OOB in sfr region media: venus: hfi: add check to handle incorrect queue size media: venus: hfi_parser: add check to avoid out of bound access media: venus: hfi_parser: refactor hfi packet parsing logic Vishal Annapurve (1): x86/tdx: Fix arch_safe_halt() execution for TDX VMs Vishal Moola (Oracle) (1): mm: fix filemap_get_folios_contig returning batches of identical folios Vladimir Oltean (5): net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported net: dsa: clean up FDB, MDB, VLAN entries on unbind net: dsa: free routing table on probe failure net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails WangYuli (6): riscv: KGDB: Do not inline arch_kgdb_breakpoint() riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break nvmet-fc: Remove unused functions MIPS: dec: Declare which_prom() as static MIPS: cevt-ds1287: Add missing ds1287.h include MIPS: ds1287: Match ds1287_set_base_clock() function types Wentao Liang (4): ata: sata_sx4: Add error handling in pdc20621_i2c_read() drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() mtd: inftlcore: Add error check for inftl_read_oob() mtd: rawnand: Add status chack in r852_ready() Will Deacon (1): KVM: arm64: Tear down vGIC on failed vCPU creation Willem de Bruijn (1): bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Xiangsheng Hou (1): virtiofs: add filesystem context source name check Xin Li (Intel) (1): x86/ia32: Leave NULL selector values 0~3 unchanged Xingui Yang (1): scsi: hisi_sas: Enable force phy when SATA disk directly connected Yeongjin Gil (1): f2fs: fix to avoid atomicity corruption of atomic file Yi Liu (1): iommufd: Fail replace if device has not been attached Yu Kuai (2): md/raid10: fix missing discard IO accounting md: fix mddev uaf while iterating all_mddevs list Yu-Chun Lin (1): drm/tests: helpers: Fix compiler warning Yuan Can (1): media: siano: Fix error handling in smsdvb_module_init() Yue Haibing (1): RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Yuli Wang (1): LoongArch: Eliminate superfluous get_numa_distances_cnt() Zhang Heng (1): ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Zheng Qixing (2): md/md-bitmap: fix stats collection for external bitmaps block: fix resource leak in blk_register_queue() error path Zhenhua Huang (1): arm64: mm: Correct the update of max_pfn Zhikai Zhai (1): drm/amd/display: Update Cursor request mode to the beginning prefetch always Zhongqiu Han (2): pm: cpupower: bench: Prevent NULL dereference on malloc failure jfs: Fix uninit-value access of imap allocated in the diMount() function Zijun Hu (5): of/irq: Fix device node refcount leakage in API of_irq_parse_one() of/irq: Fix device node refcount leakage in API of_irq_parse_raw() of/irq: Fix device node refcount leakages in of_irq_count() of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() of/irq: Fix device node refcount leakages in of_irq_init() keenplify (1): ASoC: amd: Add DMI quirk for ACP6X mic support zhoumin (1): ftrace: Add cond_resched() to ftrace_graph_set_hash()

6 months, 2 weeks

1
1
0 0

Linux 6.1.135

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.135 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ MAINTAINERS | 1 Makefile | 5 arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 arch/arm64/include/asm/cputype.h | 4 arch/arm64/include/asm/fpsimd.h | 4 arch/arm64/include/asm/kvm_host.h | 19 arch/arm64/include/asm/kvm_hyp.h | 1 arch/arm64/include/asm/processor.h | 7 arch/arm64/include/asm/spectre.h | 1 arch/arm64/kernel/fpsimd.c | 69 ++- arch/arm64/kernel/process.c | 2 arch/arm64/kernel/proton-pack.c | 218 +++++----- arch/arm64/kernel/ptrace.c | 3 arch/arm64/kernel/signal.c | 7 arch/arm64/kvm/arm.c | 7 arch/arm64/kvm/fpsimd.c | 92 +--- arch/arm64/kvm/hyp/entry.S | 5 arch/arm64/kvm/hyp/include/hyp/switch.h | 106 +++- arch/arm64/kvm/hyp/nvhe/hyp-main.c | 8 arch/arm64/kvm/hyp/nvhe/pkvm.c | 17 arch/arm64/kvm/hyp/nvhe/switch.c | 91 ++-- arch/arm64/kvm/hyp/vhe/switch.c | 12 arch/arm64/kvm/reset.c | 3 arch/arm64/mm/mmu.c | 3 arch/loongarch/kernel/acpi.c | 12 arch/loongarch/net/bpf_jit.c | 2 arch/loongarch/net/bpf_jit.h | 5 arch/mips/dec/prom/init.c | 2 arch/mips/include/asm/ds1287.h | 2 arch/mips/kernel/cevt-ds1287.c | 1 arch/powerpc/kernel/rtas.c | 4 arch/riscv/include/asm/kgdb.h | 9 arch/riscv/include/asm/syscall.h | 7 arch/riscv/kernel/kgdb.c | 6 arch/riscv/kernel/setup.c | 36 + arch/sparc/mm/tlb.c | 5 arch/x86/events/intel/ds.c | 8 arch/x86/events/intel/uncore_snbep.c | 107 ---- arch/x86/kernel/cpu/amd.c | 2 arch/x86/kernel/cpu/intel.c | 20 arch/x86/kernel/e820.c | 17 arch/x86/kvm/x86.c | 4 arch/x86/platform/pvh/head.S | 7 block/blk-cgroup.c | 24 - block/blk-cgroup.h | 1 block/blk-iocost.c | 7 certs/Makefile | 2 certs/extract-cert.c | 138 +++--- drivers/acpi/platform_profile.c | 20 drivers/ata/ahci.c | 2 drivers/ata/libata-eh.c | 11 drivers/ata/pata_pxa.c | 6 drivers/ata/sata_sx4.c | 13 drivers/base/devres.c | 7 drivers/block/loop.c | 7 drivers/bluetooth/btqca.c | 13 drivers/bluetooth/btrtl.c | 2 drivers/bluetooth/hci_ldisc.c | 19 drivers/bluetooth/hci_uart.h | 1 drivers/bus/mhi/host/main.c | 16 drivers/char/tpm/tpm_tis_core.c | 20 drivers/char/tpm/tpm_tis_core.h | 1 drivers/clk/qcom/gdsc.c | 61 +- drivers/clocksource/timer-stm32-lp.c | 4 drivers/cpufreq/cpufreq.c | 8 drivers/crypto/caam/qi.c | 6 drivers/crypto/ccp/sp-pci.c | 15 drivers/gpio/gpio-tegra186.c | 27 - drivers/gpio/gpio-zynq.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 22 - drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 2 drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 drivers/gpu/drm/drm_atomic_helper.c | 2 drivers/gpu/drm/drm_panel.c | 5 drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 ++ drivers/gpu/drm/i915/gvt/opregion.c | 7 drivers/gpu/drm/mediatek/mtk_dpi.c | 23 - drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 72 +-- drivers/gpu/drm/nouveau/nouveau_bo.c | 3 drivers/gpu/drm/nouveau/nouveau_gem.c | 3 drivers/gpu/drm/sti/Makefile | 2 drivers/gpu/drm/tiny/repaper.c | 4 drivers/hid/usbhid/hid-pidff.c | 60 +- drivers/hsi/clients/ssi_protocol.c | 1 drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 drivers/i3c/master.c | 3 drivers/i3c/master/svc-i3c-master.c | 2 drivers/infiniband/core/cma.c | 4 drivers/infiniband/core/umem_odp.c | 6 drivers/infiniband/hw/hns/hns_roce_main.c | 2 drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 drivers/iommu/mtk_iommu.c | 26 - drivers/md/dm-ebs-target.c | 7 drivers/md/dm-integrity.c | 3 drivers/md/dm-verity-target.c | 8 drivers/md/md-bitmap.c | 5 drivers/md/md.c | 50 +- drivers/md/raid10.c | 1 drivers/media/common/siano/smsdvb-main.c | 2 drivers/media/i2c/adv748x/adv748x.h | 2 drivers/media/i2c/ccs/ccs-core.c | 6 drivers/media/i2c/ov7251.c | 4 drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_req_lat_if.c | 3 drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++- drivers/media/platform/qcom/venus/hfi_venus.c | 18 drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 drivers/media/rc/streamzap.c | 68 +-- drivers/media/test-drivers/vim2m.c | 6 drivers/media/v4l2-core/v4l2-dv-timings.c | 4 drivers/mfd/ene-kb3930.c | 2 drivers/misc/pci_endpoint_test.c | 6 drivers/mmc/host/dw_mmc.c | 94 ++++ drivers/mmc/host/dw_mmc.h | 27 + drivers/mtd/inftlcore.c | 9 drivers/mtd/mtdpstore.c | 12 drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 drivers/mtd/nand/raw/r852.c | 3 drivers/net/dsa/b53/b53_common.c | 10 drivers/net/dsa/mv88e6xxx/chip.c | 30 + drivers/net/dsa/mv88e6xxx/devlink.c | 3 drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 drivers/net/ethernet/google/gve/gve_ethtool.c | 4 drivers/net/ethernet/intel/igc/igc_defines.h | 1 drivers/net/ethernet/intel/igc/igc_main.c | 1 drivers/net/ethernet/intel/igc/igc_ptp.c | 93 ++-- drivers/net/ppp/ppp_synctty.c | 5 drivers/net/wireless/atmel/at76c50x-usb.c | 2 drivers/net/wireless/mediatek/mt76/eeprom.c | 4 drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 drivers/net/wireless/ti/wl1251/tx.c | 4 drivers/ntb/ntb_transport.c | 2 drivers/nvme/target/fc.c | 14 drivers/nvme/target/fcloop.c | 2 drivers/of/irq.c | 80 ++- drivers/pci/controller/pcie-brcmstb.c | 13 drivers/pci/controller/vmd.c | 12 drivers/pci/pci.c | 4 drivers/pci/probe.c | 5 drivers/perf/arm_pmu.c | 8 drivers/pinctrl/qcom/pinctrl-msm.c | 12 drivers/platform/x86/asus-laptop.c | 9 drivers/ptp/ptp_ocp.c | 1 drivers/pwm/pwm-fsl-ftm.c | 6 drivers/pwm/pwm-mediatek.c | 8 drivers/pwm/pwm-rcar.c | 24 - drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 drivers/scsi/megaraid/megaraid_sas_base.c | 9 drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 drivers/scsi/scsi_transport_iscsi.c | 7 drivers/scsi/st.c | 2 drivers/soc/samsung/exynos-chipid.c | 2 drivers/spi/spi-cadence-quadspi.c | 6 drivers/thermal/rockchip_thermal.c | 1 drivers/ufs/host/ufs-exynos.c | 6 drivers/vdpa/mlx5/core/mr.c | 7 drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 drivers/xen/swiotlb-xen.c | 2 drivers/xen/xenfs/xensyms.c | 4 fs/Kconfig | 1 fs/btrfs/disk-io.c | 12 fs/btrfs/inode.c | 6 fs/btrfs/super.c | 3 fs/btrfs/zoned.c | 6 fs/ext4/inode.c | 68 ++- fs/ext4/namei.c | 2 fs/ext4/super.c | 17 fs/ext4/xattr.c | 11 fs/f2fs/inode.c | 4 fs/f2fs/node.c | 9 fs/file.c | 26 - fs/fuse/virtio_fs.c | 3 fs/hfs/bnode.c | 6 fs/hfsplus/bnode.c | 6 fs/isofs/export.c | 2 fs/jbd2/journal.c | 1 fs/jfs/jfs_dmap.c | 10 fs/jfs/jfs_imap.c | 4 fs/namespace.c | 3 fs/nfs/Kconfig | 2 fs/nfs/internal.h | 22 - fs/nfs/nfs4session.h | 4 fs/nfsd/Kconfig | 1 fs/nfsd/nfs4state.c | 2 fs/nfsd/nfsfh.h | 7 fs/smb/client/cifs_dfs_ref.c | 34 + fs/smb/client/cifsproto.h | 23 + fs/smb/client/connect.c | 2 fs/smb/client/dir.c | 21 fs/smb/client/file.c | 28 + fs/smb/client/fs_context.c | 5 fs/smb/client/smb2misc.c | 9 fs/smb/server/oplock.c | 2 fs/smb/server/smb2pdu.c | 6 fs/smb/server/transport_ipc.c | 7 fs/smb/server/vfs.c | 3 include/linux/backing-dev.h | 1 include/linux/bpf.h | 1 include/linux/nfs.h | 13 include/linux/rtnetlink.h | 22 + include/linux/tpm.h | 1 include/net/sctp/structs.h | 3 include/uapi/linux/kfd_ioctl.h | 2 include/uapi/linux/landlock.h | 2 include/xen/interface/xen-mca.h | 2 io_uring/kbuf.c | 2 io_uring/net.c | 2 kernel/bpf/core.c | 19 kernel/bpf/syscall.c | 17 kernel/locking/lockdep.c | 3 kernel/sched/cpufreq_schedutil.c | 18 kernel/trace/ftrace.c | 1 kernel/trace/trace_events.c | 4 kernel/trace/trace_events_filter.c | 4 lib/sg_split.c | 2 lib/string.c | 13 mm/filemap.c | 1 mm/gup.c | 6 mm/memory-failure.c | 11 mm/memory.c | 4 mm/rmap.c | 2 mm/vmscan.c | 2 net/8021q/vlan_dev.c | 31 - net/bluetooth/hci_event.c | 5 net/bluetooth/l2cap_core.c | 3 net/bridge/br_vlan.c | 4 net/core/filter.c | 80 ++- net/core/page_pool.c | 8 net/dsa/tag_8021q.c | 2 net/ethtool/netlink.c | 8 net/ipv6/route.c | 8 net/mac80211/iface.c | 3 net/mac80211/mesh_hwmp.c | 14 net/mctp/af_mctp.c | 3 net/mptcp/sockopt.c | 28 + net/mptcp/subflow.c | 19 net/netfilter/nft_set_pipapo_avx2.c | 3 net/openvswitch/flow_netlink.c | 3 net/sched/cls_api.c | 74 ++- net/sched/sch_codel.c | 5 net/sched/sch_fq_codel.c | 6 net/sched/sch_sfq.c | 66 ++- net/sctp/socket.c | 22 - net/sctp/transport.c | 2 net/tipc/link.c | 1 net/tls/tls_main.c | 6 scripts/sign-file.c | 132 +++--- scripts/ssl-common.h | 32 + security/landlock/errata.h | 87 +++ security/landlock/setup.c | 30 + security/landlock/setup.h | 3 security/landlock/syscalls.c | 22 - sound/pci/hda/hda_intel.c | 44 +- sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/lpass-wsa-macro.c | 117 +++-- sound/soc/fsl/fsl_audmix.c | 16 sound/soc/qcom/qdsp6/q6apm-dai.c | 9 sound/soc/qcom/qdsp6/q6asm-dai.c | 19 sound/usb/midi.c | 80 +++ tools/power/cpupower/bench/parse.c | 4 tools/testing/ktest/ktest.pl | 8 tools/testing/radix-tree/linux.c | 4 tools/testing/selftests/futex/functional/futex_wait_wouldblock.c | 2 tools/testing/selftests/landlock/base_test.c | 46 ++ tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 279 files changed, 2897 insertions(+), 1409 deletions(-) Abdun Nihaal (3): wifi: at76c50x: fix use after free access in at76_disconnect wifi: wl1251: fix memory leak in wl1251_tx_work cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Abhinav Kumar (1): drm: allow encoder mode_set even when connectors change for crtc Akhil P Oommen (1): drm/msm/a6xx: Fix stale rpmh votes from GPU Alex Williamson (2): Revert "PCI: Avoid reset when disabled via sysfs" mm: Fix is_zero_page() usage in try_grab_page() Alexandra Diupina (1): cifs: avoid NULL pointer dereference in dbg call Alexandre Torgue (1): clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Alexey Klimov (1): ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Andreas Gruenbacher (1): writeback: fix false warning in inode_to_wb() Andrew Wyatt (5): drm: panel-orientation-quirks: Add support for AYANEO 2S drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB drm: panel-orientation-quirks: Add quirk for AYA NEO Slide drm: panel-orientation-quirks: Add new quirk for GPD Win 2 drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Andrii Nakryiko (1): bpf: avoid holding freeze_mutex during mmap operation AngeloGioacchino Del Regno (2): drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off Ard Biesheuvel (1): x86/pvh: Call C code via the kernel virtual mapping Arnaud Lecomte (1): net: ppp: Add bound checking for skb data on ppp_sync_txmung Arnd Bergmann (1): media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Arseniy Krasnov (2): Bluetooth: hci_uart: fix race during initialization Bluetooth: hci_uart: Fix another race during initialization Artem Sadovnikov (1): ext4: fix off-by-one error in do_split Ayush Jain (1): ktest: Fix Test Failures Due to Missing LOG_FILE Directories Baoquan He (1): mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Bhupesh (1): ext4: ignore xattrs past end Björn Töpel (1): riscv: Properly export reserved regions in /proc/iomem Boqun Feng (1): locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Boris Burkov (1): btrfs: fix qgroup reserve leaks in cow_file_range Bryan O'Donoghue (2): clk: qcom: gdsc: Release pm subdomains in reverse add order clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Chandrakanth Patil (1): scsi: megaraid_sas: Block zero-length ATA VPD inquiry Chao Yu (2): f2fs: don't retry IO for corrupted data scenario f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Chen-Yu Tsai (1): arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string ChenXiaoSong (1): smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() Chengchang Tang (1): RDMA/hns: Fix wrong maximum DMA segment size Chenyuan Yang (2): soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() mfd: ene-kb3930: Fix a potential NULL pointer dereference Chris Bainbridge (1): drm/nouveau: prime: fix ttm_bo_delayed_delete oops Christian König (1): drm/amdgpu: grab an additional reference on the gang fence v2 Christopher S M Hall (4): igc: fix PTM cycle trigger logic igc: move ktime snapshot into PTM retry loop igc: handle the IGC_PTP_ENABLED flag correctly igc: cleanup PTP module if probe fails Chunjie Zhu (1): smb3 client: fix open hardlink on deferred close file error Cong Wang (1): codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Dan Carpenter (1): Bluetooth: btrtl: Prevent potential NULL dereference Daniel Kral (1): ahci: add PCI ID for Marvell 88SE9215 SATA Controller Daniel Wagner (1): nvmet-fcloop: swap list_add_tail arguments Dapeng Mi (1): perf/x86/intel: Allow to update user space GPRs from PEBS records David Hildenbrand (1): mm/rmap: reject hugetlb folios in folio_make_device_exclusive() David Yat Sin (1): drm/amdkfd: clamp queue size to minimum Denis Arefev (8): asus-laptop: Fix an uninitialized variable ksmbd: Prevent integer overflow in calculation of deadtime drm/amd/pm: Prevent division by zero drm/amd/pm/powerplay: Prevent division by zero drm/amd/pm/smu11: Prevent division by zero drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Dmitry Baryshkov (1): Bluetooth: qca: simplify WCN399x NVM loading Douglas Anderson (6): arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD arm64: cputype: Add MIDR_CORTEX_A76AE arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Edward Adam Davis (3): jfs: Prevent copying of nlink with value 0 from disk inode jfs: add sanity check for agwidth in dbMount isofs: Prevent the use of too small fid Edward Liaw (1): selftests/futex: futex_waitv wouldblock test should fail Eric Biggers (1): nfs: add missing selections of CONFIG_CRC32 Fedor Pchelkin (1): ntb: use 64-bit arithmetic for the MSI doorbell mask Filipe Manana (1): btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Florian Westphal (1): nft_set_pipapo: fix incorrect avx2 match of 5th field octet Frédéric Danis (1): Bluetooth: l2cap: Check encryption key size on incoming connection Fuad Tabba (1): KVM: arm64: Calculate cptr_el2 traps on activating traps Gabriele Paoloni (1): tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Gang Yan (1): mptcp: fix NULL pointer in can_accept_new_subflow Gavrilov Ilia (1): wifi: mac80211: fix integer overflow in hwmp_route_info_get() Geliang Tang (1): selftests: mptcp: close fd_in before returning in main_loop Greg Kroah-Hartman (3): Revert "Xen/swiotlb: mark xen_swiotlb_fixup() __init" Revert "LoongArch: BPF: Fix off-by-one error in build_prologue()" Linux 6.1.135 Guixin Liu (1): gpio: tegra186: fix resource handling in ACPI probe path Haisu Wang (1): btrfs: fix the length of reserved qgroup to free Haoxiang Li (1): wifi: mt76: Add check for devm_kstrdup() Henry Martin (1): ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Herbert Xu (1): crypto: caam/qi - Fix drv_ctx refcount bug Hersen Wu (1): drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Icenowy Zheng (1): wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Ido Schimmel (1): ipv6: Align behavior across nexthops during path selection Ilya Maximets (1): net: openvswitch: fix nested key length validation in the set() action Jakub Kicinski (1): net: tls: explicitly disallow disconnect Jamal Hadi Salim (1): rtnl: add helper to check if rtnl group has listeners Jan Beulich (1): xenfs/xensyms: respect hypervisor's "next" indication Jan Kara (1): jbd2: remove wrong sb->s_sequence check Jan Stancek (3): sign-file,extract-cert: move common SSL helper functions to a header sign-file,extract-cert: avoid using deprecated ERR_get_error_line() sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Jani Nikula (1): drm/i915/gvt: fix unterminated-string-initialization warning Jann Horn (1): ext4: don't treat fhandle lookup of ea_inode as FS corruption Jason Xing (1): page_pool: avoid infinite loop to schedule delayed worker Jeff Hugo (1): bus: mhi: host: Fix race between unprepare and queue_buf Jeff Layton (1): nfs: move nfs_fhandle_hash to common include file Jens Axboe (1): io_uring/kbuf: reject zero sized provided buffers Jiasheng Jiang (3): media: platform: stm32: Add check for clk_enable() mtd: Add check for devm_kcalloc() mtd: Replace kcalloc() with devm_kcalloc() Johannes Berg (1): Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Johannes Kimmel (1): btrfs: correctly escape subvol in btrfs_show_options() Johannes Thumshirn (2): btrfs: zoned: fix zone activation with missing devices btrfs: zoned: fix zone finishing with missing devices Jonas Gorski (2): net: b53: enable BPDU reception for management port net: bridge: switchdev: do not notify new brentries as changed Jonathan McDowell (2): tpm, tpm_tis: Workaround failed command reception on Infineon devices tpm, tpm_tis: Fix timeout handling when waiting for TPM status Josh Poimboeuf (1): pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Joshua Washington (1): gve: handle overflow when reporting TX consumed descriptors Kai Mäkisara (1): scsi: st: Fix array overflow in st_setup() Kaixin Wang (1): HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Kamal Dasu (1): mtd: rawnand: brcmnand: fix PM resume warning Kan Liang (3): perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Karina Yankevich (1): media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Kaustabh Chakraborty (1): mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Kees Cook (1): xen/mcelog: Add __nonstring annotations for unterminated strings Kirill A. Shutemov (1): mm: fix apply_to_existing_page_range() Krzysztof Kozlowski (1): gpio: zynq: Fix wakeup source leaks on device unbind Kunihiko Hayashi (3): misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Leonid Arapov (1): fbdev: omapfb: Add 'plane' value check Li Lingfeng (1): nfsd: decrease sc_count directly if fail to queue dl_recall Li Nan (1): blk-iocost: do not WARN if iocg was already offlined Louis-Alexis Eyraud (1): iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Luca Ceresoli (1): drm/bridge: panel: forbid initializing a panel with unknown connector type Lucas De Marchi (1): drivers: base: devres: Allow to release group on device release Luiz Augusto von Dentz (1): Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Ma Ke (1): PCI: Fix reference leak in pci_alloc_child_bus() Maksim Davydov (1): x86/split_lock: Fix the delayed detection logic Manjunatha Venkatesh (1): i3c: Add NULL pointer check in i3c_master_queue_ibi() Marek Behún (1): net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Mario Limonciello (1): drm/amd: Handle being compiled without SI or CIK support better Mark Brown (4): KVM: arm64: Discard any SVE state when entering KVM guests arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE arm64/fpsimd: Have KVM explicitly say which FP registers to save arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM Mark Rutland (8): perf: arm_pmu: Don't disable counter in armpmu_add() KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state KVM: arm64: Remove host FPSIMD saving for non-protected KVM KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN KVM: arm64: Refactor exit handlers KVM: arm64: Mark some header functions as inline KVM: arm64: Eagerly switch ZCR_EL{1,2} Mateusz Guzik (1): fs: consistently deref the files table with rcu_dereference_raw() Mathieu Desnoyers (1): mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Matt Johnston (1): net: mctp: Set SOCK_RCU_FREE Matthew Auld (1): drm/amdgpu/dma_buf: fix page_link check Matthew Majewski (1): media: vim2m: print device name after registering device Matthew Wilcox (Oracle) (1): test suite: use %zu to print size_t Matthieu Baerts (NGI0) (3): mptcp: sockopt: fix getting IPV6_V6ONLY mptcp: only inc MPJoinAckHMacFailure for HMAC failures mptcp: sockopt: fix getting freebind & transparent Max Grobecker (1): x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Maxim Mikityanskiy (2): ALSA: hda: intel: Fix Optimus when GPU has no sound ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Maxime Chevallier (1): net: ethtool: Don't call .cleanup_data when prepare_data fails Miaoqian Lin (1): scsi: iscsi: Fix missing scsi_host_put() in error path Mickaël Salaün (1): landlock: Add the errata interface Mikulas Patocka (3): dm-ebs: fix prefetch-vs-suspend race dm-integrity: set ti->error on memory allocation failure dm-verity: fix prefetch-vs-suspend race Miquel Raynal (1): spi: cadence-qspi: Fix probe on AM62A LP SK Murad Masimov (1): media: streamzap: prevent processing IR data on URB failure Myrrh Periwinkle (1): x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Namjae Jeon (1): ksmbd: fix the warning from __kernel_write_iter Nathan Chancellor (3): ACPI: platform-profile: Fix CFI violation when accessing sysfs files riscv: Avoid fortify warning in syscall_get_arguments() kbuild: Add '-fno-builtin-wcslen' Nathan Lynch (1): powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Nikita Zhandarovich (1): drm/repaper: fix integer overflows in repeat functions Niklas Cassel (1): ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Niklas Söderlund (1): media: i2c: adv748x: Fix test pattern selection mask Octavian Purdila (2): net_sched: sch_sfq: use a temporary work area for validating configuration net_sched: sch_sfq: move the limit validation Ojaswin Mujoo (1): ext4: protect ext4_release_dquot against freezing Paulo Alcantara (1): cifs: use origin fullpath for automounts Pavel Begunkov (1): io_uring/net: fix accept multishot handling Pedro Tammela (1): net/sched: cls_api: conditional notification of events Peter Collingbourne (1): string: Add load_unaligned_zeropad() code path to sized_strscpy() Peter Griffin (1): scsi: ufs: exynos: Ensure consistent phy reference counts Philip Yang (2): drm/amdkfd: Fix mode1 reset crash issue drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Rafael J. Wysocki (2): cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS cpufreq: Reference count policy in cpufreq_update_limits() Rand Deeb (2): fs/jfs: cast inactags to s64 to prevent potential overflow fs/jfs: Prevent integer overflow in AG size calculation Remi Pommarel (2): wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() wifi: mac80211: Purge vif txq in ieee80211_do_stop() Ricard Wanderlof (1): ALSA: usb-audio: Fix CME quirk for UF series keyboards Ricardo Cañuelo Navarro (1): sctp: detect and prevent references to a freed transport in sendmsg Rolf Eike Beer (1): drm/sti: remove duplicate object names Roman Smirnov (1): cifs: fix integer overflow in match_server() Ryan Roberts (1): sparc/mm: disable preemption in lazy mmu mode Ryo Takakura (1): PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Sagi Maimon (1): ptp: ocp: fix start time alignment in ptp_ocp_signal_set Sakari Ailus (4): media: i2c: ccs: Set the device's runtime PM status correctly in remove media: i2c: ccs: Set the device's runtime PM status correctly in probe media: i2c: ov7251: Set enable GPIO low in probe media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sean Christopherson (1): KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Sean Heelan (1): ksmbd: Fix dangling pointer in krb_authenticate Sharath Srinivasan (1): RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Shay Drory (1): RDMA/core: Silence oversized kvmalloc() warning Shengjiu Wang (1): ASoC: fsl_audmix: register card device depends on 'dais' property Shuai Xue (1): mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Si-Wei Liu (1): vdpa/mlx5: Fix oversized null mkey longer than 32bit Srinivas Kandagatla (4): ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Stanimir Varbanov (1): PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Stanislav Fomichev (1): net: vlan: don't propagate flags on open Stanley Chu (1): i3c: master: svc: Use readsb helper for reading MDB Stephan Gerhold (1): pinctrl: qcom: Clear latched interrupt status when changing IRQ type Steve French (1): smb311 client: fix missing tcon check when mounting with linux/posix extensions Steven Rostedt (1): tracing: Fix filter string testing T Pratham (1): lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Takashi Iwai (1): ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model Taniya Das (1): clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Thadeu Lima de Souza Cascardo (1): i2c: cros-ec-tunnel: defer probe if parent EC is not present Thomas Weißschuh (2): loop: properly send KOBJ_CHANGED uevent for disk device loop: LOOP_SET_FD: send uevents for partitions Toke Høiland-Jørgensen (1): tc: Ensure we have enough buffer space when sending filter netlink notifications Tom Lendacky (1): crypto: ccp - Fix check for the primary ASP device Tomasz Pakuła (3): HID: pidff: Convert infinite length from Linux API to PID standard HID: pidff: Do not send effect envelope if it's empty HID: pidff: Fix null pointer dereference in pidff_find_fields Trevor Woerner (1): thermal/drivers/rockchip: Add missing rk3328 mapping entry Trond Myklebust (1): umount: Allow superblock owners to force umount Tung Nguyen (1): tipc: fix memory leak in tipc_link_xmit Uwe Kleine-König (2): pwm: rcar: Improve register calculation pwm: fsl-ftm: Handle clk_get_rate() returning 0 Vasiliy Kovalev (1): hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Victor Nogueira (1): rtnl: add helper to check if a notification is needed Vikash Garodia (4): media: venus: hfi: add a check to handle OOB in sfr region media: venus: hfi: add check to handle incorrect queue size media: venus: hfi_parser: add check to avoid out of bound access media: venus: hfi_parser: refactor hfi packet parsing logic Vishal Moola (Oracle) (1): mm: fix filemap_get_folios_contig returning batches of identical folios Vladimir Oltean (3): net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails WangYuli (6): riscv: KGDB: Do not inline arch_kgdb_breakpoint() riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break nvmet-fc: Remove unused functions MIPS: dec: Declare which_prom() as static MIPS: cevt-ds1287: Add missing ds1287.h include MIPS: ds1287: Match ds1287_set_base_clock() function types Wentao Liang (4): ata: sata_sx4: Add error handling in pdc20621_i2c_read() drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() mtd: inftlcore: Add error check for inftl_read_oob() mtd: rawnand: Add status chack in r852_ready() Will Deacon (1): KVM: arm64: Tear down vGIC on failed vCPU creation Willem de Bruijn (1): bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Xiangsheng Hou (1): virtiofs: add filesystem context source name check Xingui Yang (1): scsi: hisi_sas: Enable force phy when SATA disk directly connected Xu Kuohai (1): bpf: Prevent tail call between progs attached to different hooks Yu Kuai (4): md/raid10: fix missing discard IO accounting blk-cgroup: support to track if policy is online md: factor out a helper from mddev_put() md: fix mddev uaf while iterating all_mddevs list Yuan Can (1): media: siano: Fix error handling in smsdvb_module_init() Yue Haibing (1): RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Yuli Wang (1): LoongArch: Eliminate superfluous get_numa_distances_cnt() Zheng Qixing (1): md/md-bitmap: fix stats collection for external bitmaps Zhenhua Huang (1): arm64: mm: Correct the update of max_pfn Zhikai Zhai (1): drm/amd/display: Update Cursor request mode to the beginning prefetch always Zhongqiu Han (2): pm: cpupower: bench: Prevent NULL dereference on malloc failure jfs: Fix uninit-value access of imap allocated in the diMount() function Zijun Hu (5): of/irq: Fix device node refcount leakage in API of_irq_parse_one() of/irq: Fix device node refcount leakage in API of_irq_parse_raw() of/irq: Fix device node refcount leakages in of_irq_count() of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() of/irq: Fix device node refcount leakages in of_irq_init() keenplify (1): ASoC: amd: Add DMI quirk for ACP6X mic support zhoumin (1): ftrace: Add cond_resched() to ftrace_graph_set_hash()

6 months, 2 weeks

1
1
0 0

[PATCH v4 1/2] serial: sifive: lock port in startup()/shutdown() callbacks

by Ryo Takakura

startup()/shutdown() callbacks access SIFIVE_SERIAL_IE_OFFS. The register is also accessed from write() callback. If console were printing and startup()/shutdown() callback gets called, its access to the register could be overwritten. Add port->lock to startup()/shutdown() callbacks to make sure their access to SIFIVE_SERIAL_IE_OFFS is synchronized against write() callback. Signed-off-by: Ryo Takakura <ryotkkr98(a)gmail.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/sifive.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/sifive.c b/drivers/tty/serial/sifive.c index 5904a2d4c..054a8e630 100644 --- a/drivers/tty/serial/sifive.c +++ b/drivers/tty/serial/sifive.c @@ -563,8 +563,11 @@ static void sifive_serial_break_ctl(struct uart_port *port, int break_state) static int sifive_serial_startup(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_enable_rxwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); return 0; } @@ -572,9 +575,12 @@ static int sifive_serial_startup(struct uart_port *port) static void sifive_serial_shutdown(struct uart_port *port) { struct sifive_serial_port *ssp = port_to_sifive_serial_port(port); + unsigned long flags; + uart_port_lock_irqsave(&ssp->port, &flags); __ssp_disable_rxwm(ssp); __ssp_disable_txwm(ssp); + uart_port_unlock_irqrestore(&ssp->port, flags); } /** -- 2.34.1

6 months, 2 weeks

4
7
0 0

Re: [PATCH 1/3 v5.4.y] dmaengine: ti: edma: Add support for handling reserved channels

by Greg KH

On Tue, Apr 22, 2025 at 07:33:03PM +0530, Hardik Gohil wrote: > > > > > I'm sorry, I have no idea what to do here :( > > > > please add all the patches 1/3,2/3 and 3/3 to v5.4.y. Please do not post in html format :( Anyway, I do not see patches 2/3 or 3/3 at all. Please resend them all as a full patch series, don't just give links. thanks, greg k-h

6 months, 2 weeks

3
16
0 0

[PATCH v2] media: ov2740: Move pm-runtime cleanup on probe-errors to proper place

by Hans de Goede

When v4l2_subdev_init_finalize() fails no changes have been made to the runtime-pm device state yet, so the probe_error_media_entity_cleanup rollback path should not touch the runtime-pm device state. Instead this should be done from the probe_error_v4l2_subdev_cleanup rollback path. Note the pm_runtime_xxx() calls are put above the v4l2_subdev_cleanup() call to have the reverse call order of probe(). Fixes: 289c25923ecd ("media: ov2740: Use sub-device active state") Cc: stable(a)vger.kernel.org Reviewed-by: Bingbu Cao <bingbu.cao(a)intel.com> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- Changes in v2: - Add Fixes: tag --- drivers/media/i2c/ov2740.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/ov2740.c b/drivers/media/i2c/ov2740.c index 80d151e8ae29..6cf461e3373c 100644 --- a/drivers/media/i2c/ov2740.c +++ b/drivers/media/i2c/ov2740.c @@ -1456,12 +1456,12 @@ static int ov2740_probe(struct i2c_client *client) return 0; probe_error_v4l2_subdev_cleanup: + pm_runtime_disable(&client->dev); + pm_runtime_set_suspended(&client->dev); v4l2_subdev_cleanup(&ov2740->sd); probe_error_media_entity_cleanup: media_entity_cleanup(&ov2740->sd.entity); - pm_runtime_disable(&client->dev); - pm_runtime_set_suspended(&client->dev); probe_error_v4l2_ctrl_handler_free: v4l2_ctrl_handler_free(ov2740->sd.ctrl_handler); -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH] wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb

by Ladislav Michl

From: Ladislav Michl <ladis(a)triops.cz> corresponding upstream commit 3e5e4a801aaf4283390cc34959c6c48f910ca5ea When removing kernel modules driver uses skb_queue_purge() to purge TX skb, but not report tx status causing "Have pending ack frames!" warning. Use ieee80211_purge_tx_queue() to correct this. As upstream commit mentioned above does not apply on linux-6.1.y tree it has been rewritten. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4072 at net/mac80211/main.c:1506 ieee80211_free_ack_frame+0x74/0xa0 [mac80211] Have pending ack frames! Modules linked in: rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core mac80211 libarc4 cfg80211 qmi_wwan usbnet mii cdc_acm [last unloaded: cfg80211] CPU: 0 PID: 4072 Comm: sh Not tainted 6.1.104 #2 Stack : 0000000000000000 000000000000068d 0000000000000008 000b24caa995d315 000b24caa995d315 0000000000000000 8000000002813958 ffffffff818f4a30 ffffffff81a673c8 0000000000000001 0000000000000001 0000000000000000 00000000000817bd 0000000000000010 ffffffff817f3720 0000000000000002 800000000281384f ffffffff81a20000 ffffffff818f4a30 0000000000000009 ffffffff81a20000 8000000003a41df8 ffffffff81a20000 0000000000000001 8000000002651570 8000000082813847 ffffffff8143a6c0 0000000000000000 ffffffff81b10000 8000000002810000 8000000002813950 0000000000000030 ffffffff817ca460 0000000000000000 ffffffff818f4a30 ffffffff817ca3e0 0000000000000001 ffffffff818f4a30 ffffffff811198b8 0000000000000000 ... Call Trace: [<ffffffff811198b8>] show_stack+0x38/0x118 [<ffffffff817ca460>] dump_stack_lvl+0x30/0x54 [<ffffffff81130f6c>] __warn+0x9c/0xe4 [<ffffffff81131054>] warn_slowpath_fmt+0xa0/0xd4 [<ffffffffc02770ec>] ieee80211_free_ack_frame+0x74/0xa0 [mac80211] [<ffffffff817ccfd8>] idr_for_each+0x88/0x150 [<ffffffffc0277538>] ieee80211_free_hw+0x48/0xf8 [mac80211] [<ffffffff813f2a54>] pci_device_remove+0x2c/0x78 [<ffffffff8144c7dc>] device_release_driver_internal+0x1e4/0x288 [<ffffffff813e8998>] pci_stop_bus_device+0x88/0xb8 [<ffffffff813e8a84>] pci_stop_and_remove_bus_device_locked+0x1c/0x38 [<ffffffff813f52d0>] remove_store+0xa0/0xb0 [<ffffffff81279be4>] kernfs_fop_write_iter+0x10c/0x230 [<ffffffff811fc49c>] vfs_write+0x1cc/0x388 [<ffffffff811fc7f8>] ksys_write+0x78/0x120 [<ffffffff81121420>] syscall_common+0x34/0x58 ---[ end trace 0000000000000000 ]--- Cc: stable(a)vger.kernel.org # 6.1.x: 53bc1b7: wifi: mac80211: export ieee80211_purge_tx_queue() for drivers Cc: stable(a)vger.kernel.org # 6.1.x Cc: Ping-Ke Shih <pkshih(a)realtek.com> Signed-off-by: Ladislav Michl <ladis(a)triops.cz> --- drivers/net/wireless/realtek/rtw88/main.c | 2 +- drivers/net/wireless/realtek/rtw88/tx.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c index 4620a0d5c77b..7c390c2c608d 100644 --- a/drivers/net/wireless/realtek/rtw88/main.c +++ b/drivers/net/wireless/realtek/rtw88/main.c @@ -2146,7 +2146,7 @@ void rtw_core_deinit(struct rtw_dev *rtwdev) destroy_workqueue(rtwdev->tx_wq); spin_lock_irqsave(&rtwdev->tx_report.q_lock, flags); - skb_queue_purge(&rtwdev->tx_report.queue); + ieee80211_purge_tx_queue(rtwdev->hw, &rtwdev->tx_report.queue); skb_queue_purge(&rtwdev->coex.queue); spin_unlock_irqrestore(&rtwdev->tx_report.q_lock, flags); diff --git a/drivers/net/wireless/realtek/rtw88/tx.c b/drivers/net/wireless/realtek/rtw88/tx.c index ab39245e9c2f..05e6911a4044 100644 --- a/drivers/net/wireless/realtek/rtw88/tx.c +++ b/drivers/net/wireless/realtek/rtw88/tx.c @@ -169,7 +169,7 @@ void rtw_tx_report_purge_timer(struct timer_list *t) rtw_warn(rtwdev, "failed to get tx report from firmware\n"); spin_lock_irqsave(&tx_report->q_lock, flags); - skb_queue_purge(&tx_report->queue); + ieee80211_purge_tx_queue(rtwdev->hw, &tx_report->queue); spin_unlock_irqrestore(&tx_report->q_lock, flags); } -- 2.39.5

6 months, 2 weeks

2
2
0 0

[PATCH 6.14 000/241] 6.14.4-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.14.4 release. There are 241 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.14.4-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.14.4-rc1 P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process WangYuli <wangyuli(a)uniontech.com> MIPS: ds1287: Match ds1287_set_base_clock() function types WangYuli <wangyuli(a)uniontech.com> MIPS: cevt-ds1287: Add missing ds1287.h include WangYuli <wangyuli(a)uniontech.com> MIPS: dec: Declare which_prom() as static Alexander Tsoy <alexander(a)tsoy.me> Revert "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process" Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm/vma: add give_up_on_oom option on modify/merge, use in uffd release WangYuli <wangyuli(a)uniontech.com> nvmet-fc: Remove unused functions Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: Temporarily disable hostvm on DCN31 Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Workaround a ACPI firmware bug Armin Wolf <W_Armin(a)gmx.de> platform/x86: msi-wmi-platform: Rename "data" variable Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Extend support to more laptops Kurt Borja <kuurtb(a)gmail.com> platform/x86: alienware-wmi-wmax: Add G-Mode support to Alienware m16 R1 Lukas Fischer <kernel(a)o1oo11oo.de> scripts: generate_rust_analyzer: Add ffi crate Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reference count policy in cpufreq_update_limits() Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HFGWTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HFGRTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HFGITR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HDFGWTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Add register fields for HDFGRTR2_EL2 Anshuman Khandual <anshuman.khandual(a)arm.com> arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 Pavel Begunkov <asml.silence(a)gmail.com> io_uring: don't post tag CQEs on file/buffer registration failure Thomas Zimmermann <tzimmermann(a)suse.de> drm/mgag200: Fix value in <VBLKSTR> register ZhenGuo Yin <zhenguo.yin(a)amd.com> drm/amdgpu: fix warning of drm_mm_clean Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display/dml2: use vzalloc rather than kzalloc Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/dp: Check for HAS_DSC_3ENGINES while configuring DSC slices Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/display: Add macro for checking 3 DSC engines Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Set LRC addresses before guc load Matthew Auld <matthew.auld(a)intel.com> drm/xe/userptr: fix notifier vs folio deadlock Matthew Auld <matthew.auld(a)intel.com> drm/xe/dma_buf: stop relying on placement in unmap Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1 Huacai Chen <chenhuacai(a)kernel.org> drm/amd/display: Protect FPU in dml2_init()/dml21_init() Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Do not enable Replay and PSR while VRR is on in amdgpu_dm_commit_planes() Christian König <christian.koenig(a)amd.com> drm/amdgpu: immediately use GTT for new allocations Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/dp: Reject HBR3 when sink doesn't support TPS4 Vivek Kasireddy <vivek.kasireddy(a)intel.com> drm/i915/xe2hpd: Identify the memory type for SKUs with GDDR + ECC Jani Nikula <jani.nikula(a)intel.com> drm/i915/gvt: fix unterminated-string-initialization warning Matt Roper <matthew.d.roper(a)intel.com> drm/xe/bmg: Add one additional PCI ID Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Fix an out-of-bounds shift when invalidating TLB Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Fix scanline_offset for LNL+ and BMG+ Rolf Eike Beer <eb(a)emlix.com> drm/sti: remove duplicate object names Dmitry Osipenko <dmitry.osipenko(a)collabora.com> drm/virtio: Fix missed dmabuf unpinning in error path of prepare_fb() Brendan King <Brendan.King(a)imgtec.com> drm/imagination: take paired job reference Brendan King <Brendan.King(a)imgtec.com> drm/imagination: fix firmware memory leaks Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/nouveau: prime: fix ttm_bo_delayed_delete oops Matthew Auld <matthew.auld(a)intel.com> drm/amdgpu/dma_buf: fix page_link check Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/mes11: optimize MES pipe FW version fetching Huacai Chen <chenhuacai(a)kernel.org> drm/amd/display: Protect FPU in dml21_copy() Huacai Chen <chenhuacai(a)kernel.org> drm/amd/display: Protect FPU in dml2_validate()/dml21_validate() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add HP Elitebook 645 to the quirk list for eDP on DP1 Dmitry Osipenko <dmitry.osipenko(a)collabora.com> drm/virtio: Don't attach GEM to a non-created context in gem_object_open() Matthew Brost <matthew.brost(a)intel.com> drm/xe: Use local fence in error path of xe_migrate_clear Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> drm/i915/vrr: Add vrr.vsync_{start, end} in vrr_params_changed Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/mes12: optimize MES pipe FW version fetching Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/smu11: Prevent division by zero Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> drm/amd/pm: Add zero RPM enabled OD setting support for SMU14.0.2 Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm: Prevent division by zero Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Increase vblank offdelay for PSR panels Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Actually do immediate vblank disable Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Handle being compiled without SI or CIK support better Brendan Tam <Brendan.Tam(a)amd.com> drm/amd/display: prevent hang on link training fail Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Prefer shadow rom when available Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Fix stale rpmh votes from GPU Haoxiang Li <haoxiang_li2024(a)163.com> drm/msm/dsi: Add check for devm_kstrdup() Jocelyn Falempe <jfalempe(a)redhat.com> drm/ast: Fix ast_dp connection status Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/repaper: fix integer overflows in repeat functions Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Allow to update user space GPRs from PEBS records Mario Limonciello <mario.limonciello(a)amd.com> platform/x86: amd: pmf: Fix STT limits Yazen Ghannam <yazen.ghannam(a)amd.com> RAS/AMD/FMPM: Get masked address Yazen Ghannam <yazen.ghannam(a)amd.com> RAS/AMD/ATL: Include row[13] bit in row retirement Sharath Srinivasan <sharath.srinivasan(a)oracle.com> RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Ensure consistent phy reference counts Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Move UFS shareability value to drvdata Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: megaraid_sas: Block zero-length ATA VPD inquiry Ard Biesheuvel <ardb(a)kernel.org> x86/boot/sev: Avoid shared GHCB page for early memory acceptance Sandipan Das <sandipan.das(a)amd.com> x86/cpu/amd: Fix workaround for erratum 1054 Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches Xiangsheng Hou <xiangsheng.hou(a)mediatek.com> virtiofs: add filesystem context source name check Steven Rostedt <rostedt(a)goodmis.org> tracing: Fix filter string testing Peter Collingbourne <pcc(a)google.com> string: Add load_unaligned_zeropad() code path to sized_strscpy() Chunjie Zhu <chunjie.zhu(a)cloud.com> smb3 client: fix open hardlink on deferred close file error Suren Baghdasaryan <surenb(a)google.com> slab: ensure slab->obj_exts is clear in a newly allocated slab page Mark Brown <broonie(a)kernel.org> selftests/mm: generate a temporary mountpoint for cgroup filesystem Nathan Chancellor <nathan(a)kernel.org> riscv: Avoid fortify warning in syscall_get_arguments() Kuniyuki Iwashima <kuniyu(a)amazon.com> Revert "smb: client: fix TCP timers deadlock after rmmod" Kuniyuki Iwashima <kuniyu(a)amazon.com> Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix the warning from __kernel_write_iter Denis Arefev <arefev(a)swemel.ru> ksmbd: Prevent integer overflow in calculation of deadtime Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in smb_break_all_levII_oplock() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in __smb2_lease_break_noti() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix dangling pointer in krb_authenticate Miklos Szeredi <mszeredi(a)redhat.com> ovl: don't allow datadir only Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: fix apply_to_existing_page_range() Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm: fix filemap_get_folios_contig returning batches of identical folios Baoquan He <bhe(a)redhat.com> mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm/compaction: fix bug in hugetlb handling pathway Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: LOOP_SET_FD: send uevents for partitions Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: properly send KOBJ_CHANGED uevent for disk device Sheng Yong <shengyong1(a)xiaomi.com> lib/iov_iter: fix to increase non slab folio refcount Edward Adam Davis <eadavis(a)qq.com> isofs: Prevent the use of too small fid Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> i2c: cros-ec-tunnel: defer probe if parent EC is not present Vasiliy Kovalev <kovalev(a)altlinux.org> hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Herbert Xu <herbert(a)gondor.apana.org.au> crypto: caam/qi - Fix drv_ctx refcount bug Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Johannes Kimmel <kernel(a)bareminimum.eu> btrfs: correctly escape subvol in btrfs_show_options() Sidong Yang <sidong.yang(a)furiosa.ai> btrfs: ioctl: don't free iov when btrfs_encoded_read() returns -EAGAIN Kees Cook <kees(a)kernel.org> Bluetooth: vhci: Avoid needless snprintf() calls Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: l2cap: Process valid commands in too long frame Rob Clark <robdclark(a)chromium.org> drm/msm/a6xx+: Don't let IB_SIZE overflow Menglong Dong <menglong8.dong(a)gmail.com> ftrace: fix incorrect hash size in register_ftrace_direct() Christoph Hellwig <hch(a)lst.de> fs: move the bdex_statx call to vfs_getattr_nosec Joe Damato <jdamato(a)fastly.com> eventpoll: Set epoll timeout if it's in the future Jens Axboe <axboe(a)kernel.dk> eventpoll: abstract out ep_try_send_events() helper Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: atr: Fix wrong include Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: decrease sc_count directly if fail to queue dl_recall Eric Biggers <ebiggers(a)google.com> nfs: add missing selections of CONFIG_CRC32 Dan Carpenter <dan.carpenter(a)linaro.org> dma-buf/sw_sync: Decrement refcount on error in sw_sync_ioctl_get_deadline() Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> drm/msm/dpu: drop rogue intr_tear_rd_ptr values Chenyuan Yang <chenyuan0y(a)gmail.com> drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check Maíra Canal <mcanal(a)igalia.com> drm/v3d: Fix Indirect Dispatch configuration for V3D 7.1.6 and later Martin K. Petersen <martin.petersen(a)oracle.com> block: integrity: Do not call set_page_dirty_lock() Denis Arefev <arefev(a)swemel.ru> asus-laptop: Fix an uninitialized variable T.J. Mercier <tjmercier(a)google.com> alloc_tag: handle incomplete bulk allocations in vm_module_tags_populate Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> accel/ivpu: Fix the NPU's DPU frequency calculation Evgeny Pimenov <pimenoveu12(a)gmail.com> ASoC: qcom: Fix sc7280 lpass potential buffer overflow Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S16 Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate Herve Codina <herve.codina(a)bootlin.com> ASoC: fsl: fsl_qmc_audio: Reset audio data pointers on TRIGGER_START event Alex Williamson <alex.williamson(a)redhat.com> Revert "PCI: Avoid reset when disabled via sysfs" Andreas Gruenbacher <agruenba(a)redhat.com> writeback: fix false warning in inode_to_wb() Miguel Ojeda <ojeda(a)kernel.org> rust: kbuild: use `pound` to support GNU Make < 4.3 Sami Tolvanen <samitolvanen(a)google.com> rust: kbuild: Don't export __pfx symbols Miguel Ojeda <ojeda(a)kernel.org> rust: disable `clippy::needless_continue` Miguel Ojeda <ojeda(a)kernel.org> rust: kasan/kbuild: fix missing flags on first build FUJITA Tomonori <fujita.tomonori(a)gmail.com> rust: helpers: Remove volatile qualifier from io helpers Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.86.0 Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Do not inline arch_kgdb_breakpoint() Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> thermal: intel: int340x: Fix Panther Lake DLVR support Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kunit: qemu_configs: SH: Respect kunit cmdline Samuel Holland <samuel.holland(a)sifive.com> riscv: module: Allocate PLT entries for R_RISCV_PLT32 Samuel Holland <samuel.holland(a)sifive.com> riscv: module: Fix out-of-bounds relocation access Björn Töpel <bjorn(a)rivosinc.com> riscv: Properly export reserved regions in /proc/iomem Will Pierce <wgpierce17(a)gmail.com> riscv: Use kvmalloc_array on relocation_hashtable Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: revise QDMA packet scheduler settings Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: correct the max weight of the queue limit for 100Mbps Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: reapply mdc divider on reset Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Fix possible NULL pointer dereference for perout request Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Add phase offset configuration for perout signal Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Add pwidth configuration for perout signal Florian Westphal <fw(a)strlen.de> netfilter: conntrack: fix erronous removal of offload bit Sagi Maimon <maimon.sagi(a)gmail.com> ptp: ocp: fix start time alignment in ptp_ocp_signal_set Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: free routing table on probe failure Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: clean up FDB, MDB, VLAN entries on unbind Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Abdun Nihaal <abdun.nihaal(a)gmail.com> net: txgbe: fix memory leak in txgbe_probe() error path Jonas Gorski <jonas.gorski(a)gmail.com> net: bridge: switchdev: do not notify new brentries as changed Jonas Gorski <jonas.gorski(a)gmail.com> net: b53: enable BPDU reception for management port Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rt-neigh: prefix struct nfmsg members with ndm Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rt-link: adjust mctp attribute naming Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rtnetlink: attribute naming corrections Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rt-link: add an attr layer around alt-ifname Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: make sure we validate subtype of array-nest Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: individually free previous values on double set Abdun Nihaal <abdun.nihaal(a)gmail.com> cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Niklas Cassel <cassel(a)kernel.org> ata: libata-sata: Save all fields from sense data descriptor Damien Le Moal <dlemoal(a)kernel.org> nvmet: pci-epf: clear CC and CSTS when disabling the controller Damien Le Moal <dlemoal(a)kernel.org> nvmet: pci-epf: always fully initialize completion entries Christoph Hellwig <hch(a)lst.de> loop: stop using vfs_iter_{read,write} for buffered I/O Yunlong Xing <yunlong.xing(a)unisoc.com> loop: aio inherit the ioprio of original request Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: fix missing ring index trim on error path Michael Walle <mwalle(a)kernel.org> net: ethernet: ti: am65-cpsw: fix port_np reference counting Chenyuan Yang <chenyuan0y(a)gmail.com> octeontx2-pf: handle otx2_mbox_get_rsp errors Abdun Nihaal <abdun.nihaal(a)gmail.com> net: ngbe: fix memory leak in ngbe_probe() error path Weizhao Ouyang <o451686892(a)gmail.com> can: rockchip_canfd: fix broken quirks checks Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix nested key length validation in the set() action Jakub Kicinski <kuba(a)kernel.org> netlink: specs: ovs_vport: align with C codegen capabilities Zheng Qixing <zhengqixing(a)huawei.com> block: fix resource leak in blk_register_queue() error path Jijie Shao <shaojijie(a)huawei.com> net: hibmcge: fix not restore rx pause mac addr after reset issue Jijie Shao <shaojijie(a)huawei.com> net: hibmcge: fix wrong mtu log issue Jijie Shao <shaojijie(a)huawei.com> net: hibmcge: fix incorrect multicast filtering issue Jijie Shao <shaojijie(a)huawei.com> net: hibmcge: fix incorrect pause frame statistics issue Matt Johnston <matt(a)codeconstruct.com.au> net: mctp: Set SOCK_RCU_FREE Damodharam Ammepalli <damodharam.ammepalli(a)broadcom.com> ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() Abdun Nihaal <abdun.nihaal(a)gmail.com> pds_core: fix memory leak in pdsc_debugfs_add_qcq() Baolin Wang <baolin.wang(a)linux.alibaba.com> selftests: mincore: fix tmpfs mincore test failure Matthew Wilcox (Oracle) <willy(a)infradead.org> test suite: use %zu to print size_t Kuniyuki Iwashima <kuniyu(a)amazon.com> smc: Fix lockdep false-positive for IPPROTO_SMC. Geert Uytterhoeven <geert+renesas(a)glider.be> dt-bindings: soc: fsl: fsl,ls1028a-reset: Fix maintainer entry Namhyung Kim <namhyung(a)kernel.org> perf tools: Remove evsel__handle_error_quirks() Christopher S M Hall <christopher.s.hall(a)intel.com> igc: add lock preventing multiple simultaneous PTM transactions Christopher S M Hall <christopher.s.hall(a)intel.com> igc: cleanup PTP module if probe fails Christopher S M Hall <christopher.s.hall(a)intel.com> igc: handle the IGC_PTP_ENABLED flag correctly Christopher S M Hall <christopher.s.hall(a)intel.com> igc: move ktime snapshot into PTM retry loop Christopher S M Hall <christopher.s.hall(a)intel.com> igc: increase wait time before retrying PTM Christopher S M Hall <christopher.s.hall(a)intel.com> igc: fix PTM cycle trigger logic Johannes Berg <johannes.berg(a)intel.com> Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: pcie: set state to no-FW before reset handshake David Thompson <davthompson(a)nvidia.com> mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show() Juergen Gross <jgross(a)suse.com> xen: fix multicall debug feature Xin Long <lucien.xin(a)gmail.com> ipv6: add exception routes to GC list in rt6_insert_exception Leon Romanovsky <leon(a)kernel.org> RDMA/bnxt_re: Remove unusable nq variable Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: l2cap: Check encryption key size on incoming connection Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Bluetooth: qca: fix NV variant for one of WCN3950 SoCs Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: btrtl: Prevent potential NULL dereference Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Richard Fitzgerald <rf(a)opensource.cirrus.com> firmware: cs_dsp: test_bin_error: Fix uninitialized data used as fw version Shay Drory <shayd(a)nvidia.com> RDMA/core: Silence oversized kvmalloc() warning Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: cs42l43: Reset clamp override on jack removal Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed ASUS platform headset Mic issue Richard Fitzgerald <rf(a)opensource.cirrus.com> ALSA: hda/cirrus_scodec_test: Don't select dependencies Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix wrong maximum DMA segment size Yue Haibing <yuehaibing(a)huawei.com> RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Fix budget handling of notification queue Giuseppe Scrivano <gscrivan(a)redhat.com> ovl: remove unused forward declaration Akhil R <akhilrajeev(a)nvidia.com> crypto: tegra - Fix IV usage for AES ECB Henry Martin <bsdhenrymartin(a)gmail.com> ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() Brady Norander <bradynorander(a)gmail.com> ASoC: dwc: always enable/disable i2s irqs Zheng Qixing <zhengqixing(a)huawei.com> md/md-bitmap: fix stats collection for external bitmaps Yu Kuai <yukuai3(a)huawei.com> md/raid10: fix missing discard IO accounting Martin Wilck <mwilck(a)suse.com> scsi: smartpqi: Use is_kdump_kernel() to check for kdump Miaoqian Lin <linmq006(a)gmail.com> scsi: iscsi: Fix missing scsi_host_put() in error path Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: wl1251: fix memory leak in wl1251_tx_work Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: brcmfmac: fix memory leak in brcmf_get_module_param Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Purge vif txq in ieee80211_do_stop() Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: at76c50x: fix use after free access in at76_disconnect Xingui Yang <yangxingui(a)huawei.com> scsi: hisi_sas: Enable force phy when SATA disk directly connected ------------- Diffstat: Documentation/arch/arm64/booting.rst | 22 +++ .../bindings/soc/fsl/fsl,ls1028a-reset.yaml | 2 +- Documentation/netlink/specs/ovs_vport.yaml | 4 +- Documentation/netlink/specs/rt_link.yaml | 20 ++- Documentation/netlink/specs/rt_neigh.yaml | 14 +- Documentation/wmi/devices/msi-wmi-platform.rst | 4 + Makefile | 5 +- arch/arm64/include/asm/el2_setup.h | 25 ++++ arch/arm64/tools/sysreg | 103 ++++++++++++++ arch/mips/dec/prom/init.c | 2 +- arch/mips/include/asm/ds1287.h | 2 +- arch/mips/kernel/cevt-ds1287.c | 1 + arch/riscv/include/asm/kgdb.h | 9 +- arch/riscv/include/asm/syscall.h | 7 +- arch/riscv/kernel/kgdb.c | 6 + arch/riscv/kernel/module-sections.c | 13 +- arch/riscv/kernel/module.c | 11 +- arch/riscv/kernel/setup.c | 36 ++++- arch/x86/boot/compressed/mem.c | 5 +- arch/x86/boot/compressed/sev.c | 67 +++------ arch/x86/boot/compressed/sev.h | 2 + arch/x86/events/intel/ds.c | 8 +- arch/x86/events/intel/uncore_snbep.c | 107 ++------------- arch/x86/kernel/cpu/amd.c | 19 ++- arch/x86/kernel/cpu/microcode/amd.c | 9 +- arch/x86/xen/multicalls.c | 26 ++-- arch/x86/xen/smp_pv.c | 1 - arch/x86/xen/xen-ops.h | 3 - block/bdev.c | 3 +- block/bio-integrity.c | 17 +-- block/blk-sysfs.c | 2 + drivers/accel/ivpu/ivpu_drv.c | 4 +- drivers/accel/ivpu/ivpu_fw.c | 3 +- drivers/accel/ivpu/ivpu_hw.h | 11 +- drivers/accel/ivpu/ivpu_hw_btrs.c | 126 ++++++++--------- drivers/accel/ivpu/ivpu_hw_btrs.h | 6 +- drivers/ata/libata-sata.c | 15 +++ drivers/block/loop.c | 121 +++-------------- drivers/bluetooth/btqca.c | 2 +- drivers/bluetooth/btrtl.c | 2 + drivers/bluetooth/hci_vhci.c | 10 +- drivers/cpufreq/cpufreq.c | 40 +++++- drivers/crypto/caam/qi.c | 6 +- drivers/crypto/tegra/tegra-se-aes.c | 5 +- drivers/dma-buf/sw_sync.c | 19 ++- .../firmware/cirrus/test/cs_dsp_mock_mem_maps.c | 30 ----- drivers/firmware/cirrus/test/cs_dsp_test_bin.c | 2 +- .../firmware/cirrus/test/cs_dsp_test_bin_error.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 34 ++++- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +++--- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 +- drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 4 + drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 21 +-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 62 ++++++++- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 6 +- .../drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 28 +++- drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 15 ++- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 6 +- .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 7 +- .../amd/display/dc/resource/dcn31/dcn31_resource.c | 2 +- .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 + drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 55 +++++++- drivers/gpu/drm/ast/ast_dp.c | 6 + drivers/gpu/drm/i915/display/intel_bw.c | 14 +- drivers/gpu/drm/i915/display/intel_display.c | 4 +- .../gpu/drm/i915/display/intel_display_device.h | 1 + drivers/gpu/drm/i915/display/intel_dp.c | 58 ++++++-- drivers/gpu/drm/i915/display/intel_vblank.c | 4 +- drivers/gpu/drm/i915/gvt/opregion.c | 7 +- drivers/gpu/drm/i915/i915_drv.h | 1 + drivers/gpu/drm/i915/soc/intel_dram.c | 4 + drivers/gpu/drm/imagination/pvr_fw.c | 27 +++- drivers/gpu/drm/imagination/pvr_job.c | 7 + drivers/gpu/drm/imagination/pvr_queue.c | 4 + drivers/gpu/drm/mgag200/mgag200_mode.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 82 +++++------ drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 8 +- .../drm/msm/disp/dpu1/catalog/dpu_1_14_msm8937.h | 2 - .../drm/msm/disp/dpu1/catalog/dpu_1_15_msm8917.h | 1 - .../drm/msm/disp/dpu1/catalog/dpu_1_16_msm8953.h | 3 - .../drm/msm/disp/dpu1/catalog/dpu_1_7_msm8996.h | 4 - .../gpu/drm/msm/disp/dpu1/catalog/dpu_3_2_sdm660.h | 3 - .../gpu/drm/msm/disp/dpu1/catalog/dpu_3_3_sdm630.h | 2 - drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 3 + drivers/gpu/drm/msm/dsi/dsi_host.c | 9 +- .../gpu/drm/msm/registers/adreno/adreno_pm4.xml | 7 + drivers/gpu/drm/nouveau/nouveau_bo.c | 3 + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 - drivers/gpu/drm/sti/Makefile | 2 - drivers/gpu/drm/tiny/repaper.c | 4 +- drivers/gpu/drm/v3d/v3d_sched.c | 16 ++- drivers/gpu/drm/virtio/virtgpu_gem.c | 11 +- drivers/gpu/drm/virtio/virtgpu_plane.c | 20 ++- drivers/gpu/drm/xe/xe_device_types.h | 1 + drivers/gpu/drm/xe/xe_dma_buf.c | 5 +- drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 12 +- drivers/gpu/drm/xe/xe_guc_ads.c | 75 ++++++----- drivers/gpu/drm/xe/xe_hmm.c | 24 ---- drivers/gpu/drm/xe/xe_migrate.c | 2 +- drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 + drivers/i2c/i2c-atr.c | 2 +- drivers/infiniband/core/cma.c | 4 +- drivers/infiniband/core/umem_odp.c | 6 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 10 -- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +- drivers/md/md-bitmap.c | 5 +- drivers/md/raid10.c | 1 + drivers/net/can/rockchip/rockchip_canfd-core.c | 7 +- drivers/net/dsa/b53/b53_common.c | 10 ++ drivers/net/dsa/mv88e6xxx/chip.c | 13 +- drivers/net/dsa/mv88e6xxx/devlink.c | 3 +- drivers/net/ethernet/amd/pds_core/debugfs.c | 5 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 + drivers/net/ethernet/hisilicon/hibmcge/hbg_err.c | 3 + drivers/net/ethernet/hisilicon/hibmcge/hbg_hw.c | 7 + drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c | 6 +- drivers/net/ethernet/hisilicon/hibmcge/hbg_reg.h | 3 + drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_defines.h | 6 +- drivers/net/ethernet/intel/igc/igc_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 113 ++++++++++------ drivers/net/ethernet/marvell/octeontx2/nic/rep.c | 2 + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 49 ++++--- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 15 ++- drivers/net/ethernet/ti/icssg/icss_iep.c | 150 ++++++++++++++------- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 3 +- drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 3 +- drivers/net/wireless/ath/ath12k/dp_mon.c | 4 +- drivers/net/wireless/atmel/at76c50x-usb.c | 2 +- .../wireless/broadcom/brcm80211/brcmfmac/common.c | 4 +- .../net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 8 +- drivers/net/wireless/ti/wl1251/tx.c | 4 +- drivers/nvme/target/fc.c | 14 -- drivers/nvme/target/pci-epf.c | 74 ++++++---- drivers/pci/pci.c | 4 - drivers/platform/mellanox/mlxbf-bootctl.c | 4 +- drivers/platform/x86/amd/pmf/auto-mode.c | 4 +- drivers/platform/x86/amd/pmf/cnqf.c | 8 +- drivers/platform/x86/amd/pmf/core.c | 14 ++ drivers/platform/x86/amd/pmf/pmf.h | 1 + drivers/platform/x86/amd/pmf/sps.c | 12 +- drivers/platform/x86/amd/pmf/tee-if.c | 6 +- drivers/platform/x86/asus-laptop.c | 9 +- drivers/platform/x86/dell/alienware-wmi.c | 56 +++++++- drivers/platform/x86/msi-wmi-platform.c | 99 +++++++++----- drivers/ptp/ptp_ocp.c | 1 + drivers/ras/amd/atl/internal.h | 3 + drivers/ras/amd/atl/umc.c | 19 ++- drivers/ras/amd/fmpm.c | 9 +- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 +- drivers/scsi/megaraid/megaraid_sas_base.c | 9 +- drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 +- drivers/scsi/scsi_transport_iscsi.c | 7 +- drivers/scsi/smartpqi/smartpqi_init.c | 13 +- .../intel/int340x_thermal/processor_thermal_rfim.c | 33 ++--- drivers/ufs/host/ufs-exynos.c | 41 ++++-- drivers/ufs/host/ufs-exynos.h | 5 +- fs/Kconfig | 1 + fs/btrfs/ioctl.c | 2 + fs/btrfs/super.c | 3 +- fs/eventpoll.c | 38 ++++-- fs/fuse/virtio_fs.c | 3 + fs/hfs/bnode.c | 6 + fs/hfsplus/bnode.c | 6 + fs/isofs/export.c | 2 +- fs/nfs/Kconfig | 2 +- fs/nfs/internal.h | 7 - fs/nfs/nfs4session.h | 4 - fs/nfsd/Kconfig | 1 + fs/nfsd/nfs4state.c | 2 +- fs/nfsd/nfsfh.h | 7 - fs/overlayfs/overlayfs.h | 2 - fs/overlayfs/super.c | 5 + fs/smb/client/cifsproto.h | 2 + fs/smb/client/connect.c | 34 ++--- fs/smb/client/file.c | 28 ++++ fs/smb/server/connection.c | 4 +- fs/smb/server/oplock.c | 29 ++-- fs/smb/server/oplock.h | 1 - fs/smb/server/smb2pdu.c | 4 +- fs/smb/server/transport_ipc.c | 7 +- fs/smb/server/transport_tcp.c | 14 +- fs/smb/server/transport_tcp.h | 1 + fs/smb/server/vfs.c | 3 +- fs/stat.c | 32 +++-- include/drm/intel/pciids.h | 1 + include/linux/backing-dev.h | 1 + include/linux/blkdev.h | 6 +- include/linux/firmware/cirrus/cs_dsp_test_utils.h | 1 - include/linux/nfs.h | 7 - include/uapi/drm/ivpu_accel.h | 4 +- io_uring/rsrc.c | 17 ++- kernel/sched/cpufreq_schedutil.c | 46 ++++++- kernel/trace/ftrace.c | 7 +- kernel/trace/trace_events_filter.c | 4 +- lib/alloc_tag.c | 15 ++- lib/iov_iter.c | 2 +- lib/string.c | 13 +- mm/compaction.c | 6 +- mm/filemap.c | 1 + mm/gup.c | 4 +- mm/memory.c | 4 +- mm/slub.c | 10 ++ mm/userfaultfd.c | 13 +- mm/vma.c | 38 +++++- mm/vma.h | 9 +- net/bluetooth/hci_event.c | 5 +- net/bluetooth/l2cap_core.c | 21 ++- net/bridge/br_vlan.c | 4 +- net/dsa/dsa.c | 59 ++++++-- net/dsa/tag_8021q.c | 2 +- net/ethtool/cmis_cdb.c | 2 +- net/ipv6/route.c | 1 + net/mac80211/iface.c | 3 + net/mctp/af_mctp.c | 3 + net/netfilter/nf_flow_table_core.c | 10 +- net/openvswitch/flow_netlink.c | 3 +- net/smc/af_smc.c | 5 + rust/Makefile | 2 +- rust/helpers/io.c | 34 ++--- scripts/Makefile.compiler | 4 +- scripts/generate_rust_analyzer.py | 12 +- sound/pci/hda/Kconfig | 4 +- sound/pci/hda/patch_realtek.c | 23 ++-- sound/soc/codecs/cs42l43-jack.c | 3 + sound/soc/codecs/lpass-wsa-macro.c | 139 +++++++++++++------ sound/soc/dwc/dwc-i2s.c | 13 +- sound/soc/fsl/fsl_qmc_audio.c | 3 + sound/soc/intel/avs/pcm.c | 3 +- sound/soc/intel/boards/sof_sdw.c | 1 + sound/soc/qcom/lpass.h | 3 +- tools/net/ynl/pyynl/ynl_gen_c.py | 69 +++++++--- tools/objtool/check.c | 1 + tools/perf/util/evsel.c | 22 --- tools/testing/kunit/qemu_configs/sh.py | 4 +- tools/testing/selftests/mincore/mincore_selftest.c | 16 +-- .../selftests/mm/charge_reserved_hugetlb.sh | 4 +- .../selftests/mm/hugetlb_reparenting_test.sh | 2 +- tools/testing/shared/linux.c | 4 +- 250 files changed, 2269 insertions(+), 1331 deletions(-)

6 months, 2 weeks

19
261
0 0

[PATCH v4 1/2] staging: iio: frequency: ad9832: Use SLEEP bit instead of RESET to disable output

by Gabriel Shahrouzi

According to the AD9832 datasheet (Table 10, D12 description), setting the RESET bit forces the phase accumulator to zero, which corresponds to a full-scale DC output, rather than disabling the output signal. The correct way to disable the output and enter a low-power state is to set the AD9832_SLEEP bit (Table 10, D13 description), which powers down the internal DAC current sources and disables internal clocks. Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> --- v3 -> v4: - Rebase changes ontop of most recent changes. v2 -> v3: v1 -> v2: --- drivers/staging/iio/frequency/ad9832.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/iio/frequency/ad9832.c b/drivers/staging/iio/frequency/ad9832.c index 49388da5a684a..2e555084ff98a 100644 --- a/drivers/staging/iio/frequency/ad9832.c +++ b/drivers/staging/iio/frequency/ad9832.c @@ -236,7 +236,7 @@ static ssize_t ad9832_write(struct device *dev, struct device_attribute *attr, if (val) st->ctrl_src &= ~(AD9832_RESET | AD9832_SLEEP | AD9832_CLR); else - st->ctrl_src |= FIELD_PREP(AD9832_RESET, 1); + st->ctrl_src |= FIELD_PREP(AD9832_SLEEP, 1); st->data = cpu_to_be16(FIELD_PREP(AD9832_CMD_MSK, AD9832_CMD_SLEEPRESCLR) | st->ctrl_src); -- 2.43.0

6 months, 2 weeks

2
1
0 0

[PATCH 6.6 000/393] 6.6.88-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.88 release. There are 393 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 25 Apr 2025 14:25:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.88-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.88-rc1 Karolina Stolarek <karolina.stolarek(a)intel.com> drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled Haisu Wang <haisuwang(a)tencent.com> btrfs: fix the length of reserved qgroup to free WangYuli <wangyuli(a)uniontech.com> MIPS: ds1287: Match ds1287_set_base_clock() function types WangYuli <wangyuli(a)uniontech.com> MIPS: cevt-ds1287: Add missing ds1287.h include WangYuli <wangyuli(a)uniontech.com> MIPS: dec: Declare which_prom() as static Jan Stancek <jstancek(a)redhat.com> sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Jan Stancek <jstancek(a)redhat.com> sign-file,extract-cert: avoid using deprecated ERR_get_error_line() Jan Stancek <jstancek(a)redhat.com> sign-file,extract-cert: move common SSL helper functions to a header Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> xdp: Reset bpf_redirect_info before running a xdp's BPF prog. WangYuli <wangyuli(a)uniontech.com> nvmet-fc: Remove unused functions Mickaël Salaün <mic(a)digikod.net> landlock: Add the errata interface Hersen Wu <hersenxs.wu(a)amd.com> drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: pci: disable PCIE wake bit when PCIE deinit Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: pci: add pre_deinit to be called after probe complete Boris Burkov <boris(a)bur.io> btrfs: fix qgroup reserve leaks in cow_file_range GONG Ruiqi <gongruiqi1(a)huawei.com> usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() Dan Carpenter <dan.carpenter(a)linaro.org> usb: typec: fix potential array underflow in ucsi_ccg_sync_control() Yuli Wang <wangyuli(a)uniontech.com> LoongArch: Eliminate superfluous get_numa_distances_cnt() Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Chunguang.xu <chunguang.xu(a)shopee.com> nvme-rdma: unquiesce admin_q before destroy it Maksim Davydov <davydov-max(a)yandex-team.ru> x86/split_lock: Fix the delayed detection logic Vishal Annapurve <vannapurve(a)google.com> x86/tdx: Fix arch_safe_halt() execution for TDX VMs Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: fix memblock_reserve() usage on PVH Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: move xen_reserve_extra_memory() Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32 Piotr Jaroszynski <pjaroszynski(a)nvidia.com> Fix mmu notifiers for range-based invalidates Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error Geliang Tang <geliang.tang(a)suse.com> selftests: mptcp: add mptcp_lib_wait_local_port_listen Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting freebind & transparent Yu Kuai <yukuai3(a)huawei.com> md: fix mddev uaf while iterating all_mddevs list Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Reference count policy in cpufreq_update_limits() Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix accept multishot handling Jani Nikula <jani.nikula(a)intel.com> drm/i915/gvt: fix unterminated-string-initialization warning Rolf Eike Beer <eb(a)emlix.com> drm/sti: remove duplicate object names Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/nouveau: prime: fix ttm_bo_delayed_delete oops Matthew Auld <matthew.auld(a)intel.com> drm/amdgpu/dma_buf: fix page_link check Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/smu11: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm/powerplay: Prevent division by zero Denis Arefev <arefev(a)swemel.ru> drm/amd/pm: Prevent division by zero Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Handle being compiled without SI or CIK support better Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Fix stale rpmh votes from GPU Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/repaper: fix integer overflows in repeat functions Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Allow to update user space GPRs from PEBS records Sharath Srinivasan <sharath.srinivasan(a)oracle.com> RDMA/cma: Fix workqueue crash in cma_netevent_work_handler Peter Griffin <peter.griffin(a)linaro.org> scsi: ufs: exynos: Ensure consistent phy reference counts Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: megaraid_sas: Block zero-length ATA VPD inquiry Ard Biesheuvel <ardb(a)kernel.org> x86/boot/sev: Avoid shared GHCB page for early memory acceptance Sandipan Das <sandipan.das(a)amd.com> x86/cpu/amd: Fix workaround for erratum 1054 Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches Xiangsheng Hou <xiangsheng.hou(a)mediatek.com> virtiofs: add filesystem context source name check Steven Rostedt <rostedt(a)goodmis.org> tracing: Fix filter string testing Peter Collingbourne <pcc(a)google.com> string: Add load_unaligned_zeropad() code path to sized_strscpy() Chunjie Zhu <chunjie.zhu(a)cloud.com> smb3 client: fix open hardlink on deferred close file error Mark Brown <broonie(a)kernel.org> selftests/mm: generate a temporary mountpoint for cgroup filesystem Nathan Chancellor <nathan(a)kernel.org> riscv: Avoid fortify warning in syscall_get_arguments() Kuniyuki Iwashima <kuniyu(a)amazon.com> Revert "smb: client: fix TCP timers deadlock after rmmod" Kuniyuki Iwashima <kuniyu(a)amazon.com> Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix the warning from __kernel_write_iter Denis Arefev <arefev(a)swemel.ru> ksmbd: Prevent integer overflow in calculation of deadtime Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in smb_break_all_levII_oplock() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix dangling pointer in krb_authenticate Miklos Szeredi <mszeredi(a)redhat.com> ovl: don't allow datadir only Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm: fix apply_to_existing_page_range() Vishal Moola (Oracle) <vishal.moola(a)gmail.com> mm: fix filemap_get_folios_contig returning batches of identical folios Baoquan He <bhe(a)redhat.com> mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: LOOP_SET_FD: send uevents for partitions Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> loop: properly send KOBJ_CHANGED uevent for disk device Edward Adam Davis <eadavis(a)qq.com> isofs: Prevent the use of too small fid Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> i2c: cros-ec-tunnel: defer probe if parent EC is not present Vasiliy Kovalev <kovalev(a)altlinux.org> hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key Herbert Xu <herbert(a)gondor.apana.org.au> crypto: caam/qi - Fix drv_ctx refcount bug Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Johannes Kimmel <kernel(a)bareminimum.eu> btrfs: correctly escape subvol in btrfs_show_options() Kees Cook <kees(a)kernel.org> Bluetooth: vhci: Avoid needless snprintf() calls Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: l2cap: Process valid commands in too long frame Menglong Dong <menglong8.dong(a)gmail.com> ftrace: fix incorrect hash size in register_ftrace_direct() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: atr: Fix wrong include Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: decrease sc_count directly if fail to queue dl_recall Eric Biggers <ebiggers(a)google.com> nfs: add missing selections of CONFIG_CRC32 Denis Arefev <arefev(a)swemel.ru> asus-laptop: Fix an uninitialized variable Evgeny Pimenov <pimenoveu12(a)gmail.com> ASoC: qcom: Fix sc7280 lpass potential buffer overflow Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate Alex Williamson <alex.williamson(a)redhat.com> Revert "PCI: Avoid reset when disabled via sysfs" Andreas Gruenbacher <agruenba(a)redhat.com> writeback: fix false warning in inode_to_wb() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break WangYuli <wangyuli(a)uniontech.com> riscv: KGDB: Do not inline arch_kgdb_breakpoint() Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kunit: qemu_configs: SH: Respect kunit cmdline Björn Töpel <bjorn(a)rivosinc.com> riscv: Properly export reserved regions in /proc/iomem Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: revise QDMA packet scheduler settings Bo-Cun Chen <bc-bocun.chen(a)mediatek.com> net: ethernet: mtk_eth_soc: correct the max weight of the queue limit for 100Mbps Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Fix possible NULL pointer dereference for perout request Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Add phase offset configuration for perout signal Meghana Malladi <m-malladi(a)ti.com> net: ti: icss-iep: Add pwidth configuration for perout signal Sagi Maimon <maimon.sagi(a)gmail.com> ptp: ocp: fix start time alignment in ptp_ocp_signal_set Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: free routing table on probe failure Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: clean up FDB, MDB, VLAN entries on unbind Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Jonas Gorski <jonas.gorski(a)gmail.com> net: bridge: switchdev: do not notify new brentries as changed Jonas Gorski <jonas.gorski(a)gmail.com> net: b53: enable BPDU reception for management port Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rt-link: adjust mctp attribute naming Jakub Kicinski <kuba(a)kernel.org> netlink: specs: rt-link: add an attr layer around alt-ifname Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: individually free previous values on double set Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: store recursive nests by a pointer Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: re-sort ignoring recursive nests Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: record information about recursive nests Jakub Kicinski <kuba(a)kernel.org> tools: ynl-gen: track attribute use Abdun Nihaal <abdun.nihaal(a)gmail.com> cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path Niklas Cassel <cassel(a)kernel.org> ata: libata-sata: Save all fields from sense data descriptor Michael Walle <mwalle(a)kernel.org> net: ethernet: ti: am65-cpsw: fix port_np reference counting Alexander Sverdlin <alexander.sverdlin(a)siemens.com> net: ethernet: ti: am65-cpsw-nuss: rename phy_node -> port_np Abdun Nihaal <abdun.nihaal(a)gmail.com> net: ngbe: fix memory leak in ngbe_probe() error path Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: fix nested key length validation in the set() action Zheng Qixing <zhengqixing(a)huawei.com> block: fix resource leak in blk_register_queue() error path Matt Johnston <matt(a)codeconstruct.com.au> net: mctp: Set SOCK_RCU_FREE Abdun Nihaal <abdun.nihaal(a)gmail.com> pds_core: fix memory leak in pdsc_debugfs_add_qcq() Matthew Wilcox (Oracle) <willy(a)infradead.org> test suite: use %zu to print size_t Christopher S M Hall <christopher.s.hall(a)intel.com> igc: add lock preventing multiple simultaneous PTM transactions Christopher S M Hall <christopher.s.hall(a)intel.com> igc: cleanup PTP module if probe fails Christopher S M Hall <christopher.s.hall(a)intel.com> igc: handle the IGC_PTP_ENABLED flag correctly Christopher S M Hall <christopher.s.hall(a)intel.com> igc: move ktime snapshot into PTM retry loop Christopher S M Hall <christopher.s.hall(a)intel.com> igc: increase wait time before retrying PTM Christopher S M Hall <christopher.s.hall(a)intel.com> igc: fix PTM cycle trigger logic Johannes Berg <johannes.berg(a)intel.com> Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: l2cap: Check encryption key size on incoming connection Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: btrtl: Prevent potential NULL dereference Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address Shay Drory <shayd(a)nvidia.com> RDMA/core: Silence oversized kvmalloc() warning Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: cs42l43: Reset clamp override on jack removal Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix wrong maximum DMA segment size Yue Haibing <yuehaibing(a)huawei.com> RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() Giuseppe Scrivano <gscrivan(a)redhat.com> ovl: remove unused forward declaration Henry Martin <bsdhenrymartin(a)gmail.com> ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() Brady Norander <bradynorander(a)gmail.com> ASoC: dwc: always enable/disable i2s irqs Zheng Qixing <zhengqixing(a)huawei.com> md/md-bitmap: fix stats collection for external bitmaps Yu Kuai <yukuai3(a)huawei.com> md/raid10: fix missing discard IO accounting Miaoqian Lin <linmq006(a)gmail.com> scsi: iscsi: Fix missing scsi_host_put() in error path Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: wl1251: fix memory leak in wl1251_tx_work Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Purge vif txq in ieee80211_do_stop() Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: at76c50x: fix use after free access in at76_disconnect Xingui Yang <yangxingui(a)huawei.com> scsi: hisi_sas: Enable force phy when SATA disk directly connected Kaixin Wang <kxwang23(a)m.fudan.edu.cn> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Arnd Bergmann <arnd(a)arndb.de> media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Yi Liu <yi.l.liu(a)intel.com> iommufd: Fail replace if device has not been attached Nathan Chancellor <nathan(a)kernel.org> ACPI: platform-profile: Fix CFI violation when accessing sysfs files Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Cong Liu <liucong2(a)kylinos.cn> selftests: mptcp: fix incorrect fd checks in main_loop Geliang Tang <tanggeliang(a)kylinos.cn> selftests: mptcp: close fd_in before returning in main_loop Stephan Gerhold <stephan.gerhold(a)linaro.org> pinctrl: qcom: Clear latched interrupt status when changing IRQ type Stefan Eichenberger <stefan.eichenberger(a)toradex.com> phy: freescale: imx8m-pcie: assert phy reset and perst in power off Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_one() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Sean Christopherson <seanjc(a)google.com> KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Sean Christopherson <seanjc(a)google.com> KVM: x86: Explicitly zero-initialize on-stack CPUID unions Joshua Washington <joshwash(a)google.com> gve: handle overflow when reporting TX consumed descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind Guixin Liu <kanie(a)linux.alibaba.com> gpio: tegra186: fix resource handling in ACPI probe path zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg' Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg' Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix prefetch-vs-suspend race Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: fix prefetch-vs-suspend race Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Release pm subdomains in reverse add order Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Pali Rohár <pali(a)kernel.org> cifs: Ensure that all non-client-specific reparse points are processed by the server Roman Smirnov <r.smirnov(a)omp.ru> cifs: fix integer overflow in match_server() Alexandra Diupina <adiupina(a)astralinux.ru> cifs: avoid NULL pointer dereference in dbg call Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not add length to print format in synthetic events Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: fix balloon target initialization for PVH dom0 Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Marc Herbert <Marc.Herbert(a)linux.intel.com> mm/hugetlb: move hugetlb_sysctl_init() to the __init section Shuai Xue <xueshuai(a)linux.alibaba.com> mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix release hang over concurrent GUP Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm/mremap: correctly handle partial mremap() of VMA starting at 0 Ryan Roberts <ryan.roberts(a)arm.com> mm: fix lazy mmu docs and usage Jane Chu <jane.chu(a)oracle.com> mm: make page_mapped_in_vma() hugetlb walk aware David Hildenbrand <david(a)redhat.com> mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Fix uninitialized rc in iommufd_access_rw() Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone finishing with missing devices Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone activation with missing devices Filipe Manana <fdmanana(a)suse.com> btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Herve Codina <herve.codina(a)bootlin.com> backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Correct the update of max_pfn Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: only inc MPJoinAckHMacFailure for HMAC failures Gang Yan <yangang(a)kylinos.cn> mptcp: fix NULL pointer in can_accept_new_subflow T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Kartik Rajput <kkartik(a)nvidia.com> mailbox: tegra-hsp: Define dimensioning masks in SoC data Chenyuan Yang <chenyuan0y(a)gmail.com> mfd: ene-kb3930: Fix a potential NULL pointer dereference Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use readsb helper for reading MDB Steve French <stfrench(a)microsoft.com> smb311 client: fix missing tcon check when mounting with linux/posix extensions Chenyuan Yang <chenyuan0y(a)gmail.com> soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> tpm: do not start chip while suspended Jan Kara <jack(a)suse.cz> udf: Fix inode_getblk() return value Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix oversized null mkey longer than 32bit Yeongjin Gil <youngjin.gil(a)samsung.com> f2fs: fix to avoid atomicity corruption of atomic file Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix race between unprepare and queue_buf Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm: add q6apm_get_hw_pointer helper Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: reject zero sized provided buffers Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Haoxiang Li <haoxiang_li2024(a)163.com> wifi: mt76: Add check for devm_kstrdup() Alexandre Torgue <alexandre.torgue(a)foss.st.com> clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Replace kcalloc() with devm_kcalloc() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Add check for devm_kcalloc() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting IPV6_V6ONLY Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx219: Rectify runtime PM handling in probe and remove Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: refactor hfi packet parsing logic Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in remove Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: platform: stm32: Add check for clk_enable() Nicolas Dufresne <nicolas.dufresne(a)collabora.com> media: visl: Fix ERANGE error when setting enum controls Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Fix timeout handling when waiting for TPM status Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Miquel Raynal <miquel.raynal(a)bootlin.com> spi: cadence-qspi: Fix probe on AM62A LP SK Will Deacon <will(a)kernel.org> KVM: arm64: Tear down vGIC on failed vCPU creation Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Douglas Anderson <dianders(a)chromium.org> arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Arnd Bergmann <arnd(a)arndb.de> media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Alain Volmat <alain.volmat(a)foss.st.com> dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: rcar: Improve register calculation Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Workaround failed command reception on Infineon devices Ayush Jain <Ayush.jain3(a)amd.com> ktest: Fix Test Failures Due to Missing LOG_FILE Directories Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: probe-events: Add comments about entry data storing code Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check Christian König <christian.koenig(a)amd.com> drm/amdgpu: grab an additional reference on the gang fence v2 Ryo Takakura <ryotkkr98(a)gmail.com> PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Wentao Liang <vulab(a)iscas.ac.cn> drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: debugfs hang_hws skip GPU with MES Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix mode1 reset crash issue David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Lucas De Marchi <lucas.demarchi(a)intel.com> drivers: base: devres: Allow to release group on device release Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/bridge: panel: forbid initializing a panel with unknown connector type Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Brendan Tam <Brendan.Tam(a)amd.com> drm/amd/display: add workaround flag to link to force FFE preset Zhikai Zhai <zhikai.zhai(a)amd.com> drm/amd/display: Update Cursor request mode to the beginning prefetch always Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Bluetooth: qca: simplify WCN399x NVM loading Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Philipp Hahn <phahn-oss(a)avm.de> cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Chao Yu <chao(a)kernel.org> Revert "f2fs: rebuild nat_bits during umount" Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Manish Dharanenthiran <quic_mdharane(a)quicinc.com> wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Birger Koblitz <mail(a)birger-koblitz.de> net: sfp: add quirk for 2.5G OEM BX SFP Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Zhongqiu Han <quic_zhonhan(a)quicinc.com> jfs: Fix uninit-value access of imap allocated in the diMount() function Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Max Schulze <max.schulze(a)online.de> net: usb: asix_devices: add FiberGecko DeviceID Chaohai Chen <wdhh66(a)163.com> scsi: target: spc: Fix RSOC parameter data header size Chao Yu <chao(a)kernel.org> f2fs: don't retry IO for corrupted data scenario P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Syed Saba kareem <syed.sabakareem(a)amd.com> ASoC: amd: yc: update quirk data for new Lenovo model keenplify <keenplify(a)gmail.com> ASoC: amd: Add DMI quirk for ACP6X mic support Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Kaustabh Chakraborty <kauschluss(a)disroot.org> mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Add quirk for Actions UVC05 Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_audmix: register card device depends on 'dais' property Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERIODIC_SINE_ONLY quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: Add hid-universal-pidff driver and supported device ids Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add FIX_WHEEL_DIRECTION quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERMISSIVE_CONTROL quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_PBO quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_DELAY quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Zhang Heng <zhangheng(a)kylinos.cn> ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Ingo Molnar <mingo(a)kernel.org> zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Xin Li (Intel) <xin(a)zytor.com> x86/ia32: Leave NULL selector values 0~3 unchanged Matthew Wilcox (Oracle) <willy(a)infradead.org> x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Trond Myklebust <trond.myklebust(a)hammerspace.com> umount: Allow superblock owners to force umount Mateusz Guzik <mjguzik(a)gmail.com> fs: consistently deref the files table with rcu_dereference_raw() Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Florian Westphal <fw(a)strlen.de> nft_set_pipapo: fix incorrect avx2 match of 5th field octet Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Ido Schimmel <idosch(a)nvidia.com> ipv6: Align behavior across nexthops during path selection Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: move the limit validation Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: use a temporary work area for validating configuration Daniel Wagner <wagi(a)kernel.org> nvmet-fcloop: swap list_add_tail arguments Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/huc: Fix fence not released on early probe errors Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Chenyuan Yang <chenyuan0y(a)gmail.com> net: libwx: handle page_pool_dev_alloc_pages error Maxime Ripard <mripard(a)kernel.org> drm/tests: probe-helper: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: modes: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: cmdline: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: helpers: Create kunit helper to destroy a drm_display_mode Yu-Chun Lin <eleanor15x(a)gmail.com> drm/tests: helpers: Fix compiler warning Jinjie Ruan <ruanjinjie(a)huawei.com> drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() Maxime Ripard <mripard(a)kernel.org> drm/tests: Add helper to create mock crtc Maxime Ripard <mripard(a)kernel.org> drm/tests: Add helper to create mock plane Maxime Ripard <mripard(a)kernel.org> drm/tests: helpers: Add atomic helpers Maxime Ripard <mripard(a)kernel.org> drm/tests: modeset: Fix drm_display_mode memory leak Maxime Chevallier <maxime.chevallier(a)bootlin.com> net: ethtool: Don't call .cleanup_data when prepare_data fails Toke Høiland-Jørgensen <toke(a)redhat.com> tc: Ensure we have enough buffer space when sending filter netlink notifications Pedro Tammela <pctammela(a)mojatatu.com> net/sched: cls_api: conditional notification of events Victor Nogueira <victor(a)mojatatu.com> rtnl: add helper to check if a notification is needed Jamal Hadi Salim <jhs(a)mojatatu.com> rtnl: add helper to check if rtnl group has listeners Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-pf: qos: fix VF root node parent queue index Jakub Kicinski <kuba(a)kernel.org> net: tls: explicitly disallow disconnect Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Badal Nilawar <badal.nilawar(a)intel.com> drm/i915: Disable RPG during live selftest Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/i915/dg2: wait for HuC load completion before running selftests Harish Chegondi <harish.chegondi(a)intel.com> drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ Jani Nikula <jani.nikula(a)intel.com> drm/i915/mocs: use to_gt() instead of direct &i915->gt Edward Liaw <edliaw(a)google.com> selftests/futex: futex_waitv wouldblock test should fail ------------- Diffstat: .../bindings/arm/qcom,coresight-tpda.yaml | 3 +- .../bindings/arm/qcom,coresight-tpdm.yaml | 3 +- .../bindings/media/i2c/st,st-mipid02.yaml | 2 +- Documentation/netlink/specs/rt_link.yaml | 14 +- MAINTAINERS | 1 + Makefile | 7 +- arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/include/asm/spectre.h | 1 - arch/arm64/include/asm/tlbflush.h | 22 ++- arch/arm64/kernel/proton-pack.c | 208 +++++++++++--------- arch/arm64/kvm/arm.c | 6 +- arch/arm64/mm/mmu.c | 3 +- arch/loongarch/kernel/acpi.c | 12 -- arch/mips/dec/prom/init.c | 2 +- arch/mips/include/asm/ds1287.h | 2 +- arch/mips/kernel/cevt-ds1287.c | 1 + arch/powerpc/kernel/rtas.c | 4 + arch/riscv/include/asm/kgdb.h | 9 +- arch/riscv/include/asm/syscall.h | 7 +- arch/riscv/kernel/kgdb.c | 6 + arch/riscv/kernel/setup.c | 36 +++- arch/sparc/include/asm/pgtable_64.h | 2 - arch/sparc/mm/tlb.c | 5 +- arch/x86/Kconfig | 1 + arch/x86/boot/compressed/mem.c | 5 +- arch/x86/boot/compressed/sev.c | 67 ++----- arch/x86/boot/compressed/sev.h | 2 + arch/x86/coco/tdx/tdx.c | 26 ++- arch/x86/events/intel/ds.c | 8 +- arch/x86/events/intel/uncore_snbep.c | 107 +---------- arch/x86/include/asm/irqflags.h | 40 ++-- arch/x86/include/asm/paravirt.h | 20 +- arch/x86/include/asm/paravirt_types.h | 3 +- arch/x86/include/asm/tdx.h | 4 +- arch/x86/include/asm/xen/hypervisor.h | 5 - arch/x86/kernel/cpu/amd.c | 21 +- arch/x86/kernel/cpu/intel.c | 20 +- arch/x86/kernel/cpu/microcode/amd.c | 9 +- arch/x86/kernel/e820.c | 17 +- arch/x86/kernel/paravirt.c | 14 +- arch/x86/kernel/process.c | 2 +- arch/x86/kernel/signal_32.c | 62 ++++-- arch/x86/kvm/cpuid.c | 8 +- arch/x86/kvm/x86.c | 4 + arch/x86/mm/pat/set_memory.c | 6 +- arch/x86/platform/pvh/enlighten.c | 3 - arch/x86/xen/enlighten.c | 10 + arch/x86/xen/enlighten_pvh.c | 93 +++++---- arch/x86/xen/setup.c | 3 - block/blk-sysfs.c | 2 + certs/Makefile | 2 +- certs/extract-cert.c | 138 ++++++------- drivers/acpi/platform_profile.c | 20 +- drivers/ata/ahci.c | 2 + drivers/ata/libata-eh.c | 11 +- drivers/ata/libata-sata.c | 15 ++ drivers/ata/pata_pxa.c | 6 + drivers/ata/sata_sx4.c | 13 +- drivers/base/devres.c | 7 + drivers/block/loop.c | 7 +- drivers/bluetooth/btqca.c | 13 +- drivers/bluetooth/btrtl.c | 2 + drivers/bluetooth/hci_ldisc.c | 19 +- drivers/bluetooth/hci_uart.h | 1 + drivers/bluetooth/hci_vhci.c | 10 +- drivers/bus/mhi/host/main.c | 16 +- drivers/char/tpm/tpm-chip.c | 5 + drivers/char/tpm/tpm-interface.c | 7 - drivers/char/tpm/tpm_tis_core.c | 20 +- drivers/char/tpm/tpm_tis_core.h | 1 + drivers/clk/qcom/clk-branch.c | 4 +- drivers/clk/qcom/gdsc.c | 61 +++--- drivers/clocksource/timer-stm32-lp.c | 4 +- drivers/cpufreq/cpufreq.c | 40 +++- drivers/crypto/caam/qi.c | 6 +- drivers/crypto/ccp/sp-pci.c | 15 +- drivers/firmware/efi/libstub/efistub.h | 2 +- drivers/gpio/gpio-tegra186.c | 25 +-- drivers/gpio/gpio-zynq.c | 1 + drivers/gpu/drm/Kconfig | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 44 +++-- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 ++ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +- drivers/gpu/drm/amd/display/dc/dc.h | 2 + .../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 22 +-- drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hubp.c | 2 +- .../display/dc/link/protocols/link_dp_training.c | 2 + drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 + .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega10_thermal.c | 4 +- .../drm/amd/pm/powerplay/hwmgr/vega20_thermal.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 3 + drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 2 +- drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_panel.c | 5 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 ++++- drivers/gpu/drm/i915/gt/intel_engine_cs.c | 3 +- drivers/gpu/drm/i915/gt/intel_mocs.c | 4 +- drivers/gpu/drm/i915/gt/intel_rc6.c | 19 +- drivers/gpu/drm/i915/gt/uc/intel_huc.c | 11 +- drivers/gpu/drm/i915/gt/uc/intel_huc.h | 1 + drivers/gpu/drm/i915/gt/uc/intel_uc.c | 1 + drivers/gpu/drm/i915/gvt/opregion.c | 7 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/selftests/i915_selftest.c | 54 +++++- drivers/gpu/drm/mediatek/mtk_dpi.c | 23 ++- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 82 ++++---- drivers/gpu/drm/nouveau/nouveau_bo.c | 3 + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 - drivers/gpu/drm/sti/Makefile | 2 - drivers/gpu/drm/tests/drm_client_modeset_test.c | 3 + drivers/gpu/drm/tests/drm_cmdline_parser_test.c | 10 +- drivers/gpu/drm/tests/drm_kunit_helpers.c | 213 +++++++++++++++++++++ drivers/gpu/drm/tests/drm_modes_test.c | 22 +++ drivers/gpu/drm/tests/drm_probe_helper_test.c | 8 +- drivers/gpu/drm/tiny/repaper.c | 4 +- drivers/hid/Kconfig | 14 ++ drivers/hid/Makefile | 1 + drivers/hid/hid-ids.h | 31 +++ drivers/hid/hid-universal-pidff.c | 197 +++++++++++++++++++ drivers/hid/usbhid/hid-pidff.c | 173 ++++++++++++----- drivers/hsi/clients/ssi_protocol.c | 1 + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 + drivers/i2c/i2c-atr.c | 2 +- drivers/i3c/master.c | 3 + drivers/i3c/master/svc-i3c-master.c | 2 +- drivers/infiniband/core/cma.c | 4 +- drivers/infiniband/core/umem_odp.c | 6 +- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +- drivers/iommu/iommufd/device.c | 18 +- drivers/iommu/mtk_iommu.c | 26 +-- drivers/leds/rgb/leds-qcom-lpg.c | 8 +- drivers/mailbox/tegra-hsp.c | 72 +++++-- drivers/md/dm-ebs-target.c | 7 + drivers/md/dm-integrity.c | 3 + drivers/md/dm-verity-target.c | 8 + drivers/md/md-bitmap.c | 5 +- drivers/md/md.c | 22 ++- drivers/md/raid10.c | 1 + drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ccs/ccs-core.c | 6 +- drivers/media/i2c/imx219.c | 13 +- drivers/media/i2c/ov7251.c | 4 +- .../mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 +- .../vcodec/decoder/vdec/vdec_vp9_req_lat_if.c | 3 +- .../mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +- drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++++++--- drivers/media/platform/qcom/venus/hfi_venus.c | 18 +- drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 +- drivers/media/rc/streamzap.c | 68 ++++--- drivers/media/test-drivers/vim2m.c | 6 +- drivers/media/test-drivers/visl/visl-core.c | 12 ++ drivers/media/usb/uvc/uvc_driver.c | 9 + drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/mfd/ene-kb3930.c | 2 +- drivers/misc/pci_endpoint_test.c | 6 +- drivers/mmc/host/dw_mmc.c | 94 ++++++++- drivers/mmc/host/dw_mmc.h | 27 +++ drivers/mtd/inftlcore.c | 9 +- drivers/mtd/mtdpstore.c | 12 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/dsa/b53/b53_common.c | 10 + drivers/net/dsa/mv88e6xxx/chip.c | 30 ++- drivers/net/dsa/mv88e6xxx/devlink.c | 3 +- drivers/net/ethernet/amd/pds_core/debugfs.c | 5 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 + drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +- drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_defines.h | 6 +- drivers/net/ethernet/intel/igc/igc_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 113 +++++++---- drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 5 + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 19 +- drivers/net/ethernet/ti/am65-cpsw-nuss.h | 2 +- drivers/net/ethernet/ti/icssg/icss_iep.c | 150 ++++++++++----- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 3 +- drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 3 +- drivers/net/phy/sfp.c | 2 + drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/usb/asix_devices.c | 17 ++ drivers/net/usb/cdc_ether.c | 7 + drivers/net/usb/r8152.c | 6 + drivers/net/usb/r8153_ecm.c | 6 + drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +++- drivers/net/wireless/atmel/at76c50x-usb.c | 2 +- drivers/net/wireless/mediatek/mt76/eeprom.c | 4 + drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/realtek/rtw89/core.c | 2 + drivers/net/wireless/realtek/rtw89/core.h | 6 + drivers/net/wireless/realtek/rtw89/pci.c | 10 + drivers/net/wireless/ti/wl1251/tx.c | 4 +- drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/host/rdma.c | 8 +- drivers/nvme/target/fc.c | 14 -- drivers/nvme/target/fcloop.c | 2 +- drivers/of/irq.c | 78 ++++---- drivers/pci/controller/pcie-brcmstb.c | 13 +- drivers/pci/controller/vmd.c | 12 +- drivers/pci/pci.c | 4 - drivers/pci/probe.c | 5 +- drivers/perf/arm_pmu.c | 8 +- drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 ++ drivers/pinctrl/qcom/pinctrl-msm.c | 12 +- drivers/platform/x86/asus-laptop.c | 9 +- drivers/ptp/ptp_ocp.c | 1 + drivers/pwm/pwm-fsl-ftm.c | 6 + drivers/pwm/pwm-mediatek.c | 8 +- drivers/pwm/pwm-rcar.c | 24 +-- drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 +- drivers/scsi/megaraid/megaraid_sas_base.c | 9 +- drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 +- drivers/scsi/scsi_transport_iscsi.c | 7 +- drivers/scsi/st.c | 2 +- drivers/soc/samsung/exynos-chipid.c | 2 + drivers/spi/spi-cadence-quadspi.c | 6 + drivers/target/target_core_spc.c | 2 +- drivers/thermal/rockchip_thermal.c | 1 + drivers/ufs/host/ufs-exynos.c | 6 + drivers/usb/typec/ucsi/ucsi_ccg.c | 5 + drivers/vdpa/mlx5/core/mr.c | 7 +- drivers/video/backlight/led_bl.c | 5 +- drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/balloon.c | 34 +++- drivers/xen/xenfs/xensyms.c | 4 +- fs/Kconfig | 1 + fs/btrfs/disk-io.c | 12 ++ fs/btrfs/inode.c | 6 +- fs/btrfs/super.c | 3 +- fs/btrfs/zoned.c | 6 + fs/ext4/inode.c | 68 +++++-- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 17 ++ fs/ext4/xattr.c | 11 +- fs/f2fs/checkpoint.c | 21 +- fs/f2fs/f2fs.h | 32 +++- fs/f2fs/inode.c | 8 +- fs/f2fs/node.c | 110 +++-------- fs/f2fs/super.c | 4 + fs/file.c | 26 ++- fs/fuse/virtio_fs.c | 3 + fs/hfs/bnode.c | 6 + fs/hfsplus/bnode.c | 6 + fs/isofs/export.c | 2 +- fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 10 +- fs/jfs/jfs_imap.c | 4 +- fs/namespace.c | 3 +- fs/nfs/Kconfig | 2 +- fs/nfs/internal.h | 7 - fs/nfs/nfs4session.h | 4 - fs/nfsd/Kconfig | 1 + fs/nfsd/nfs4state.c | 2 +- fs/nfsd/nfsfh.h | 7 - fs/overlayfs/overlayfs.h | 2 - fs/overlayfs/super.c | 5 + fs/smb/client/cifsproto.h | 2 + fs/smb/client/connect.c | 36 ++-- fs/smb/client/file.c | 28 +++ fs/smb/client/fs_context.c | 5 + fs/smb/client/inode.c | 10 + fs/smb/client/reparse.c | 4 - fs/smb/client/smb2misc.c | 9 +- fs/smb/server/oplock.c | 29 +-- fs/smb/server/oplock.h | 1 - fs/smb/server/smb2pdu.c | 4 +- fs/smb/server/transport_ipc.c | 7 +- fs/smb/server/vfs.c | 3 +- fs/udf/inode.c | 1 + fs/userfaultfd.c | 51 +++-- include/drm/drm_kunit_helpers.h | 28 +++ include/linux/backing-dev.h | 1 + include/linux/hid.h | 9 + include/linux/nfs.h | 7 - include/linux/pgtable.h | 14 +- include/linux/rtnetlink.h | 22 +++ include/linux/tpm.h | 1 + include/net/sctp/structs.h | 3 +- include/net/xdp.h | 9 +- include/uapi/linux/kfd_ioctl.h | 2 + include/uapi/linux/landlock.h | 2 + include/xen/interface/xen-mca.h | 2 +- io_uring/kbuf.c | 2 + io_uring/net.c | 2 + kernel/locking/lockdep.c | 3 + kernel/sched/cpufreq_schedutil.c | 18 +- kernel/trace/ftrace.c | 8 +- kernel/trace/trace_events.c | 4 +- kernel/trace/trace_events_filter.c | 4 +- kernel/trace/trace_events_synth.c | 1 - kernel/trace/trace_probe.c | 28 +++ lib/sg_split.c | 2 - lib/string.c | 13 +- lib/zstd/common/portability_macros.h | 2 +- mm/filemap.c | 1 + mm/gup.c | 4 +- mm/hugetlb.c | 2 +- mm/memory-failure.c | 11 +- mm/memory.c | 4 +- mm/mremap.c | 10 +- mm/page_vma_mapped.c | 13 +- mm/rmap.c | 2 +- mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +-- net/bluetooth/hci_event.c | 5 +- net/bluetooth/l2cap_core.c | 21 +- net/bridge/br_vlan.c | 4 +- net/core/filter.c | 80 ++++---- net/core/page_pool.c | 8 +- net/dsa/dsa.c | 59 +++++- net/dsa/tag_8021q.c | 2 +- net/ethtool/netlink.c | 8 +- net/ipv6/route.c | 8 +- net/mac80211/iface.c | 3 + net/mac80211/mesh_hwmp.c | 14 +- net/mctp/af_mctp.c | 3 + net/mptcp/sockopt.c | 28 +++ net/mptcp/subflow.c | 19 +- net/netfilter/nft_set_pipapo_avx2.c | 3 +- net/openvswitch/flow_netlink.c | 3 +- net/sched/cls_api.c | 74 +++++-- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_sfq.c | 66 +++++-- net/sctp/socket.c | 22 ++- net/sctp/transport.c | 2 + net/tipc/link.c | 1 + net/tls/tls_main.c | 6 + scripts/sign-file.c | 132 ++++++------- scripts/ssl-common.h | 32 ++++ security/landlock/errata.h | 87 +++++++++ security/landlock/setup.c | 30 +++ security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 ++- sound/pci/hda/hda_intel.c | 44 ++++- sound/soc/amd/yc/acp6x-mach.c | 14 ++ sound/soc/codecs/cs42l43-jack.c | 3 + sound/soc/codecs/lpass-wsa-macro.c | 139 +++++++++----- sound/soc/dwc/dwc-i2s.c | 13 +- sound/soc/fsl/fsl_audmix.c | 16 +- sound/soc/intel/avs/pcm.c | 3 +- sound/soc/qcom/lpass.h | 3 +- sound/soc/qcom/qdsp6/q6apm-dai.c | 9 +- sound/soc/qcom/qdsp6/q6apm.c | 18 +- sound/soc/qcom/qdsp6/q6apm.h | 3 + sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +- sound/soc/sof/topology.c | 4 +- sound/usb/midi.c | 80 +++++++- tools/net/ynl/ynl-gen-c.py | 165 ++++++++++++---- tools/objtool/check.c | 5 + tools/power/cpupower/bench/parse.c | 4 + tools/testing/ktest/ktest.pl | 8 + tools/testing/kunit/qemu_configs/sh.py | 4 +- tools/testing/radix-tree/linux.c | 4 +- .../futex/functional/futex_wait_wouldblock.c | 2 +- tools/testing/selftests/landlock/base_test.c | 46 ++++- .../selftests/mm/charge_reserved_hugetlb.sh | 4 +- .../selftests/mm/hugetlb_reparenting_test.sh | 2 +- tools/testing/selftests/net/mptcp/diag.sh | 23 +-- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- tools/testing/selftests/net/mptcp/mptcp_connect.sh | 19 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 20 +- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 18 ++ tools/testing/selftests/net/mptcp/simult_flows.sh | 19 +- 376 files changed, 4360 insertions(+), 1914 deletions(-)

6 months, 2 weeks

9
400
0 0

Re: [PATCH v3 1/1] iommu: Allow attaching static domains in iommu_attach_device_pasid()

by Dave Jiang

On 4/24/25 5:55 PM, Jack Vogel wrote: > > >> On Apr 24, 2025, at 16:15, Dave Jiang <dave.jiang(a)intel.com> wrote: >> >> >> >> On 4/24/25 3:59 PM, Jack Vogel wrote: >>> >>> >>>> On Apr 24, 2025, at 15:40, Dave Jiang <dave.jiang(a)intel.com> wrote: >>>> >>>> >>>> >>>> On 4/24/25 3:34 PM, Jack Vogel wrote: >>>>> I am having test issues with this patch, test system is running OL9, basically RHEL 9.5, the kernel boots ok, and the dmesg is clean… but the tests in accel-config dont pass. Specifically the crypto tests, this is due to vfio_pci_core not loading. Right now I’m not sure if any of this is my mistake, but at least it’s something I need to keep looking at. >>>>> >>>>> Also, since I saw that issue on the latest I did a backport to our UEK8 kernel which is 6.12.23, and on that kernel it still exhibited these messages on boot: >>>>> >>>>> *idxd*0000:6a:01.0: enabling device (0144 -> 0146) >>>>> >>>>> [ 21.112733] *idxd*0000:6a:01.0: failed to attach device pasid 1, domain type 4 >>>>> >>>>> [ 21.120770] *idxd*0000:6a:01.0: No in-kernel DMA with PASID. -95 >>>>> >>>>> >>>>> Again, maybe an issue in my backporting… however I’d like to be sure. >>>> >>>> Can you verify against latest upstream kernel plus the patch and see if you still see the error? >>>> >>>> DJ >>> >>> Yes, the kernel was build from the tip this morning. Like I said, it got no messages booting up, all looked fine. But when running the actual test suite in the accel-config tarball specifically the iaa crypt tests, they failed and the dmesg was from vfio_pci_core failed to load with an unknown symbol. >> >> I'm not sure what the test consists of (haven't worked on this device for almost 2 years). But usually the device is either bound to the idxd driver or the vfio_pci driver. Not both. And if the idxd driver didn't emit any errors while loading, then the test failure may be something else... >> >> Another way to verify is to set CONFIG_IOMMU_DEFAULT_DMA_LAZY vs PASSTHROUGH. If the tests still fail then it's something else. >> >> DJ > > There isn’t a lot of ways to test this driver, yes DPDK will use it, but apart from that? So, the tests that are part of your (Intel) accel-config package are the only convenient way that I’ve found to do so. It is also convenient, there is a “make check” target in the top Makefile that will invoke both set of DMA tests, and some crypto (IAA) tests. I have been planning to give this to our QA group as a verification suite. Do you have an alternative to this? This should be the right test package. Let me talk to our QA people and see if there are any issues. We can resolve this off list. If there's any issues that end up pointing to the original bug, we can raise that then. DJ > > Jack > >> >>> >>> This sounds like the module was wrong, but i would think it was installed with the v6.15 kernel….. >>> >>> Jack >>> >>>> >>>>> >>>>> Cheers, >>>>> >>>>> Jack >>>>> >>>>> >>>>>> On Apr 23, 2025, at 20:41, Lu Baolu <baolu.lu(a)linux.intel.com> wrote: >>>>>> >>>>>> The idxd driver attaches the default domain to a PASID of the device to >>>>>> perform kernel DMA using that PASID. The domain is attached to the >>>>>> device's PASID through iommu_attach_device_pasid(), which checks if the >>>>>> domain->owner matches the iommu_ops retrieved from the device. If they >>>>>> do not match, it returns a failure. >>>>>> >>>>>> if (ops != domain->owner || pasid == IOMMU_NO_PASID) >>>>>> return -EINVAL; >>>>>> >>>>>> The static identity domain implemented by the intel iommu driver doesn't >>>>>> specify the domain owner. Therefore, kernel DMA with PASID doesn't work >>>>>> for the idxd driver if the device translation mode is set to passthrough. >>>>>> >>>>>> Generally the owner field of static domains are not set because they are >>>>>> already part of iommu ops. Add a helper domain_iommu_ops_compatible() >>>>>> that checks if a domain is compatible with the device's iommu ops. This >>>>>> helper explicitly allows the static blocked and identity domains associated >>>>>> with the device's iommu_ops to be considered compatible. >>>>>> >>>>>> Fixes: 2031c469f816 ("iommu/vt-d: Add support for static identity domain") >>>>>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220031 >>>>>> Cc: stable(a)vger.kernel.org >>>>>> Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> >>>>>> Link: https://lore.kernel.org/linux-iommu/20250422191554.GC1213339@ziepe.ca/ >>>>>> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> >>>>>> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> >>>>>> Reviewed-by: Robin Murphy <robin.murphy(a)arm.com> >>>>>> --- >>>>>> drivers/iommu/iommu.c | 21 ++++++++++++++++++--- >>>>>> 1 file changed, 18 insertions(+), 3 deletions(-) >>>>>> >>>>>> Change log: >>>>>> v3: >>>>>> - Convert all places checking domain->owner to the new helper. >>>>>> v2: https://lore.kernel.org/linux-iommu/20250423021839.2189204-1-baolu.lu@linux… >>>>>> - Make the solution generic for all static domains as suggested by >>>>>> Jason. >>>>>> v1: https://lore.kernel.org/linux-iommu/20250422075422.2084548-1-baolu.lu@linux… >>>>>> >>>>>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c >>>>>> index 4f91a740c15f..b26fc3ed9f01 100644 >>>>>> --- a/drivers/iommu/iommu.c >>>>>> +++ b/drivers/iommu/iommu.c >>>>>> @@ -2204,6 +2204,19 @@ static void *iommu_make_pasid_array_entry(struct iommu_domain *domain, >>>>>> return xa_tag_pointer(domain, IOMMU_PASID_ARRAY_DOMAIN); >>>>>> } >>>>>> >>>>>> +static bool domain_iommu_ops_compatible(const struct iommu_ops *ops, >>>>>> +struct iommu_domain *domain) >>>>>> +{ >>>>>> +if (domain->owner == ops) >>>>>> +return true; >>>>>> + >>>>>> +/* For static domains, owner isn't set. */ >>>>>> +if (domain == ops->blocked_domain || domain == ops->identity_domain) >>>>>> +return true; >>>>>> + >>>>>> +return false; >>>>>> +} >>>>>> + >>>>>> static int __iommu_attach_group(struct iommu_domain *domain, >>>>>> struct iommu_group *group) >>>>>> { >>>>>> @@ -2214,7 +2227,8 @@ static int __iommu_attach_group(struct iommu_domain *domain, >>>>>> return -EBUSY; >>>>>> >>>>>> dev = iommu_group_first_dev(group); >>>>>> -if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner) >>>>>> +if (!dev_has_iommu(dev) || >>>>>> + !domain_iommu_ops_compatible(dev_iommu_ops(dev), domain)) >>>>>> return -EINVAL; >>>>>> >>>>>> return __iommu_group_set_domain(group, domain); >>>>>> @@ -3435,7 +3449,8 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, >>>>>> !ops->blocked_domain->ops->set_dev_pasid) >>>>>> return -EOPNOTSUPP; >>>>>> >>>>>> -if (ops != domain->owner || pasid == IOMMU_NO_PASID) >>>>>> +if (!domain_iommu_ops_compatible(ops, domain) || >>>>>> + pasid == IOMMU_NO_PASID) >>>>>> return -EINVAL; >>>>>> >>>>>> mutex_lock(&group->mutex); >>>>>> @@ -3511,7 +3526,7 @@ int iommu_replace_device_pasid(struct iommu_domain *domain, >>>>>> if (!domain->ops->set_dev_pasid) >>>>>> return -EOPNOTSUPP; >>>>>> >>>>>> -if (dev_iommu_ops(dev) != domain->owner || >>>>>> +if (!domain_iommu_ops_compatible(dev_iommu_ops(dev), domain) || >>>>>> pasid == IOMMU_NO_PASID || !handle) >>>>>> return -EINVAL; >>>>>> >>>>>> -- >>>>>> 2.43.0 >

6 months, 2 weeks

1
0
0 0

+ mm-userfaultfd-fix-uninitialized-output-field-for-eagain-race.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/userfaultfd: fix uninitialized output field for -EAGAIN race has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-userfaultfd-fix-uninitialized-output-field-for-eagain-race.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Peter Xu <peterx(a)redhat.com> Subject: mm/userfaultfd: fix uninitialized output field for -EAGAIN race Date: Thu, 24 Apr 2025 17:57:28 -0400 While discussing some userfaultfd relevant issues recently, Andrea noticed a potential ABI breakage with -EAGAIN on almost all userfaultfd ioctl()s. Quote from Andrea, explaining how -EAGAIN was processed, and how this should fix it (taking example of UFFDIO_COPY ioctl): The "mmap_changing" and "stale pmd" conditions are already reported as -EAGAIN written in the copy field, this does not change it. This change removes the subnormal case that left copy.copy uninitialized and required apps to explicitly set the copy field to get deterministic behavior (which is a requirement contrary to the documentation in both the manpage and source code). In turn there's no alteration to backwards compatibility as result of this change because userland will find the copy field consistently set to -EAGAIN, and not anymore sometime -EAGAIN and sometime uninitialized. Even then the change only can make a difference to non cooperative users of userfaultfd, so when UFFD_FEATURE_EVENT_* is enabled, which is not true for the vast majority of apps using userfaultfd or this unintended uninitialized field may have been noticed sooner. Meanwhile, since this bug existed for years, it also almost affects all ioctl()s that was introduced later. Besides UFFDIO_ZEROPAGE, these also get affected in the same way: - UFFDIO_CONTINUE - UFFDIO_POISON - UFFDIO_MOVE This patch should have fixed all of them. Link: https://lkml.kernel.org/r/20250424215729.194656-2-peterx@redhat.com Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races") Fixes: f619147104c8 ("userfaultfd: add UFFDIO_CONTINUE ioctl") Fixes: fc71884a5f59 ("mm: userfaultfd: add new UFFDIO_POISON ioctl") Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Peter Xu <peterx(a)redhat.com> Reported-by: Andrea Arcangeli <aarcange(a)redhat.com> Suggested-by: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/userfaultfd.c | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) --- a/fs/userfaultfd.c~mm-userfaultfd-fix-uninitialized-output-field-for-eagain-race +++ a/fs/userfaultfd.c @@ -1585,8 +1585,11 @@ static int userfaultfd_copy(struct userf user_uffdio_copy = (struct uffdio_copy __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_copy, user_uffdio_copy, @@ -1641,8 +1644,11 @@ static int userfaultfd_zeropage(struct u user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage, @@ -1744,8 +1750,11 @@ static int userfaultfd_continue(struct u user_uffdio_continue = (struct uffdio_continue __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_continue->mapped))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_continue, user_uffdio_continue, @@ -1801,8 +1810,11 @@ static inline int userfaultfd_poison(str user_uffdio_poison = (struct uffdio_poison __user *)arg; ret = -EAGAIN; - if (atomic_read(&ctx->mmap_changing)) + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_poison->updated))) + return -EFAULT; goto out; + } ret = -EFAULT; if (copy_from_user(&uffdio_poison, user_uffdio_poison, @@ -1870,8 +1882,12 @@ static int userfaultfd_move(struct userf user_uffdio_move = (struct uffdio_move __user *) arg; - if (atomic_read(&ctx->mmap_changing)) - return -EAGAIN; + ret = -EAGAIN; + if (unlikely(atomic_read(&ctx->mmap_changing))) { + if (unlikely(put_user(ret, &user_uffdio_move->move))) + return -EFAULT; + goto out; + } if (copy_from_user(&uffdio_move, user_uffdio_move, /* don't copy "move" last field */ _ Patches currently in -mm which might be from peterx(a)redhat.com are mm-userfaultfd-fix-uninitialized-output-field-for-eagain-race.patch mm-selftests-add-a-test-to-verify-mmap_changing-race-with-eagain.patch

6 months, 2 weeks

1
0
0 0

[PATCH stable] xdp: Reset bpf_redirect_info before running a xdp's BPF prog.

by Sebastian Andrzej Siewior

Ricardo reported a KASAN discovered use after free in v6.6-stable. The syzbot starts a BPF program via xdp_test_run_batch() which assigns ri->tgt_value via dev_hash_map_redirect() and the return code isn't XDP_REDIRECT it looks like nonsense. So the output in bpf_warn_invalid_xdp_action() appears once. Then the TUN driver runs another BPF program (on the same CPU) which returns XDP_REDIRECT without setting ri->tgt_value first. It invokes bpf_trace_printk() to print four characters and obtain the required return value. This is enough to get xdp_do_redirect() invoked which then accesses the pointer in tgt_value which might have been already deallocated. This problem does not affect upstream because since commit 401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the per-CPU variable is referenced via task's task_struct and exists on the stack during NAPI callback. Therefore it is cleared once before the first invocation and remains valid within the RCU section of the NAPI callback. Instead of performing the huge backport of the commit (plus its fix ups) here is an alternative version which only resets the variable in question prior invoking the BPF program. Acked-by: Toke Høiland-Jørgensen <toke(a)kernel.org> Reported-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com> Closes: https://lore.kernel.org/all/20250226-20250204-kasan-slab-use-after-free-rea… Fixes: 97f91a7cf04ff ("bpf: add bpf_redirect_map helper routine") Signed-off-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> --- I discussed this with Toke, thread starts at https://lore.kernel.org/all/20250313183911.SPAmGLyw@linutronix.de/ The commit, which this by accident, is part of v6.11-rc1. I added the commit introducing map redirects as the origin of the problem which is v4.14-rc1. The code is a bit different there but it seems to work similar. Affected kernels would be from v4.14 to v6.10. include/net/xdp.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/include/net/xdp.h b/include/net/xdp.h index de08c8e0d1348..b39ac83618a55 100644 --- a/include/net/xdp.h +++ b/include/net/xdp.h @@ -486,7 +486,14 @@ static __always_inline u32 bpf_prog_run_xdp(const struct bpf_prog *prog, * under local_bh_disable(), which provides the needed RCU protection * for accessing map entries. */ - u32 act = __bpf_prog_run(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); + struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info); + u32 act; + + if (ri->map_id || ri->map_type) { + ri->map_id = 0; + ri->map_type = BPF_MAP_TYPE_UNSPEC; + } + act = __bpf_prog_run(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); if (static_branch_unlikely(&bpf_master_redirect_enabled_key)) { if (act == XDP_TX && netif_is_bond_slave(xdp->rxq->dev)) -- 2.49.0

6 months, 2 weeks

3
7
0 0

[PATCH 5.15] Bluetooth: SCO: Fix UAF on sco_sock_timeout

by Xiangyu Chen

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Upstream commit 1bf4470a3939c678fb822073e9ea77a0560bc6bb ] conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock so this checks if the conn->sk is still valid by checking if it part of sco_sk_list. Reported-by: syzbot+4c0d0c4cde787116d465(a)syzkaller.appspotmail.com Tested-by: syzbot+4c0d0c4cde787116d465(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4c0d0c4cde787116d465 Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified on the build test --- include/net/bluetooth/bluetooth.h | 1 + net/bluetooth/af_bluetooth.c | 22 ++++++++++++++++++++++ net/bluetooth/sco.c | 18 ++++++++++++------ 3 files changed, 35 insertions(+), 6 deletions(-) diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h index 7d2bd562da4b..b08b559f5242 100644 --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -314,6 +314,7 @@ int bt_sock_register(int proto, const struct net_proto_family *ops); void bt_sock_unregister(int proto); void bt_sock_link(struct bt_sock_list *l, struct sock *s); void bt_sock_unlink(struct bt_sock_list *l, struct sock *s); +bool bt_sock_linked(struct bt_sock_list *l, struct sock *s); int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, int flags); int bt_sock_stream_recvmsg(struct socket *sock, struct msghdr *msg, diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c index 9c9c855b9736..aebef5cf12d4 100644 --- a/net/bluetooth/af_bluetooth.c +++ b/net/bluetooth/af_bluetooth.c @@ -154,6 +154,28 @@ void bt_sock_unlink(struct bt_sock_list *l, struct sock *sk) } EXPORT_SYMBOL(bt_sock_unlink); +bool bt_sock_linked(struct bt_sock_list *l, struct sock *s) +{ + struct sock *sk; + + if (!l || !s) + return false; + + read_lock(&l->lock); + + sk_for_each(sk, &l->head) { + if (s == sk) { + read_unlock(&l->lock); + return true; + } + } + + read_unlock(&l->lock); + + return false; +} +EXPORT_SYMBOL(bt_sock_linked); + void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh) { BT_DBG("parent %p, sk %p", parent, sk); diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index f5192116922d..83412efe2895 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -76,6 +76,16 @@ struct sco_pinfo { #define SCO_CONN_TIMEOUT (HZ * 40) #define SCO_DISCONN_TIMEOUT (HZ * 2) +static struct sock *sco_sock_hold(struct sco_conn *conn) +{ + if (!conn || !bt_sock_linked(&sco_sk_list, conn->sk)) + return NULL; + + sock_hold(conn->sk); + + return conn->sk; +} + static void sco_sock_timeout(struct work_struct *work) { struct sco_conn *conn = container_of(work, struct sco_conn, @@ -87,9 +97,7 @@ static void sco_sock_timeout(struct work_struct *work) sco_conn_unlock(conn); return; } - sk = conn->sk; - if (sk) - sock_hold(sk); + sk = sco_sock_hold(conn); sco_conn_unlock(conn); if (!sk) @@ -191,9 +199,7 @@ static void sco_conn_del(struct hci_conn *hcon, int err) /* Kill socket */ sco_conn_lock(conn); - sk = conn->sk; - if (sk) - sock_hold(sk); + sk = sco_sock_hold(conn); sco_conn_unlock(conn); if (sk) { -- 2.43.0

6 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] drm/amd/display: fix double free issue during amdgpu module unload

by Xiangyu Chen

From: Tim Huang <tim.huang(a)amd.com> [ Upstream commit 20b5a8f9f4670a8503aa9fa95ca632e77c6bf55d ] Flexible endpoints use DIGs from available inflexible endpoints, so only the encoders of inflexible links need to be freed. Otherwise, a double free issue may occur when unloading the amdgpu module. [ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0 [ 279.190577] Call Trace: [ 279.190580] <TASK> [ 279.190582] ? show_regs+0x69/0x80 [ 279.190590] ? die+0x3b/0x90 [ 279.190595] ? do_trap+0xc8/0xe0 [ 279.190601] ? do_error_trap+0x73/0xa0 [ 279.190605] ? __slab_free+0x152/0x2f0 [ 279.190609] ? exc_invalid_op+0x56/0x70 [ 279.190616] ? __slab_free+0x152/0x2f0 [ 279.190642] ? asm_exc_invalid_op+0x1f/0x30 [ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191096] ? __slab_free+0x152/0x2f0 [ 279.191102] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191469] kfree+0x260/0x2b0 [ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] [ 279.191821] link_destroy+0xd7/0x130 [amdgpu] [ 279.192248] dc_destruct+0x90/0x270 [amdgpu] [ 279.192666] dc_destroy+0x19/0x40 [amdgpu] [ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu] [ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu] [ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu] [ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu] [ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu] [ 279.194632] pci_device_remove+0x3a/0xa0 [ 279.194638] device_remove+0x40/0x70 [ 279.194642] device_release_driver_internal+0x1ad/0x210 [ 279.194647] driver_detach+0x4e/0xa0 [ 279.194650] bus_remove_driver+0x6f/0xf0 [ 279.194653] driver_unregister+0x33/0x60 [ 279.194657] pci_unregister_driver+0x44/0x90 [ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu] [ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0 [ 279.194946] __x64_sys_delete_module+0x16/0x20 [ 279.194950] do_syscall_64+0x58/0x120 [ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ 279.194980] </TASK> Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Signed-off-by: Tim Huang <tim.huang(a)amd.com> Reviewed-by: Roman Li <roman.li(a)amd.com> Signed-off-by: Roman Li <roman.li(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ dc_link_destruct() moved from core/dc_link.c to link/link_factory.c since commit: 54618888d1ea ("drm/amd/display: break down dc_link.c"), so modified the path to apply on 5.15.y ] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified on the build test --- drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c index b727bd7e039d..6696372b82f4 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c @@ -79,7 +79,7 @@ static void dc_link_destruct(struct dc_link *link) if (link->panel_cntl) link->panel_cntl->funcs->destroy(&link->panel_cntl); - if (link->link_enc) { + if (link->link_enc && !link->is_dig_mapping_flexible) { /* Update link encoder resource tracking variables. These are used for * the dynamic assignment of link encoders to streams. Virtual links * are not assigned encoder resources on creation. -- 2.34.1

6 months, 2 weeks

2
1
0 0

Re: [PATCH v3 1/1] iommu: Allow attaching static domains in iommu_attach_device_pasid()

by Dave Jiang

On 4/24/25 3:59 PM, Jack Vogel wrote: > > >> On Apr 24, 2025, at 15:40, Dave Jiang <dave.jiang(a)intel.com> wrote: >> >> >> >> On 4/24/25 3:34 PM, Jack Vogel wrote: >>> I am having test issues with this patch, test system is running OL9, basically RHEL 9.5, the kernel boots ok, and the dmesg is clean… but the tests in accel-config dont pass. Specifically the crypto tests, this is due to vfio_pci_core not loading. Right now I’m not sure if any of this is my mistake, but at least it’s something I need to keep looking at. >>> >>> Also, since I saw that issue on the latest I did a backport to our UEK8 kernel which is 6.12.23, and on that kernel it still exhibited these messages on boot: >>> >>> *idxd*0000:6a:01.0: enabling device (0144 -> 0146) >>> >>> [ 21.112733] *idxd*0000:6a:01.0: failed to attach device pasid 1, domain type 4 >>> >>> [ 21.120770] *idxd*0000:6a:01.0: No in-kernel DMA with PASID. -95 >>> >>> >>> Again, maybe an issue in my backporting… however I’d like to be sure. >> >> Can you verify against latest upstream kernel plus the patch and see if you still see the error? >> >> DJ > > Yes, the kernel was build from the tip this morning. Like I said, it got no messages booting up, all looked fine. But when running the actual test suite in the accel-config tarball specifically the iaa crypt tests, they failed and the dmesg was from vfio_pci_core failed to load with an unknown symbol. I'm not sure what the test consists of (haven't worked on this device for almost 2 years). But usually the device is either bound to the idxd driver or the vfio_pci driver. Not both. And if the idxd driver didn't emit any errors while loading, then the test failure may be something else... Another way to verify is to set CONFIG_IOMMU_DEFAULT_DMA_LAZY vs PASSTHROUGH. If the tests still fail then it's something else. DJ > > This sounds like the module was wrong, but i would think it was installed with the v6.15 kernel….. > > Jack > >> >>> >>> Cheers, >>> >>> Jack >>> >>> >>>> On Apr 23, 2025, at 20:41, Lu Baolu <baolu.lu(a)linux.intel.com> wrote: >>>> >>>> The idxd driver attaches the default domain to a PASID of the device to >>>> perform kernel DMA using that PASID. The domain is attached to the >>>> device's PASID through iommu_attach_device_pasid(), which checks if the >>>> domain->owner matches the iommu_ops retrieved from the device. If they >>>> do not match, it returns a failure. >>>> >>>> if (ops != domain->owner || pasid == IOMMU_NO_PASID) >>>> return -EINVAL; >>>> >>>> The static identity domain implemented by the intel iommu driver doesn't >>>> specify the domain owner. Therefore, kernel DMA with PASID doesn't work >>>> for the idxd driver if the device translation mode is set to passthrough. >>>> >>>> Generally the owner field of static domains are not set because they are >>>> already part of iommu ops. Add a helper domain_iommu_ops_compatible() >>>> that checks if a domain is compatible with the device's iommu ops. This >>>> helper explicitly allows the static blocked and identity domains associated >>>> with the device's iommu_ops to be considered compatible. >>>> >>>> Fixes: 2031c469f816 ("iommu/vt-d: Add support for static identity domain") >>>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220031 >>>> Cc: stable(a)vger.kernel.org >>>> Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> >>>> Link: https://lore.kernel.org/linux-iommu/20250422191554.GC1213339@ziepe.ca/ >>>> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> >>>> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> >>>> Reviewed-by: Robin Murphy <robin.murphy(a)arm.com> >>>> --- >>>> drivers/iommu/iommu.c | 21 ++++++++++++++++++--- >>>> 1 file changed, 18 insertions(+), 3 deletions(-) >>>> >>>> Change log: >>>> v3: >>>> - Convert all places checking domain->owner to the new helper. >>>> v2: https://lore.kernel.org/linux-iommu/20250423021839.2189204-1-baolu.lu@linux… >>>> - Make the solution generic for all static domains as suggested by >>>> Jason. >>>> v1: https://lore.kernel.org/linux-iommu/20250422075422.2084548-1-baolu.lu@linux… >>>> >>>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c >>>> index 4f91a740c15f..b26fc3ed9f01 100644 >>>> --- a/drivers/iommu/iommu.c >>>> +++ b/drivers/iommu/iommu.c >>>> @@ -2204,6 +2204,19 @@ static void *iommu_make_pasid_array_entry(struct iommu_domain *domain, >>>> return xa_tag_pointer(domain, IOMMU_PASID_ARRAY_DOMAIN); >>>> } >>>> >>>> +static bool domain_iommu_ops_compatible(const struct iommu_ops *ops, >>>> +struct iommu_domain *domain) >>>> +{ >>>> +if (domain->owner == ops) >>>> +return true; >>>> + >>>> +/* For static domains, owner isn't set. */ >>>> +if (domain == ops->blocked_domain || domain == ops->identity_domain) >>>> +return true; >>>> + >>>> +return false; >>>> +} >>>> + >>>> static int __iommu_attach_group(struct iommu_domain *domain, >>>> struct iommu_group *group) >>>> { >>>> @@ -2214,7 +2227,8 @@ static int __iommu_attach_group(struct iommu_domain *domain, >>>> return -EBUSY; >>>> >>>> dev = iommu_group_first_dev(group); >>>> -if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner) >>>> +if (!dev_has_iommu(dev) || >>>> + !domain_iommu_ops_compatible(dev_iommu_ops(dev), domain)) >>>> return -EINVAL; >>>> >>>> return __iommu_group_set_domain(group, domain); >>>> @@ -3435,7 +3449,8 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, >>>> !ops->blocked_domain->ops->set_dev_pasid) >>>> return -EOPNOTSUPP; >>>> >>>> -if (ops != domain->owner || pasid == IOMMU_NO_PASID) >>>> +if (!domain_iommu_ops_compatible(ops, domain) || >>>> + pasid == IOMMU_NO_PASID) >>>> return -EINVAL; >>>> >>>> mutex_lock(&group->mutex); >>>> @@ -3511,7 +3526,7 @@ int iommu_replace_device_pasid(struct iommu_domain *domain, >>>> if (!domain->ops->set_dev_pasid) >>>> return -EOPNOTSUPP; >>>> >>>> -if (dev_iommu_ops(dev) != domain->owner || >>>> +if (!domain_iommu_ops_compatible(dev_iommu_ops(dev), domain) || >>>> pasid == IOMMU_NO_PASID || !handle) >>>> return -EINVAL; >>>> >>>> -- >>>> 2.43.0 >

6 months, 2 weeks

1
0
0 0

Re: [PATCH v3 1/1] iommu: Allow attaching static domains in iommu_attach_device_pasid()

by Dave Jiang

On 4/24/25 3:34 PM, Jack Vogel wrote: > I am having test issues with this patch, test system is running OL9, basically RHEL 9.5, the kernel boots ok, and the dmesg is clean… but the tests in accel-config dont pass. Specifically the crypto tests, this is due to vfio_pci_core not loading. Right now I’m not sure if any of this is my mistake, but at least it’s something I need to keep looking at. > > Also, since I saw that issue on the latest I did a backport to our UEK8 kernel which is 6.12.23, and on that kernel it still exhibited these messages on boot: > > *idxd*0000:6a:01.0: enabling device (0144 -> 0146) > > [ 21.112733] *idxd*0000:6a:01.0: failed to attach device pasid 1, domain type 4 > > [ 21.120770] *idxd*0000:6a:01.0: No in-kernel DMA with PASID. -95 > > > Again, maybe an issue in my backporting… however I’d like to be sure. Can you verify against latest upstream kernel plus the patch and see if you still see the error? DJ > > Cheers, > > Jack > > >> On Apr 23, 2025, at 20:41, Lu Baolu <baolu.lu(a)linux.intel.com> wrote: >> >> The idxd driver attaches the default domain to a PASID of the device to >> perform kernel DMA using that PASID. The domain is attached to the >> device's PASID through iommu_attach_device_pasid(), which checks if the >> domain->owner matches the iommu_ops retrieved from the device. If they >> do not match, it returns a failure. >> >> if (ops != domain->owner || pasid == IOMMU_NO_PASID) >> return -EINVAL; >> >> The static identity domain implemented by the intel iommu driver doesn't >> specify the domain owner. Therefore, kernel DMA with PASID doesn't work >> for the idxd driver if the device translation mode is set to passthrough. >> >> Generally the owner field of static domains are not set because they are >> already part of iommu ops. Add a helper domain_iommu_ops_compatible() >> that checks if a domain is compatible with the device's iommu ops. This >> helper explicitly allows the static blocked and identity domains associated >> with the device's iommu_ops to be considered compatible. >> >> Fixes: 2031c469f816 ("iommu/vt-d: Add support for static identity domain") >> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220031 >> Cc: stable(a)vger.kernel.org >> Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> >> Link: https://lore.kernel.org/linux-iommu/20250422191554.GC1213339@ziepe.ca/ >> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> >> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> >> Reviewed-by: Robin Murphy <robin.murphy(a)arm.com> >> --- >> drivers/iommu/iommu.c | 21 ++++++++++++++++++--- >> 1 file changed, 18 insertions(+), 3 deletions(-) >> >> Change log: >> v3: >> - Convert all places checking domain->owner to the new helper. >> v2: https://lore.kernel.org/linux-iommu/20250423021839.2189204-1-baolu.lu@linux… >> - Make the solution generic for all static domains as suggested by >> Jason. >> v1: https://lore.kernel.org/linux-iommu/20250422075422.2084548-1-baolu.lu@linux… >> >> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c >> index 4f91a740c15f..b26fc3ed9f01 100644 >> --- a/drivers/iommu/iommu.c >> +++ b/drivers/iommu/iommu.c >> @@ -2204,6 +2204,19 @@ static void *iommu_make_pasid_array_entry(struct iommu_domain *domain, >> return xa_tag_pointer(domain, IOMMU_PASID_ARRAY_DOMAIN); >> } >> >> +static bool domain_iommu_ops_compatible(const struct iommu_ops *ops, >> +struct iommu_domain *domain) >> +{ >> +if (domain->owner == ops) >> +return true; >> + >> +/* For static domains, owner isn't set. */ >> +if (domain == ops->blocked_domain || domain == ops->identity_domain) >> +return true; >> + >> +return false; >> +} >> + >> static int __iommu_attach_group(struct iommu_domain *domain, >> struct iommu_group *group) >> { >> @@ -2214,7 +2227,8 @@ static int __iommu_attach_group(struct iommu_domain *domain, >> return -EBUSY; >> >> dev = iommu_group_first_dev(group); >> -if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner) >> +if (!dev_has_iommu(dev) || >> + !domain_iommu_ops_compatible(dev_iommu_ops(dev), domain)) >> return -EINVAL; >> >> return __iommu_group_set_domain(group, domain); >> @@ -3435,7 +3449,8 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, >> !ops->blocked_domain->ops->set_dev_pasid) >> return -EOPNOTSUPP; >> >> -if (ops != domain->owner || pasid == IOMMU_NO_PASID) >> +if (!domain_iommu_ops_compatible(ops, domain) || >> + pasid == IOMMU_NO_PASID) >> return -EINVAL; >> >> mutex_lock(&group->mutex); >> @@ -3511,7 +3526,7 @@ int iommu_replace_device_pasid(struct iommu_domain *domain, >> if (!domain->ops->set_dev_pasid) >> return -EOPNOTSUPP; >> >> -if (dev_iommu_ops(dev) != domain->owner || >> +if (!domain_iommu_ops_compatible(dev_iommu_ops(dev), domain) || >> pasid == IOMMU_NO_PASID || !handle) >> return -EINVAL; >> >> -- >> 2.43.0 >> >

6 months, 2 weeks

1
0
0 0

[alternative-merged] smaps-fix-crash-in-smaps_hugetlb_range-for-non-present-hugetlb-entries.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: smaps: fix crash in smaps_hugetlb_range for non-present hugetlb entries has been removed from the -mm tree. Its filename was smaps-fix-crash-in-smaps_hugetlb_range-for-non-present-hugetlb-entries.patch This patch was dropped because an alternative patch was or shall be merged ------------------------------------------------------ From: Ming Wang <wangming01(a)loongson.cn> Subject: smaps: fix crash in smaps_hugetlb_range for non-present hugetlb entries Date: Wed, 23 Apr 2025 09:03:59 +0800 When reading /proc/pid/smaps for a process that has mapped a hugetlbfs file with MAP_PRIVATE, the kernel might crash inside pfn_swap_entry_to_page. This occurs on LoongArch under specific conditions. The root cause involves several steps: 1. When the hugetlbfs file is mapped (MAP_PRIVATE), the initial PMD (or relevant level) entry is often populated by the kernel during mmap() with a non-present entry pointing to the architecture's invalid_pte_table On the affected LoongArch system, this address was observed to be 0x90000000031e4000. 2. The smaps walker (walk_hugetlb_range -> smaps_hugetlb_range) reads this entry. 3. The generic is_swap_pte() macro checks `!pte_present() && !pte_none()`. The entry (invalid_pte_table address) is not present. Crucially, the generic pte_none() check (`!(pte_val(pte) & ~_PAGE_GLOBAL)`) returns false because the invalid_pte_table address is non-zero. Therefore, is_swap_pte() incorrectly returns true. 4. The code enters the `else if (is_swap_pte(...))` block. 5. Inside this block, it checks `is_pfn_swap_entry()`. Due to a bit pattern coincidence in the invalid_pte_table address on LoongArch, the embedded generic `is_migration_entry()` check happens to return true (misinterpreting parts of the address as a migration type). 6. This leads to a call to pfn_swap_entry_to_page() with the bogus swap entry derived from the invalid table address. 7. pfn_swap_entry_to_page() extracts a meaningless PFN, finds an unrelated struct page, checks its lock status (unlocked), and hits the `BUG_ON(is_migration_entry(entry) && !PageLocked(p))` assertion. The original code's intent in the `else if` block seems aimed at handling potential migration entries, as indicated by the inner `is_pfn_swap_entry()` check. The issue arises because the outer `is_swap_pte()` check incorrectly includes the invalid table pointer case on LoongArch. This patch fixes the issue by changing the condition in smaps_hugetlb_range() from the broad `is_swap_pte()` to the specific `is_hugetlb_entry_migration()`. The `is_hugetlb_entry_migration()` helper function correctly handles this by first checking `huge_pte_none()`. Architectures like LoongArch can provide an override for `huge_pte_none()` that specifically recognizes the `invalid_pte_table` address as a "none" state for HugeTLB entries. This ensures `is_hugetlb_entry_migration()` returns false for the invalid entry, preventing the code from entering the faulty block. This change makes the code reflect the likely original intent (handling migration) more accurately and leverages architecture-specific helpers (`huge_pte_none`) to correctly interpret special PTE/PMD values in the HugeTLB context, fixing the crash on LoongArch without altering the generic is_swap_pte() behavior. Link: https://lkml.kernel.org/r/20250423010359.2030576-1-wangming01@loongson.cn Fixes: 25ee01a2fca0 ("mm: hugetlb: proc: add hugetlb-related fields to /proc/PID/smaps") Co-developed-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> Signed-off-by: Ming Wang <wangming01(a)loongson.cn> Cc: Andrii Nakryiko <andrii(a)kernel.org> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: David Hildenbrand <david(a)redhat.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Huacai Chen <chenhuacai(a)kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Joern Engel <joern(a)logfs.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.cz> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/proc/task_mmu.c~smaps-fix-crash-in-smaps_hugetlb_range-for-non-present-hugetlb-entries +++ a/fs/proc/task_mmu.c @@ -1027,7 +1027,7 @@ static int smaps_hugetlb_range(pte_t *pt if (pte_present(ptent)) { folio = page_folio(pte_page(ptent)); present = true; - } else if (is_swap_pte(ptent)) { + } else if (is_hugetlb_entry_migration(ptent)) { swp_entry_t swpent = pte_to_swp_entry(ptent); if (is_pfn_swap_entry(swpent)) _ Patches currently in -mm which might be from wangming01(a)loongson.cn are

6 months, 2 weeks

1
0
0 0

[PATCH] btrfs: adjust subpage bit start based on sectorsize

by Josef Bacik

When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing out a subpage EB we scan the subpage bitmap for a dirty range. If the range isn't dirty we do bit_start++; to move onto the next bit. The problem is the bitmap is based on the number of sectors that an EB has. So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 bits for every node. With a 64k page size we end up with 4 nodes per page. To make this easier this is how everything looks [0 16k 32k 48k ] logical address [0 4 8 12 ] radix tree offset [ 64k page ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | | | | | | | | | | | | | | ] bitmap Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4. When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k. However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries. In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again. This time it is dirty, and we go to find that start using the following equation start = folio_start + bit_start * fs_info->sectorsize; so in the case above, eb->start 0 is now dirty, and we calculate start as 0 + 1 * fs_info->sectorsize = 4096 4096 >> 12 = 1 Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5. If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers. The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change. Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit. cc: stable(a)vger.kernel.org Fixes: c4aec299fa8f ("btrfs: introduce submit_eb_subpage() to submit a subpage metadata page") Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> --- - Further testing indicated that the page tagging theoretical race isn't getting hit in practice, so we're going to limit the "hotfix" to this specific patch, and then send subsequent patches to address the other issues we're hitting. My simplify metadata writebback patches are the more wholistic fix. fs/btrfs/extent_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 5f08615b334f..6cfd286b8bbc 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -2034,7 +2034,7 @@ static int submit_eb_subpage(struct folio *folio, struct writeback_control *wbc) subpage->bitmaps)) { spin_unlock_irqrestore(&subpage->lock, flags); spin_unlock(&folio->mapping->i_private_lock); - bit_start++; + bit_start += sectors_per_node; continue; } -- 2.48.1

6 months, 2 weeks

3
3
0 0

[PATCH v2] x86/sev: Fix SNP guest kdump hang/softlockup/panic

by Ashish Kalra

From: Ashish Kalra <ashish.kalra(a)amd.com> When kdump is running makedumpfile to generate vmcore and dumping SNP guest memory it touches the VMSA page of the vCPU executing kdump which then results in unrecoverable #NPF/RMP faults as the VMSA page is marked busy/in-use when the vCPU is running. This leads to guest softlockup/hang: [ 117.111097] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [cp:318] [ 117.111165] CPU: 0 UID: 0 PID: 318 Comm: cp Not tainted 6.14.0-next-20250328-snp-host-f2a41ff576cc-dirty #414 VOLUNTARY [ 117.111171] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 [ 117.111176] RIP: 0010:rep_movs_alternative+0x5b/0x70 [ 117.111200] Call Trace: [ 117.111204] <TASK> [ 117.111206] ? _copy_to_iter+0xc1/0x720 [ 117.111216] ? srso_return_thunk+0x5/0x5f [ 117.111220] ? _raw_spin_unlock+0x27/0x40 [ 117.111234] ? srso_return_thunk+0x5/0x5f [ 117.111236] ? find_vmap_area+0xd6/0xf0 [ 117.111251] ? srso_return_thunk+0x5/0x5f [ 117.111253] ? __check_object_size+0x18d/0x2e0 [ 117.111268] __copy_oldmem_page.part.0+0x64/0xa0 [ 117.111281] copy_oldmem_page_encrypted+0x1d/0x30 [ 117.111285] read_from_oldmem.part.0+0xf4/0x200 [ 117.111306] read_vmcore+0x206/0x3c0 [ 117.111309] ? srso_return_thunk+0x5/0x5f [ 117.111325] proc_reg_read_iter+0x59/0x90 [ 117.111334] vfs_read+0x26e/0x350 Additionally other APs may be halted in guest mode and their VMSA pages are marked busy and touching these VMSA pages during guest memory dump will also cause #NPF. Issue AP_DESTROY GHCB calls on other APs to ensure they are kicked out of guest mode and then clear the VMSA bit on their VMSA pages. If the vCPU running kdump is an AP, mark it's VMSA page as offline to ensure that makedumpfile excludes that page while dumping guest memory. Cc: stable(a)vger.kernel.org Fixes: 3074152e56c9 ("x86/sev: Convert shared memory back to private on kexec") Signed-off-by: Ashish Kalra <ashish.kalra(a)amd.com> --- arch/x86/coco/sev/core.c | 129 ++++++++++++++++++++++++++++++--------- 1 file changed, 101 insertions(+), 28 deletions(-) diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index dcfaa698d6cf..870f4994a13d 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c @@ -113,6 +113,8 @@ DEFINE_PER_CPU(struct sev_es_save_area *, sev_vmsa); DEFINE_PER_CPU(struct svsm_ca *, svsm_caa); DEFINE_PER_CPU(u64, svsm_caa_pa); +static void snp_cleanup_vmsa(struct sev_es_save_area *vmsa, int apic_id); + static __always_inline bool on_vc_stack(struct pt_regs *regs) { unsigned long sp = regs->sp; @@ -877,6 +879,42 @@ void snp_accept_memory(phys_addr_t start, phys_addr_t end) set_pages_state(vaddr, npages, SNP_PAGE_STATE_PRIVATE); } +static int issue_vmgexit_ap_create_destroy(u64 event, struct sev_es_save_area *vmsa, u32 apic_id) +{ + struct ghcb_state state; + unsigned long flags; + struct ghcb *ghcb; + int ret = 0; + + local_irq_save(flags); + + ghcb = __sev_get_ghcb(&state); + + vc_ghcb_invalidate(ghcb); + ghcb_set_rax(ghcb, vmsa->sev_features); + ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_AP_CREATION); + ghcb_set_sw_exit_info_1(ghcb, + ((u64)apic_id << 32) | + ((u64)snp_vmpl << 16) | + event); + ghcb_set_sw_exit_info_2(ghcb, __pa(vmsa)); + + sev_es_wr_ghcb_msr(__pa(ghcb)); + VMGEXIT(); + + if (!ghcb_sw_exit_info_1_is_valid(ghcb) || + lower_32_bits(ghcb->save.sw_exit_info_1)) { + pr_err("SNP AP %s error\n", (event == SVM_VMGEXIT_AP_CREATE ? "CREATE" : "DESTROY")); + ret = -EINVAL; + } + + __sev_put_ghcb(&state); + + local_irq_restore(flags); + + return ret; +} + static void set_pte_enc(pte_t *kpte, int level, void *va) { struct pte_enc_desc d = { @@ -973,6 +1011,66 @@ void snp_kexec_begin(void) pr_warn("Failed to stop shared<->private conversions\n"); } +/* + * Shutdown all APs except the one handling kexec/kdump and clearing + * the VMSA tag on AP's VMSA pages as they are not being used as + * VMSA page anymore. + */ +static void snp_shutdown_all_aps(void) +{ + struct sev_es_save_area *vmsa; + int apic_id, cpu; + + /* + * APs are already in HLT loop when kexec_finish() is invoked. + */ + for_each_present_cpu(cpu) { + vmsa = per_cpu(sev_vmsa, cpu); + + /* + * BSP does not have guest allocated VMSA, so it's in-use/busy + * VMSA cannot touch a guest page and there is no need to clear + * the VMSA tag for this page. + */ + if (!vmsa) + continue; + + /* + * Cannot clear the VMSA tag for the currently running vCPU. + */ + if (get_cpu() == cpu) { + unsigned long pa; + struct page *p; + + pa = __pa(vmsa); + p = pfn_to_online_page(pa >> PAGE_SHIFT); + /* + * Mark the VMSA page of the running vCPU as Offline + * so that is excluded and not touched by makedumpfile + * while generating vmcore during kdump boot. + */ + if (p) + __SetPageOffline(p); + put_cpu(); + continue; + } + put_cpu(); + + apic_id = cpuid_to_apicid[cpu]; + + /* + * Issue AP destroy on all APs (to ensure they are kicked out + * of guest mode) to allow using RMPADJUST to remove the VMSA + * tag on VMSA pages especially for guests that allow HLT to + * not be intercepted. + */ + + issue_vmgexit_ap_create_destroy(SVM_VMGEXIT_AP_DESTROY, vmsa, apic_id); + + snp_cleanup_vmsa(vmsa, apic_id); + } +} + void snp_kexec_finish(void) { struct sev_es_runtime_data *data; @@ -987,6 +1085,8 @@ void snp_kexec_finish(void) if (!IS_ENABLED(CONFIG_KEXEC_CORE)) return; + snp_shutdown_all_aps(); + unshare_all_memory(); /* @@ -1098,10 +1198,7 @@ static void snp_cleanup_vmsa(struct sev_es_save_area *vmsa, int apic_id) static int wakeup_cpu_via_vmgexit(u32 apic_id, unsigned long start_ip) { struct sev_es_save_area *cur_vmsa, *vmsa; - struct ghcb_state state; struct svsm_ca *caa; - unsigned long flags; - struct ghcb *ghcb; u8 sipi_vector; int cpu, ret; u64 cr4; @@ -1215,31 +1312,7 @@ static int wakeup_cpu_via_vmgexit(u32 apic_id, unsigned long start_ip) } /* Issue VMGEXIT AP Creation NAE event */ - local_irq_save(flags); - - ghcb = __sev_get_ghcb(&state); - - vc_ghcb_invalidate(ghcb); - ghcb_set_rax(ghcb, vmsa->sev_features); - ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_AP_CREATION); - ghcb_set_sw_exit_info_1(ghcb, - ((u64)apic_id << 32) | - ((u64)snp_vmpl << 16) | - SVM_VMGEXIT_AP_CREATE); - ghcb_set_sw_exit_info_2(ghcb, __pa(vmsa)); - - sev_es_wr_ghcb_msr(__pa(ghcb)); - VMGEXIT(); - - if (!ghcb_sw_exit_info_1_is_valid(ghcb) || - lower_32_bits(ghcb->save.sw_exit_info_1)) { - pr_err("SNP AP Creation error\n"); - ret = -EINVAL; - } - - __sev_put_ghcb(&state); - - local_irq_restore(flags); + ret = issue_vmgexit_ap_create_destroy(SVM_VMGEXIT_AP_CREATE, vmsa, apic_id); /* Perform cleanup if there was an error */ if (ret) { -- 2.34.1

6 months, 2 weeks

4
4
0 0

[PATCH] x86/sev: Fix making shared pages private during kdump

by Ashish Kalra

From: Ashish Kalra <ashish.kalra(a)amd.com> When the shared pages are being made private during kdump preparation there are additional checks to handle shared GHCB pages. These additional checks include handling the case of GHCB page being contained within a 2MB page. There is a bug in this additional check for GHCB page contained within a 2MB page which causes any shared page just below the per-cpu GHCB getting skipped from being transitioned back to private before kdump preparation which subsequently causes a 0x404 #VC exception when this shared page is accessed later while dumping guest memory during vmcore generation via kdump. Correct the detection and handling of GHCB pages contained within a 2MB page. Cc: stable(a)vger.kernel.org Fixes: 3074152e56c9 ("x86/sev: Convert shared memory back to private on kexec") Signed-off-by: Ashish Kalra <ashish.kalra(a)amd.com> --- arch/x86/coco/sev/core.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index 2c27d4b3985c..16d874f4dcd3 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c @@ -926,7 +926,13 @@ static void unshare_all_memory(void) data = per_cpu(runtime_data, cpu); ghcb = (unsigned long)&data->ghcb_page; - if (addr <= ghcb && ghcb <= addr + size) { + /* Handle the case of 2MB page containing the GHCB page */ + if (level == PG_LEVEL_4K && addr == ghcb) { + skipped_addr = true; + break; + } + if (level > PG_LEVEL_4K && addr <= ghcb && + ghcb < addr + size) { skipped_addr = true; break; } @@ -1106,6 +1112,9 @@ void snp_kexec_finish(void) ghcb = &data->ghcb_page; pte = lookup_address((unsigned long)ghcb, &level); size = page_level_size(level); + /* Handle the case of 2MB page containing the GHCB page */ + if (level > PG_LEVEL_4K) + ghcb = (struct ghcb *)((unsigned long)ghcb & PMD_MASK); set_pte_enc(pte, level, (void *)ghcb); snp_set_memory_private((unsigned long)ghcb, (size / PAGE_SIZE)); } -- 2.34.1

6 months, 2 weeks

3
2
0 0

[PATCH net] gve: Add adminq lock for creating and destroying multiple queues

by Harshitha Ramamurthy

From: Ziwei Xiao <ziweixiao(a)google.com> The original adminq lock is only protecting the gve_adminq_execute_cmd which is aimed for sending out single adminq command. However, there are other callers of gve_adminq_kick_and_wait and gve_adminq_issue_cmd that need to take the mutex lock for mutual exclusion between them, which are creating and destroying rx/tx queues. Add the adminq lock for those unprotected callers. Also this patch cleans up the error handling code of gve_adminq_destroy_tx_queue. Cc: stable(a)vger.kernel.org Fixes: 1108566ca509 ("gve: Add adminq mutex lock") Reviewed-by: Willem de Bruijn <willemb(a)google.com> Signed-off-by: Ziwei Xiao <ziweixiao(a)google.com> Signed-off-by: Harshitha Ramamurthy <hramamurthy(a)google.com> --- drivers/net/ethernet/google/gve/gve_adminq.c | 54 ++++++++++++++------ 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c index 3e8fc33cc11f..659460812276 100644 --- a/drivers/net/ethernet/google/gve/gve_adminq.c +++ b/drivers/net/ethernet/google/gve/gve_adminq.c @@ -442,6 +442,8 @@ static int gve_adminq_kick_and_wait(struct gve_priv *priv) int tail, head; int i; + lockdep_assert_held(&priv->adminq_lock); + tail = ioread32be(&priv->reg_bar0->adminq_event_counter); head = priv->adminq_prod_cnt; @@ -467,9 +469,6 @@ static int gve_adminq_kick_and_wait(struct gve_priv *priv) return 0; } -/* This function is not threadsafe - the caller is responsible for any - * necessary locks. - */ static int gve_adminq_issue_cmd(struct gve_priv *priv, union gve_adminq_command *cmd_orig) { @@ -477,6 +476,8 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, u32 opcode; u32 tail; + lockdep_assert_held(&priv->adminq_lock); + tail = ioread32be(&priv->reg_bar0->adminq_event_counter); // Check if next command will overflow the buffer. @@ -709,13 +710,19 @@ int gve_adminq_create_tx_queues(struct gve_priv *priv, u32 start_id, u32 num_que int err; int i; + mutex_lock(&priv->adminq_lock); + for (i = start_id; i < start_id + num_queues; i++) { err = gve_adminq_create_tx_queue(priv, i); if (err) - return err; + goto out; } - return gve_adminq_kick_and_wait(priv); + err = gve_adminq_kick_and_wait(priv); + +out: + mutex_unlock(&priv->adminq_lock); + return err; } static void gve_adminq_get_create_rx_queue_cmd(struct gve_priv *priv, @@ -788,19 +795,24 @@ int gve_adminq_create_rx_queues(struct gve_priv *priv, u32 num_queues) int err; int i; + mutex_lock(&priv->adminq_lock); + for (i = 0; i < num_queues; i++) { err = gve_adminq_create_rx_queue(priv, i); if (err) - return err; + goto out; } - return gve_adminq_kick_and_wait(priv); + err = gve_adminq_kick_and_wait(priv); + +out: + mutex_unlock(&priv->adminq_lock); + return err; } static int gve_adminq_destroy_tx_queue(struct gve_priv *priv, u32 queue_index) { union gve_adminq_command cmd; - int err; memset(&cmd, 0, sizeof(cmd)); cmd.opcode = cpu_to_be32(GVE_ADMINQ_DESTROY_TX_QUEUE); @@ -808,11 +820,7 @@ static int gve_adminq_destroy_tx_queue(struct gve_priv *priv, u32 queue_index) .queue_id = cpu_to_be32(queue_index), }; - err = gve_adminq_issue_cmd(priv, &cmd); - if (err) - return err; - - return 0; + return gve_adminq_issue_cmd(priv, &cmd); } int gve_adminq_destroy_tx_queues(struct gve_priv *priv, u32 start_id, u32 num_queues) @@ -820,13 +828,19 @@ int gve_adminq_destroy_tx_queues(struct gve_priv *priv, u32 start_id, u32 num_qu int err; int i; + mutex_lock(&priv->adminq_lock); + for (i = start_id; i < start_id + num_queues; i++) { err = gve_adminq_destroy_tx_queue(priv, i); if (err) - return err; + goto out; } - return gve_adminq_kick_and_wait(priv); + err = gve_adminq_kick_and_wait(priv); + +out: + mutex_unlock(&priv->adminq_lock); + return err; } static void gve_adminq_make_destroy_rx_queue_cmd(union gve_adminq_command *cmd, @@ -861,13 +875,19 @@ int gve_adminq_destroy_rx_queues(struct gve_priv *priv, u32 num_queues) int err; int i; + mutex_lock(&priv->adminq_lock); + for (i = 0; i < num_queues; i++) { err = gve_adminq_destroy_rx_queue(priv, i); if (err) - return err; + goto out; } - return gve_adminq_kick_and_wait(priv); + err = gve_adminq_kick_and_wait(priv); + +out: + mutex_unlock(&priv->adminq_lock); + return err; } static void gve_set_default_desc_cnt(struct gve_priv *priv, -- 2.49.0.777.g153de2bbd5-goog

6 months, 2 weeks

4
3
0 0

[PATCH] x86/insn: Fix CTEST instruction decoding

by Kirill A. Shutemov

insn_decoder_test found a problem with decoding APX CTEST instruction: Found an x86 instruction decoder bug, please report this. ffffffff810021df 62 54 94 05 85 ff ctestneq objdump says 6 bytes, but insn_get_length() says 5 It happens because x86-opcode-map.txt doesn't specify arguments for the instruction and the decoder doesn't expect to see ModRM byte. Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: 690ca3a3067f ("x86/insn: Add support for APX EVEX instructions to the opcode map") Cc: stable(a)vger.kernel.org # v6.10+ Cc: Adrian Hunter <adrian.hunter(a)intel.com> --- arch/x86/lib/x86-opcode-map.txt | 4 ++-- tools/arch/x86/lib/x86-opcode-map.txt | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt index caedb3ef6688..f5dd84eb55dc 100644 --- a/arch/x86/lib/x86-opcode-map.txt +++ b/arch/x86/lib/x86-opcode-map.txt @@ -996,8 +996,8 @@ AVXcode: 4 83: Grp1 Ev,Ib (1A),(es) # CTESTSCC instructions are: CTESTB, CTESTBE, CTESTF, CTESTL, CTESTLE, CTESTNB, CTESTNBE, CTESTNL, # CTESTNLE, CTESTNO, CTESTNS, CTESTNZ, CTESTO, CTESTS, CTESTT, CTESTZ -84: CTESTSCC (ev) -85: CTESTSCC (es) | CTESTSCC (66),(es) +84: CTESTSCC Eb,Gb (ev) +85: CTESTSCC Ev,Gv (es) | CTESTSCC Ev,Gv (66),(es) 88: POPCNT Gv,Ev (es) | POPCNT Gv,Ev (66),(es) 8f: POP2 Bq,Rq (000),(11B),(ev) a5: SHLD Ev,Gv,CL (es) | SHLD Ev,Gv,CL (66),(es) diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt index caedb3ef6688..f5dd84eb55dc 100644 --- a/tools/arch/x86/lib/x86-opcode-map.txt +++ b/tools/arch/x86/lib/x86-opcode-map.txt @@ -996,8 +996,8 @@ AVXcode: 4 83: Grp1 Ev,Ib (1A),(es) # CTESTSCC instructions are: CTESTB, CTESTBE, CTESTF, CTESTL, CTESTLE, CTESTNB, CTESTNBE, CTESTNL, # CTESTNLE, CTESTNO, CTESTNS, CTESTNZ, CTESTO, CTESTS, CTESTT, CTESTZ -84: CTESTSCC (ev) -85: CTESTSCC (es) | CTESTSCC (66),(es) +84: CTESTSCC Eb,Gb (ev) +85: CTESTSCC Ev,Gv (es) | CTESTSCC Ev,Gv (66),(es) 88: POPCNT Gv,Ev (es) | POPCNT Gv,Ev (66),(es) 8f: POP2 Bq,Rq (000),(11B),(ev) a5: SHLD Ev,Gv,CL (es) | SHLD Ev,Gv,CL (66),(es) -- 2.47.2

6 months, 2 weeks

2
1
0 0

[PATCH v2] mm, slab: clean up slab->obj_exts always

by Zhenhua Huang

When memory allocation profiling is disabled at runtime or due to an error, shutdown_mem_profiling() is called: slab->obj_exts which previously allocated remains. It won't be cleared by unaccount_slab() because of mem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts should always be cleaned up in unaccount_slab() to avoid following error: [...]BUG: Bad page state in process... .. [...]page dumped because: page still charged to cgroup Cc: stable(a)vger.kernel.org Fixes: 21c690a349ba ("mm: introduce slabobj_ext to support slab object extensions") Signed-off-by: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Acked-by: David Rientjes <rientjes(a)google.com> Acked-by: Harry Yoo <harry.yoo(a)oracle.com> Tested-by: Harry Yoo <harry.yoo(a)oracle.com> --- mm/slub.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/mm/slub.c b/mm/slub.c index 566eb8b8282d..a98ce1426076 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2028,8 +2028,8 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, return 0; } -/* Should be called only if mem_alloc_profiling_enabled() */ -static noinline void free_slab_obj_exts(struct slab *slab) +/* Free only if slab_obj_exts(slab) */ +static inline void free_slab_obj_exts(struct slab *slab) { struct slabobj_ext *obj_exts; @@ -2601,8 +2601,12 @@ static __always_inline void account_slab(struct slab *slab, int order, static __always_inline void unaccount_slab(struct slab *slab, int order, struct kmem_cache *s) { - if (memcg_kmem_online() || need_slab_obj_ext()) - free_slab_obj_exts(slab); + /* + * The slab object extensions should now be freed regardless of + * whether mem_alloc_profiling_enabled() or not because profiling + * might have been disabled after slab->obj_exts got allocated. + */ + free_slab_obj_exts(slab); mod_node_page_state(slab_pgdat(slab), cache_vmstat_idx(s), -(PAGE_SIZE << order)); -- 2.34.1

6 months, 2 weeks

4
7
0 0

[PATCH v2 2/2] usb: typec: ucsi: displayport: Fix NULL pointer access

by Andrei Kuchynski

This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal. Cc: stable(a)vger.kernel.org Fixes: af8622f6a585 ("usb: typec: ucsi: Support for DisplayPort alt mode") Signed-off-by: Andrei Kuchynski <akuchynski(a)chromium.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> --- drivers/usb/typec/ucsi/displayport.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/typec/ucsi/displayport.c b/drivers/usb/typec/ucsi/displayport.c index acd053d4e38c..8aae80b457d7 100644 --- a/drivers/usb/typec/ucsi/displayport.c +++ b/drivers/usb/typec/ucsi/displayport.c @@ -299,6 +299,8 @@ void ucsi_displayport_remove_partner(struct typec_altmode *alt) if (!dp) return; + cancel_work_sync(&dp->work); + dp->data.conf = 0; dp->data.status = 0; dp->initialized = false; -- 2.49.0.805.g082f7c87e0-goog

6 months, 2 weeks

2
1
0 0

Please apply commit 8983dc1b66c0 ("ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model") to v6.1.y (and v6.6.y)

by Salvatore Bonaccorso

Hi As per subject, can you please apply commit 8983dc1b66c0 ("ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model") to v6.1.y? The commit fixes 3b4309546b48 ("ALSA: hda: Fix headset detection failure due to unstable sort"), which is in 6.14-rc1 *but* it got backported to other stable series as well: 6.1.129, 6.6.78, 6.12.14 and 6.13.3. While 8983dc1b66c0 got then backported down to 6.12.23, 6.13.11 and and 6.14.2 it was not backported further down, the reason is likely the commit does not apply cleanly due to context changes in the struct hda_quirk alc269_fixup_tbl (as some entries are missing in older series). For context see as well: https://lore.kernel.org/linux-sound/Z95s5T6OXFPjRnKf@eldamar.lan https://lore.kernel.org/linux-sound/Z_aq9kkdswrGZRUQ@eldamar.lan/ https://bugs.debian.org/1100928 Can you please apply it down for 6.1.y? Attached is a manual backport of the change in case needed. Regards, Salvatore From 336110525d8a24cd8bbc4cfe61c2aaf6aee511d4 Mon Sep 17 00:00:00 2001 From: Takashi Iwai <tiwai(a)suse.de> Date: Wed, 2 Apr 2025 09:42:07 +0200 Subject: [PATCH] ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model [ Upstream commit 8983dc1b66c0e1928a263b8af0bb06f6cb9229c4 ] There is another VivoBook model which built-in mic got broken recently by the fix of the pin sort. Apply the correct quirk ALC256_FIXUP_ASUS_MIC_NO_PRESENCE to this model for addressing the regression, too. Fixes: 3b4309546b48 ("ALSA: hda: Fix headset detection failure due to unstable sort") Closes: https://lore.kernel.org/Z95s5T6OXFPjRnKf@eldamar.lan Link: https://patch.msgid.link/20250402074208.7347-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> [Salvatore Bonaccorso: Update for context change due to missing other quirk entries in the struct snd_pci_quirk alc269_fixup_tbl] Signed-off-by: Salvatore Bonaccorso <carnil(a)debian.org> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 93e8990c23bc..61b48f2418bf 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10071,6 +10071,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1c80, "ASUS VivoBook TP401", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS), SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC), -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH net V2] amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload

by Vishal Badole

According to the XGMAC specification, enabling features such as Layer 3 and Layer 4 Packet Filtering, Split Header, Receive Side Scaling (RSS), and Virtualized Network support automatically selects the IPC Full Checksum Offload Engine on the receive side. When RX checksum offload is disabled, these dependent features must also be disabled to prevent abnormal behavior caused by mismatched feature dependencies. Ensure that toggling RX checksum offload (disabling or enabling) properly disables or enables all dependent features, maintaining consistent and expected behavior in the network device. v1->v2: ------- - Combine 2 patches into a single patch - Update the "Fix: tag" - Add necessary changes to support earlier versions of the hardware as well Cc: stable(a)vger.kernel.org Fixes: 1a510ccf5869 ("amd-xgbe: Add support for VXLAN offload capabilities") Signed-off-by: Vishal Badole <Vishal.Badole(a)amd.com> --- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +++++++-- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +++++++++++++++++++++-- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 21 ++++++++++++++++++-- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++++ 4 files changed, 52 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c index 230726d7b74f..d41b58fad37b 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c @@ -373,8 +373,13 @@ static int xgbe_map_rx_buffer(struct xgbe_prv_data *pdata, } /* Set up the header page info */ - xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa, - XGBE_SKB_ALLOC_SIZE); + if (pdata->netdev->features & NETIF_F_RXCSUM) { + xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa, + XGBE_SKB_ALLOC_SIZE); + } else { + xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa, + pdata->rx_buf_size); + } /* Set up the buffer page info */ xgbe_set_buffer_data(&rdata->rx.buf, &ring->rx_buf_pa, diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c index 7a923b6e83df..d0a35aab7355 100644 --- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c @@ -321,6 +321,18 @@ static void xgbe_config_sph_mode(struct xgbe_prv_data *pdata) XGMAC_IOWRITE_BITS(pdata, MAC_RCR, HDSMS, XGBE_SPH_HDSMS_SIZE); } +static void xgbe_disable_sph_mode(struct xgbe_prv_data *pdata) +{ + unsigned int i; + + for (i = 0; i < pdata->channel_count; i++) { + if (!pdata->channel[i]->rx_ring) + break; + + XGMAC_DMA_IOWRITE_BITS(pdata->channel[i], DMA_CH_CR, SPH, 0); + } +} + static int xgbe_write_rss_reg(struct xgbe_prv_data *pdata, unsigned int type, unsigned int index, unsigned int val) { @@ -3750,8 +3762,12 @@ static int xgbe_init(struct xgbe_prv_data *pdata) xgbe_config_tx_coalesce(pdata); xgbe_config_rx_buffer_size(pdata); xgbe_config_tso_mode(pdata); - xgbe_config_sph_mode(pdata); - xgbe_config_rss(pdata); + + if (pdata->netdev->features & NETIF_F_RXCSUM) { + xgbe_config_sph_mode(pdata); + xgbe_config_rss(pdata); + } + desc_if->wrapper_tx_desc_init(pdata); desc_if->wrapper_rx_desc_init(pdata); xgbe_enable_dma_interrupts(pdata); @@ -3910,5 +3926,9 @@ void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *hw_if) hw_if->disable_vxlan = xgbe_disable_vxlan; hw_if->set_vxlan_id = xgbe_set_vxlan_id; + /* For Split Header*/ + hw_if->enable_sph = xgbe_config_sph_mode; + hw_if->disable_sph = xgbe_disable_sph_mode; + DBGPR("<--xgbe_init_function_ptrs\n"); } diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c index f249f89fec38..4d290ec934a8 100755 --- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c @@ -2267,6 +2267,16 @@ static netdev_features_t xgbe_fix_features(struct net_device *netdev, } } + if (features & NETIF_F_RXCSUM) { + netdev_notice(netdev, + "forcing receive hashing on\n"); + features |= NETIF_F_RXHASH; + } else { + netdev_notice(netdev, + "forcing receive hashing off\n"); + features &= ~NETIF_F_RXHASH; + } + return features; } @@ -2290,10 +2300,17 @@ static int xgbe_set_features(struct net_device *netdev, if (ret) return ret; - if ((features & NETIF_F_RXCSUM) && !rxcsum) + if ((features & NETIF_F_RXCSUM) && !rxcsum) { + hw_if->enable_sph(pdata); + hw_if->enable_vxlan(pdata); hw_if->enable_rx_csum(pdata); - else if (!(features & NETIF_F_RXCSUM) && rxcsum) + schedule_work(&pdata->restart_work); + } else if (!(features & NETIF_F_RXCSUM) && rxcsum) { + hw_if->disable_sph(pdata); + hw_if->disable_vxlan(pdata); hw_if->disable_rx_csum(pdata); + schedule_work(&pdata->restart_work); + } if ((features & NETIF_F_HW_VLAN_CTAG_RX) && !rxvlan) hw_if->enable_rx_vlan_stripping(pdata); diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h index db73c8f8b139..92b61a318f66 100755 --- a/drivers/net/ethernet/amd/xgbe/xgbe.h +++ b/drivers/net/ethernet/amd/xgbe/xgbe.h @@ -902,6 +902,10 @@ struct xgbe_hw_if { void (*enable_vxlan)(struct xgbe_prv_data *); void (*disable_vxlan)(struct xgbe_prv_data *); void (*set_vxlan_id)(struct xgbe_prv_data *); + + /* For Split Header */ + void (*enable_sph)(struct xgbe_prv_data *pdata); + void (*disable_sph)(struct xgbe_prv_data *pdata); }; /* This structure represents implementation specific routines for an -- 2.34.1

6 months, 2 weeks

5
5
0 0

FAILED: patch "[PATCH] lib/Kconfig.ubsan: Remove 'default UBSAN' from" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x cdc2e1d9d929d7f7009b3a5edca52388a2b0891f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042120-backward-waged-41cf@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cdc2e1d9d929d7f7009b3a5edca52388a2b0891f Mon Sep 17 00:00:00 2001 From: Nathan Chancellor <nathan(a)kernel.org> Date: Mon, 14 Apr 2025 15:00:59 -0700 Subject: [PATCH] lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP CONFIG_UBSAN_INTEGER_WRAP is 'default UBSAN', which is problematic for a couple of reasons. The first is that this sanitizer is under active development on the compiler side to come up with a solution that is maintainable on the compiler side and usable on the kernel side. As a result of this, there are many warnings when the sanitizer is enabled that have no clear path to resolution yet but users may see them and report them in the meantime. The second is that this option was renamed from CONFIG_UBSAN_SIGNED_WRAP, meaning that if a configuration has CONFIG_UBSAN=y but CONFIG_UBSAN_SIGNED_WRAP=n and it is upgraded via olddefconfig (common in non-interactive scenarios such as CI), CONFIG_UBSAN_INTEGER_WRAP will be silently enabled again. Remove 'default UBSAN' from CONFIG_UBSAN_INTEGER_WRAP until it is ready for regular usage and testing from a broader community than the folks actively working on the feature. Cc: stable(a)vger.kernel.org Fixes: 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Link: https://lore.kernel.org/r/20250414-drop-default-ubsan-integer-wrap-v1-1-392… Signed-off-by: Kees Cook <kees(a)kernel.org> diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 4216b3a4ff21..f6ea0c5b5da3 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -118,7 +118,6 @@ config UBSAN_UNREACHABLE config UBSAN_INTEGER_WRAP bool "Perform checking for integer arithmetic wrap-around" - default UBSAN depends on !COMPILE_TEST depends on $(cc-option,-fsanitize-undefined-ignore-overflow-pattern=all) depends on $(cc-option,-fsanitize=signed-integer-overflow)

6 months, 2 weeks

5
6
0 0

FAILED: patch "[PATCH] lib/Kconfig.ubsan: Remove 'default UBSAN' from" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x cdc2e1d9d929d7f7009b3a5edca52388a2b0891f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042119-imbecile-greeter-0ce1@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cdc2e1d9d929d7f7009b3a5edca52388a2b0891f Mon Sep 17 00:00:00 2001 From: Nathan Chancellor <nathan(a)kernel.org> Date: Mon, 14 Apr 2025 15:00:59 -0700 Subject: [PATCH] lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP CONFIG_UBSAN_INTEGER_WRAP is 'default UBSAN', which is problematic for a couple of reasons. The first is that this sanitizer is under active development on the compiler side to come up with a solution that is maintainable on the compiler side and usable on the kernel side. As a result of this, there are many warnings when the sanitizer is enabled that have no clear path to resolution yet but users may see them and report them in the meantime. The second is that this option was renamed from CONFIG_UBSAN_SIGNED_WRAP, meaning that if a configuration has CONFIG_UBSAN=y but CONFIG_UBSAN_SIGNED_WRAP=n and it is upgraded via olddefconfig (common in non-interactive scenarios such as CI), CONFIG_UBSAN_INTEGER_WRAP will be silently enabled again. Remove 'default UBSAN' from CONFIG_UBSAN_INTEGER_WRAP until it is ready for regular usage and testing from a broader community than the folks actively working on the feature. Cc: stable(a)vger.kernel.org Fixes: 557f8c582a9b ("ubsan: Reintroduce signed overflow sanitizer") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Link: https://lore.kernel.org/r/20250414-drop-default-ubsan-integer-wrap-v1-1-392… Signed-off-by: Kees Cook <kees(a)kernel.org> diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index 4216b3a4ff21..f6ea0c5b5da3 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -118,7 +118,6 @@ config UBSAN_UNREACHABLE config UBSAN_INTEGER_WRAP bool "Perform checking for integer arithmetic wrap-around" - default UBSAN depends on !COMPILE_TEST depends on $(cc-option,-fsanitize-undefined-ignore-overflow-pattern=all) depends on $(cc-option,-fsanitize=signed-integer-overflow)

6 months, 2 weeks

5
8
0 0

[PATCH 5.10/5.15/6.1] netfilter: ipt_CLUSTERIP: change mutex location

by Evgeny Pimenov

No upstream commit exists for this patch. The file ipt_CLUSTERIP.c was deleted in commit 9db5d918e2c0 ("netfilter: ip_tables: remove clusterip target"), but races still exist in stable branches. Thread A in clusterip_config_entry_put() decrements refcount and removes config from the list but doesn't call proc_remove(). Thread B searches the config, doesn't find it, re-adds it to the list, and calls proc_create_data() with an IP that still exists in the tree. |A| refcount_dec_and_lock() |A| list_del_rcu() === Must be here |A| proc_remove() === |B| __clusterip_config_find() |B| list_add_rcu() |B| proc_create_data() |B| WARN() As a fix, also cover with mutex the places of interaction with the list of configs before proc_remove() and proc_create_data() functions. ------------[ cut here ]------------ proc_dir_entry 'ipt_CLUSTERIP/100.1.1.2' already registered WARNING: CPU: 0 PID: 2597 at fs/proc/generic.c:381 proc_register+0x517/0x6e0 fs/proc/generic.c:381 [...] Call Trace: proc_create_data+0x130/0x1a0 fs/proc/generic.c:583 clusterip_config_init net/ipv4/netfilter/ipt_CLUSTERIP.c:281 [inline] clusterip_tg_check+0xb8d/0x1380 net/ipv4/netfilter/ipt_CLUSTERIP.c:502 xt_check_target+0x27c/0xa00 net/netfilter/x_tables.c:1018 check_target net/ipv4/netfilter/ip_tables.c:511 [inline] find_check_entry.constprop.0+0x7b0/0x9b0 net/ipv4/netfilter/ip_tables.c:553 translate_table+0xc6a/0x16a0 net/ipv4/netfilter/ip_tables.c:717 do_replace net/ipv4/netfilter/ip_tables.c:1138 [inline] do_ipt_set_ctl+0x54e/0xb00 net/ipv4/netfilter/ip_tables.c:1636 nf_setsockopt+0x88/0xf0 net/netfilter/nf_sockopt.c:101 ip_setsockopt+0xe4d/0x3d10 net/ipv4/ip_sockglue.c:1442 sctp_setsockopt+0x135/0xa390 net/sctp/socket.c:4475 __sys_setsockopt+0x234/0x5a0 net/socket.c:2145 __do_sys_setsockopt net/socket.c:2156 [inline] __se_sys_setsockopt net/socket.c:2153 [inline] __x64_sys_setsockopt+0xb9/0x150 net/socket.c:2153 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 2a61d8b883bb ("netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_put()") Cc: stable(a)vger.kernel.org # v5.4+ Suggested-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Suggested-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Evgeny Pimenov <pimenoveu12(a)gmail.com> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 77e3b67e8790..61ccfd97841f 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -79,6 +79,22 @@ static inline struct clusterip_net *clusterip_pernet(struct net *net) return net_generic(net, clusterip_net_id); } +static inline void +clusterip_net_lock(struct clusterip_net *cn) +{ +#ifdef CONFIG_PROC_FS + mutex_lock(&cn->mutex); +#endif +}; + +static inline void +clusterip_net_unlock(struct clusterip_net *cn) +{ +#ifdef CONFIG_PROC_FS + mutex_unlock(&cn->mutex); +#endif +}; + static inline void clusterip_config_get(struct clusterip_config *c) { @@ -114,6 +130,7 @@ clusterip_config_entry_put(struct clusterip_config *c) { struct clusterip_net *cn = clusterip_pernet(c->net); + clusterip_net_lock(cn); local_bh_disable(); if (refcount_dec_and_lock(&c->entries, &cn->lock)) { list_del_rcu(&c->list); @@ -123,14 +140,14 @@ clusterip_config_entry_put(struct clusterip_config *c) * functions are also incrementing the refcount on their own, * so it's safe to remove the entry even if it's in use. */ #ifdef CONFIG_PROC_FS - mutex_lock(&cn->mutex); if (cn->procdir) proc_remove(c->pde); - mutex_unlock(&cn->mutex); #endif + clusterip_net_unlock(cn); return; } local_bh_enable(); + clusterip_net_unlock(cn); } static struct clusterip_config * @@ -262,6 +279,7 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i, c->net = net; refcount_set(&c->refcount, 1); + clusterip_net_lock(cn); spin_lock_bh(&cn->lock); if (__clusterip_config_find(net, ip)) { err = -EBUSY; @@ -277,11 +295,9 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i, /* create proc dir entry */ sprintf(buffer, "%pI4", &ip); - mutex_lock(&cn->mutex); c->pde = proc_create_data(buffer, 0600, cn->procdir, &clusterip_proc_ops, c); - mutex_unlock(&cn->mutex); if (!c->pde) { err = -ENOMEM; goto err; @@ -290,6 +306,7 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i, #endif refcount_set(&c->entries, 1); + clusterip_net_unlock(cn); return c; #ifdef CONFIG_PROC_FS @@ -300,6 +317,7 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i, out_config_put: spin_unlock_bh(&cn->lock); clusterip_config_put(c); + clusterip_net_unlock(cn); return ERR_PTR(err); } @@ -848,10 +866,10 @@ static void clusterip_net_exit(struct net *net) #ifdef CONFIG_PROC_FS struct clusterip_net *cn = clusterip_pernet(net); - mutex_lock(&cn->mutex); + clusterip_net_lock(cn); proc_remove(cn->procdir); cn->procdir = NULL; - mutex_unlock(&cn->mutex); + clusterip_net_unlock(cn); #endif nf_unregister_net_hook(net, &cip_arp_ops); } -- 2.39.5

6 months, 2 weeks

2
1
0 0

[tip: irq/urgent] irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()

by tip-bot2 for Suzuki K Poulose

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: 637cf959dac97d5b7b5ce5e6cd91dd3a2c2fc324 Gitweb: https://git.kernel.org/tip/637cf959dac97d5b7b5ce5e6cd91dd3a2c2fc324 Author: Suzuki K Poulose <suzuki.poulose(a)arm.com> AuthorDate: Tue, 22 Apr 2025 17:16:16 +01:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Thu, 24 Apr 2025 14:47:52 +02:00 irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger: Unable to handle kernel paging request at virtual address ffff8000816c0400 gicv2m_get_fwnode+0x0/0x58 (P) pci_set_bus_msi_domain+0x74/0x88 pci_register_host_bridge+0x194/0x548 This is easily reproducible on a Juno board with ACPI boot. Retain the function for later use. Fixes: 0644b3daca28 ("irqchip/gic-v2m: acpi: Introducing GICv2m ACPI support") Signed-off-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/all/20250422161616.1584405-1-suzuki.poulose@arm.com Link: https://lkml.kernel.org/r/68053cf43bb54_7205294cc@dwillia2-xfh.jf.intel.com… --- drivers/irqchip/irq-gic-v2m.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-gic-v2m.c b/drivers/irqchip/irq-gic-v2m.c index c698948..dc98c39 100644 --- a/drivers/irqchip/irq-gic-v2m.c +++ b/drivers/irqchip/irq-gic-v2m.c @@ -421,7 +421,7 @@ static int __init gicv2m_of_init(struct fwnode_handle *parent_handle, #ifdef CONFIG_ACPI static int acpi_num_msi; -static __init struct fwnode_handle *gicv2m_get_fwnode(struct device *dev) +static struct fwnode_handle *gicv2m_get_fwnode(struct device *dev) { struct v2m_data *data;

6 months, 2 weeks

1
0
0 0

+ smaps-fix-crash-in-smaps_hugetlb_range-for-non-present-hugetlb-entries.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: smaps: fix crash in smaps_hugetlb_range for non-present hugetlb entries has been added to the -mm mm-hotfixes-unstable branch. Its filename is smaps-fix-crash-in-smaps_hugetlb_range-for-non-present-hugetlb-entries.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ming Wang <wangming01(a)loongson.cn> Subject: smaps: fix crash in smaps_hugetlb_range for non-present hugetlb entries Date: Wed, 23 Apr 2025 09:03:59 +0800 When reading /proc/pid/smaps for a process that has mapped a hugetlbfs file with MAP_PRIVATE, the kernel might crash inside pfn_swap_entry_to_page. This occurs on LoongArch under specific conditions. The root cause involves several steps: 1. When the hugetlbfs file is mapped (MAP_PRIVATE), the initial PMD (or relevant level) entry is often populated by the kernel during mmap() with a non-present entry pointing to the architecture's invalid_pte_table On the affected LoongArch system, this address was observed to be 0x90000000031e4000. 2. The smaps walker (walk_hugetlb_range -> smaps_hugetlb_range) reads this entry. 3. The generic is_swap_pte() macro checks `!pte_present() && !pte_none()`. The entry (invalid_pte_table address) is not present. Crucially, the generic pte_none() check (`!(pte_val(pte) & ~_PAGE_GLOBAL)`) returns false because the invalid_pte_table address is non-zero. Therefore, is_swap_pte() incorrectly returns true. 4. The code enters the `else if (is_swap_pte(...))` block. 5. Inside this block, it checks `is_pfn_swap_entry()`. Due to a bit pattern coincidence in the invalid_pte_table address on LoongArch, the embedded generic `is_migration_entry()` check happens to return true (misinterpreting parts of the address as a migration type). 6. This leads to a call to pfn_swap_entry_to_page() with the bogus swap entry derived from the invalid table address. 7. pfn_swap_entry_to_page() extracts a meaningless PFN, finds an unrelated struct page, checks its lock status (unlocked), and hits the `BUG_ON(is_migration_entry(entry) && !PageLocked(p))` assertion. The original code's intent in the `else if` block seems aimed at handling potential migration entries, as indicated by the inner `is_pfn_swap_entry()` check. The issue arises because the outer `is_swap_pte()` check incorrectly includes the invalid table pointer case on LoongArch. This patch fixes the issue by changing the condition in smaps_hugetlb_range() from the broad `is_swap_pte()` to the specific `is_hugetlb_entry_migration()`. The `is_hugetlb_entry_migration()` helper function correctly handles this by first checking `huge_pte_none()`. Architectures like LoongArch can provide an override for `huge_pte_none()` that specifically recognizes the `invalid_pte_table` address as a "none" state for HugeTLB entries. This ensures `is_hugetlb_entry_migration()` returns false for the invalid entry, preventing the code from entering the faulty block. This change makes the code reflect the likely original intent (handling migration) more accurately and leverages architecture-specific helpers (`huge_pte_none`) to correctly interpret special PTE/PMD values in the HugeTLB context, fixing the crash on LoongArch without altering the generic is_swap_pte() behavior. Link: https://lkml.kernel.org/r/20250423010359.2030576-1-wangming01@loongson.cn Fixes: 25ee01a2fca0 ("mm: hugetlb: proc: add hugetlb-related fields to /proc/PID/smaps") Co-developed-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> Signed-off-by: Ming Wang <wangming01(a)loongson.cn> Cc: Andrii Nakryiko <andrii(a)kernel.org> Cc: Christophe Leroy <christophe.leroy(a)csgroup.eu> Cc: David Hildenbrand <david(a)redhat.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Huacai Chen <chenhuacai(a)kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Joern Engel <joern(a)logfs.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.cz> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/proc/task_mmu.c~smaps-fix-crash-in-smaps_hugetlb_range-for-non-present-hugetlb-entries +++ a/fs/proc/task_mmu.c @@ -1027,7 +1027,7 @@ static int smaps_hugetlb_range(pte_t *pt if (pte_present(ptent)) { folio = page_folio(pte_page(ptent)); present = true; - } else if (is_swap_pte(ptent)) { + } else if (is_hugetlb_entry_migration(ptent)) { swp_entry_t swpent = pte_to_swp_entry(ptent); if (is_pfn_swap_entry(swpent)) _ Patches currently in -mm which might be from wangming01(a)loongson.cn are smaps-fix-crash-in-smaps_hugetlb_range-for-non-present-hugetlb-entries.patch

6 months, 2 weeks

2
1
0 0

[PATCH] usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version

by Pawel Laszczak

The controllers with rtl version greeter than RTL_REVISION_NEW_LPM (0x00002700) has bug which causes that controller doesn't resume from L1 state. It happens if after receiving LPM packet controller starts transitioning to L1 and in this moment the driver force resuming by write operation to PORTSC.PLS. It's corner case and happens when write operation to PORTSC occurs during device delay before transitioning to L1 after transmitting ACK time (TL1TokenRetry). Forcing transition from L1->L0 by driver for revision greeter than RTL_REVISION_NEW_LPM is not needed, so driver can simply fix this issue through block call of cdnsp_force_l0_go function. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: stable(a)vger.kernel.org Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- drivers/usb/cdns3/cdnsp-gadget.c | 2 ++ drivers/usb/cdns3/cdnsp-gadget.h | 3 +++ drivers/usb/cdns3/cdnsp-ring.c | 3 ++- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/usb/cdns3/cdnsp-gadget.c b/drivers/usb/cdns3/cdnsp-gadget.c index 7f5534db2086..4824a10df07e 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.c +++ b/drivers/usb/cdns3/cdnsp-gadget.c @@ -1793,6 +1793,8 @@ static void cdnsp_get_rev_cap(struct cdnsp_device *pdev) reg += cdnsp_find_next_ext_cap(reg, 0, RTL_REV_CAP); pdev->rev_cap = reg; + pdev->rtl_revision = readl(&pdev->rev_cap->rtl_revision); + dev_info(pdev->dev, "Rev: %08x/%08x, eps: %08x, buff: %08x/%08x\n", readl(&pdev->rev_cap->ctrl_revision), readl(&pdev->rev_cap->rtl_revision), diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h index 87ac0cd113e7..fa02f861217f 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.h +++ b/drivers/usb/cdns3/cdnsp-gadget.h @@ -1360,6 +1360,7 @@ struct cdnsp_port { * @rev_cap: Controller Capabilities Registers. * @hcs_params1: Cached register copies of read-only HCSPARAMS1 * @hcc_params: Cached register copies of read-only HCCPARAMS1 + * @rtl_revision: Cached controller rtl revision. * @setup: Temporary buffer for setup packet. * @ep0_preq: Internal allocated request used during enumeration. * @ep0_stage: ep0 stage during enumeration process. @@ -1414,6 +1415,8 @@ struct cdnsp_device { __u32 hcs_params1; __u32 hcs_params3; __u32 hcc_params; + #define RTL_REVISION_NEW_LPM 0x00002701 + __u32 rtl_revision; /* Lock used in interrupt thread context. */ spinlock_t lock; struct usb_ctrlrequest setup; diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c index 46852529499d..fd06cb85c4ea 100644 --- a/drivers/usb/cdns3/cdnsp-ring.c +++ b/drivers/usb/cdns3/cdnsp-ring.c @@ -308,7 +308,8 @@ static bool cdnsp_ring_ep_doorbell(struct cdnsp_device *pdev, writel(db_value, reg_addr); - cdnsp_force_l0_go(pdev); + if (pdev->rtl_revision < RTL_REVISION_NEW_LPM) + cdnsp_force_l0_go(pdev); /* Doorbell was set. */ return true; -- 2.43.0

6 months, 2 weeks

2
3
0 0

[PATCH 6.1 0/2] md: fix mddev uaf while iterating all_mddevs list

by Yu Kuai

From: Yu Kuai <yukuai3(a)huawei.com> Hi, Greg This is the manual adaptation version for 6.1, for 6.6/6.12 commit 8542870237c3 ("md: fix mddev uaf while iterating all_mddevs list") can be applied cleanly, can you queue them as well? Thanks! Yu Kuai (2): md: factor out a helper from mddev_put() md: fix mddev uaf while iterating all_mddevs list drivers/md/md.c | 50 +++++++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 20 deletions(-) -- 2.39.2

6 months, 2 weeks

4
8
0 0

[PATCH 6.13 000/414] 6.13.12-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.13.12 release. There are 414 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.13.12-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.13.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.13.12-rc1 Thomas Richter <tmricht(a)linux.ibm.com> s390/cpumf: Fix double free on error in cpumf_pmu_event_init() Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Jeff Layton <jlayton(a)kernel.org> nfsd: don't ignore the return code of svc_proc_register() Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix CB_GETATTR status fix Olga Kornievskaia <okorniev(a)redhat.com> NFSD: fix decoding in nfs4_xdr_dec_cb_getattr Nathan Chancellor <nathan(a)kernel.org> ACPI: platform-profile: Fix CFI violation when accessing sysfs files Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT Yi Liu <yi.l.liu(a)intel.com> iommufd: Fail replace if device has not been attached Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Make attach_handle generic than fault specific Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable monitor mode during suspend Kevin Hao <haokexin(a)gmail.com> spi: fsl-qspi: Fix double cleanup in probe error path Han Xu <han.xu(a)nxp.com> spi: fsl-qspi: use devm function instead of driver remove Cong Liu <liucong2(a)kylinos.cn> selftests: mptcp: fix incorrect fd checks in main_loop Geliang Tang <geliang(a)kernel.org> selftests: mptcp: close fd_in before returning in main_loop Jake Hillion <jake(a)hillion.co.uk> sched_ext: create_dsq: Return -EEXIST on duplicate request Sumanth Korikkar <sumanthk(a)linux.ibm.com> s390: Fix linker error when -no-pie option is unavailable David Hildenbrand <david(a)redhat.com> s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs Steven Rostedt <rostedt(a)goodmis.org> ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio() Peter Griffin <peter.griffin(a)linaro.org> pinctrl: samsung: add support for eint_fltcon_offset Stephan Gerhold <stephan.gerhold(a)linaro.org> pinctrl: qcom: Clear latched interrupt status when changing IRQ type Stefan Eichenberger <stefan.eichenberger(a)toradex.com> phy: freescale: imx8m-pcie: assert phy reset and perst in power off Philipp Stanner <phasta(a)kernel.org> PCI: Fix wrong length of devres array Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_register_host_bridge() Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Lukas Wunner <lukas(a)wunner.de> PCI: pciehp: Avoid unnecessary device replacement check Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4 Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_one() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Switch to page pool for jumbo frames Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Add a new test for setuid() Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Split signal_scoping_threads tests Mickaël Salaün <mic(a)digikod.net> landlock: Prepare to add second errata Mickaël Salaün <mic(a)digikod.net> landlock: Always allow signals between threads of the same process Mickaël Salaün <mic(a)digikod.net> landlock: Add erratum for TCP fix Mickaël Salaün <mic(a)digikod.net> landlock: Add the errata interface Mickaël Salaün <mic(a)digikod.net> landlock: Move code to ease future backports Tudor Ambarus <tudor.ambarus(a)linaro.org> scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Sean Christopherson <seanjc(a)google.com> KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Sean Christopherson <seanjc(a)google.com> KVM: x86: Explicitly zero-initialize on-stack CPUID unions Amit Machhiwal <amachhiw(a)linux.ibm.com> KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests Sean Christopherson <seanjc(a)google.com> KVM: Allow building irqbypass.ko as as module when kvm.ko is a module Joshua Washington <joshwash(a)google.com> gve: handle overflow when reporting TX consumed descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind Guixin Liu <kanie(a)linux.alibaba.com> gpio: tegra186: fix resource handling in ACPI probe path Andy Chiu <andybnac(a)gmail.com> ftrace: Properly merge notrace hashes zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg' Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg' Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix prefetch-vs-suspend race Jo Van Bulck <jo.vanbulck(a)kuleuven.be> dm-integrity: fix non-constant-time tag verification Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: fix prefetch-vs-suspend race Alexander Aring <aahringo(a)redhat.com> dlm: fix error if active rsb is not hashed Alexander Aring <aahringo(a)redhat.com> dlm: fix error if inactive rsb is not hashed Dionna Glaze <dionnaglaze(a)google.com> crypto: ccp - Fix uAPI definitions of PSP errors Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Release pm subdomains in reverse add order Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> clk: renesas: r9a07g043: Fix HP clock source for RZ/Five Pali Rohár <pali(a)kernel.org> cifs: Ensure that all non-client-specific reparse points are processed by the server Roman Smirnov <r.smirnov(a)omp.ru> cifs: fix integer overflow in match_server() Alexandra Diupina <adiupina(a)astralinux.ru> cifs: avoid NULL pointer dereference in dbg call Aman <aman1(a)microsoft.com> CIFS: Propagate min offload along with other parameters from primary to secondary channels. Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not add length to print format in synthetic events Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe events: Fix possible UAF on modules Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: fix balloon target initialization for PVH dom0 Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Jinjiang Tu <tujinjiang(a)huawei.com> mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper Marc Herbert <Marc.Herbert(a)linux.intel.com> mm/hugetlb: move hugetlb_sysctl_init() to the __init section Shuai Xue <xueshuai(a)linux.alibaba.com> mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix release hang over concurrent GUP Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm/mremap: correctly handle partial mremap() of VMA starting at 0 Ryan Roberts <ryan.roberts(a)arm.com> mm: fix lazy mmu docs and usage Jane Chu <jane.chu(a)oracle.com> mm: make page_mapped_in_vma() hugetlb walk aware David Hildenbrand <david(a)redhat.com> mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Usama Arif <usamaarif642(a)gmail.com> mm/damon/ops: have damon_get_folio return folio even for tail pages Kuniyuki Iwashima <kuniyu(a)amazon.com> net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix possible circular locking dependency Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Don't clobber posted vCPU IRTE when host IRQ affinity changes Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled Nicolin Chen <nicolinc(a)nvidia.com> iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Fix uninitialized rc in iommufd_access_rw() Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone finishing with missing devices Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone activation with missing devices Filipe Manana <fdmanana(a)suse.com> btrfs: tests: fix chunk map leak after failure to add it to the tree Filipe Manana <fdmanana(a)suse.com> btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Herve Codina <herve.codina(a)bootlin.com> backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Peter Griffin <peter.griffin(a)linaro.org> arm64: dts: exynos: gs101: disable pinctrl_gsacore node Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8188: Assign apll1 clock as parent to avoid hang Siddharth Vadapalli <s-vadapalli(a)ti.com> arm64: dts: ti: k3-j784s4-j742s2-main-common: Fix serdes_ln_ctrl reg-masks Keerthy <j-keerthy(a)ti.com> arm64: dts: ti: k3-j784s4-j742s2-main-common: Correct the GICD size Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Correct the update of max_pfn Ninad Malwade <nmalwade(a)nvidia.com> arm64: tegra: Remove the Orin NX/Nano suspend key Keir Fraser <keirf(a)google.com> arm64: mops: Do not dereference src reg for a set operation Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: only inc MPJoinAckHMacFailure for HMAC failures Gang Yan <yangang(a)kylinos.cn> mptcp: fix NULL pointer in can_accept_new_subflow T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Kartik Rajput <kkartik(a)nvidia.com> mailbox: tegra-hsp: Define dimensioning masks in SoC data Chenyuan Yang <chenyuan0y(a)gmail.com> mfd: ene-kb3930: Fix a potential NULL pointer dereference Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Kris Van Hees <kris.van.hees(a)oracle.com> kbuild: exclude .rodata.(cst|str)* when building ranges Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use readsb helper for reading MDB Mimi Zohar <zohar(a)linux.ibm.com> ima: limit the number of ToMToU integrity violations Mimi Zohar <zohar(a)linux.ibm.com> ima: limit the number of open-writers integrity violations Steve French <stfrench(a)microsoft.com> smb311 client: fix missing tcon check when mounting with linux/posix extensions Chenyuan Yang <chenyuan0y(a)gmail.com> soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Olga Kornievskaia <okorniev(a)redhat.com> svcrdma: do not unregister device for listeners Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> tpm: do not start chip while suspended Jan Kara <jack(a)suse.cz> udf: Fix inode_getblk() return value Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix oversized null mkey longer than 32bit Yeongjin Gil <youngjin.gil(a)samsung.com> f2fs: fix to avoid atomicity corruption of atomic file Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix the missing write pointer correction Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix race between unprepare and queue_buf Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix deadlock in ivpu_ms_cleanup() Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() Sharan Kumar M <sharweshraajan(a)gmail.com> ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: make use of q6apm_get_hw_pointer Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm: add q6apm_get_hw_pointer helper Haoxiang Li <haoxiang_li2024(a)163.com> ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: reject zero sized provided buffers Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix io_req_post_cqe abuse by send bundle Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix accept multishot handling Qingfang Deng <dqfext(a)gmail.com> net: stmmac: Fix accessing freed irq affinity_hint Ewan D. Milne <emilne(a)redhat.com> scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix country count limitation for CLC Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: ensure wow pattern command align fw format Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Haoxiang Li <haoxiang_li2024(a)163.com> wifi: mt76: Add check for devm_kstrdup() Alexandre Torgue <alexandre.torgue(a)foss.st.com> clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Replace kcalloc() with devm_kcalloc() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix internal PHYs for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Add check for devm_kcalloc() Ming Lei <ming.lei(a)redhat.com> block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting freebind & transparent Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting IPV6_V6ONLY Harshitha Ramamurthy <hramamurthy(a)google.com> gve: unlink old napi only if page pool exists Biju Das <biju.das.jz(a)bp.renesas.com> irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type() Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix a hang after seeking Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Avoid race condition in the interrupt handler Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix gray color on screen Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx214: Rectify probe error handling related to runtime PM Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx219: Rectify runtime PM handling in probe and remove Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx319: Rectify runtime PM handling probe and remove Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: refactor hfi packet parsing logic Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Ricardo Ribalda <ribalda(a)chromium.org> media: nuvoton: Fix reference handling of ece_pdev Ricardo Ribalda <ribalda(a)chromium.org> media: nuvoton: Fix reference handling of ece_node Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in remove Sakari Ailus <sakari.ailus(a)linux.intel.com> Revert "media: imx214: Fix the error handling in imx214_probe()" Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Dave Stevenson <dave.stevenson(a)raspberrypi.com> media: imx219: Adjust PLL settings based on the number of MIPI lanes Dan Carpenter <dan.carpenter(a)linaro.org> media: xilinx-tpg: fix double put in xtpg_parse_of() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: platform: stm32: Add check for clk_enable() Nicolas Dufresne <nicolas.dufresne(a)collabora.com> media: visl: Fix ERANGE error when setting enum controls Hans de Goede <hdegoede(a)redhat.com> media: hi556: Fix memory leak (on error) in hi556_check_hwcfg() Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Hans de Goede <hdegoede(a)redhat.com> media: ov08x40: Properly turn sensor on/off when runtime-suspended Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix PM related deadlocks in MS IOCTLs Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Fix timeout handling when waiting for TPM status Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Miquel Raynal <miquel.raynal(a)bootlin.com> spi: cadence-qspi: Fix probe on AM62A LP SK Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: Set HCR_EL2.TID1 unconditionally Will Deacon <will(a)kernel.org> KVM: arm64: Tear down vGIC on failed vCPU creation Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Douglas Anderson <dianders(a)chromium.org> arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Akihiko Odaki <akihiko.odaki(a)daynix.com> KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR} Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication John Keeping <jkeeping(a)inmusicbrands.com> media: rockchip: rga: fix rga offset lookup Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Bingbu Cao <bingbu.cao(a)intel.com> media: intel/ipu6: set the dev_parent of video device to pdev Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: mgb4: Fix switched CMT frequency range "magic values" sets Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: mgb4: Fix CMT registers update logic Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: uapi: rkisp1-config: Fix typo in extensible params example Arnd Bergmann <arnd(a)arndb.de> media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Alain Volmat <alain.volmat(a)foss.st.com> dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Haoxiang Li <haoxiang_li2024(a)163.com> auxdisplay: hd44780: Fix an API misuse in hd44780.c Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Fix set_device_control() Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Fix 90 degrees direction name North -> East Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Clamp effect playback LOOP_COUNT value Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Rename two functions to align them with naming convention Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Remove redundant call to pidff_find_special_keys Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Support device error response from PID_BLOCK_LOAD Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Comment and code style update Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: hid-universal-pidff: Add Asetek wheelbases support Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Factor out pool report fetch and remove excess declaration Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Use macros instead of hardcoded min/max values for shorts Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Simplify pidff_rescale_signed Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Move all hid-pidff definitions to a dedicated header Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Factor out code for setting gain Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Rescale time values to match field units Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Define values used in pidff_find_special_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Simplify pidff_upload_effect function Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Completely rework and fix pidff_reset function Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Stop all effects before enabling actuators Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Clamp PERIODIC effect period to device's logical range Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix s390_mmio_read/write syscall page fault handling Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Sheng Yong <shengyong1(a)xiaomi.com> erofs: set error to bio if file-backed IO fails Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: stm32: Search an appropriate duty_cycle if period cannot be modified Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: rcar: Improve register calculation Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Jonathan McDowell <noodles(a)meta.com> tpm: End any active auth session before shutdown Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Workaround failed command reception on Infineon devices Ayush Jain <Ayush.jain3(a)amd.com> ktest: Fix Test Failures Due to Missing LOG_FILE Directories Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: probe-events: Add comments about entry data storing code Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check Christian König <christian.koenig(a)amd.com> drm/amdgpu: grab an additional reference on the gang fence v2 Ryo Takakura <ryotkkr98(a)gmail.com> PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Philipp Stanner <phasta(a)kernel.org> PCI: Check BAR index for validity Emily Deng <Emily.Deng(a)amd.com> drm/amdgpu: Fix the race condition for draining retry fault Bjorn Helgaas <bhelgaas(a)google.com> PCI: Enable Configuration RRS SV early Ryan Seto <ryanseto(a)amd.com> drm/amd/display: Prevent VStartup Overflow Wentao Liang <vulab(a)iscas.ac.cn> drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Shawn Lin <shawn.lin(a)rock-chips.com> PCI: Add Rockchip Vendor ID AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: debugfs hang_hws skip GPU with MES Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix mode1 reset crash issue David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Lucas De Marchi <lucas.demarchi(a)intel.com> drivers: base: devres: Allow to release group on device release Mike Katsnelson <mike.katsnelson(a)amd.com> drm/amd/display: stop DML2 from removing pipes based on planes Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Update FIXED_VS Link Rate Toggle Workaround Usage Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/bridge: panel: forbid initializing a panel with unknown connector type Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/debugfs: fix printk format for bridge index Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Philip Yang <Philip.Yang(a)amd.com> drm/amdgpu: Unlocked unmap only clear page table leaves Brendan Tam <Brendan.Tam(a)amd.com> drm/amd/display: add workaround flag to link to force FFE preset Zhikai Zhai <zhikai.zhai(a)amd.com> drm/amd/display: Update Cursor request mode to the beginning prefetch always Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/vf: Don't try to trigger a full GT reset if VF Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Don't send BEGIN_ID if VF has no context/doorbells Shekhar Chauhan <shekhar.chauhan(a)intel.com> drm/xe/bmg: Add new PCI IDs Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Pedro Nishiyama <nishiyama.pedro(a)gmail.com> Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE Pedro Nishiyama <nishiyama.pedro(a)gmail.com> Bluetooth: Add quirk for broken READ_VOICE_SETTING Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Bluetooth: qca: simplify WCN399x NVM loading Janaki Ramaiah Thota <quic_janathot(a)quicinc.com> Bluetooth: hci_qca: use the power sequencer for wcn6750 Jiande Lu <jiande.lu(a)mediatek.com> Bluetooth: btusb: Add 2 HWIDs for MT7922 Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Add device id of Whale Peak Dorian Cruveiller <doriancruveiller(a)gmail.com> Bluetooth: btusb: Add new VID/PID for WCN785x Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Boris Burkov <boris(a)bur.io> btrfs: harden block_group::bg_list against list_del() races Huacai Chen <chenhuacai(a)kernel.org> ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Philipp Hahn <phahn-oss(a)avm.de> cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Chao Yu <chao(a)kernel.org> Revert "f2fs: rebuild nat_bits during umount" Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Martin Schiller <ms(a)dev.tdt.de> net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Manish Dharanenthiran <quic_mdharane(a)quicinc.com> wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Birger Koblitz <mail(a)birger-koblitz.de> net: sfp: add quirk for 2.5G OEM BX SFP Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Zhongqiu Han <quic_zhonhan(a)quicinc.com> jfs: Fix uninit-value access of imap allocated in the diMount() function Ciprian Marian Costea <ciprianmarian.costea(a)oss.nxp.com> can: flexcan: add NXP S32G2/S32G3 SoC support Ciprian Marian Costea <ciprianmarian.costea(a)oss.nxp.com> can: flexcan: Add quirk to handle separate interrupt lines for mailboxes Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Max Schulze <max.schulze(a)online.de> net: usb: asix_devices: add FiberGecko DeviceID Chaohai Chen <wdhh66(a)163.com> scsi: target: spc: Fix RSOC parameter data header size Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: ensure sdata->work is canceled before initialized. Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: add strict mode disabling workarounds Chao Yu <chao(a)kernel.org> f2fs: don't retry IO for corrupted data scenario Pavel Begunkov <asml.silence(a)gmail.com> net: page_pool: don't cast mp param to devmem Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Avoid reply queue full condition Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Add 'external' to the libata.force kernel parameter P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Miaoqing Pan <quic_miaoqing(a)quicinc.com> wifi: ath12k: fix memory leak in ath12k_pci_remove() Miaoqing Pan <quic_miaoqing(a)quicinc.com> wifi: ath11k: fix memory leak in ath11k_xxx_remove() P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig Syed Saba kareem <syed.sabakareem(a)amd.com> ASoC: amd: yc: update quirk data for new Lenovo model keenplify <keenplify(a)gmail.com> ASoC: amd: Add DMI quirk for ACP6X mic support Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Kaustabh Chakraborty <kauschluss(a)disroot.org> mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Aakarsh Jain <aakarsh.jain(a)samsung.com> media: s5p-mfc: Corrected NV12M/NV21M plane-sizes Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Add quirk for Actions UVC05 Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_audmix: register card device depends on 'dais' property Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: amd_sdw: Add quirks for Dell SKU's Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: ps: use macro for ACP6.3 pci revision id Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERIODIC_SINE_ONLY quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: Add hid-universal-pidff driver and supported device ids Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add FIX_WHEEL_DIRECTION quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERMISSIVE_CONTROL quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_PBO quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_DELAY quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Zhang Heng <zhangheng(a)kylinos.cn> ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Daniel Schaefer <dhs(a)frame.work> platform/chrome: cros_ec_lpc: Match on Framework ACPI device Josh Poimboeuf <jpoimboe(a)kernel.org> tracing: Disable branch profiling in noinstr code Ingo Molnar <mingo(a)kernel.org> zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Paul E. McKenney <paulmck(a)kernel.org> Flush console log from kernel_power_off() Lizhi Xu <lizhi.xu(a)windriver.com> PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() Yunhui Cui <cuiyunhui(a)bytedance.com> perf/dwc_pcie: fix some unreleased resources Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Xin Li (Intel) <xin(a)zytor.com> x86/ia32: Leave NULL selector values 0~3 unchanged Uros Bizjak <ubizjak(a)gmail.com> x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 Matthew Wilcox (Oracle) <willy(a)infradead.org> x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW Dmitry Osipenko <dmitry.osipenko(a)collabora.com> irqchip/gic-v3: Add Rockchip 3568002 erratum workaround Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Paul E. McKenney <paulmck(a)kernel.org> srcu: Force synchronization for srcu_get_delay() Trond Myklebust <trond.myklebust(a)hammerspace.com> umount: Allow superblock owners to force umount Mateusz Guzik <mjguzik(a)gmail.com> fs: consistently deref the files table with rcu_dereference_raw() Frederic Weisbecker <frederic(a)kernel.org> perf: Fix hang while freeing sigtrap event Peter Zijlstra <peterz(a)infradead.org> perf/core: Simplify the perf_event_alloc() error path Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Marek Szyprowski <m.szyprowski(a)samsung.com> iommu/exynos: Fix suspend/resume with IDENTITY domain Ido Schimmel <idosch(a)nvidia.com> ethtool: cmis_cdb: Fix incorrect read / write length extension Florian Westphal <fw(a)strlen.de> nft_set_pipapo: fix incorrect avx2 match of 5th field octet Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Ido Schimmel <idosch(a)nvidia.com> ipv6: Align behavior across nexthops during path selection Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix UAF in decryption with multichannel Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: move the limit validation Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: use a temporary work area for validating configuration Daniel Wagner <wagi(a)kernel.org> nvmet-fcloop: swap list_add_tail arguments Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/huc: Fix fence not released on early probe errors Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Chenyuan Yang <chenyuan0y(a)gmail.com> net: libwx: handle page_pool_dev_alloc_pages error Maxime Ripard <mripard(a)kernel.org> drm/tests: probe-helper: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: modes: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: cmdline: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: helpers: Create kunit helper to destroy a drm_display_mode Maxime Ripard <mripard(a)kernel.org> drm/tests: modeset: Fix drm_display_mode memory leak Maxime Chevallier <maxime.chevallier(a)bootlin.com> net: ethtool: Don't call .cleanup_data when prepare_data fails Toke Høiland-Jørgensen <toke(a)redhat.com> tc: Ensure we have enough buffer space when sending filter netlink notifications Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-pf: qos: fix VF root node parent queue index Jakub Kicinski <kuba(a)kernel.org> net: tls: explicitly disallow disconnect Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/xe: Restore EIO errno return when GuC PC start fails Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/hw_engine: define sysfs_ops on all directories Petr Vaněk <arkamar(a)atlas.cz> x86/acpi: Don't limit CPUs to 1 for Xen PV guests due to disabled ACPI Badal Nilawar <badal.nilawar(a)intel.com> drm/i915: Disable RPG during live selftest Ming Lei <ming.lei(a)redhat.com> ublk: fix handling recovery & reissue in ublk_abort_queue() Edward Liaw <edliaw(a)google.com> selftests/futex: futex_waitv wouldblock test should fail Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpiolib: of: Fix the choice for Ingenic NAND quirk Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix race between newly created partition and dying one Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix error handling in remote_partition_disable() Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: adl: add 2xrt1316 audio configuration ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 + Documentation/arch/arm64/silicon-errata.rst | 2 + .../bindings/arm/qcom,coresight-tpda.yaml | 3 +- .../bindings/arm/qcom,coresight-tpdm.yaml | 3 +- .../bindings/media/i2c/st,st-mipid02.yaml | 2 +- Makefile | 7 +- arch/arm64/Kconfig | 9 + arch/arm64/boot/dts/exynos/google/gs101.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- arch/arm64/boot/dts/mediatek/mt8188.dtsi | 2 +- .../boot/dts/nvidia/tegra234-p3768-0000+p3767.dtsi | 7 - .../boot/dts/ti/k3-j784s4-j742s2-main-common.dtsi | 6 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/include/asm/kvm_arm.h | 4 +- arch/arm64/include/asm/spectre.h | 1 - arch/arm64/include/asm/traps.h | 4 +- arch/arm64/kernel/proton-pack.c | 208 ++++---- arch/arm64/kvm/arm.c | 6 +- arch/arm64/kvm/sys_regs.c | 204 ++++---- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/kvm/powerpc.c | 5 +- arch/s390/Makefile | 2 +- arch/s390/kernel/perf_cpum_cf.c | 9 +- arch/s390/kernel/perf_cpum_sf.c | 3 - arch/s390/pci/pci_bus.c | 3 + arch/s390/pci/pci_mmio.c | 18 +- arch/sparc/include/asm/pgtable_64.h | 2 - arch/sparc/mm/tlb.c | 5 +- arch/x86/Kbuild | 4 + arch/x86/Kconfig | 20 +- arch/x86/include/asm/irqflags.h | 40 +- arch/x86/include/asm/paravirt.h | 20 +- arch/x86/include/asm/paravirt_types.h | 3 +- arch/x86/kernel/acpi/boot.c | 11 + arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/e820.c | 17 +- arch/x86/kernel/head64.c | 2 - arch/x86/kernel/paravirt.c | 14 +- arch/x86/kernel/signal_32.c | 62 ++- arch/x86/kvm/cpuid.c | 8 +- arch/x86/kvm/x86.c | 4 + arch/x86/mm/kasan_init_64.c | 1 - arch/x86/mm/mem_encrypt_amd.c | 2 - arch/x86/mm/mem_encrypt_identity.c | 2 - arch/x86/mm/pat/set_memory.c | 6 +- arch/x86/xen/enlighten.c | 10 + arch/x86/xen/setup.c | 3 - block/blk-mq.c | 1 + drivers/accel/ivpu/ivpu_debugfs.c | 4 +- drivers/accel/ivpu/ivpu_ipc.c | 3 +- drivers/accel/ivpu/ivpu_ms.c | 24 + drivers/acpi/Makefile | 4 + drivers/acpi/platform_profile.c | 20 +- drivers/ata/ahci.c | 11 + drivers/ata/ahci.h | 1 + drivers/ata/libahci.c | 4 + drivers/ata/libata-core.c | 38 ++ drivers/ata/libata-eh.c | 11 +- drivers/ata/pata_pxa.c | 6 + drivers/ata/sata_sx4.c | 13 +- drivers/auxdisplay/hd44780.c | 4 +- drivers/base/devres.c | 7 + drivers/block/ublk_drv.c | 30 +- drivers/bluetooth/btintel_pcie.c | 1 + drivers/bluetooth/btqca.c | 13 +- drivers/bluetooth/btusb.c | 32 ++ drivers/bluetooth/hci_ldisc.c | 19 +- drivers/bluetooth/hci_qca.c | 2 +- drivers/bluetooth/hci_uart.h | 1 + drivers/bus/mhi/host/main.c | 16 +- drivers/char/tpm/tpm-chip.c | 6 + drivers/char/tpm/tpm-interface.c | 7 - drivers/char/tpm/tpm_tis_core.c | 20 +- drivers/char/tpm/tpm_tis_core.h | 1 + drivers/clk/qcom/clk-branch.c | 4 +- drivers/clk/qcom/gdsc.c | 61 ++- drivers/clk/renesas/r9a07g043-cpg.c | 7 + drivers/clocksource/timer-stm32-lp.c | 4 +- drivers/cpuidle/Makefile | 3 + drivers/crypto/ccp/sp-pci.c | 15 +- drivers/gpio/gpio-tegra186.c | 25 +- drivers/gpio/gpio-zynq.c | 1 + drivers/gpio/gpiolib-of.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 43 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 + .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 31 +- drivers/gpu/drm/amd/display/dc/dc.h | 2 + drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 8 + .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 2 + .../amd/display/dc/dml2/dml2_dc_resource_mgmt.c | 26 - .../gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c | 2 +- .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 22 +- .../display/dc/link/protocols/link_dp_capability.c | 12 +- .../display/dc/link/protocols/link_dp_training.c | 2 + .../link_dp_training_fixed_vs_pe_retimer.c | 3 +- drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 + drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_debugfs.c | 2 +- drivers/gpu/drm/drm_panel.c | 5 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 +- drivers/gpu/drm/i915/gt/intel_rc6.c | 19 +- drivers/gpu/drm/i915/gt/uc/intel_huc.c | 11 +- drivers/gpu/drm/i915/gt/uc/intel_huc.h | 1 + drivers/gpu/drm/i915/gt/uc/intel_uc.c | 1 + drivers/gpu/drm/i915/selftests/i915_selftest.c | 18 + drivers/gpu/drm/mediatek/mtk_dpi.c | 23 +- drivers/gpu/drm/tests/drm_client_modeset_test.c | 3 + drivers/gpu/drm/tests/drm_cmdline_parser_test.c | 10 +- drivers/gpu/drm/tests/drm_kunit_helpers.c | 22 + drivers/gpu/drm/tests/drm_modes_test.c | 22 + drivers/gpu/drm/tests/drm_probe_helper_test.c | 8 +- drivers/gpu/drm/xe/xe_gt.c | 4 + drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 4 +- drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 16 + drivers/gpu/drm/xe/xe_gt_sriov_vf.h | 1 + drivers/gpu/drm/xe/xe_guc_pc.c | 1 + drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c | 108 ++-- drivers/gpu/drm/xe/xe_tuning.c | 8 - drivers/gpu/drm/xe/xe_wa.c | 7 + drivers/hid/Kconfig | 14 + drivers/hid/Makefile | 1 + drivers/hid/hid-ids.h | 37 ++ drivers/hid/hid-universal-pidff.c | 202 ++++++++ drivers/hid/usbhid/hid-core.c | 1 + drivers/hid/usbhid/hid-pidff.c | 571 ++++++++++++++------- drivers/hid/usbhid/hid-pidff.h | 33 ++ drivers/i3c/master.c | 3 + drivers/i3c/master/svc-i3c-master.c | 2 +- drivers/idle/Makefile | 5 +- drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 32 +- drivers/iommu/exynos-iommu.c | 4 +- drivers/iommu/intel/iommu.c | 2 + drivers/iommu/intel/irq_remapping.c | 71 +-- drivers/iommu/iommufd/device.c | 123 ++++- drivers/iommu/iommufd/fault.c | 8 +- drivers/iommu/iommufd/iommufd_private.h | 33 +- drivers/iommu/mtk_iommu.c | 26 +- drivers/irqchip/irq-gic-v3-its.c | 23 +- drivers/irqchip/irq-renesas-rzv2h.c | 2 +- drivers/leds/rgb/leds-qcom-lpg.c | 8 +- drivers/mailbox/tegra-hsp.c | 72 ++- drivers/md/dm-ebs-target.c | 7 + drivers/md/dm-integrity.c | 48 +- drivers/md/dm-verity-target.c | 8 + drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ccs/ccs-core.c | 6 +- drivers/media/i2c/hi556.c | 5 +- drivers/media/i2c/imx214.c | 25 +- drivers/media/i2c/imx219.c | 106 ++-- drivers/media/i2c/imx319.c | 9 +- drivers/media/i2c/ov08x40.c | 8 +- drivers/media/i2c/ov7251.c | 4 +- drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 1 + drivers/media/pci/mgb4/mgb4_cmt.c | 8 +- .../media/platform/chips-media/wave5/wave5-hw.c | 2 +- .../platform/chips-media/wave5/wave5-vpu-dec.c | 31 +- .../media/platform/chips-media/wave5/wave5-vpu.c | 4 +- .../platform/chips-media/wave5/wave5-vpuapi.c | 10 + .../mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 +- .../mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +- drivers/media/platform/nuvoton/npcm-video.c | 6 +- drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++- drivers/media/platform/qcom/venus/hfi_venus.c | 18 +- drivers/media/platform/rockchip/rga/rga-hw.c | 2 +- .../platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c | 5 +- drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 +- drivers/media/platform/xilinx/xilinx-tpg.c | 2 - drivers/media/rc/streamzap.c | 68 +-- drivers/media/test-drivers/vim2m.c | 6 +- drivers/media/test-drivers/visl/visl-core.c | 12 + drivers/media/usb/uvc/uvc_driver.c | 9 + drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/mfd/ene-kb3930.c | 2 +- drivers/misc/pci_endpoint_test.c | 3 +- drivers/mmc/host/dw_mmc.c | 94 +++- drivers/mmc/host/dw_mmc.h | 27 + drivers/mtd/inftlcore.c | 9 +- drivers/mtd/mtdpstore.c | 12 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/can/flexcan/flexcan-core.c | 35 +- drivers/net/can/flexcan/flexcan.h | 5 + drivers/net/dsa/mv88e6xxx/chip.c | 23 +- drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 3 +- drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 5 + drivers/net/ethernet/microsoft/mana/mana_en.c | 46 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 3 +- drivers/net/phy/phy_device.c | 57 +- drivers/net/phy/sfp.c | 13 +- drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/usb/asix_devices.c | 17 + drivers/net/usb/cdc_ether.c | 7 + drivers/net/usb/r8152.c | 6 + drivers/net/usb/r8153_ecm.c | 6 + drivers/net/wireless/ath/ath11k/ahb.c | 4 +- drivers/net/wireless/ath/ath11k/core.c | 3 +- drivers/net/wireless/ath/ath11k/dp.c | 35 +- drivers/net/wireless/ath/ath11k/fw.c | 3 +- drivers/net/wireless/ath/ath11k/pci.c | 3 +- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +- drivers/net/wireless/ath/ath12k/pci.c | 1 + drivers/net/wireless/mediatek/mt76/eeprom.c | 4 + drivers/net/wireless/mediatek/mt76/mt76.h | 1 + .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 16 +- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 4 +- drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/target/fcloop.c | 2 +- drivers/of/irq.c | 78 +-- drivers/pci/controller/cadence/pci-j721e.c | 5 +- drivers/pci/controller/pcie-brcmstb.c | 13 +- drivers/pci/controller/pcie-rockchip-host.c | 2 +- drivers/pci/controller/pcie-rockchip.h | 1 - drivers/pci/controller/vmd.c | 12 +- drivers/pci/devres.c | 18 +- drivers/pci/hotplug/pciehp_core.c | 5 +- drivers/pci/iomap.c | 29 +- drivers/pci/pci.c | 6 + drivers/pci/pci.h | 16 + drivers/pci/probe.c | 22 +- drivers/perf/arm_pmu.c | 8 +- drivers/perf/dwc_pcie_pmu.c | 33 +- drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 12 +- drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 98 ++-- drivers/pinctrl/samsung/pinctrl-exynos.h | 22 + drivers/pinctrl/samsung/pinctrl-samsung.c | 1 + drivers/pinctrl/samsung/pinctrl-samsung.h | 4 + drivers/platform/chrome/cros_ec_lpc.c | 22 +- drivers/platform/x86/x86-android-tablets/Kconfig | 1 + drivers/pwm/pwm-fsl-ftm.c | 6 + drivers/pwm/pwm-mediatek.c | 8 +- drivers/pwm/pwm-rcar.c | 24 +- drivers/pwm/pwm-stm32.c | 12 +- drivers/s390/virtio/virtio_ccw.c | 16 +- drivers/scsi/lpfc/lpfc_sli.c | 2 + drivers/scsi/mpi3mr/mpi3mr.h | 14 +- drivers/scsi/mpi3mr/mpi3mr_app.c | 24 + drivers/scsi/mpi3mr/mpi3mr_fw.c | 99 +++- drivers/scsi/st.c | 2 +- drivers/soc/samsung/exynos-chipid.c | 2 + drivers/spi/spi-cadence-quadspi.c | 6 + drivers/spi/spi-fsl-qspi.c | 36 +- drivers/target/target_core_spc.c | 2 +- drivers/thermal/mediatek/lvts_thermal.c | 52 +- drivers/thermal/rockchip_thermal.c | 1 + drivers/ufs/host/ufs-qcom.c | 2 +- drivers/vdpa/mlx5/core/mr.c | 7 +- drivers/video/backlight/led_bl.c | 5 +- drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/balloon.c | 34 +- drivers/xen/xenfs/xensyms.c | 4 +- fs/btrfs/disk-io.c | 12 + fs/btrfs/extent-tree.c | 8 + fs/btrfs/tests/extent-map-tests.c | 1 + fs/btrfs/transaction.c | 12 + fs/btrfs/zoned.c | 6 + fs/dlm/lock.c | 2 + fs/erofs/fileio.c | 2 + fs/ext4/inode.c | 68 ++- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 17 + fs/ext4/xattr.c | 11 +- fs/f2fs/checkpoint.c | 21 +- fs/f2fs/f2fs.h | 32 +- fs/f2fs/inode.c | 8 +- fs/f2fs/node.c | 110 ++-- fs/f2fs/super.c | 8 +- fs/file.c | 26 +- fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 10 +- fs/jfs/jfs_imap.c | 4 +- fs/namespace.c | 3 +- fs/nfsd/nfs4callback.c | 2 +- fs/nfsd/nfsctl.c | 9 +- fs/nfsd/stats.c | 4 +- fs/nfsd/stats.h | 2 +- fs/smb/client/cifsencrypt.c | 16 +- fs/smb/client/connect.c | 3 + fs/smb/client/fs_context.c | 5 + fs/smb/client/inode.c | 10 + fs/smb/client/reparse.c | 4 - fs/smb/client/sess.c | 7 + fs/smb/client/smb2misc.c | 9 +- fs/smb/client/smb2ops.c | 6 +- fs/smb/client/smb2pdu.c | 11 +- fs/udf/inode.c | 1 + fs/userfaultfd.c | 51 +- include/drm/drm_kunit_helpers.h | 3 + include/drm/intel/pciids.h | 5 +- include/linux/cgroup-defs.h | 1 + include/linux/cgroup.h | 2 +- include/linux/hid.h | 6 - include/linux/io_uring_types.h | 3 + include/linux/kvm_host.h | 2 +- include/linux/page-flags.h | 6 + include/linux/pci_ids.h | 2 + include/linux/perf_event.h | 17 +- include/linux/pgtable.h | 14 +- include/linux/printk.h | 6 + include/linux/tpm.h | 1 + include/net/bluetooth/hci.h | 16 + include/net/bluetooth/hci_core.h | 4 + include/net/mac80211.h | 6 + include/net/sctp/structs.h | 3 +- include/net/sock.h | 40 +- include/uapi/linux/kfd_ioctl.h | 2 + include/uapi/linux/landlock.h | 2 + include/uapi/linux/psp-sev.h | 21 +- include/uapi/linux/rkisp1-config.h | 2 +- include/xen/interface/xen-mca.h | 2 +- io_uring/io_uring.c | 4 +- io_uring/kbuf.c | 2 + io_uring/net.c | 3 + kernel/Makefile | 5 + kernel/cgroup/cgroup.c | 6 + kernel/cgroup/cpuset.c | 55 +- kernel/entry/Makefile | 3 + kernel/events/core.c | 184 +++---- kernel/locking/lockdep.c | 3 + kernel/power/hibernate.c | 6 +- kernel/printk/printk.c | 4 +- kernel/rcu/srcutree.c | 11 +- kernel/reboot.c | 1 + kernel/sched/Makefile | 5 + kernel/sched/ext.c | 4 +- kernel/time/Makefile | 6 + kernel/trace/ftrace.c | 9 +- kernel/trace/ring_buffer.c | 5 +- kernel/trace/trace_events.c | 4 +- kernel/trace/trace_events_synth.c | 1 - kernel/trace/trace_fprobe.c | 26 +- kernel/trace/trace_probe.c | 28 + lib/Makefile | 5 + lib/sg_split.c | 2 - lib/zstd/common/portability_macros.h | 2 +- mm/damon/ops-common.c | 2 +- mm/damon/paddr.c | 24 +- mm/hugetlb.c | 2 +- mm/memory-failure.c | 11 +- mm/memory_hotplug.c | 3 +- mm/mremap.c | 10 +- mm/page_vma_mapped.c | 13 +- mm/rmap.c | 2 +- mm/shmem.c | 3 +- mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +- net/bluetooth/hci_sync.c | 6 +- net/core/filter.c | 80 +-- net/core/page_pool.c | 8 +- net/core/page_pool_user.c | 2 +- net/core/sock.c | 5 + net/ethtool/cmis.h | 1 - net/ethtool/cmis_cdb.c | 18 +- net/ethtool/netlink.c | 8 +- net/ipv6/route.c | 8 +- net/mac80211/debugfs.c | 44 +- net/mac80211/iface.c | 5 +- net/mac80211/mesh_hwmp.c | 14 +- net/mac80211/mlme.c | 45 +- net/mptcp/sockopt.c | 28 + net/mptcp/subflow.c | 19 +- net/netfilter/nft_set_pipapo_avx2.c | 3 +- net/sched/cls_api.c | 66 ++- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_sfq.c | 66 ++- net/sctp/socket.c | 22 +- net/sctp/transport.c | 2 + net/sunrpc/xprtrdma/svc_rdma_transport.c | 3 +- net/tipc/link.c | 1 + net/tls/tls_main.c | 6 + scripts/generate_builtin_ranges.awk | 5 + security/integrity/ima/ima.h | 3 +- security/integrity/ima/ima_main.c | 18 +- security/landlock/errata.h | 99 ++++ security/landlock/errata/abi-4.h | 15 + security/landlock/errata/abi-6.h | 19 + security/landlock/fs.c | 39 +- security/landlock/setup.c | 38 +- security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 +- security/landlock/task.c | 12 + sound/pci/hda/hda_intel.c | 44 +- sound/pci/hda/patch_realtek.c | 22 + sound/soc/amd/acp/acp-sdw-legacy-mach.c | 34 ++ sound/soc/amd/acp/soc_amd_sdw_common.h | 1 + sound/soc/amd/ps/acp63.h | 1 + sound/soc/amd/ps/pci-ps.c | 2 +- sound/soc/amd/yc/acp6x-mach.c | 14 + sound/soc/codecs/wcd937x.c | 2 + sound/soc/fsl/fsl_audmix.c | 16 +- sound/soc/intel/common/soc-acpi-intel-adl-match.c | 29 ++ sound/soc/qcom/qdsp6/q6apm-dai.c | 60 ++- sound/soc/qcom/qdsp6/q6apm.c | 18 +- sound/soc/qcom/qdsp6/q6apm.h | 3 + sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +- sound/soc/sof/topology.c | 4 +- sound/usb/midi.c | 80 ++- tools/objtool/check.c | 5 + tools/power/cpupower/bench/parse.c | 4 + tools/testing/ktest/ktest.pl | 8 + .../futex/functional/futex_wait_wouldblock.c | 2 +- tools/testing/selftests/landlock/base_test.c | 46 +- tools/testing/selftests/landlock/common.h | 1 + .../selftests/landlock/scoped_signal_test.c | 108 +++- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- virt/kvm/Kconfig | 2 +- virt/kvm/eventfd.c | 10 +- 421 files changed, 5137 insertions(+), 2163 deletions(-)

6 months, 2 weeks

5
419
0 0

[PATCH] HID: amd_sfh: Fix SRA sensor when it's the only sensor

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com> On systems that only have an SRA sensor connected to SFH the sensor doesn't get enabled due to a bad optimization condition of breaking the sensor walk loop. This optimization is unnecessary in the first place because if there is only one device then the loop only runs once. Drop the condition and explicitly mark sensor as enabled. Reported-by: Yijun Shen <Yijun.Shen(a)dell.com> Fixes: d1c444b47100d ("HID: amd_sfh: Add support to export device operating states") Cc: stable(a)vger.kernel.org Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c index 25f0ebfcbd5f5..c1bdf1e0d44af 100644 --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c @@ -134,9 +134,6 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) for (i = 0; i < cl_data->num_hid_devices; i++) { cl_data->sensor_sts[i] = SENSOR_DISABLED; - if (cl_data->num_hid_devices == 1 && cl_data->sensor_idx[0] == SRA_IDX) - break; - if (cl_data->sensor_idx[i] == SRA_IDX) { info.sensor_idx = cl_data->sensor_idx[i]; writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0)); @@ -145,8 +142,10 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) (privdata, cl_data->sensor_idx[i], ENABLE_SENSOR); cl_data->sensor_sts[i] = (status == 0) ? SENSOR_ENABLED : SENSOR_DISABLED; - if (cl_data->sensor_sts[i] == SENSOR_ENABLED) + if (cl_data->sensor_sts[i] == SENSOR_ENABLED) { + cl_data->is_any_sensor_enabled = true; privdata->dev_en.is_sra_present = true; + } continue; } -- 2.43.0

6 months, 2 weeks

4
3
0 0

[PATCH v2 RESEND] HID: wacom: fix shift OOB in kfifo allocation for zero pktlen

by Qasim Ijaz

During wacom_parse_and_register() the code calls wacom_devm_kfifo_alloc to allocate a fifo. During this operation it passes kfifo_alloc a fifo_size of 0. Kfifo attempts to round the size passed to it to the next power of 2 via roundup_pow_of_two (queue-type data structures do this to maintain efficiency of operations). However during this phase a problem arises when the roundup_pow_of_two() function utilises a shift exponent of fls_long(n-1), where n is the fifo_size. Since n is 0 in this case and n is also an unsigned long, doing n-1 causes unsigned integer wrap-around to occur making the fifo_size 4294967295. So the code effectively does fls_long(4294967295) which results in 64. Returning back to roundup_pow_of_two(), the code utilises a shift exponent of 64. When a shift exponent of 64 is used on a 64-bit type such as 1UL it results in a shift-out-of-bounds. The root cause of the issue seems to stem from insufficient validation of wacom_compute_pktlen(), since in this case the fifo_size comes from wacom_wac->features.pktlen. During wacom_parse_and_register() the wacom_compute_pktlen() function sets the pktlen as 0. To fix this, we should handle cases where wacom_compute_pktlen() results in 0. Reported-by: syzbot <syzbot+d5204cbbdd921f1f7cad(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=d5204cbbdd921f1f7cad Fixes: 5e013ad20689 ("HID: wacom: Remove static WACOM_PKGLEN_MAX limit") Tested-by: Qasim Ijaz <qasdev00(a)gmail.com> Reviewed-by: Jason Gerecke <jason.gerecke(a)wacom.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- v2: - Added Fixes tag as suggested by Jason Gerecke drivers/hid/wacom_sys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c index 97393a3083ca..9b2f3dbca467 100644 --- a/drivers/hid/wacom_sys.c +++ b/drivers/hid/wacom_sys.c @@ -2361,6 +2361,8 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless) unsigned int connect_mask = HID_CONNECT_HIDRAW; features->pktlen = wacom_compute_pktlen(hdev); + if (!features->pktlen) + return -ENODEV; if (!devres_open_group(&hdev->dev, wacom, GFP_KERNEL)) return -ENOMEM; -- 2.39.5

6 months, 2 weeks

2
1
0 0

Potential Linux Crash: WARNING in release_bp_slot in linux6.12.24(longterm maintenance)

by ffhgfv

Hello, I found a potential bug titled " WARNING in release_bp_slot " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <xnxc22xnxc22(a)qq.com>, xingwei lee <xrivendell7(a)gmail.com>,Penglei Jiang <superman.xpt(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 The reproduction program written in C language is at the end. ------------[ cut here ]----------------------------------------- TITLE: WARNING in release_bp_slot ------------[ cut here ]------------ loop2: detected capacity change from 0 to 64 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:614 [inline] WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:607 [inline] WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 release_bp_slot+0x6b/0x90 kernel/events/hw_breakpoint.c:621 Modules linked in: CPU: 1 UID: 0 PID: 38650 Comm: syz.2.3497 Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__release_bp_slot kernel/events/hw_breakpoint.c:614 [inline] RIP: 0010:__release_bp_slot kernel/events/hw_breakpoint.c:607 [inline] RIP: 0010:release_bp_slot+0x6b/0x90 kernel/events/hw_breakpoint.c:621 Code: e8 8a c1 ff ff 31 ff 89 c5 89 c6 e8 7f 95 ce ff 85 ed 75 10 e8 86 9a ce ff 4c 89 e7 5d 41 5c e9 7b b7 ff ff e8 76 9a ce ff 90 <0f> 0b 90 e8 6d 9a ce ff 4c 89 e7 5d 41 5c e9 62 b7 ff ff e8 3d c3 RSP: 0018:ffffc90006effc58 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff888027788620 RCX: ffffc90010ce2000 RDX: 0000000000080000 RSI: ffffffff81bd948a RDI: 0000000000000005 RBP: 00000000fffffffe R08: 0000000000000001 R09: ffff88804cc82fd8 R10: 00000000fffffffe R11: 0000000000000000 R12: ffff88804cc83928 R13: ffff8880277886b8 R14: ffff888027788b98 R15: 00000000ffffffa1 FS: 00007ff310df6640(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2000b85150 CR3: 000000007ce38000 CR4: 0000000000752ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <task> __free_event+0x1d9/0x870 kernel/events/core.c:5330 perf_event_alloc.part.0+0x1225/0x3620 kernel/events/core.c:12437 perf_event_alloc kernel/events/core.c:12749 [inline] __do_sys_perf_event_open+0x4c9/0x2c40 kernel/events/core.c:12847 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff312fad5ad Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff310df5f98 EFLAGS: 00000246 ORIG_RAX: 000000000000012a RAX: ffffffffffffffda RBX: 00007ff3131e5fa0 RCX: 00007ff312fad5ad RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000004c0 RBP: 00007ff313046d56 R08: 000000000000000a R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007ff3131e5fa0 R15: 00007ff310dd6000 </task> ================================================================== The following is the poc： -------------------------------------------------------------------------------------- #define _GNU_SOURCE #include <endian.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys syscall.h=""> #include <sys types.h=""> #include <unistd.h> #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ *(type*)(addr) = \ htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } *(uint32_t*)0x2000000004c0 = 5; *(uint32_t*)0x2000000004c4 = 0x80; *(uint8_t*)0x2000000004c8 = 8; *(uint8_t*)0x2000000004c9 = 0xaf; *(uint8_t*)0x2000000004ca = 0; *(uint8_t*)0x2000000004cb = 8; *(uint32_t*)0x2000000004cc = 0; *(uint64_t*)0x2000000004d0 = 4; *(uint64_t*)0x2000000004d8 = 0x402; *(uint64_t*)0x2000000004e0 = 0xc; STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 0, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 1, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 2, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 3, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 4, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 5, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 6, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 7, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 8, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 9, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 10, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 11, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 12, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 13, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 14, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 15, 2); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 17, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 18, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 19, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 20, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 21, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 22, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 23, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 24, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 25, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 26, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 27, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 28, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 29, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 30, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 31, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 32, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 33, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 34, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 35, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 36, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 37, 1); STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 38, 26); *(uint32_t*)0x2000000004f0 = 2; *(uint32_t*)0x2000000004f4 = 2; *(uint64_t*)0x2000000004f8 = 0x8000; *(uint64_t*)0x200000000500 = 2; *(uint64_t*)0x200000000508 = 0x100001; *(uint64_t*)0x200000000510 = 0x839; *(uint32_t*)0x200000000518 = 8; *(uint32_t*)0x20000000051c = 7; *(uint64_t*)0x200000000520 = 0x8000000000000000; *(uint32_t*)0x200000000528 = 0x5e4; *(uint16_t*)0x20000000052c = 0xfefd; *(uint16_t*)0x20000000052e = 0; *(uint32_t*)0x200000000530 = 0x10000004; *(uint32_t*)0x200000000534 = 0; *(uint64_t*)0x200000000538 = 0x40000000000002; syscall(__NR_perf_event_open, /*attr=*/0x2000000004c0ul, /*pid=*/0, /*cpu=*/0ul, /*group=*/(intptr_t)-1, /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_OUTPUT*/ 0xaul); return 0; } I hope it helps. Best regards Jianzhou Zhao</unistd.h></sys></sys></string.h></stdlib.h></stdio.h></stdint.h></endian.h></superman.xpt(a)gmail.com></xrivendell7(a)gmail.com></xnxc22xnxc22(a)qq.com>

6 months, 2 weeks

2
1
0 0

[PATCH v1] HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()

by Terry Junge

Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors. Reported-by: syzbot+c52569baf0c843f35495(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 Fixes: f043bfc98c19 ("HID: usbhid: fix out-of-bounds bug") Cc: stable(a)vger.kernel.org Signed-off-by: Terry Junge <linuxhid(a)cosmicgizmosystems.com> --- v1: Remove unnecessary for loop searching for the report descriptor size. base-commit: 58c9bf3363e596d744f56616d407278ef5f97f5a P.S. This is an alternative to the solution proposed by Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Link: https://lore.kernel.org/all/20250131151600.410242-1-n.zhandarovich@fintech.… include/linux/hid.h | 3 ++- drivers/usb/gadget/function/f_hid.c | 12 ++++++------ drivers/hid/hid-hyperv.c | 4 ++-- drivers/hid/usbhid/hid-core.c | 25 ++++++++++++++----------- 4 files changed, 24 insertions(+), 20 deletions(-) diff --git a/include/linux/hid.h b/include/linux/hid.h index cdc0dc13c87f..7abc8c74bdd5 100644 --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -738,8 +738,9 @@ struct hid_descriptor { __le16 bcdHID; __u8 bCountryCode; __u8 bNumDescriptors; + struct hid_class_descriptor rpt_desc; - struct hid_class_descriptor desc[1]; + struct hid_class_descriptor opt_descs[]; } __attribute__ ((packed)); #define HID_DEVICE(b, g, ven, prod) \ diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c index 740311c4fa24..c7a05f842745 100644 --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -144,8 +144,8 @@ static struct hid_descriptor hidg_desc = { .bcdHID = cpu_to_le16(0x0101), .bCountryCode = 0x00, .bNumDescriptors = 0x1, - /*.desc[0].bDescriptorType = DYNAMIC */ - /*.desc[0].wDescriptorLenght = DYNAMIC */ + /*.rpt_desc.bDescriptorType = DYNAMIC */ + /*.rpt_desc.wDescriptorLength = DYNAMIC */ }; /* Super-Speed Support */ @@ -939,8 +939,8 @@ static int hidg_setup(struct usb_function *f, struct hid_descriptor hidg_desc_copy = hidg_desc; VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n"); - hidg_desc_copy.desc[0].bDescriptorType = HID_DT_REPORT; - hidg_desc_copy.desc[0].wDescriptorLength = + hidg_desc_copy.rpt_desc.bDescriptorType = HID_DT_REPORT; + hidg_desc_copy.rpt_desc.wDescriptorLength = cpu_to_le16(hidg->report_desc_length); length = min_t(unsigned short, length, @@ -1210,8 +1210,8 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f) * We can use hidg_desc struct here but we should not relay * that its content won't change after returning from this function. */ - hidg_desc.desc[0].bDescriptorType = HID_DT_REPORT; - hidg_desc.desc[0].wDescriptorLength = + hidg_desc.rpt_desc.bDescriptorType = HID_DT_REPORT; + hidg_desc.rpt_desc.wDescriptorLength = cpu_to_le16(hidg->report_desc_length); hidg_hs_in_ep_desc.bEndpointAddress = diff --git a/drivers/hid/hid-hyperv.c b/drivers/hid/hid-hyperv.c index 0fb210e40a41..9eafff0b6ea4 100644 --- a/drivers/hid/hid-hyperv.c +++ b/drivers/hid/hid-hyperv.c @@ -192,7 +192,7 @@ static void mousevsc_on_receive_device_info(struct mousevsc_dev *input_device, goto cleanup; input_device->report_desc_size = le16_to_cpu( - desc->desc[0].wDescriptorLength); + desc->rpt_desc.wDescriptorLength); if (input_device->report_desc_size == 0) { input_device->dev_info_status = -EINVAL; goto cleanup; @@ -210,7 +210,7 @@ static void mousevsc_on_receive_device_info(struct mousevsc_dev *input_device, memcpy(input_device->report_desc, ((unsigned char *)desc) + desc->bLength, - le16_to_cpu(desc->desc[0].wDescriptorLength)); + le16_to_cpu(desc->rpt_desc.wDescriptorLength)); /* Send the ack */ memset(&ack, 0, sizeof(struct mousevsc_prt_msg)); diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c index a6eb6fe6130d..e668143b559d 100644 --- a/drivers/hid/usbhid/hid-core.c +++ b/drivers/hid/usbhid/hid-core.c @@ -983,12 +983,11 @@ static int usbhid_parse(struct hid_device *hid) struct usb_host_interface *interface = intf->cur_altsetting; struct usb_device *dev = interface_to_usbdev (intf); struct hid_descriptor *hdesc; + struct hid_class_descriptor *hcdesc; u32 quirks = 0; unsigned int rsize = 0; char *rdesc; - int ret, n; - int num_descriptors; - size_t offset = offsetof(struct hid_descriptor, desc); + int ret; quirks = hid_lookup_quirk(hid); @@ -1010,20 +1009,19 @@ static int usbhid_parse(struct hid_device *hid) return -ENODEV; } - if (hdesc->bLength < sizeof(struct hid_descriptor)) { - dbg_hid("hid descriptor is too short\n"); + if (!hdesc->bNumDescriptors || + hdesc->bLength != sizeof(*hdesc) + + (hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) { + dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n", + hdesc->bLength, hdesc->bNumDescriptors); return -EINVAL; } hid->version = le16_to_cpu(hdesc->bcdHID); hid->country = hdesc->bCountryCode; - num_descriptors = min_t(int, hdesc->bNumDescriptors, - (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); - - for (n = 0; n < num_descriptors; n++) - if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) - rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); + if (hdesc->rpt_desc.bDescriptorType == HID_DT_REPORT) + rsize = le16_to_cpu(hdesc->rpt_desc.wDescriptorLength); if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) { dbg_hid("weird size of report descriptor (%u)\n", rsize); @@ -1051,6 +1049,11 @@ static int usbhid_parse(struct hid_device *hid) goto err; } + if (hdesc->bNumDescriptors > 1) + hid_warn(intf, + "%hhu unsupported optional hid class descriptors\n", + hdesc->bNumDescriptors - 1); + hid->quirks |= quirks; return 0; -- 2.43.0

6 months, 2 weeks

4
4
0 0

[PATCH v3] arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2

by Wojciech Dubowik

Define vqmmc regulator-gpio for usdhc2 with vin-supply coming from LDO5. Without this definition LDO5 will be powered down, disabling SD card after bootup. This has been introduced in commit f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5"). Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5") Cc: stable(a)vger.kernel.org Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> --- v1 -> v2: https://lore.kernel.org/all/20250417112012.785420-1-Wojciech.Dubowik@mt.com/ - define gpio regulator for LDO5 vin controlled by vselect signal v2 -> v3: https://lore.kernel.org/all/20250422130127.GA238494@francesco-nb/ - specify vselect as gpio --- .../boot/dts/freescale/imx8mm-verdin.dtsi | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi index 7251ad3a0017..b46566f3ce20 100644 --- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi @@ -144,6 +144,19 @@ reg_usdhc2_vmmc: regulator-usdhc2 { startup-delay-us = <20000>; }; + reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc { + compatible = "regulator-gpio"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usdhc2_vsel>; + gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; + regulator-max-microvolt = <3300000>; + regulator-min-microvolt = <1800000>; + states = <1800000 0x1>, + <3300000 0x0>; + regulator-name = "PMIC_USDHC_VSELECT"; + vin-supply = <&reg_nvcc_sd>; + }; + reserved-memory { #address-cells = <2>; #size-cells = <2>; @@ -269,7 +282,7 @@ &gpio1 { "SODIMM_19", "", "", - "", + "PMIC_USDHC_VSELECT", "", "", "", @@ -785,6 +798,7 @@ &usdhc2 { pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>; pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>; vmmc-supply = <&reg_usdhc2_vmmc>; + vqmmc-supply = <&reg_usdhc2_vqmmc>; }; &wdog1 { @@ -1206,13 +1220,17 @@ pinctrl_usdhc2_pwr_en: usdhc2pwrengrp { <MX8MM_IOMUXC_NAND_CLE_GPIO3_IO5 0x6>; /* SODIMM 76 */ }; + pinctrl_usdhc2_vsel: usdhc2vselgrp { + fsl,pins = + <MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4 0x10>; /* PMIC_USDHC_VSELECT */ + }; + /* * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here. */ pinctrl_usdhc2: usdhc2grp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x90>, /* SODIMM 78 */ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x90>, /* SODIMM 74 */ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x90>, /* SODIMM 80 */ @@ -1223,7 +1241,6 @@ pinctrl_usdhc2: usdhc2grp { pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x94>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x94>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x94>, @@ -1234,7 +1251,6 @@ pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x96>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x96>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x96>, @@ -1246,7 +1262,6 @@ pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { /* Avoid backfeeding with removed card power */ pinctrl_usdhc2_sleep: usdhc2slpgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x0>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x0>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x0>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x0>, -- 2.47.2

6 months, 2 weeks

4
12
0 0

[PATCH 5.10.y] perf: Fix perf_pending_task() UaF

by Xiangyu Chen

From: Peter Zijlstra <peterz(a)infradead.org> [ Upstream commit 517e6a301f34613bff24a8e35b5455884f2d83d8 ] Per syzbot it is possible for perf_pending_task() to run after the event is free()'d. There are two related but distinct cases: - the task_work was already queued before destroying the event; - destroying the event itself queues the task_work. The first cannot be solved using task_work_cancel() since perf_release() itself might be called from a task_work (____fput), which means the current->task_works list is already empty and task_work_cancel() won't be able to find the perf_pending_task() entry. The simplest alternative is extending the perf_event lifetime to cover the task_work. The second is just silly, queueing a task_work while you know the event is going away makes no sense and is easily avoided by re-arranging how the event is marked STATE_DEAD and ensuring it goes through STATE_OFF on the way down. Reported-by: syzbot+9228d6098455bb209ec8(a)syzkaller.appspotmail.com Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Tested-by: Marco Elver <elver(a)google.com> [ Discard the changes in event_sched_out() due to 5.10 don't have the commit: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events") and commit: ca6c21327c6a ("perf: Fix missing SIGTRAPs") ] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test. --- kernel/events/core.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 8f19d6ab039e..798c839a00b3 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -2419,6 +2419,7 @@ group_sched_out(struct perf_event *group_event, } #define DETACH_GROUP 0x01UL +#define DETACH_DEAD 0x04UL /* * Cross CPU call to remove a performance event @@ -2439,10 +2440,18 @@ __perf_remove_from_context(struct perf_event *event, update_cgrp_time_from_cpuctx(cpuctx, false); } + /* + * Ensure event_sched_out() switches to OFF, at the very least + * this avoids raising perf_pending_task() at this time. + */ + if (flags & DETACH_DEAD) + event->pending_disable = 1; event_sched_out(event, cpuctx, ctx); if (flags & DETACH_GROUP) perf_group_detach(event); list_del_event(event, ctx); + if (flags & DETACH_DEAD) + event->state = PERF_EVENT_STATE_DEAD; if (!ctx->nr_events && ctx->is_active) { if (ctx == &cpuctx->ctx) @@ -5111,9 +5120,7 @@ int perf_event_release_kernel(struct perf_event *event) ctx = perf_event_ctx_lock(event); WARN_ON_ONCE(ctx->parent_ctx); - perf_remove_from_context(event, DETACH_GROUP); - raw_spin_lock_irq(&ctx->lock); /* * Mark this event as STATE_DEAD, there is no external reference to it * anymore. @@ -5125,8 +5132,7 @@ int perf_event_release_kernel(struct perf_event *event) * Thus this guarantees that we will in fact observe and kill _ALL_ * child events. */ - event->state = PERF_EVENT_STATE_DEAD; - raw_spin_unlock_irq(&ctx->lock); + perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD); perf_event_ctx_unlock(event, ctx); @@ -6533,6 +6539,8 @@ static void perf_pending_event(struct irq_work *entry) if (rctx >= 0) perf_swevent_put_recursion_context(rctx); + + put_event(event); } /* -- 2.34.1

6 months, 2 weeks

3
5
0 0

[PATCH v2 RESEND] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()

by Haoxiang Li

Add video_device_release() in label 'err_m2m' to release the memory allocated by video_device_alloc() and prevent potential memory leaks. Remove the reduntant code in label 'err_m2m'. Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> --- Changes in v2: - Remove the reduntant code. Thanks, Dan! --- drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/media/imx/imx-media-csc-scaler.c b/drivers/staging/media/imx/imx-media-csc-scaler.c index e5e08c6f79f2..19fd31cb9bb0 100644 --- a/drivers/staging/media/imx/imx-media-csc-scaler.c +++ b/drivers/staging/media/imx/imx-media-csc-scaler.c @@ -912,7 +912,7 @@ imx_media_csc_scaler_device_init(struct imx_media_dev *md) return &priv->vdev; err_m2m: - video_set_drvdata(vfd, NULL); + video_device_release(vfd); err_vfd: kfree(priv); return ERR_PTR(ret); -- 2.25.1

6 months, 2 weeks

1
0
0 0

[PATCH 2/2] drm/dp: Add handling for partially read under I2-readC-over-AUX

by Wayne Lin

[Why] There is no handling for I2C-read-over-AUX when receive reply of I2C_ACK|AUX_ACK followed by the total number of data bytes Fewer than LEN + 1 [How] Refer to DP v2.1: 2.11.7.1.6.3 & 2.11.7.1.6.4, repeat the identical I2C-read-over-AUX transaction with the updated LEN value equal to the original LEN value minus the total number of data bytes received so far. Fixes: 68ec2a2a2481 ("drm/dp: Use I2C_WRITE_STATUS_UPDATE to drain partial I2C_WRITE requests") Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com> --- drivers/gpu/drm/display/drm_dp_helper.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c index 28f0708c3b27..938214a980a9 100644 --- a/drivers/gpu/drm/display/drm_dp_helper.c +++ b/drivers/gpu/drm/display/drm_dp_helper.c @@ -1812,10 +1812,11 @@ static int drm_dp_i2c_do_msg(struct drm_dp_aux *aux, struct drm_dp_aux_msg *msg) drm_dbg_kms(aux->drm_dev, "%s: I2C partially ack (result=%d, size=%zu)\n", aux->name, ret, msg->size); - if (!(msg->request & DP_AUX_I2C_READ)) { - usleep_range(AUX_RETRY_INTERVAL, AUX_RETRY_INTERVAL + 100); + usleep_range(AUX_RETRY_INTERVAL, AUX_RETRY_INTERVAL + 100); + if (msg->request & DP_AUX_I2C_READ) + msg->size -= ret; + else drm_dp_i2c_msg_write_status_update(msg); - } continue; } -- 2.43.0

6 months, 2 weeks

1
0
0 0

[PATCH RESEND] scsi: esas2r: Add check for alloc_ordered_workqueue()

by Haoxiang Li

Add check for the return value of alloc_ordered_workqueue() in esas2r_init_adapter() to catch potential exception. Fixes: 4cb1b41a5ee4 ("scsi: esas2r: Simplify an alloc_ordered_workqueue() invocation") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/scsi/esas2r/esas2r_init.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/esas2r/esas2r_init.c b/drivers/scsi/esas2r/esas2r_init.c index 04a07fe57be2..9c0225a1f208 100644 --- a/drivers/scsi/esas2r/esas2r_init.c +++ b/drivers/scsi/esas2r/esas2r_init.c @@ -313,6 +313,11 @@ int esas2r_init_adapter(struct Scsi_Host *host, struct pci_dev *pcid, esas2r_fw_event_off(a); a->fw_event_q = alloc_ordered_workqueue("esas2r/%d", WQ_MEM_RECLAIM, a->index); + if (!a->fw_event_q) { + esas2r_log(ESAS2R_LOG_CRIT, "failed to create work queue\n"); + esas2r_kill_adapter(index); + return 0; + } init_waitqueue_head(&a->buffered_ioctl_waiter); init_waitqueue_head(&a->nvram_waiter); -- 2.25.1

6 months, 2 weeks

1
0
0 0

[PATCH RESEND] drm/xe: Add check for alloc_ordered_workqueue()

by Haoxiang Li

Add check for the return value of alloc_ordered_workqueue() in xe_gt_alloc() to catch potential exception. Fixes: e2d84e5b2205 ("drm/xe: Mark GT work queue with WQ_MEM_RECLAIM") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_gt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c index 10a9e3c72b36..1f50f26fb657 100644 --- a/drivers/gpu/drm/xe/xe_gt.c +++ b/drivers/gpu/drm/xe/xe_gt.c @@ -81,6 +81,8 @@ struct xe_gt *xe_gt_alloc(struct xe_tile *tile) gt->tile = tile; gt->ordered_wq = alloc_ordered_workqueue("gt-ordered-wq", WQ_MEM_RECLAIM); + if (!gt->ordered_wq) + return ERR_PTR(-ENOMEM); err = drmm_add_action_or_reset(&gt_to_xe(gt)->drm, gt_fini, gt); if (err) -- 2.25.1

6 months, 2 weeks

1
0
0 0

[PATCH v2 1/1] iommu: Allow attaching static domains in iommu_attach_device_pasid()

by Lu Baolu

The idxd driver attaches the default domain to a PASID of the device to perform kernel DMA using that PASID. The domain is attached to the device's PASID through iommu_attach_device_pasid(), which checks if the domain->owner matches the iommu_ops retrieved from the device. If they do not match, it returns a failure. if (ops != domain->owner || pasid == IOMMU_NO_PASID) return -EINVAL; The static identity domain implemented by the intel iommu driver doesn't specify the domain owner. Therefore, kernel DMA with PASID doesn't work for the idxd driver if the device translation mode is set to passthrough. Generally the owner field of static domains are not set because they are already part of iommu ops. Add a helper domain_iommu_ops_compatible() that checks if a domain is compatible with the device's iommu ops. This helper explicitly allows the static blocked and identity domains associated with the device's iommu_ops to be considered compatible. Fixes: 2031c469f816 ("iommu/vt-d: Add support for static identity domain") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220031 Cc: stable(a)vger.kernel.org Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Link: https://lore.kernel.org/linux-iommu/20250422191554.GC1213339@ziepe.ca/ Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/iommu.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) Change log: -v2: - Make the solution generic for all static domains as suggested by Jason. -v1: https://lore.kernel.org/linux-iommu/20250422075422.2084548-1-baolu.lu@linux… diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 4f91a740c15f..abda40ec377a 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -3402,6 +3402,19 @@ static void __iommu_remove_group_pasid(struct iommu_group *group, iommu_remove_dev_pasid(device->dev, pasid, domain); } +static bool domain_iommu_ops_compatible(const struct iommu_ops *ops, + struct iommu_domain *domain) +{ + if (domain->owner == ops) + return true; + + /* For static domains, owner isn't set. */ + if (domain == ops->blocked_domain || domain == ops->identity_domain) + return true; + + return false; +} + /* * iommu_attach_device_pasid() - Attach a domain to pasid of device * @domain: the iommu domain. @@ -3435,7 +3448,8 @@ int iommu_attach_device_pasid(struct iommu_domain *domain, !ops->blocked_domain->ops->set_dev_pasid) return -EOPNOTSUPP; - if (ops != domain->owner || pasid == IOMMU_NO_PASID) + if (!domain_iommu_ops_compatible(ops, domain) || + pasid == IOMMU_NO_PASID) return -EINVAL; mutex_lock(&group->mutex); -- 2.43.0

6 months, 2 weeks

5
4
0 0

[PATCH net 0/2] mptcp: pm: Defer freeing userspace pm entries

by Matthieu Baerts (NGI0)

Here are two unrelated fixes for MPTCP: - Patch 1: free userspace PM entry with RCU helpers. A fix for v6.14. - Patch 2: avoid a warning when running diag.sh selftest. A fix for v6.15-rc1. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Geliang Tang (1): selftests: mptcp: diag: use mptcp_lib_get_info_value Mat Martineau (1): mptcp: pm: Defer freeing of MPTCP userspace path manager entries net/mptcp/pm_userspace.c | 6 +++++- tools/testing/selftests/net/mptcp/diag.sh | 5 ++--- 2 files changed, 7 insertions(+), 4 deletions(-) --- base-commit: 750d0ac001e85b754404178ee8ce01cbc76a03be change-id: 20250421-net-mptcp-pm-defer-freeing-f9cd01b70043 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

6 months, 2 weeks

2
2
0 0

+ selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: selftests/mm: compaction_test: support platform with huge mount of memory has been added to the -mm mm-hotfixes-unstable branch. Its filename is selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Feng Tang <feng.tang(a)linux.alibaba.com> Subject: selftests/mm: compaction_test: support platform with huge mount of memory Date: Wed, 23 Apr 2025 18:36:45 +0800 When running mm selftest to verify mm patches, 'compaction_test' case failed on an x86 server with 1TB memory. And the root cause is that it has too much free memory than what the test supports. The test case tries to allocate 100000 huge pages, which is about 200 GB for that x86 server, and when it succeeds, it expects it's large than 1/3 of 80% of the free memory in system. This logic only works for platform with 750 GB ( 200 / (1/3) / 80% ) or less free memory, and may raise false alarm for others. Fix it by changing the fixed page number to self-adjustable number according to the real number of free memory. Link: https://lkml.kernel.org/r/20250423103645.2758-1-feng.tang@linux.alibaba.com Fixes: bd67d5c15cc19 ("Test compaction of mlocked memory") Signed-off-by: Feng Tang <feng.tang(a)linux.alibaba.com> Acked-by: Dev Jain <dev.jain(a)arm.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Sri Jayaramappa <sjayaram(a)akamai.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/compaction_test.c | 19 ++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) --- a/tools/testing/selftests/mm/compaction_test.c~selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory +++ a/tools/testing/selftests/mm/compaction_test.c @@ -90,6 +90,8 @@ int check_compaction(unsigned long mem_f int compaction_index = 0; char nr_hugepages[20] = {0}; char init_nr_hugepages[24] = {0}; + char target_nr_hugepages[24] = {0}; + int slen; snprintf(init_nr_hugepages, sizeof(init_nr_hugepages), "%lu", initial_nr_hugepages); @@ -106,11 +108,18 @@ int check_compaction(unsigned long mem_f goto out; } - /* Request a large number of huge pages. The Kernel will allocate - as much as it can */ - if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { - ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", - strerror(errno)); + /* + * Request huge pages for about half of the free memory. The Kernel + * will allocate as much as it can, and we expect it will get at least 1/3 + */ + nr_hugepages_ul = mem_free / hugepage_size / 2; + snprintf(target_nr_hugepages, sizeof(target_nr_hugepages), + "%lu", nr_hugepages_ul); + + slen = strlen(target_nr_hugepages); + if (write(fd, target_nr_hugepages, slen) != slen) { + ksft_print_msg("Failed to write %lu to /proc/sys/vm/nr_hugepages: %s\n", + nr_hugepages_ul, strerror(errno)); goto close_fd; } _ Patches currently in -mm which might be from feng.tang(a)linux.alibaba.com are selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch

6 months, 2 weeks

1
0
0 0

[PATCH 1/2] Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary

by longli＠linuxonhyperv.com

From: Long Li <longli(a)microsoft.com> There are use cases that interrupt and monitor pages are mapped to user-mode through UIO, they need to be system page aligned. Some Hyper-V allocation APIs introduced earlier broke those requirements. Fix those APIs by always allocating Hyper-V page at system page boundaries. Cc: stable(a)vger.kernel.org Fixes: ca48739e59df ("Drivers: hv: vmbus: Move Hyper-V page allocator to arch neutral code") Signed-off-by: Long Li <longli(a)microsoft.com> --- drivers/hv/hv_common.c | 29 +++++++---------------------- 1 file changed, 7 insertions(+), 22 deletions(-) diff --git a/drivers/hv/hv_common.c b/drivers/hv/hv_common.c index a7d7494feaca..f426aaa9b8f9 100644 --- a/drivers/hv/hv_common.c +++ b/drivers/hv/hv_common.c @@ -106,41 +106,26 @@ void __init hv_common_free(void) } /* - * Functions for allocating and freeing memory with size and - * alignment HV_HYP_PAGE_SIZE. These functions are needed because - * the guest page size may not be the same as the Hyper-V page - * size. We depend upon kmalloc() aligning power-of-two size - * allocations to the allocation size boundary, so that the - * allocated memory appears to Hyper-V as a page of the size - * it expects. + * A Hyper-V page can be used by UIO for mapping to user-space, it should + * always be allocated on system page boundaries. */ - void *hv_alloc_hyperv_page(void) { - BUILD_BUG_ON(PAGE_SIZE < HV_HYP_PAGE_SIZE); - - if (PAGE_SIZE == HV_HYP_PAGE_SIZE) - return (void *)__get_free_page(GFP_KERNEL); - else - return kmalloc(HV_HYP_PAGE_SIZE, GFP_KERNEL); + BUILD_BUG_ON(PAGE_SIZE < HV_HYP_PAGE_SIZE); + return (void *)__get_free_page(GFP_KERNEL); } EXPORT_SYMBOL_GPL(hv_alloc_hyperv_page); void *hv_alloc_hyperv_zeroed_page(void) { - if (PAGE_SIZE == HV_HYP_PAGE_SIZE) - return (void *)__get_free_page(GFP_KERNEL | __GFP_ZERO); - else - return kzalloc(HV_HYP_PAGE_SIZE, GFP_KERNEL); + BUILD_BUG_ON(PAGE_SIZE < HV_HYP_PAGE_SIZE); + return (void *)__get_free_page(GFP_KERNEL | __GFP_ZERO); } EXPORT_SYMBOL_GPL(hv_alloc_hyperv_zeroed_page); void hv_free_hyperv_page(void *addr) { - if (PAGE_SIZE == HV_HYP_PAGE_SIZE) - free_page((unsigned long)addr); - else - kfree(addr); + free_page((unsigned long)addr); } EXPORT_SYMBOL_GPL(hv_free_hyperv_page); -- 2.34.1

6 months, 2 weeks

3
3
0 0

[PATCH 2/2] uio_hv_generic: Use correct size for interrupt and monitor pages

by longli＠linuxonhyperv.com

From: Long Li <longli(a)microsoft.com> Interrupt and monitor pages should be in Hyper-V page size (4k bytes). This can be different to the system page size. Cc: stable(a)vger.kernel.org Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus") Signed-off-by: Long Li <longli(a)microsoft.com> --- drivers/uio/uio_hv_generic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 1b19b5647495..08385b04c4ab 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -287,13 +287,13 @@ hv_uio_probe(struct hv_device *dev, pdata->info.mem[INT_PAGE_MAP].name = "int_page"; pdata->info.mem[INT_PAGE_MAP].addr = (uintptr_t)vmbus_connection.int_page; - pdata->info.mem[INT_PAGE_MAP].size = PAGE_SIZE; + pdata->info.mem[INT_PAGE_MAP].size = HV_HYP_PAGE_SIZE; pdata->info.mem[INT_PAGE_MAP].memtype = UIO_MEM_LOGICAL; pdata->info.mem[MON_PAGE_MAP].name = "monitor_page"; pdata->info.mem[MON_PAGE_MAP].addr = (uintptr_t)vmbus_connection.monitor_pages[1]; - pdata->info.mem[MON_PAGE_MAP].size = PAGE_SIZE; + pdata->info.mem[MON_PAGE_MAP].size = HV_HYP_PAGE_SIZE; pdata->info.mem[MON_PAGE_MAP].memtype = UIO_MEM_LOGICAL; if (channel->device_id == HV_NIC) { -- 2.34.1

6 months, 2 weeks

3
3
0 0

[PATCH] ext4: fix off-by-one error in do_split

by Artem Sadovnikov

Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split. BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847 CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431 vfs_symlink+0x137/0x2e0 fs/namei.c:4615 do_symlinkat+0x222/0x3a0 fs/namei.c:4641 __do_sys_symlink fs/namei.c:4662 [inline] __se_sys_symlink fs/namei.c:4660 [inline] __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The following loop is located right above 'if' statement. for (i = count-1; i >= 0; i--) { /* is more than half of this entry in 2nd half of the block? */ if (size + map[i].size/2 > blocksize/2) break; size += map[i].size; move++; } 'i' in this case could go down to -1, in which case sum of active entries wouldn't exceed half the block size, but previous behaviour would also do split in half if sum would exceed at the very last block, which in case of having too many long name files in a single block could lead to out-of-bounds access and following use-after-free. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Cc: stable(a)vger.kernel.org Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()") Signed-off-by: Artem Sadovnikov <a.sadovnikov(a)ispras.ru> --- fs/ext4/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index cb5cb33b1d91..e9712e64ec8f 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -1971,7 +1971,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, * split it in half by count; each resulting block will have at least * half the space free. */ - if (i > 0) + if (i >= 0) split = count - move; else split = count/2; -- 2.43.0

6 months, 2 weeks

3
4
0 0

[PATCH v4 5/6] media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval

by Mathis Foerst

Getting / Setting the frame interval using the V4L2 subdev pad ops get_frame_interval/set_frame_interval causes a deadlock, as the subdev state is locked in the [1] but also in the driver itself. In [2] it's described that the caller is responsible to acquire and release the lock in this case. Therefore, acquiring the lock in the driver is wrong. Remove the lock acquisitions/releases from mt9m114_ifp_get_frame_interval() and mt9m114_ifp_set_frame_interval(). [1] drivers/media/v4l2-core/v4l2-subdev.c - line 1129 [2] Documentation/driver-api/media/v4l2-subdev.rst Fixes: 24d756e914fc ("media: i2c: Add driver for onsemi MT9M114 camera sensor") Cc: stable(a)vger.kernel.org Signed-off-by: Mathis Foerst <mathis.foerst(a)mt.com> --- drivers/media/i2c/mt9m114.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/drivers/media/i2c/mt9m114.c b/drivers/media/i2c/mt9m114.c index 65b9124e464f..79c97ab19be9 100644 --- a/drivers/media/i2c/mt9m114.c +++ b/drivers/media/i2c/mt9m114.c @@ -1644,13 +1644,9 @@ static int mt9m114_ifp_get_frame_interval(struct v4l2_subdev *sd, if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) return -EINVAL; - mutex_lock(sensor->ifp.hdl.lock); - ival->numerator = 1; ival->denominator = sensor->ifp.frame_rate; - mutex_unlock(sensor->ifp.hdl.lock); - return 0; } @@ -1669,8 +1665,6 @@ static int mt9m114_ifp_set_frame_interval(struct v4l2_subdev *sd, if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) return -EINVAL; - mutex_lock(sensor->ifp.hdl.lock); - if (ival->numerator != 0 && ival->denominator != 0) sensor->ifp.frame_rate = min_t(unsigned int, ival->denominator / ival->numerator, @@ -1684,8 +1678,6 @@ static int mt9m114_ifp_set_frame_interval(struct v4l2_subdev *sd, if (sensor->streaming) ret = mt9m114_set_frame_rate(sensor); - mutex_unlock(sensor->ifp.hdl.lock); - return ret; } -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI

by bin.lan.cn＠windriver.com

From: James Smart <jsmart2021(a)gmail.com> [ Upstream commit 577a942df3de2666f6947bdd3a5c9e8d30073424 ] If lpfc_issue_els_flogi() fails and returns non-zero status, the node reference count is decremented to trigger the release of the nodelist structure. However, if there is a prior registration or dev-loss-evt work pending, the node may be released prematurely. When dev-loss-evt completes, the released node is referenced causing a use-after-free null pointer dereference. Similarly, when processing non-zero ELS PLOGI completion status in lpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport registration before triggering node removal. If dev-loss-evt work is pending, the node may be released prematurely and a subsequent call to lpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference. Add test for pending dev-loss before decrementing the node reference count for FLOGI, PLOGI, PRLI, and ADISC handling. Link: https://lore.kernel.org/r/20220412222008.126521-9-jsmart2021@gmail.com Co-developed-by: Justin Tee <justin.tee(a)broadcom.com> Signed-off-by: Justin Tee <justin.tee(a)broadcom.com> Signed-off-by: James Smart <jsmart2021(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> [Minor context change fixed.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/scsi/lpfc/lpfc_els.c | 51 +++++++++++++++++++++++++----------- 1 file changed, 35 insertions(+), 16 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c index 5f44a0763f37..134d56bd00da 100644 --- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -1517,10 +1517,13 @@ lpfc_initial_flogi(struct lpfc_vport *vport) } if (lpfc_issue_els_flogi(vport, ndlp, 0)) { - /* This decrement of reference count to node shall kick off - * the release of the node. + /* A node reference should be retained while registered with a + * transport or dev-loss-evt work is pending. + * Otherwise, decrement node reference to trigger release. */ - lpfc_nlp_put(ndlp); + if (!(ndlp->fc4_xpt_flags & (SCSI_XPT_REGD | NVME_XPT_REGD)) && + !(ndlp->nlp_flag & NLP_IN_DEV_LOSS)) + lpfc_nlp_put(ndlp); return 0; } return 1; @@ -1563,10 +1566,13 @@ lpfc_initial_fdisc(struct lpfc_vport *vport) } if (lpfc_issue_els_fdisc(vport, ndlp, 0)) { - /* decrement node reference count to trigger the release of - * the node. + /* A node reference should be retained while registered with a + * transport or dev-loss-evt work is pending. + * Otherwise, decrement node reference to trigger release. */ - lpfc_nlp_put(ndlp); + if (!(ndlp->fc4_xpt_flags & (SCSI_XPT_REGD | NVME_XPT_REGD)) && + !(ndlp->nlp_flag & NLP_IN_DEV_LOSS)) + lpfc_nlp_put(ndlp); return 0; } return 1; @@ -1967,6 +1973,7 @@ lpfc_cmpl_els_plogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, struct lpfc_dmabuf *prsp; int disc; struct serv_parm *sp = NULL; + bool release_node = false; /* we pass cmdiocb to state machine which needs rspiocb as well */ cmdiocb->context_un.rsp_iocb = rspiocb; @@ -2047,19 +2054,21 @@ lpfc_cmpl_els_plogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, spin_unlock_irq(&ndlp->lock); goto out; } - spin_unlock_irq(&ndlp->lock); /* No PLOGI collision and the node is not registered with the * scsi or nvme transport. It is no longer an active node. Just * start the device remove process. */ if (!(ndlp->fc4_xpt_flags & (SCSI_XPT_REGD | NVME_XPT_REGD))) { - spin_lock_irq(&ndlp->lock); ndlp->nlp_flag &= ~NLP_NPR_2B_DISC; - spin_unlock_irq(&ndlp->lock); + if (!(ndlp->nlp_flag & NLP_IN_DEV_LOSS)) + release_node = true; + } + spin_unlock_irq(&ndlp->lock); + + if (release_node) lpfc_disc_state_machine(vport, ndlp, cmdiocb, NLP_EVT_DEVICE_RM); - } } else { /* Good status, call state machine */ prsp = list_entry(((struct lpfc_dmabuf *) @@ -2269,6 +2278,7 @@ lpfc_cmpl_els_prli(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, struct lpfc_nodelist *ndlp; char *mode; u32 loglevel; + bool release_node = false; /* we pass cmdiocb to state machine which needs rspiocb as well */ cmdiocb->context_un.rsp_iocb = rspiocb; @@ -2335,14 +2345,18 @@ lpfc_cmpl_els_prli(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, * it is no longer an active node. Otherwise devloss * handles the final cleanup. */ + spin_lock_irq(&ndlp->lock); if (!(ndlp->fc4_xpt_flags & (SCSI_XPT_REGD | NVME_XPT_REGD)) && !ndlp->fc4_prli_sent) { - spin_lock_irq(&ndlp->lock); ndlp->nlp_flag &= ~NLP_NPR_2B_DISC; - spin_unlock_irq(&ndlp->lock); + if (!(ndlp->nlp_flag & NLP_IN_DEV_LOSS)) + release_node = true; + } + spin_unlock_irq(&ndlp->lock); + + if (release_node) lpfc_disc_state_machine(vport, ndlp, cmdiocb, NLP_EVT_DEVICE_RM); - } } else { /* Good status, call state machine. However, if another * PRLI is outstanding, don't call the state machine @@ -2713,6 +2727,7 @@ lpfc_cmpl_els_adisc(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, IOCB_t *irsp; struct lpfc_nodelist *ndlp; int disc; + bool release_node = false; /* we pass cmdiocb to state machine which needs rspiocb as well */ cmdiocb->context_un.rsp_iocb = rspiocb; @@ -2771,13 +2786,17 @@ lpfc_cmpl_els_adisc(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, * transport, it is no longer an active node. Otherwise * devloss handles the final cleanup. */ + spin_lock_irq(&ndlp->lock); if (!(ndlp->fc4_xpt_flags & (SCSI_XPT_REGD | NVME_XPT_REGD))) { - spin_lock_irq(&ndlp->lock); ndlp->nlp_flag &= ~NLP_NPR_2B_DISC; - spin_unlock_irq(&ndlp->lock); + if (!(ndlp->nlp_flag & NLP_IN_DEV_LOSS)) + release_node = true; + } + spin_unlock_irq(&ndlp->lock); + + if (release_node) lpfc_disc_state_machine(vport, ndlp, cmdiocb, NLP_EVT_DEVICE_RM); - } } else /* Good status, call state machine */ lpfc_disc_state_machine(vport, ndlp, cmdiocb, -- 2.34.1

6 months, 2 weeks

2
1
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) variable 'is_redirect' is used uninitialized whenever 'if' conditi...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- variable 'is_redirect' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] in net/sched/act_mirred.o (net/sched/act_mirred.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:72f9cc14e764580fd20bda28956c2ddf82023571 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: dd688b41d9038dbc86718bae12ed995d596c1de5 Log excerpt: ===================================================== net/sched/act_mirred.c:264:6: error: variable 'is_redirect' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] 264 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ net/sched/act_mirred.c:331:6: note: uninitialized use occurs here 331 | if (is_redirect) | ^~~~~~~~~~~ net/sched/act_mirred.c:264:2: note: remove the 'if' if its condition is always false 264 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 265 | net_notice_ratelimited("tc mirred to Houston: device %s is down\n", | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 266 | dev->name); | ~~~~~~~~~~~ 267 | goto err_cant_do; | ~~~~~~~~~~~~~~~~~ 268 | } | ~ net/sched/act_mirred.c:264:6: error: variable 'is_redirect' is used uninitialized whenever '||' condition is true [-Werror,-Wsometimes-uninitialized] 264 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ net/sched/act_mirred.c:331:6: note: uninitialized use occurs here 331 | if (is_redirect) | ^~~~~~~~~~~ net/sched/act_mirred.c:264:6: note: remove the '||' if its condition is always false 264 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ net/sched/act_mirred.c:259:6: error: variable 'is_redirect' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] 259 | if (unlikely(!dev)) { | ^~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ net/sched/act_mirred.c:331:6: note: uninitialized use occurs here 331 | if (is_redirect) | ^~~~~~~~~~~ net/sched/act_mirred.c:259:2: note: remove the 'if' if its condition is always false 259 | if (unlikely(!dev)) { | ^~~~~~~~~~~~~~~~~~~~~ 260 | pr_notice_once("tc mirred: target device is gone\n"); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 261 | goto err_cant_do; | ~~~~~~~~~~~~~~~~~ 262 | } | ~ net/sched/act_mirred.c:237:18: note: initialize the variable 'is_redirect' to silence this warning 237 | bool is_redirect; | ^ | = 0 3 errors generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6808fe8b43948caad9509059 #kernelci issue maestro:72f9cc14e764580fd20bda28956c2ddf82023571 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

6 months, 2 weeks

1
0
0 0

[PATCH v2 1/2] drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

by Philipp Stanner

Nouveau is mostly designed in a way that it's expected that fences only ever get signaled through nouveau_fence_signal(). However, in at least one other place, nouveau_fence_done(), can signal fences, too. If that happens (race) a signaled fence remains in the pending list for a while, until it gets removed by nouveau_fence_update(). Should nouveau_fence_context_kill() run in the meantime, this would be a bug because the function would attempt to set an error code on an already signaled fence. Have nouveau_fence_context_kill() check for a fence being signaled. Cc: <stable(a)vger.kernel.org> # v5.10+ Fixes: ea13e5abf807 ("drm/nouveau: signal pending fences when channel has been killed") Suggested-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c index 7622587f149e..6ded8c2b6d3b 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fence.c +++ b/drivers/gpu/drm/nouveau/nouveau_fence.c @@ -90,7 +90,7 @@ nouveau_fence_context_kill(struct nouveau_fence_chan *fctx, int error) while (!list_empty(&fctx->pending)) { fence = list_entry(fctx->pending.next, typeof(*fence), head); - if (error) + if (error && !dma_fence_is_signaled_locked(&fence->base)) dma_fence_set_error(&fence->base, error); if (nouveau_fence_signal(fence)) -- 2.48.1

6 months, 2 weeks

2
1
0 0

Potential Linux Crash: WARNING in ext4_mb_load_buddy_gfp in linux6.12.24(longterm maintenance)

by ffhgfv

Hello, I found a potential bug titled " WARNING in ext4_mb_load_buddy_gfp " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). It seems to be a problem with the ext4 subsystem. Unfortunately, I am unable to reproduce this bug. If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <xnxc22xnxc22(a)qq.com>, xingwei lee <xrivendell7(a)gmail.com>,Penglei Jiang <superman.xpt(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 ------------[ cut here ]----------------------------------------- TITLE: WARNING in ext4_mb_load_buddy_gfp ------------[ cut here ]------------ WARNING: CPU: 0 PID: 96 at mm/page_alloc.c:4240 __alloc_pages_slowpath mm/page_alloc.c:4240 [inline] WARNING: CPU: 0 PID: 96 at mm/page_alloc.c:4240 __alloc_pages_noprof+0x1a1d/0x21f0 mm/page_alloc.c:4767 Modules linked in: CPU: 0 UID: 0 PID: 96 Comm: kswapd0 Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__alloc_pages_slowpath mm/page_alloc.c:4240 [inline] RIP: 0010:__alloc_pages_noprof+0x1a1d/0x21f0 mm/page_alloc.c:4767 Code: 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 a2 07 00 00 f6 43 2d 08 0f 84 bd ea ff ff 90 <0f> 0b 90 e9 b4 ea ff ff 65 8b 15 70 e5 23 7e 83 fa 07 0f 87 56 06 RSP: 0000:ffffc90001376e18 EFLAGS: 00010202 RAX: 0000000000000007 RBX: ffff888042ac4a00 RCX: ffffc90001376f44 RDX: 0000000000000000 RSI: 1ffff9200026edb0 RDI: ffff888042ac4a2c RBP: ffff88803fffbc80 R08: 000000000000699a R09: 0000000000000400 R10: ffff88807ffda357 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffffffffffff R14: 0000000000048c40 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4969a4e7b0 CR3: 000000002719c000 CR4: 0000000000752ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <task> alloc_pages_mpol_noprof+0x2b6/0x600 mm/mempolicy.c:2269 folio_alloc_noprof+0x21/0xc0 mm/mempolicy.c:2356 filemap_alloc_folio_noprof+0x3d2/0x470 mm/filemap.c:1010 __filemap_get_folio+0x57f/0xb00 mm/filemap.c:1952 ext4_mb_load_buddy_gfp+0x74d/0x10c0 fs/ext4/mballoc.c:1640 ext4_discard_preallocations+0x539/0xf00 fs/ext4/mballoc.c:5592 ext4_clear_inode+0x3d/0x230 fs/ext4/super.c:1523 ext4_evict_inode+0x243/0x18c0 fs/ext4/inode.c:323 evict+0x3ef/0x940 fs/inode.c:725 dispose_list+0x117/0x1e0 fs/inode.c:774 prune_icache_sb+0xeb/0x150 fs/inode.c:963 super_cache_scan+0x37f/0x570 fs/super.c:223 do_shrink_slab+0x44b/0x1190 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0xb61/0x12a0 mm/shrinker.c:628 shrink_one+0x4ad/0x7c0 mm/vmscan.c:4835 shrink_many mm/vmscan.c:4896 [inline] lru_gen_shrink_node mm/vmscan.c:4974 [inline] shrink_node+0x2420/0x3890 mm/vmscan.c:5954 kswapd_shrink_node mm/vmscan.c:6782 [inline] balance_pgdat+0xbe5/0x18c0 mm/vmscan.c:6974 kswapd+0x702/0xd50 mm/vmscan.c:7243 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </task> ================================================================== I hope it helps. Best regards Jianzhou Zhao</superman.xpt(a)gmail.com></xrivendell7(a)gmail.com></xnxc22xnxc22(a)qq.com>

6 months, 2 weeks

1
0
0 0

[tip: x86/urgent] x86/mm: Fix _pgd_alloc() for Xen PV mode

by tip-bot2 for Juergen Gross

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 4ce385f56434f3810ef103e1baea357ddcc6667e Gitweb: https://git.kernel.org/tip/4ce385f56434f3810ef103e1baea357ddcc6667e Author: Juergen Gross <jgross(a)suse.com> AuthorDate: Tue, 22 Apr 2025 15:17:17 +02:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Wed, 23 Apr 2025 07:49:14 -07:00 x86/mm: Fix _pgd_alloc() for Xen PV mode Recently _pgd_alloc() was switched from using __get_free_pages() to pagetable_alloc_noprof(), which might return a compound page in case the allocation order is larger than 0. On x86 this will be the case if CONFIG_MITIGATION_PAGE_TABLE_ISOLATION is set, even if PTI has been disabled at runtime. When running as a Xen PV guest (this will always disable PTI), using a compound page for a PGD will result in VM_BUG_ON_PGFLAGS being triggered when the Xen code tries to pin the PGD. Fix the Xen issue together with the not needed 8k allocation for a PGD with PTI disabled by replacing PGD_ALLOCATION_ORDER with an inline helper returning the needed order for PGD allocations. Fixes: a9b3c355c2e6 ("asm-generic: pgalloc: provide generic __pgd_{alloc,free}") Reported-by: Petr Vaněk <arkamar(a)atlas.cz> Signed-off-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Tested-by: Petr Vaněk <arkamar(a)atlas.cz> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250422131717.25724-1-jgross%40suse.com --- arch/x86/include/asm/pgalloc.h | 19 +++++++++++-------- arch/x86/kernel/machine_kexec_32.c | 4 ++-- arch/x86/mm/pgtable.c | 4 ++-- arch/x86/platform/efi/efi_64.c | 4 ++-- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index a331475..c88691b 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -6,6 +6,8 @@ #include <linux/mm.h> /* for struct page */ #include <linux/pagemap.h> +#include <asm/cpufeature.h> + #define __HAVE_ARCH_PTE_ALLOC_ONE #define __HAVE_ARCH_PGD_FREE #include <asm-generic/pgalloc.h> @@ -29,16 +31,17 @@ static inline void paravirt_release_pud(unsigned long pfn) {} static inline void paravirt_release_p4d(unsigned long pfn) {} #endif -#ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION /* - * Instead of one PGD, we acquire two PGDs. Being order-1, it is - * both 8k in size and 8k-aligned. That lets us just flip bit 12 - * in a pointer to swap between the two 4k halves. + * In case of Page Table Isolation active, we acquire two PGDs instead of one. + * Being order-1, it is both 8k in size and 8k-aligned. That lets us just + * flip bit 12 in a pointer to swap between the two 4k halves. */ -#define PGD_ALLOCATION_ORDER 1 -#else -#define PGD_ALLOCATION_ORDER 0 -#endif +static inline unsigned int pgd_allocation_order(void) +{ + if (cpu_feature_enabled(X86_FEATURE_PTI)) + return 1; + return 0; +} /* * Allocate and free page tables. diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c index 8026516..1f32530 100644 --- a/arch/x86/kernel/machine_kexec_32.c +++ b/arch/x86/kernel/machine_kexec_32.c @@ -42,7 +42,7 @@ static void load_segments(void) static void machine_kexec_free_page_tables(struct kimage *image) { - free_pages((unsigned long)image->arch.pgd, PGD_ALLOCATION_ORDER); + free_pages((unsigned long)image->arch.pgd, pgd_allocation_order()); image->arch.pgd = NULL; #ifdef CONFIG_X86_PAE free_page((unsigned long)image->arch.pmd0); @@ -59,7 +59,7 @@ static void machine_kexec_free_page_tables(struct kimage *image) static int machine_kexec_alloc_page_tables(struct kimage *image) { image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, - PGD_ALLOCATION_ORDER); + pgd_allocation_order()); #ifdef CONFIG_X86_PAE image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL); image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index a05fcdd..f7ae44d 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -360,7 +360,7 @@ static inline pgd_t *_pgd_alloc(struct mm_struct *mm) * We allocate one page for pgd. */ if (!SHARED_KERNEL_PMD) - return __pgd_alloc(mm, PGD_ALLOCATION_ORDER); + return __pgd_alloc(mm, pgd_allocation_order()); /* * Now PAE kernel is not running as a Xen domain. We can allocate @@ -380,7 +380,7 @@ static inline void _pgd_free(struct mm_struct *mm, pgd_t *pgd) static inline pgd_t *_pgd_alloc(struct mm_struct *mm) { - return __pgd_alloc(mm, PGD_ALLOCATION_ORDER); + return __pgd_alloc(mm, pgd_allocation_order()); } static inline void _pgd_free(struct mm_struct *mm, pgd_t *pgd) diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c index ac57259..a4b4ebd 100644 --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -73,7 +73,7 @@ int __init efi_alloc_page_tables(void) gfp_t gfp_mask; gfp_mask = GFP_KERNEL | __GFP_ZERO; - efi_pgd = (pgd_t *)__get_free_pages(gfp_mask, PGD_ALLOCATION_ORDER); + efi_pgd = (pgd_t *)__get_free_pages(gfp_mask, pgd_allocation_order()); if (!efi_pgd) goto fail; @@ -96,7 +96,7 @@ free_p4d: if (pgtable_l5_enabled()) free_page((unsigned long)pgd_page_vaddr(*pgd)); free_pgd: - free_pages((unsigned long)efi_pgd, PGD_ALLOCATION_ORDER); + free_pages((unsigned long)efi_pgd, pgd_allocation_order()); fail: return -ENOMEM; }

6 months, 2 weeks

1
0
0 0

[PATCH] fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()

by Max Kellermann

Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadlock because folio_unlock() was called twice, and the second call would XOR back the `PG_locked` flag. Most of the time (depending on the timing of the truncation), nobody notices the problem because folio_unlock() gets called three times, which flips `PG_locked` back off: 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio, nfs_return_empty_folio 2. vfs_read, nfs_read_folio, ... netfs_read_collection, netfs_unlock_abandoned_read_pages 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio, nfs_return_empty_folio The problem is that nfs_read_add_folio() is not supposed to unlock the folio if fscache is enabled, and a nfs_netfs_folio_unlock() check is missing in nfs_return_empty_folio(). Rarely this leads to a warning in netfs_read_collection(): ------------[ cut here ]------------ R=0000031c: folio 10 is not locked WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00 [...] Workqueue: events_unbound netfs_read_collection_worker RIP: 0010:netfs_read_collection+0x7c0/0xf00 [...] Call Trace: <TASK> netfs_read_collection_worker+0x67/0x80 process_one_work+0x12e/0x2c0 worker_thread+0x295/0x3a0 Most of the time, however, processes just get stuck forever in folio_wait_bit_common(), waiting for `PG_locked` to disappear, which never happens because nobody is really holding the folio lock. Fixes: 000dbe0bec05 ("NFS: Convert buffered read paths to use netfs when fscache is enabled") Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- fs/nfs/read.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/nfs/read.c b/fs/nfs/read.c index 81bd1b9aba17..3c1fa320b3f1 100644 --- a/fs/nfs/read.c +++ b/fs/nfs/read.c @@ -56,7 +56,8 @@ static int nfs_return_empty_folio(struct folio *folio) { folio_zero_segment(folio, 0, folio_size(folio)); folio_mark_uptodate(folio); - folio_unlock(folio); + if (nfs_netfs_folio_unlock(folio)) + folio_unlock(folio); return 0; } -- 2.47.2

6 months, 2 weeks

2
1
0 0

[PATCH v5.4.y] usb: dwc3: core: Do core softreset when switch mode

by Hardik Gohil

From: Yu Chen <chenyu56(a)huawei.com> commit f88359e1588b85cf0e8209ab7d6620085f3441d9 upstream. From: John Stultz <john.stultz(a)linaro.org> According to the programming guide, to switch mode for DRD controller, the driver needs to do the following. To switch from device to host: 1. Reset controller with GCTL.CoreSoftReset 2. Set GCTL.PrtCapDir(host mode) 3. Reset the host with USBCMD.HCRESET 4. Then follow up with the initializing host registers sequence To switch from host to device: 1. Reset controller with GCTL.CoreSoftReset 2. Set GCTL.PrtCapDir(device mode) 3. Reset the device with DCTL.CSftRst 4. Then follow up with the initializing registers sequence Currently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of switching from host to device. John Stult reported a lockup issue seen with HiKey960 platform without these steps[1]. Similar issue is observed with Ferry's testing platform[2]. So, apply the required steps along with some fixes to Yu Chen's and John Stultz's version. The main fixes to their versions are the missing wait for clocks synchronization before clearing GCTL.CoreSoftReset and only apply DCTL.CSftRst when switching from host to device. [1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro… [2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmai… Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly") Cc: Andy Shevchenko <andy.shevchenko(a)gmail.com> Cc: Ferry Toth <fntoth(a)gmail.com> Cc: Wesley Cheng <wcheng(a)codeaurora.org> Cc: <stable(a)vger.kernel.org> Tested-by: John Stultz <john.stultz(a)linaro.org> Tested-by: Wesley Cheng <wcheng(a)codeaurora.org> Signed-off-by: Yu Chen <chenyu56(a)huawei.com> Signed-off-by: John Stultz <john.stultz(a)linaro.org> Signed-off-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Link: https://lore.kernel.org/r/374440f8dcd4f06c02c2caf4b1efde86774e02d9.16185216… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Hardik Gohil <hgohil(a)mvista.com> --- this fix is missing in v5.4.y stable version apply the following dependend patch before applying this patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… drivers/usb/dwc3/core.c | 25 +++++++++++++++++++++++++ drivers/usb/dwc3/core.h | 5 +++++ 2 files changed, 30 insertions(+) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 1a420c00d6ca..650eb4f735f9 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -122,6 +122,8 @@ static void __dwc3_set_mode(struct work_struct *work) if (dwc->dr_mode != USB_DR_MODE_OTG) return; + mutex_lock(&dwc->mutex); + pm_runtime_get_sync(dwc->dev); if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_OTG) @@ -155,6 +157,25 @@ static void __dwc3_set_mode(struct work_struct *work) break; } + /* For DRD host or device mode only */ + if (dwc->desired_dr_role != DWC3_GCTL_PRTCAP_OTG) { + reg = dwc3_readl(dwc->regs, DWC3_GCTL); + reg |= DWC3_GCTL_CORESOFTRESET; + dwc3_writel(dwc->regs, DWC3_GCTL, reg); + + /* + * Wait for internal clocks to synchronized. DWC_usb31 and + * DWC_usb32 may need at least 50ms (less for DWC_usb3). To + * keep it consistent across different IPs, let's wait up to + * 100ms before clearing GCTL.CORESOFTRESET. + */ + msleep(100); + + reg = dwc3_readl(dwc->regs, DWC3_GCTL); + reg &= ~DWC3_GCTL_CORESOFTRESET; + dwc3_writel(dwc->regs, DWC3_GCTL, reg); + } + spin_lock_irqsave(&dwc->lock, flags); dwc3_set_prtcap(dwc, dwc->desired_dr_role); @@ -179,6 +200,8 @@ static void __dwc3_set_mode(struct work_struct *work) } break; case DWC3_GCTL_PRTCAP_DEVICE: + dwc3_core_soft_reset(dwc); + dwc3_event_buffers_setup(dwc); if (dwc->usb2_phy) @@ -201,6 +224,7 @@ static void __dwc3_set_mode(struct work_struct *work) out: pm_runtime_mark_last_busy(dwc->dev); pm_runtime_put_autosuspend(dwc->dev); + mutex_unlock(&dwc->mutex); } void dwc3_set_mode(struct dwc3 *dwc, u32 mode) @@ -1511,6 +1535,7 @@ static int dwc3_probe(struct platform_device *pdev) dwc3_cache_hwparams(dwc); spin_lock_init(&dwc->lock); + mutex_init(&dwc->mutex); pm_runtime_get_noresume(dev); pm_runtime_set_active(dev); diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index 34f3fbba391b..44b0239676a1 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -13,6 +13,7 @@ #include <linux/device.h> #include <linux/spinlock.h> +#include <linux/mutex.h> #include <linux/ioport.h> #include <linux/list.h> #include <linux/bitops.h> @@ -929,6 +930,7 @@ struct dwc3_scratchpad_array { * @scratch_addr: dma address of scratchbuf * @ep0_in_setup: one control transfer is completed and enter setup phase * @lock: for synchronizing + * @mutex: for mode switching * @dev: pointer to our struct device * @sysdev: pointer to the DMA-capable device * @xhci: pointer to our xHCI child @@ -1061,6 +1063,9 @@ struct dwc3 { /* device lock */ spinlock_t lock; + /* mode switching lock */ + struct mutex mutex; + struct device *dev; struct device *sysdev; -- 2.25.1

6 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 723ef0e20dbb2aa1b5406d2bb75374fc48187daa # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032414-unsheathe-greedily-1d17@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 723ef0e20dbb2aa1b5406d2bb75374fc48187daa Mon Sep 17 00:00:00 2001 From: Kamal Dasu <kamal.dasu(a)broadcom.com> Date: Tue, 11 Mar 2025 12:59:35 -0400 Subject: [PATCH] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops cqhci timeouts observed on brcmstb platforms during suspend: ... [ 164.832853] mmc0: cqhci: timeout for tag 18 ... Adding cqhci_suspend()/resume() calls to disable cqe in sdhci_brcmstb_suspend()/resume() respectively to fix CQE timeouts seen on PM suspend. Fixes: d46ba2d17f90 ("mmc: sdhci-brcmstb: Add support for Command Queuing (CQE)") Cc: stable(a)vger.kernel.org Signed-off-by: Kamal Dasu <kamal.dasu(a)broadcom.com> Reviewed-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://lore.kernel.org/r/20250311165946.28190-1-kamal.dasu@broadcom.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/sdhci-brcmstb.c b/drivers/mmc/host/sdhci-brcmstb.c index 0ef4d578ade8..48cdcba0f39c 100644 --- a/drivers/mmc/host/sdhci-brcmstb.c +++ b/drivers/mmc/host/sdhci-brcmstb.c @@ -503,8 +503,15 @@ static int sdhci_brcmstb_suspend(struct device *dev) struct sdhci_host *host = dev_get_drvdata(dev); struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host); + int ret; clk_disable_unprepare(priv->base_clk); + if (host->mmc->caps2 & MMC_CAP2_CQE) { + ret = cqhci_suspend(host->mmc); + if (ret) + return ret; + } + return sdhci_pltfm_suspend(dev); } @@ -529,6 +536,9 @@ static int sdhci_brcmstb_resume(struct device *dev) ret = clk_set_rate(priv->base_clk, priv->base_freq_hz); } + if (host->mmc->caps2 & MMC_CAP2_CQE) + ret = cqhci_resume(host->mmc); + return ret; } #endif

6 months, 2 weeks

3
7
0 0

[PATCH 0/2] regulator: max20086: Fixes chip id and enable gpio

by João Paulo Gonçalves

Hello, I'm working on integrating a system with a MAX20086 and noticed these small issues in the driver: the chip ID for MAX20086 is 0x30 and not 0x40. Also, in my use case, the enable pin is always enabled by hardware, so the enable GPIO isn't needed. Without these changes, the driver fails to probe. Signed-off-by: João Paulo Gonçalves <jpaulo.silvagoncalves(a)gmail.com> --- João Paulo Gonçalves (2): regulator: max20086: Fix MAX200086 chip id regulator: max20086: Change enable gpio to optional drivers/regulator/max20086-regulator.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- base-commit: 6fea5fabd3323cd27b2ab5143263f37ff29550cb change-id: 20250420-fix-max20086-430a63f7a9eb Best regards, -- João Paulo Gonçalves <jpaulo.silvagoncalves(a)gmail.com>

6 months, 2 weeks

2
3
0 0

[PATCH] usb: typec: ucsi: fix Clang -Wsign-conversion warning

by Qasim Ijaz

debugfs.c emits the following warnings when compiling with the -Wsign-conversion flag with clang 15: drivers/usb/typec/ucsi/debugfs.c:58:27: warning: implicit conversion changes signedness: 'int' to 'u32' (aka 'unsigned int') [-Wsign-conversion] ucsi->debugfs->status = ret; ~ ^~~ drivers/usb/typec/ucsi/debugfs.c:71:25: warning: implicit conversion changes signedness: 'u32' (aka 'unsigned int') to 'int' [-Wsign-conversion] return ucsi->debugfs->status; ~~~~~~ ~~~~~~~~~~~~~~~^~~~~~ During ucsi_cmd() we see: if (ret < 0) { ucsi->debugfs->status = ret; return ret; } But "status" is u32 meaning unsigned wrap-around occurs when assigning a value which is < 0 to it, this obscures the real status. To fix this make the "status" of type int since ret is also of type int. Fixes: df0383ffad64 ("usb: typec: ucsi: Add debugfs for ucsi commands") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/usb/typec/ucsi/ucsi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h index 3a2c1762bec1..525d28160413 100644 --- a/drivers/usb/typec/ucsi/ucsi.h +++ b/drivers/usb/typec/ucsi/ucsi.h @@ -432,7 +432,7 @@ struct ucsi_debugfs_entry { u64 low; u64 high; } response; - u32 status; + int status; struct dentry *dentry; }; -- 2.39.5

6 months, 2 weeks

2
1
0 0

[PATCH stable 6.12 0/8] bpf: track changes_pkt_data property for global functions

by Shung-Hsi Yu

While stable 6.12 has commit 1a4607ffba35 ("bpf: consider that tail calls invalidate packet pointers") backported, that alone is not enough to fix the issue reported by Nick Zavaritsky[1]. This is evident when running the verifier_sock/invalidate_pkt_pointers_from_global_func and verifier_sock/invalidate_pkt_pointers_by_tail_call BPF selftests[2]. Error: #529 verifier_sock Error: #529/57 verifier_sock/invalidate_pkt_pointers_from_global_func run_subtest:PASS:obj_open_mem 0 nsec run_subtest:FAIL:unexpected_load_success unexpected success: 0 Error: #529/58 verifier_sock/invalidate_pkt_pointers_by_tail_call run_subtest:PASS:obj_open_mem 0 nsec run_subtest:FAIL:unexpected_load_success unexpected success: 0 Fix the issue by backporting the entire "bpf: track changes_pkt_data property for global functions" series[3], along with the follow up, "bpf: fix NPE when computing changes_pkt_data of program w/o subprograms" series[4]; both from Eduard. With this series applied the test above no longer fails[5]. 1: https://lore.kernel.org/bpf/0498CA22-5779-4767-9C0C-A9515CEA711F@gmail.com/ 2: https://github.com/shunghsiyu/libbpf/actions/runs/14591085098/job/409263031… 3: https://lore.kernel.org/all/20241210041100.1898468-1-eddyz87@gmail.com/ 4: https://lore.kernel.org/all/20241212070711.427443-1-eddyz87@gmail.com/ 5: https://github.com/shunghsiyu/libbpf/actions/runs/14609494070/job/409847569… Eduard Zingerman (8): bpf: add find_containing_subprog() utility function bpf: track changes_pkt_data property for global functions selftests/bpf: test for changing packet data from global functions bpf: check changes_pkt_data property for extension programs selftests/bpf: freplace tests for tracking of changes_packet_data selftests/bpf: validate that tail call invalidates packet pointers bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs selftests/bpf: extend changes_pkt_data with cases w/o subprograms include/linux/bpf.h | 1 + include/linux/bpf_verifier.h | 1 + kernel/bpf/verifier.c | 79 +++++++++++-- .../bpf/prog_tests/changes_pkt_data.c | 107 ++++++++++++++++++ .../selftests/bpf/progs/changes_pkt_data.c | 39 +++++++ .../bpf/progs/changes_pkt_data_freplace.c | 18 +++ .../selftests/bpf/progs/verifier_sock.c | 56 +++++++++ 7 files changed, 292 insertions(+), 9 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/changes_pkt_data.c create mode 100644 tools/testing/selftests/bpf/progs/changes_pkt_data.c create mode 100644 tools/testing/selftests/bpf/progs/changes_pkt_data_freplace.c -- 2.49.0

6 months, 2 weeks

2
16
0 0

[PATCH 5.15.y] net/sched: act_mirred: don't override retval if we already lost the skb

by jianqi.ren.cn＠windriver.com

From: Jakub Kicinski <kuba(a)kernel.org> [ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ] If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF. Move the retval override to the error path which actually need it. Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Acked-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- net/sched/act_mirred.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index 97cd4b2377d6..e1c183b28306 100644 --- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -258,13 +258,13 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, dev = rcu_dereference_bh(m->tcfm_dev); if (unlikely(!dev)) { pr_notice_once("tc mirred: target device is gone\n"); - goto out; + goto err_cant_do; } if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { net_notice_ratelimited("tc mirred to Houston: device %s is down\n", dev->name); - goto out; + goto err_cant_do; } /* we could easily avoid the clone only if called by ingress and clsact; @@ -278,7 +278,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, if (!use_reinsert) { skb2 = skb_clone(skb, GFP_ATOMIC); if (!skb2) - goto out; + goto err_cant_do; } want_ingress = tcf_mirred_act_wants_ingress(m_eaction); @@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, } err = tcf_mirred_forward(want_ingress, skb2); - if (err) { -out: + if (err) tcf_action_inc_overlimit_qstats(&m->common); - if (tcf_mirred_is_act_redirect(m_eaction)) - retval = TC_ACT_SHOT; - } + __this_cpu_dec(mirred_nest_level); + + return retval; + +err_cant_do: + if (is_redirect) + retval = TC_ACT_SHOT; + tcf_action_inc_overlimit_qstats(&m->common); __this_cpu_dec(mirred_nest_level); return retval; -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.10.y/5.15.y] pmdomain: ti: Add a null pointer check to the omap_prm_domain_init

by Feng Liu

From: Kunwu Chan <chentao(a)kylinos.cn> [ Upstream commit 5d7f58ee08434a33340f75ac7ac5071eea9673b3 ] devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. Signed-off-by: Kunwu Chan <chentao(a)kylinos.cn> Link: https://lore.kernel.org/r/20240118054257.200814-1-chentao@kylinos.cn Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Minor context change fixed] Signed-off-by: Feng Liu <Feng.Liu3(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- drivers/soc/ti/omap_prm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/soc/ti/omap_prm.c b/drivers/soc/ti/omap_prm.c index 4a782bfd753c..d4c0c700b35c 100644 --- a/drivers/soc/ti/omap_prm.c +++ b/drivers/soc/ti/omap_prm.c @@ -381,6 +381,8 @@ static int omap_prm_domain_init(struct device *dev, struct omap_prm *prm) data = prm->data; name = devm_kasprintf(dev, GFP_KERNEL, "prm_%s", data->name); + if (!name) + return -ENOMEM; prmd->dev = dev; prmd->prm = prm; -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.10.y] net/sched: act_mirred: don't override retval if we already lost the skb

by jianqi.ren.cn＠windriver.com

From: Jakub Kicinski <kuba(a)kernel.org> [ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ] If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF. Move the retval override to the error path which actually need it. Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Acked-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- net/sched/act_mirred.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index 91a19460cb57..89201c223d7c 100644 --- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -260,13 +260,13 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, dev = rcu_dereference_bh(m->tcfm_dev); if (unlikely(!dev)) { pr_notice_once("tc mirred: target device is gone\n"); - goto out; + goto err_cant_do; } if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { net_notice_ratelimited("tc mirred to Houston: device %s is down\n", dev->name); - goto out; + goto err_cant_do; } /* we could easily avoid the clone only if called by ingress and clsact; @@ -280,7 +280,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, if (!use_reinsert) { skb2 = skb_clone(skb, GFP_ATOMIC); if (!skb2) - goto out; + goto err_cant_do; } want_ingress = tcf_mirred_act_wants_ingress(m_eaction); @@ -323,12 +323,16 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, } err = tcf_mirred_forward(want_ingress, skb2); - if (err) { -out: + if (err) tcf_action_inc_overlimit_qstats(&m->common); - if (tcf_mirred_is_act_redirect(m_eaction)) - retval = TC_ACT_SHOT; - } + __this_cpu_dec(mirred_nest_level); + + return retval; + +err_cant_do: + if (is_redirect) + retval = TC_ACT_SHOT; + tcf_action_inc_overlimit_qstats(&m->common); __this_cpu_dec(mirred_nest_level); return retval; -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] xfs: add bounds checking to xlog_recover_process_data

by Zhi Yang

From: lei lu <llfamsec(a)gmail.com> commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream. There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header. Signed-off-by: lei lu <llfamsec(a)gmail.com> Reviewed-by: Dave Chinner <dchinner(a)redhat.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Chandan Babu R <chandanbabu(a)kernel.org> Signed-off-by: Zhi Yang <Zhi.Yang(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- fs/xfs/xfs_log_recover.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 705cd5a60fbc..9eb120801979 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2444,7 +2444,10 @@ xlog_recover_process_data( ohead = (struct xlog_op_header *)dp; dp += sizeof(*ohead); - ASSERT(dp <= end); + if (dp > end) { + xfs_warn(log->l_mp, "%s: op header overrun", __func__); + return -EFSCORRUPTED; + } /* errors will abort recovery */ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead, -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.15.y] xfs: add bounds checking to xlog_recover_process_data

by Zhi Yang

From: lei lu <llfamsec(a)gmail.com> commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream. There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header. Signed-off-by: lei lu <llfamsec(a)gmail.com> Reviewed-by: Dave Chinner <dchinner(a)redhat.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Chandan Babu R <chandanbabu(a)kernel.org> Signed-off-by: Zhi Yang <Zhi.Yang(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- fs/xfs/xfs_log_recover.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 705cd5a60fbc..9eb120801979 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2444,7 +2444,10 @@ xlog_recover_process_data( ohead = (struct xlog_op_header *)dp; dp += sizeof(*ohead); - ASSERT(dp <= end); + if (dp > end) { + xfs_warn(log->l_mp, "%s: op header overrun", __func__); + return -EFSCORRUPTED; + } /* errors will abort recovery */ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead, -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.10.y] xfs: add bounds checking to xlog_recover_process_data

by Zhi Yang

From: lei lu <llfamsec(a)gmail.com> commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream. There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header. Signed-off-by: lei lu <llfamsec(a)gmail.com> Reviewed-by: Dave Chinner <dchinner(a)redhat.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Chandan Babu R <chandanbabu(a)kernel.org> Signed-off-by: Zhi Yang <Zhi.Yang(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- fs/xfs/xfs_log_recover.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index e61f28ce3e44..eafe76f304ef 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2419,7 +2419,10 @@ xlog_recover_process_data( ohead = (struct xlog_op_header *)dp; dp += sizeof(*ohead); - ASSERT(dp <= end); + if (dp > end) { + xfs_warn(log->l_mp, "%s: op header overrun", __func__); + return -EFSCORRUPTED; + } /* errors will abort recovery */ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead, -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.10.y] xfs: add bounds checking to xlog_recover_process_data

by Zhi Yang

From: lei lu <llfamsec(a)gmail.com> commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream. There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header. Signed-off-by: lei lu <llfamsec(a)gmail.com> Reviewed-by: Dave Chinner <dchinner(a)redhat.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Chandan Babu R <chandanbabu(a)kernel.org> Signed-off-by: Zhi Yang <Zhi.Yang(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- fs/xfs/xfs_log_recover.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index e61f28ce3e44..eafe76f304ef 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2419,7 +2419,10 @@ xlog_recover_process_data( ohead = (struct xlog_op_header *)dp; dp += sizeof(*ohead); - ASSERT(dp <= end); + if (dp > end) { + xfs_warn(log->l_mp, "%s: op header overrun", __func__); + return -EFSCORRUPTED; + } /* errors will abort recovery */ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead, -- 2.34.1

6 months, 2 weeks

3
2
0 0

[PATCH] platform/x86: alienware-wmi-wmax: Add support for Alienware m15 R7

by Kurt Borja

Extend thermal control support to Alienware m15 R7. Cc: stable(a)vger.kernel.org Tested-by: Romain THERY <romain.thery(a)ik.me> Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> --- drivers/platform/x86/dell/alienware-wmi-wmax.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/platform/x86/dell/alienware-wmi-wmax.c b/drivers/platform/x86/dell/alienware-wmi-wmax.c index 3f9e1e986ecf0a906ca16b85fd60e675f1885171..08b82c151e07103885dbe3354542f18776fe0b2e 100644 --- a/drivers/platform/x86/dell/alienware-wmi-wmax.c +++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c @@ -69,6 +69,14 @@ static const struct dmi_system_id awcc_dmi_table[] __initconst = { }, .driver_data = &generic_quirks, }, + { + .ident = "Alienware m15 R7", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), + DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m15 R7"), + }, + .driver_data = &generic_quirks, + }, { .ident = "Alienware m16 R1", .matches = { --- base-commit: 4a8e04e2bdcb98d513e97b039899bda03b07bcf2 change-id: 20250418-m15-r7-61df0a388cee Best regards, -- ~ Kurt

6 months, 2 weeks

2
1
0 0

[PATCH v2] arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2

by Wojciech Dubowik

Define vqmmc regulator-gpio for usdhc2 with vin-supply coming from LDO5. Without this definition LDO5 will be powered down, disabling SD card after bootup. This has been introduced in commit f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5"). Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5") Cc: stable(a)vger.kernel.org Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> --- v1 -> v2: https://lore.kernel.org/all/20250417112012.785420-1-Wojciech.Dubowik@mt.com/ - define gpio regulator for LDO5 vin controlled by vselect signal --- .../boot/dts/freescale/imx8mm-verdin.dtsi | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi index 7251ad3a0017..9b56a36c5f77 100644 --- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi @@ -144,6 +144,19 @@ reg_usdhc2_vmmc: regulator-usdhc2 { startup-delay-us = <20000>; }; + reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc { + compatible = "regulator-gpio"; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_usdhc2_vsel>; + gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; + regulator-max-microvolt = <3300000>; + regulator-min-microvolt = <1800000>; + states = <1800000 0x1>, + <3300000 0x0>; + regulator-name = "PMIC_USDHC_VSELECT"; + vin-supply = <&reg_nvcc_sd>; + }; + reserved-memory { #address-cells = <2>; #size-cells = <2>; @@ -785,6 +798,7 @@ &usdhc2 { pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>; pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>; vmmc-supply = <&reg_usdhc2_vmmc>; + vqmmc-supply = <&reg_usdhc2_vqmmc>; }; &wdog1 { @@ -1206,13 +1220,17 @@ pinctrl_usdhc2_pwr_en: usdhc2pwrengrp { <MX8MM_IOMUXC_NAND_CLE_GPIO3_IO5 0x6>; /* SODIMM 76 */ }; + pinctrl_usdhc2_vsel: usdhc2vselgrp { + fsl,pins = + <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>; /* PMIC_USDHC_VSELECT */ + }; + /* * Note: Due to ERR050080 we use discrete external on-module resistors pulling-up to the * on-module +V3.3_1.8_SD (LDO5) rail and explicitly disable the internal pull-ups here. */ pinctrl_usdhc2: usdhc2grp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x90>, /* SODIMM 78 */ <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x90>, /* SODIMM 74 */ <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x90>, /* SODIMM 80 */ @@ -1223,7 +1241,6 @@ pinctrl_usdhc2: usdhc2grp { pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x94>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x94>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x94>, @@ -1234,7 +1251,6 @@ pinctrl_usdhc2_100mhz: usdhc2-100mhzgrp { pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x10>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x96>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x96>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x96>, @@ -1246,7 +1262,6 @@ pinctrl_usdhc2_200mhz: usdhc2-200mhzgrp { /* Avoid backfeeding with removed card power */ pinctrl_usdhc2_sleep: usdhc2slpgrp { fsl,pins = - <MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x0>, <MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x0>, <MX8MM_IOMUXC_SD2_CMD_USDHC2_CMD 0x0>, <MX8MM_IOMUXC_SD2_DATA0_USDHC2_DATA0 0x0>, -- 2.47.2

6 months, 2 weeks

3
6
0 0

[PATCH v3] dm-bufio: don't schedule in atomic context

by LongPing Wei

A BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled. [ 129.444685][ T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421 [ 129.444723][ T934] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 934, name: kworker/1:4 [ 129.444740][ T934] preempt_count: 201, expected: 0 [ 129.444756][ T934] RCU nest depth: 0, expected: 0 [ 129.444781][ T934] Preemption disabled at: [ 129.444789][ T934] [<ffffffd816231900>] shrink_work+0x21c/0x248 [ 129.445167][ T934] kernel BUG at kernel/sched/walt/walt_debug.c:16! [ 129.445183][ T934] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [ 129.445204][ T934] Skip md ftrace buffer dump for: 0x1609e0 [ 129.447348][ T934] CPU: 1 PID: 934 Comm: kworker/1:4 Tainted: G W OE 6.6.56-android15-8-o-g6f82312b30b9-debug #1 1400000003000000474e5500b3187743670464e8 [ 129.447362][ T934] Hardware name: Qualcomm Technologies, Inc. Parrot QRD, Alpha-M (DT) [ 129.447373][ T934] Workqueue: dm_bufio_cache shrink_work [ 129.447394][ T934] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 129.447406][ T934] pc : android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug] [ 129.447435][ T934] lr : __traceiter_android_rvh_schedule_bug+0x44/0x6c [ 129.447451][ T934] sp : ffffffc0843dbc90 [ 129.447459][ T934] x29: ffffffc0843dbc90 x28: ffffffffffffffff x27: 0000000000000c8b [ 129.447479][ T934] x26: 0000000000000040 x25: ffffff804b3d6260 x24: ffffffd816232b68 [ 129.447497][ T934] x23: ffffff805171c5b4 x22: 0000000000000000 x21: ffffffd816231900 [ 129.447517][ T934] x20: ffffff80306ba898 x19: 0000000000000000 x18: ffffffc084159030 [ 129.447535][ T934] x17: 00000000d2b5dd1f x16: 00000000d2b5dd1f x15: ffffffd816720358 [ 129.447554][ T934] x14: 0000000000000004 x13: ffffff89ef978000 x12: 0000000000000003 [ 129.447572][ T934] x11: ffffffd817a823c4 x10: 0000000000000202 x9 : 7e779c5735de9400 [ 129.447591][ T934] x8 : ffffffd81560d004 x7 : 205b5d3938373434 x6 : ffffffd8167397c8 [ 129.447610][ T934] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffffffc0843db9e0 [ 129.447629][ T934] x2 : 0000000000002f15 x1 : 0000000000000000 x0 : 0000000000000000 [ 129.447647][ T934] Call trace: [ 129.447655][ T934] android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug 1400000003000000474e550080cce8a8a78606b6] [ 129.447681][ T934] __might_resched+0x190/0x1a8 [ 129.447694][ T934] shrink_work+0x180/0x248 [ 129.447706][ T934] process_one_work+0x260/0x624 [ 129.447718][ T934] worker_thread+0x28c/0x454 [ 129.447729][ T934] kthread+0x118/0x158 [ 129.447742][ T934] ret_from_fork+0x10/0x20 [ 129.447761][ T934] Code: ???????? ???????? ???????? d2b5dd1f (d4210000) [ 129.447772][ T934] ---[ end trace 0000000000000000 ]--- dm_bufio_lock will call spin_lock_bh when try_verify_in_tasklet is enabled, and __scan will be called in atomic context. Fixes: 7cd326747f46 ("dm bufio: remove dm_bufio_cond_resched()") Signed-off-by: LongPing Wei <weilongping(a)oppo.com> Cc: stable(a)vger.kernel.org --- v3: Always drops the lock after every 16 iterations and calls cond_resched() with the lock dropped; Change the judgment condition to a more understandable way. v2: When no_sleep is enabled, drops the lock after every 16 iterations and calls cond_resched() with the lock dropped. v1: skip cond_resched when no_sleep is enabled --- drivers/md/dm-bufio.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c index 9c8ed65cd87e..3088f9f9169a 100644 --- a/drivers/md/dm-bufio.c +++ b/drivers/md/dm-bufio.c @@ -68,6 +68,8 @@ #define LIST_DIRTY 1 #define LIST_SIZE 2 +#define SCAN_RESCHED_CYCLE 16 + /*--------------------------------------------------------------*/ /* @@ -2424,8 +2426,13 @@ static void __scan(struct dm_bufio_client *c) atomic_long_dec(&c->need_shrink); freed++; - cond_resched(); - } + + if (unlikely(freed % SCAN_RESCHED_CYCLE == 0)) { + dm_bufio_unlock(c); + cond_resched(); + dm_bufio_lock(c); + } + } } } -- 2.34.1

6 months, 2 weeks

3
4
0 0

[PATCH v2] staging: bcm2835-camera: Initialise dev in v4l2_dev

by Dave Stevenson

Commit 42a2f6664e18 ("staging: vc04_services: Move global g_state to vchiq_state") changed mmal_init to pass dev->v4l2_dev.dev to vchiq_mmal_init, however nothing iniitialised dev->v4l2_dev, so we got a NULL pointer dereference. Set dev->v4l2_dev.dev during bcm2835_mmal_probe. The device pointer could be passed into v4l2_device_register to set it, however that also has other effects that would need additional changes. Fixes: 42a2f6664e18 ("staging: vc04_services: Move global g_state to vchiq_state") Cc: stable(a)vger.kernel.org Signed-off-by: Dave Stevenson <dave.stevenson(a)raspberrypi.com> Reviewed-by: Stefan Wahren <wahrenst(a)gmx.net> --- Noted as we switched to 6.12 that the driver would fail during probe with an invalid dereference if a camera module was actually configured for the legacy camera stack. https://github.com/raspberrypi/linux/issues/6753 --- Changes in v2: - cc stable - Add Stefan's R-b - Link to v1: https://lore.kernel.org/r/20250414-staging-bcm2835-v4l2-fix-v1-1-2b2db9a8f2… --- drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c index b839b50ac26a..fa7ea4ca4c36 100644 --- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c +++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c @@ -1900,6 +1900,7 @@ static int bcm2835_mmal_probe(struct vchiq_device *device) __func__, ret); goto free_dev; } + dev->v4l2_dev.dev = &device->dev; /* setup v4l controls */ ret = bcm2835_mmal_init_controls(dev, &dev->ctrl_handler); --- base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8 change-id: 20250410-staging-bcm2835-v4l2-fix-b8dbd933c23b Best regards, -- Dave Stevenson <dave.stevenson(a)raspberrypi.com>

6 months, 2 weeks

1
0
0 0

Please apply d2155fe54ddb to 5.10 and 5.4

by Qingfang Deng

Hi Greg and Sasha, Please consider applying d2155fe54ddb ("mm: compaction: remove duplicate !list_empty(&sublist) check") to 5.10 and 5.4, as it resolves a -Wdangling-pointer warning in recent GCC versions: In function '__list_cut_position', inlined from 'list_cut_position' at ./include/linux/list.h:400:3, inlined from 'move_freelist_tail' at mm/compaction.c:1241:3: ./include/linux/list.h:370:21: warning: storing the address of local variable 'sublist' in '*&freepage_6(D)->D.15621.D.15566.lru.next' [-Wdangling-pointer=] Regards, Qingfang

6 months, 2 weeks

3
9
0 0

Re: [PATCH 5.10.y] xfs: add bounds checking to xlog_recover_process_data

by Greg KH

On Wed, Apr 23, 2025 at 07:24:41AM +0000, Yang, Zhi wrote: > Add xfs stable maintainer. That provided no context at all. Please do this properly.

6 months, 2 weeks

1
0
0 0

[PATCH] Input: cyttsp5 - fix power control issue on wakeup

by Hugo Villeneuve

From: Mikael Gonella-Bolduc <mgonellabolduc(a)dimonoff.com> The power control function ignores the "on" argument when setting the report ID, and thus is always sending HID_POWER_SLEEP. This causes a problem when trying to wakeup. Fix by sending the state variable, which contains the proper HID_POWER_ON or HID_POWER_SLEEP based on the "on" argument. Fixes: 3c98b8dbdced ("Input: cyttsp5 - implement proper sleep and wakeup procedures") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/input/touchscreen/cyttsp5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/input/touchscreen/cyttsp5.c b/drivers/input/touchscreen/cyttsp5.c index eafe5a9b89648..86edcacb4ab3e 100644 --- a/drivers/input/touchscreen/cyttsp5.c +++ b/drivers/input/touchscreen/cyttsp5.c @@ -580,7 +580,7 @@ static int cyttsp5_power_control(struct cyttsp5 *ts, bool on) int rc; SET_CMD_REPORT_TYPE(cmd[0], 0); - SET_CMD_REPORT_ID(cmd[0], HID_POWER_SLEEP); + SET_CMD_REPORT_ID(cmd[0], state); SET_CMD_OPCODE(cmd[1], HID_CMD_SET_POWER); rc = cyttsp5_write(ts, HID_COMMAND_REG, cmd, sizeof(cmd)); base-commit: 7adf8b1afc14832de099f9e178f08f91dc0dd6d0 -- 2.39.5

6 months, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 723ef0e20dbb2aa1b5406d2bb75374fc48187daa # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025032413-email-washer-d578@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 723ef0e20dbb2aa1b5406d2bb75374fc48187daa Mon Sep 17 00:00:00 2001 From: Kamal Dasu <kamal.dasu(a)broadcom.com> Date: Tue, 11 Mar 2025 12:59:35 -0400 Subject: [PATCH] mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops cqhci timeouts observed on brcmstb platforms during suspend: ... [ 164.832853] mmc0: cqhci: timeout for tag 18 ... Adding cqhci_suspend()/resume() calls to disable cqe in sdhci_brcmstb_suspend()/resume() respectively to fix CQE timeouts seen on PM suspend. Fixes: d46ba2d17f90 ("mmc: sdhci-brcmstb: Add support for Command Queuing (CQE)") Cc: stable(a)vger.kernel.org Signed-off-by: Kamal Dasu <kamal.dasu(a)broadcom.com> Reviewed-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://lore.kernel.org/r/20250311165946.28190-1-kamal.dasu@broadcom.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/sdhci-brcmstb.c b/drivers/mmc/host/sdhci-brcmstb.c index 0ef4d578ade8..48cdcba0f39c 100644 --- a/drivers/mmc/host/sdhci-brcmstb.c +++ b/drivers/mmc/host/sdhci-brcmstb.c @@ -503,8 +503,15 @@ static int sdhci_brcmstb_suspend(struct device *dev) struct sdhci_host *host = dev_get_drvdata(dev); struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host); + int ret; clk_disable_unprepare(priv->base_clk); + if (host->mmc->caps2 & MMC_CAP2_CQE) { + ret = cqhci_suspend(host->mmc); + if (ret) + return ret; + } + return sdhci_pltfm_suspend(dev); } @@ -529,6 +536,9 @@ static int sdhci_brcmstb_resume(struct device *dev) ret = clk_set_rate(priv->base_clk, priv->base_freq_hz); } + if (host->mmc->caps2 & MMC_CAP2_CQE) + ret = cqhci_resume(host->mmc); + return ret; } #endif

6 months, 2 weeks

3
8
0 0

[PATCH 1/1] iommu/vt-d: Assign owner to the static identity domain

by Lu Baolu

The idxd driver attaches the default domain to a PASID of the device to perform kernel DMA using that PASID. The domain is attached to the device's PASID through iommu_attach_device_pasid(), which checks if the domain->owner matches the iommu_ops retrieved from the device. If they do not match, it returns a failure. if (ops != domain->owner || pasid == IOMMU_NO_PASID) return -EINVAL; The static identity domain implemented by the intel iommu driver doesn't specify the domain owner. Therefore, kernel DMA with PASID doesn't work for the idxd driver if the device translation mode is set to passthrough. Fix this by specifying the domain owner for the static identity domain. Fixes: 2031c469f816 ("iommu/vt-d: Add support for static identity domain") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220031 Cc: stable(a)vger.kernel.org Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/intel/iommu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c index cb0b993bebb4..63c9c97ccf69 100644 --- a/drivers/iommu/intel/iommu.c +++ b/drivers/iommu/intel/iommu.c @@ -4385,6 +4385,7 @@ static struct iommu_domain identity_domain = { .attach_dev = identity_domain_attach_dev, .set_dev_pasid = identity_domain_set_dev_pasid, }, + .owner = &intel_iommu_ops, }; const struct iommu_ops intel_iommu_ops = { -- 2.43.0

6 months, 2 weeks

4
3
0 0

+ v2-ocfs2-fix-panic-in-failed-foilio-allocation.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: fix panic in failed foilio allocation has been added to the -mm mm-hotfixes-unstable branch. Its filename is v2-ocfs2-fix-panic-in-failed-foilio-allocation.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Mark Tinguely <mark.tinguely(a)oracle.com> Subject: ocfs2: fix panic in failed foilio allocation Date: Fri, 11 Apr 2025 11:31:24 -0500 commit 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") and commit 9a5e08652dc4b ("ocfs2: use an array of folios instead of an array of pages") save -ENOMEM in the folio array upon allocation failure and call the folio array free code. The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic. Fix by NULLing the error folio entry. Link: https://lkml.kernel.org/r/c879a52b-835c-4fa0-902b-8b2e9196dcbd@oracle.com Fixes: 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") Fixes: 9a5e08652dc4b ("ocfs2: use an array of folios instead of an array of pages") Signed-off-by: Mark Tinguely <mark.tinguely(a)oracle.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Nathan Chancellor <nathan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/alloc.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/ocfs2/alloc.c~v2-ocfs2-fix-panic-in-failed-foilio-allocation +++ a/fs/ocfs2/alloc.c @@ -6918,6 +6918,7 @@ static int ocfs2_grab_folios(struct inod if (IS_ERR(folios[numfolios])) { ret = PTR_ERR(folios[numfolios]); mlog_errno(ret); + folios[numfolios] = NULL; goto out; } _ Patches currently in -mm which might be from mark.tinguely(a)oracle.com are v2-ocfs2-fix-panic-in-failed-foilio-allocation.patch

6 months, 2 weeks

1
0
0 0

[obsolete] ocfs2-fix-panic-in-failed-foilio-allocation.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix panic in failed foilio allocation has been removed from the -mm tree. Its filename was ocfs2-fix-panic-in-failed-foilio-allocation.patch This patch was dropped because it is obsolete ------------------------------------------------------ From: Mark Tinguely <mark.tinguely(a)oracle.com> Subject: ocfs2: fix panic in failed foilio allocation Date: Thu, 10 Apr 2025 14:56:11 -0500 In commit 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") the chunk page allocations became order 0 folio allocations. If an allocation failed, the folio array entry should be NULL so the error path can skip the entry. In the port it is -ENOMEM and the error path panics trying to free this bad value. Link: https://lkml.kernel.org/r/150746ad-32ae-415e-bf1d-6dfd195fbb65@oracle.com Fixes: 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") Signed-off-by: Mark Tinguely <mark.tinguely(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Jun Piao <piaojun(a)huawei.com> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/aops.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/ocfs2/aops.c~ocfs2-fix-panic-in-failed-foilio-allocation +++ a/fs/ocfs2/aops.c @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(s if (IS_ERR(wc->w_folios[i])) { ret = PTR_ERR(wc->w_folios[i]); mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } } _ Patches currently in -mm which might be from mark.tinguely(a)oracle.com are

6 months, 2 weeks

1
0
0 0

[obsolete] v2-ocfs2-fix-panic-in-failed-foilio-allocation.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix panic in failed foilio allocation has been removed from the -mm tree. Its filename was v2-ocfs2-fix-panic-in-failed-foilio-allocation.patch This patch was dropped because it is obsolete ------------------------------------------------------ From: Mark Tinguely <mark.tinguely(a)oracle.com> Subject: ocfs2: fix panic in failed foilio allocation Date: Fri, 11 Apr 2025 11:31:24 -0500 In the page to order 0 folio conversion series, commits 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") and 9a5e08652dc4 ("ocfs2: use an array of folios instead of an array of pages") save -ENOMEM in the folio array upon allocation failure and call the folio array free code. The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic. Fix by NULLing the error folio entry. Link: https://lkml.kernel.org/r/c879a52b-835c-4fa0-902b-8b2e9196dcbd@oracle.com Fixes: 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") FIxes: 9a5e08652dc4 ("ocfs2: use an array of folios instead of an array of pages") Signed-off-by: Mark Tinguely <mark.tinguely(a)oracle.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/alloc.c | 1 + fs/ocfs2/aops.c | 1 + 2 files changed, 2 insertions(+) --- a/fs/ocfs2/alloc.c~v2-ocfs2-fix-panic-in-failed-foilio-allocation +++ a/fs/ocfs2/alloc.c @@ -6918,6 +6918,7 @@ static int ocfs2_grab_folios(struct inod if (IS_ERR(folios[numfolios])) { ret = PTR_ERR(folios[numfolios]); mlog_errno(ret); + folios[numfolios] = NULL; goto out; } --- a/fs/ocfs2/aops.c~v2-ocfs2-fix-panic-in-failed-foilio-allocation +++ a/fs/ocfs2/aops.c @@ -1130,6 +1130,7 @@ static int ocfs2_write_cluster(struct ad (unsigned long long)OCFS2_I(inode)->ip_blkno); if (ret < 0) { mlog_errno(ret); + wc->w_folios[i] = NULL; goto out; } } else if (clear_unwritten) { _ Patches currently in -mm which might be from mark.tinguely(a)oracle.com are ocfs2-fix-panic-in-failed-foilio-allocation.patch

6 months, 2 weeks

1
0
0 0

[PATCH RESEND] drm/amdgpu: Remove redundant return value checks for amdgpu_ras_error_data_init

by Wentao Liang

The function amdgpu_ras_error_data_init() always returns 0, making its return value checks redundant. This patch changes its return type to void and removes all unnecessary checks in the callers. This simplifies the code and avoids confusion about the function's behavior. Additionally, this change keeps the usage consistent with amdgpu_ras_do_page_retirement(), which also does not check the return value. Fixes: 5b1270beb380 ("drm/amdgpu: add ras_err_info to identify RAS error source") Cc: stable(a)vger.kernel.org # 6.7+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 19 +++++-------------- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c | 8 ++------ drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c | 3 +-- drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c | 3 +-- 5 files changed, 10 insertions(+), 25 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c index 4c9fa24dd972..aef1b2b713a2 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c @@ -182,9 +182,7 @@ static int amdgpu_reserve_page_direct(struct amdgpu_device *adev, uint64_t addre return 0; } - ret = amdgpu_ras_error_data_init(&err_data); - if (ret) - return ret; + amdgpu_ras_error_data_init(&err_data); memset(&err_rec, 0x0, sizeof(struct eeprom_table_record)); err_data.err_addr = &err_rec; @@ -687,8 +685,7 @@ static struct ras_manager *amdgpu_ras_create_obj(struct amdgpu_device *adev, if (alive_obj(obj)) return NULL; - if (amdgpu_ras_error_data_init(&obj->err_data)) - return NULL; + amdgpu_ras_error_data_init(&obj->err_data) obj->head = *head; obj->adev = adev; @@ -1428,9 +1425,7 @@ static int amdgpu_ras_query_error_status_with_event(struct amdgpu_device *adev, if (!obj) return -EINVAL; - ret = amdgpu_ras_error_data_init(&err_data); - if (ret) - return ret; + amdgpu_ras_error_data_init(&err_data); if (!amdgpu_ras_get_error_query_mode(adev, &error_query_mode)) return -EINVAL; @@ -2255,9 +2250,7 @@ static void amdgpu_ras_interrupt_umc_handler(struct ras_manager *obj, if (!data->cb) return; - ret = amdgpu_ras_error_data_init(&err_data); - if (ret) - return; + amdgpu_ras_error_data_init(&err_data); /* Let IP handle its data, maybe we need get the output * from the callback to update the error type/count, etc @@ -4623,13 +4616,11 @@ void amdgpu_ras_inst_reset_ras_error_count(struct amdgpu_device *adev, } } -int amdgpu_ras_error_data_init(struct ras_err_data *err_data) +void amdgpu_ras_error_data_init(struct ras_err_data *err_data) { memset(err_data, 0, sizeof(*err_data)); INIT_LIST_HEAD(&err_data->err_node_list); - - return 0; } static void amdgpu_ras_error_node_release(struct ras_err_node *err_node) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h index 6db772ecfee4..5f88e70fbf5c 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h @@ -931,7 +931,7 @@ void amdgpu_ras_inst_reset_ras_error_count(struct amdgpu_device *adev, uint32_t reg_list_size, uint32_t instance); -int amdgpu_ras_error_data_init(struct ras_err_data *err_data); +void amdgpu_ras_error_data_init(struct ras_err_data *err_data); void amdgpu_ras_error_data_fini(struct ras_err_data *err_data); int amdgpu_ras_error_statistic_ce_count(struct ras_err_data *err_data, struct amdgpu_smuio_mcm_config_info *mcm_info, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c index 896f3609b0ee..5de6e332c2cd 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c @@ -52,9 +52,7 @@ int amdgpu_umc_page_retirement_mca(struct amdgpu_device *adev, struct ras_err_data err_data; int ret; - ret = amdgpu_ras_error_data_init(&err_data); - if (ret) - return ret; + amdgpu_ras_error_data_init(&err_data); err_data.err_addr = kcalloc(adev->umc.max_ras_err_cnt_per_query, @@ -230,9 +228,7 @@ int amdgpu_umc_pasid_poison_handler(struct amdgpu_device *adev, }; struct ras_manager *obj = amdgpu_ras_find_obj(adev, &head); - ret = amdgpu_ras_error_data_init(&err_data); - if (ret) - return ret; + amdgpu_ras_error_data_init(&err_data); ret = amdgpu_umc_do_page_retirement(adev, &err_data, NULL, reset); diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c index a26a9be58eac..d4bdfe280c88 100644 --- a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c +++ b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c @@ -364,8 +364,7 @@ static void nbio_v7_4_handle_ras_controller_intr_no_bifring(struct amdgpu_device struct ras_err_data err_data; struct amdgpu_ras *ras = amdgpu_ras_get_context(adev); - if (amdgpu_ras_error_data_init(&err_data)) - return; + amdgpu_ras_error_data_init(&err_data); if (adev->asic_type == CHIP_ALDEBARAN) bif_doorbell_intr_cntl = RREG32_SOC15(NBIO, 0, mmBIF_DOORBELL_INT_CNTL_ALDE); diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c b/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c index 8a0a63ac88d2..c79ed1adf681 100644 --- a/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c +++ b/drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c @@ -537,8 +537,7 @@ static void nbio_v7_9_handle_ras_controller_intr_no_bifring(struct amdgpu_device struct ras_err_data err_data; struct amdgpu_ras *ras = amdgpu_ras_get_context(adev); - if (amdgpu_ras_error_data_init(&err_data)) - return; + amdgpu_ras_error_data_init(&err_data); bif_doorbell_intr_cntl = RREG32_SOC15(NBIO, 0, regBIF_BX0_BIF_DOORBELL_INT_CNTL); -- 2.42.0.windows.2

6 months, 2 weeks

2
2
0 0

[PATCH net v1 1/1] net: selftests: initialize TCP header and skb payload with zero

by Oleksij Rempel

Zero-initialize TCP header via memset() to avoid garbage values that may affect checksum or behavior during test transmission. Also zero-fill allocated payload and padding regions using memset() after skb_put(), ensuring deterministic content for all outgoing test packets. Fixes: 3e1e58d64c3d ("net: add generic selftest support") Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Cc: stable(a)vger.kernel.org --- net/core/selftests.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/net/core/selftests.c b/net/core/selftests.c index e99ae983fca9..35f807ea9952 100644 --- a/net/core/selftests.c +++ b/net/core/selftests.c @@ -100,10 +100,10 @@ static struct sk_buff *net_test_get_skb(struct net_device *ndev, ehdr->h_proto = htons(ETH_P_IP); if (attr->tcp) { + memset(thdr, 0, sizeof(*thdr)); thdr->source = htons(attr->sport); thdr->dest = htons(attr->dport); thdr->doff = sizeof(struct tcphdr) / 4; - thdr->check = 0; } else { uhdr->source = htons(attr->sport); uhdr->dest = htons(attr->dport); @@ -144,10 +144,18 @@ static struct sk_buff *net_test_get_skb(struct net_device *ndev, attr->id = net_test_next_id; shdr->id = net_test_next_id++; - if (attr->size) - skb_put(skb, attr->size); - if (attr->max_size && attr->max_size > skb->len) - skb_put(skb, attr->max_size - skb->len); + if (attr->size) { + void *payload = skb_put(skb, attr->size); + + memset(payload, 0, attr->size); + } + + if (attr->max_size && attr->max_size > skb->len) { + size_t pad_len = attr->max_size - skb->len; + void *pad = skb_put(skb, pad_len); + + memset(pad, 0, pad_len); + } skb->csum = 0; skb->ip_summed = CHECKSUM_PARTIAL; -- 2.39.5

6 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] platform/x86: msi-wmi-platform: Workaround a ACPI firmware" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x baf2f2c2b4c8e1d398173acd4d2fa9131a86b84e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042139-decimeter-dislike-3ca4@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From baf2f2c2b4c8e1d398173acd4d2fa9131a86b84e Mon Sep 17 00:00:00 2001 From: Armin Wolf <W_Armin(a)gmx.de> Date: Mon, 14 Apr 2025 16:04:53 +0200 Subject: [PATCH] platform/x86: msi-wmi-platform: Workaround a ACPI firmware bug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ACPI byte code inside the ACPI control method responsible for handling the WMI method calls uses a global buffer for constructing the return value, yet the ACPI control method itself is not marked as "Serialized". This means that calling WMI methods on this WMI device is not thread-safe, as concurrent WMI method calls will corrupt the global buffer. Fix this by serializing the WMI method calls using a mutex. Cc: stable(a)vger.kernel.org # 6.x.x: 912d614ac99e: platform/x86: msi-wmi-platform: Rename "data" variable Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver") Tested-by: Antheas Kapenekakis <lkml(a)antheas.dev> Signed-off-by: Armin Wolf <W_Armin(a)gmx.de> Link: https://lore.kernel.org/r/20250414140453.7691-2-W_Armin@gmx.de Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/Documentation/wmi/devices/msi-wmi-platform.rst b/Documentation/wmi/devices/msi-wmi-platform.rst index 31a136942892..73197b31926a 100644 --- a/Documentation/wmi/devices/msi-wmi-platform.rst +++ b/Documentation/wmi/devices/msi-wmi-platform.rst @@ -138,6 +138,10 @@ input data, the meaning of which depends on the subfeature being accessed. The output buffer contains a single byte which signals success or failure (``0x00`` on failure) and 31 bytes of output data, the meaning if which depends on the subfeature being accessed. +.. note:: + The ACPI control method responsible for handling the WMI method calls is not thread-safe. + This is a firmware bug that needs to be handled inside the driver itself. + WMI method Get_EC() ------------------- diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c index e15681dfca8d..dc5e9878cb68 100644 --- a/drivers/platform/x86/msi-wmi-platform.c +++ b/drivers/platform/x86/msi-wmi-platform.c @@ -10,6 +10,7 @@ #include <linux/acpi.h> #include <linux/bits.h> #include <linux/bitfield.h> +#include <linux/cleanup.h> #include <linux/debugfs.h> #include <linux/device.h> #include <linux/device/driver.h> @@ -17,6 +18,7 @@ #include <linux/hwmon.h> #include <linux/kernel.h> #include <linux/module.h> +#include <linux/mutex.h> #include <linux/printk.h> #include <linux/rwsem.h> #include <linux/types.h> @@ -76,8 +78,13 @@ enum msi_wmi_platform_method { MSI_PLATFORM_GET_WMI = 0x1d, }; -struct msi_wmi_platform_debugfs_data { +struct msi_wmi_platform_data { struct wmi_device *wdev; + struct mutex wmi_lock; /* Necessary when calling WMI methods */ +}; + +struct msi_wmi_platform_debugfs_data { + struct msi_wmi_platform_data *data; enum msi_wmi_platform_method method; struct rw_semaphore buffer_lock; /* Protects debugfs buffer */ size_t length; @@ -132,8 +139,9 @@ static int msi_wmi_platform_parse_buffer(union acpi_object *obj, u8 *output, siz return 0; } -static int msi_wmi_platform_query(struct wmi_device *wdev, enum msi_wmi_platform_method method, - u8 *input, size_t input_length, u8 *output, size_t output_length) +static int msi_wmi_platform_query(struct msi_wmi_platform_data *data, + enum msi_wmi_platform_method method, u8 *input, + size_t input_length, u8 *output, size_t output_length) { struct acpi_buffer out = { ACPI_ALLOCATE_BUFFER, NULL }; struct acpi_buffer in = { @@ -147,9 +155,15 @@ static int msi_wmi_platform_query(struct wmi_device *wdev, enum msi_wmi_platform if (!input_length || !output_length) return -EINVAL; - status = wmidev_evaluate_method(wdev, 0x0, method, &in, &out); - if (ACPI_FAILURE(status)) - return -EIO; + /* + * The ACPI control method responsible for handling the WMI method calls + * is not thread-safe. Because of this we have to do the locking ourself. + */ + scoped_guard(mutex, &data->wmi_lock) { + status = wmidev_evaluate_method(data->wdev, 0x0, method, &in, &out); + if (ACPI_FAILURE(status)) + return -EIO; + } obj = out.pointer; if (!obj) @@ -170,13 +184,13 @@ static umode_t msi_wmi_platform_is_visible(const void *drvdata, enum hwmon_senso static int msi_wmi_platform_read(struct device *dev, enum hwmon_sensor_types type, u32 attr, int channel, long *val) { - struct wmi_device *wdev = dev_get_drvdata(dev); + struct msi_wmi_platform_data *data = dev_get_drvdata(dev); u8 input[32] = { 0 }; u8 output[32]; u16 value; int ret; - ret = msi_wmi_platform_query(wdev, MSI_PLATFORM_GET_FAN, input, sizeof(input), output, + ret = msi_wmi_platform_query(data, MSI_PLATFORM_GET_FAN, input, sizeof(input), output, sizeof(output)); if (ret < 0) return ret; @@ -231,7 +245,7 @@ static ssize_t msi_wmi_platform_write(struct file *fp, const char __user *input, return ret; down_write(&data->buffer_lock); - ret = msi_wmi_platform_query(data->wdev, data->method, payload, data->length, data->buffer, + ret = msi_wmi_platform_query(data->data, data->method, payload, data->length, data->buffer, data->length); up_write(&data->buffer_lock); @@ -277,17 +291,17 @@ static void msi_wmi_platform_debugfs_remove(void *data) debugfs_remove_recursive(dir); } -static void msi_wmi_platform_debugfs_add(struct wmi_device *wdev, struct dentry *dir, +static void msi_wmi_platform_debugfs_add(struct msi_wmi_platform_data *drvdata, struct dentry *dir, const char *name, enum msi_wmi_platform_method method) { struct msi_wmi_platform_debugfs_data *data; struct dentry *entry; - data = devm_kzalloc(&wdev->dev, sizeof(*data), GFP_KERNEL); + data = devm_kzalloc(&drvdata->wdev->dev, sizeof(*data), GFP_KERNEL); if (!data) return; - data->wdev = wdev; + data->data = drvdata; data->method = method; init_rwsem(&data->buffer_lock); @@ -298,82 +312,82 @@ static void msi_wmi_platform_debugfs_add(struct wmi_device *wdev, struct dentry entry = debugfs_create_file(name, 0600, dir, data, &msi_wmi_platform_debugfs_fops); if (IS_ERR(entry)) - devm_kfree(&wdev->dev, data); + devm_kfree(&drvdata->wdev->dev, data); } -static void msi_wmi_platform_debugfs_init(struct wmi_device *wdev) +static void msi_wmi_platform_debugfs_init(struct msi_wmi_platform_data *data) { struct dentry *dir; char dir_name[64]; int ret, method; - scnprintf(dir_name, ARRAY_SIZE(dir_name), "%s-%s", DRIVER_NAME, dev_name(&wdev->dev)); + scnprintf(dir_name, ARRAY_SIZE(dir_name), "%s-%s", DRIVER_NAME, dev_name(&data->wdev->dev)); dir = debugfs_create_dir(dir_name, NULL); if (IS_ERR(dir)) return; - ret = devm_add_action_or_reset(&wdev->dev, msi_wmi_platform_debugfs_remove, dir); + ret = devm_add_action_or_reset(&data->wdev->dev, msi_wmi_platform_debugfs_remove, dir); if (ret < 0) return; for (method = MSI_PLATFORM_GET_PACKAGE; method <= MSI_PLATFORM_GET_WMI; method++) - msi_wmi_platform_debugfs_add(wdev, dir, msi_wmi_platform_debugfs_names[method - 1], + msi_wmi_platform_debugfs_add(data, dir, msi_wmi_platform_debugfs_names[method - 1], method); } -static int msi_wmi_platform_hwmon_init(struct wmi_device *wdev) +static int msi_wmi_platform_hwmon_init(struct msi_wmi_platform_data *data) { struct device *hdev; - hdev = devm_hwmon_device_register_with_info(&wdev->dev, "msi_wmi_platform", wdev, + hdev = devm_hwmon_device_register_with_info(&data->wdev->dev, "msi_wmi_platform", data, &msi_wmi_platform_chip_info, NULL); return PTR_ERR_OR_ZERO(hdev); } -static int msi_wmi_platform_ec_init(struct wmi_device *wdev) +static int msi_wmi_platform_ec_init(struct msi_wmi_platform_data *data) { u8 input[32] = { 0 }; u8 output[32]; u8 flags; int ret; - ret = msi_wmi_platform_query(wdev, MSI_PLATFORM_GET_EC, input, sizeof(input), output, + ret = msi_wmi_platform_query(data, MSI_PLATFORM_GET_EC, input, sizeof(input), output, sizeof(output)); if (ret < 0) return ret; flags = output[MSI_PLATFORM_EC_FLAGS_OFFSET]; - dev_dbg(&wdev->dev, "EC RAM version %lu.%lu\n", + dev_dbg(&data->wdev->dev, "EC RAM version %lu.%lu\n", FIELD_GET(MSI_PLATFORM_EC_MAJOR_MASK, flags), FIELD_GET(MSI_PLATFORM_EC_MINOR_MASK, flags)); - dev_dbg(&wdev->dev, "EC firmware version %.28s\n", + dev_dbg(&data->wdev->dev, "EC firmware version %.28s\n", &output[MSI_PLATFORM_EC_VERSION_OFFSET]); if (!(flags & MSI_PLATFORM_EC_IS_TIGERLAKE)) { if (!force) return -ENODEV; - dev_warn(&wdev->dev, "Loading on a non-Tigerlake platform\n"); + dev_warn(&data->wdev->dev, "Loading on a non-Tigerlake platform\n"); } return 0; } -static int msi_wmi_platform_init(struct wmi_device *wdev) +static int msi_wmi_platform_init(struct msi_wmi_platform_data *data) { u8 input[32] = { 0 }; u8 output[32]; int ret; - ret = msi_wmi_platform_query(wdev, MSI_PLATFORM_GET_WMI, input, sizeof(input), output, + ret = msi_wmi_platform_query(data, MSI_PLATFORM_GET_WMI, input, sizeof(input), output, sizeof(output)); if (ret < 0) return ret; - dev_dbg(&wdev->dev, "WMI interface version %u.%u\n", + dev_dbg(&data->wdev->dev, "WMI interface version %u.%u\n", output[MSI_PLATFORM_WMI_MAJOR_OFFSET], output[MSI_PLATFORM_WMI_MINOR_OFFSET]); @@ -381,7 +395,8 @@ static int msi_wmi_platform_init(struct wmi_device *wdev) if (!force) return -ENODEV; - dev_warn(&wdev->dev, "Loading despite unsupported WMI interface version (%u.%u)\n", + dev_warn(&data->wdev->dev, + "Loading despite unsupported WMI interface version (%u.%u)\n", output[MSI_PLATFORM_WMI_MAJOR_OFFSET], output[MSI_PLATFORM_WMI_MINOR_OFFSET]); } @@ -391,19 +406,31 @@ static int msi_wmi_platform_init(struct wmi_device *wdev) static int msi_wmi_platform_probe(struct wmi_device *wdev, const void *context) { + struct msi_wmi_platform_data *data; int ret; - ret = msi_wmi_platform_init(wdev); + data = devm_kzalloc(&wdev->dev, sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + data->wdev = wdev; + dev_set_drvdata(&wdev->dev, data); + + ret = devm_mutex_init(&wdev->dev, &data->wmi_lock); if (ret < 0) return ret; - ret = msi_wmi_platform_ec_init(wdev); + ret = msi_wmi_platform_init(data); if (ret < 0) return ret; - msi_wmi_platform_debugfs_init(wdev); + ret = msi_wmi_platform_ec_init(data); + if (ret < 0) + return ret; - return msi_wmi_platform_hwmon_init(wdev); + msi_wmi_platform_debugfs_init(data); + + return msi_wmi_platform_hwmon_init(data); } static const struct wmi_device_id msi_wmi_platform_id_table[] = {

6 months, 2 weeks

3
3
0 0

[PATCH] video: screen_info: Update framebuffers behind PCI bridges

by Thomas Zimmermann

Apply bridge window offsets to screen_info framebuffers during relocation. Fixes invalid access to I/O memory. Resources behind a PCI bridge can be located at a certain offset in the kernel's I/O range. The framebuffer memory range stored in screen_info refers to the offset as seen during boot (essentialy 0). During boot up, the kernel may assign a different memory offset to the bridge device and thereby relocating the framebuffer address of the PCI graphics device as seen by the kernel. The information in screen_info must be updated as well. The helper pcibios_bus_to_resource() performs the relocation of the screen_info resource. The result now matches the I/O-memory resource of the PCI graphics device. As before, we store away the information necessary to update the information in screen_info. Commit 78aa89d1dfba ("firmware/sysfb: Update screen_info for relocated EFI framebuffers") added the code for updating screen_info. It is based on similar functionality that pre-existed in efifb. But efifb did not handle bridges correctly, so the problem presumably exists only on newer systems. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reported-by: Tested-by: "Ivan T. Ivanov" <iivanov(a)suse.de> Closes: https://bugzilla.suse.com/show_bug.cgi?id=1240696 Tested-by: Tested-by: "Ivan T. Ivanov" <iivanov(a)suse.de> Fixes: 78aa89d1dfba ("firmware/sysfb: Update screen_info for relocated EFI framebuffers") Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.9+ --- drivers/video/screen_info_pci.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/drivers/video/screen_info_pci.c b/drivers/video/screen_info_pci.c index 6c5833517141..c46c75dc3fae 100644 --- a/drivers/video/screen_info_pci.c +++ b/drivers/video/screen_info_pci.c @@ -8,7 +8,7 @@ static struct pci_dev *screen_info_lfb_pdev; static size_t screen_info_lfb_bar; static resource_size_t screen_info_lfb_offset; -static struct resource screen_info_lfb_res = DEFINE_RES_MEM(0, 0); +static struct pci_bus_region screen_info_lfb_region; static bool __screen_info_relocation_is_valid(const struct screen_info *si, struct resource *pr) { @@ -31,7 +31,7 @@ void screen_info_apply_fixups(void) if (screen_info_lfb_pdev) { struct resource *pr = &screen_info_lfb_pdev->resource[screen_info_lfb_bar]; - if (pr->start != screen_info_lfb_res.start) { + if (pr->start != screen_info_lfb_region.start) { if (__screen_info_relocation_is_valid(si, pr)) { /* * Only update base if we have an actual @@ -69,10 +69,21 @@ static void screen_info_fixup_lfb(struct pci_dev *pdev) for (i = 0; i < numres; ++i) { struct resource *r = &res[i]; + struct pci_bus_region bus_region = { + .start = r->start, + .end = r->end, + }; const struct resource *pr; if (!(r->flags & IORESOURCE_MEM)) continue; + + /* + * Translate the address to resource if the framebuffer + * is behind a PCI bridge. + */ + pcibios_bus_to_resource(pdev->bus, r, &bus_region); + pr = pci_find_resource(pdev, r); if (!pr) continue; @@ -85,7 +96,7 @@ static void screen_info_fixup_lfb(struct pci_dev *pdev) screen_info_lfb_pdev = pdev; screen_info_lfb_bar = pr - pdev->resource; screen_info_lfb_offset = r->start - pr->start; - memcpy(&screen_info_lfb_res, r, sizeof(screen_info_lfb_res)); + memcpy(&screen_info_lfb_region, &bus_region, sizeof(screen_info_lfb_region)); } } DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_ANY_ID, PCI_ANY_ID, PCI_BASE_CLASS_DISPLAY, 16, -- 2.49.0

6 months, 2 weeks

2
2
0 0

[PATCH] media: imagination: fix a potential memory leak in e5010_probe()

by Haoxiang Li

Add video_device_release() to release the memory allocated by video_device_alloc() if something goes wrong. Fixes: a1e294045885 ("media: imagination: Add E5010 JPEG Encoder driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/media/platform/imagination/e5010-jpeg-enc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/imagination/e5010-jpeg-enc.c b/drivers/media/platform/imagination/e5010-jpeg-enc.c index c194f830577f..53e501b5ac0a 100644 --- a/drivers/media/platform/imagination/e5010-jpeg-enc.c +++ b/drivers/media/platform/imagination/e5010-jpeg-enc.c @@ -1057,8 +1057,11 @@ static int e5010_probe(struct platform_device *pdev) e5010->vdev->lock = &e5010->mutex; ret = v4l2_device_register(dev, &e5010->v4l2_dev); - if (ret) - return dev_err_probe(dev, ret, "failed to register v4l2 device\n"); + if (ret) { + dev_err_probe(dev, ret, "failed to register v4l2 device\n"); + goto fail_after_video_device_alloc; + } + e5010->m2m_dev = v4l2_m2m_init(&e5010_m2m_ops); if (IS_ERR(e5010->m2m_dev)) { @@ -1118,6 +1121,8 @@ static int e5010_probe(struct platform_device *pdev) v4l2_m2m_release(e5010->m2m_dev); fail_after_v4l2_register: v4l2_device_unregister(&e5010->v4l2_dev); +fail_after_video_device_alloc: + video_device_release(e5010->vdev); return ret; } -- 2.25.1

6 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ASoC: qcom: Fix sc7280 lpass potential buffer overflow" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a31a4934b31faea76e735bab17e63d02fcd8e029 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042138-spherical-reabsorb-d6da@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a31a4934b31faea76e735bab17e63d02fcd8e029 Mon Sep 17 00:00:00 2001 From: Evgeny Pimenov <pimenoveu12(a)gmail.com> Date: Tue, 1 Apr 2025 23:40:58 +0300 Subject: [PATCH] ASoC: qcom: Fix sc7280 lpass potential buffer overflow Case values introduced in commit 5f78e1fb7a3e ("ASoC: qcom: Add driver support for audioreach solution") cause out of bounds access in arrays of sc7280 driver data (e.g. in case of RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()). Redefine LPASS_MAX_PORTS to consider the maximum possible port id for q6dsp as sc7280 driver utilizes some of those values. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 77d0ffef793d ("ASoC: qcom: Add macro for lpass DAI id's max limit") Cc: stable(a)vger.kernel.org # v6.0+ Suggested-by: Mikhail Kobuk <m.kobuk(a)ispras.ru> Suggested-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Evgeny Pimenov <pimenoveu12(a)gmail.com> Link: https://patch.msgid.link/20250401204058.32261-1-pimenoveu12@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/qcom/lpass.h b/sound/soc/qcom/lpass.h index 27a2bf9a6613..de3ec6f594c1 100644 --- a/sound/soc/qcom/lpass.h +++ b/sound/soc/qcom/lpass.h @@ -13,10 +13,11 @@ #include <linux/platform_device.h> #include <linux/regmap.h> #include <dt-bindings/sound/qcom,lpass.h> +#include <dt-bindings/sound/qcom,q6afe.h> #include "lpass-hdmi.h" #define LPASS_AHBIX_CLOCK_FREQUENCY 131072000 -#define LPASS_MAX_PORTS (LPASS_CDC_DMA_VA_TX8 + 1) +#define LPASS_MAX_PORTS (DISPLAY_PORT_RX_7 + 1) #define LPASS_MAX_MI2S_PORTS (8) #define LPASS_MAX_DMA_CHANNELS (8) #define LPASS_MAX_HDMI_DMA_CHANNELS (4)

6 months, 2 weeks

3
3
0 0

[PATCH 5.4/5.10] nvmet-fc: Remove unused functions

by WangYuli

[ Upstream commit 1b304c006b0fb4f0517a8c4ba8c46e88f48a069c ] The functions nvmet_fc_iodnum() and nvmet_fc_fodnum() are currently unutilized. Following commit c53432030d86 ("nvme-fabrics: Add target support for FC transport"), which introduced these two functions, they have not been used at all in practice. Remove them to resolve the compiler warnings. Fix follow errors with clang-19 when W=1e: drivers/nvme/target/fc.c:177:1: error: unused function 'nvmet_fc_iodnum' [-Werror,-Wunused-function] 177 | nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr) | ^~~~~~~~~~~~~~~ drivers/nvme/target/fc.c:183:1: error: unused function 'nvmet_fc_fodnum' [-Werror,-Wunused-function] 183 | nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr) | ^~~~~~~~~~~~~~~ 2 errors generated. make[8]: *** [scripts/Makefile.build:207: drivers/nvme/target/fc.o] Error 1 make[7]: *** [scripts/Makefile.build:465: drivers/nvme/target] Error 2 make[6]: *** [scripts/Makefile.build:465: drivers/nvme] Error 2 make[6]: *** Waiting for unfinished jobs.... Fixes: c53432030d86 ("nvme-fabrics: Add target support for FC transport") Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Keith Busch <kbusch(a)kernel.org> --- drivers/nvme/target/fc.c | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index 846fb41da643..321859753ae8 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c @@ -169,20 +169,6 @@ struct nvmet_fc_tgt_assoc { struct work_struct del_work; }; - -static inline int -nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr) -{ - return (iodptr - iodptr->tgtport->iod); -} - -static inline int -nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr) -{ - return (fodptr - fodptr->queue->fod); -} - - /* * Association and Connection IDs: * -- 2.49.0

6 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/vma: add give_up_on_oom option on modify/merge, use in" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 41e6ddcaa0f18dda4c3fadf22533775a30d6f72f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042100-pasty-liver-e6a7@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41e6ddcaa0f18dda4c3fadf22533775a30d6f72f Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Fri, 21 Mar 2025 10:09:37 +0000 Subject: [PATCH] mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Currently, if a VMA merge fails due to an OOM condition arising on commit merge or a failure to duplicate anon_vma's, we report this so the caller can handle it. However there are cases where the caller is only ostensibly trying a merge, and doesn't mind if it fails due to this condition. Since we do not want to introduce an implicit assumption that we only actually modify VMAs after OOM conditions might arise, add a 'give up on oom' option and make an explicit contract that, should this flag be set, we absolutely will not modify any VMAs should OOM arise and just bail out. Since it'd be very unusual for a user to try to vma_modify() with this flag set but be specifying a range within a VMA which ends up being split (which can fail due to rlimit issues, not only OOM), we add a debug warning for this condition. The motivating reason for this is uffd release - syzkaller (and Pedro Falcato's VERY astute analysis) found a way in which an injected fault on allocation, triggering an OOM condition on commit merge, would result in uffd code becoming confused and treating an error value as if it were a VMA pointer. To avoid this, we make use of this new VMG flag to ensure that this never occurs, utilising the fact that, should we be clearing entire VMAs, we do not wish an OOM event to be reported to us. Many thanks to Pedro Falcato for his excellent analysis and Jann Horn for his insightful and intelligent analysis of the situation, both of whom were instrumental in this fix. Link: https://lkml.kernel.org/r/20250321100937.46634-1-lorenzo.stoakes@oracle.com Reported-by: syzbot+20ed41006cf9d842c2b5(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001e.GAE@google.com/ Fixes: 47b16d0462a4 ("mm: abort vma_modify() on merge out of memory failure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Suggested-by: Pedro Falcato <pfalcato(a)suse.de> Suggested-by: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index fbf2cf62ab9f..7d5d709cc838 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1902,6 +1902,14 @@ struct vm_area_struct *userfaultfd_clear_vma(struct vma_iterator *vmi, unsigned long end) { struct vm_area_struct *ret; + bool give_up_on_oom = false; + + /* + * If we are modifying only and not splitting, just give up on the merge + * if OOM prevents us from merging successfully. + */ + if (start == vma->vm_start && end == vma->vm_end) + give_up_on_oom = true; /* Reset ptes for the whole vma range if wr-protected */ if (userfaultfd_wp(vma)) @@ -1909,7 +1917,7 @@ struct vm_area_struct *userfaultfd_clear_vma(struct vma_iterator *vmi, ret = vma_modify_flags_uffd(vmi, prev, vma, start, end, vma->vm_flags & ~__VM_UFFD_FLAGS, - NULL_VM_UFFD_CTX); + NULL_VM_UFFD_CTX, give_up_on_oom); /* * In the vma_merge() successful mprotect-like case 8: @@ -1960,7 +1968,8 @@ int userfaultfd_register_range(struct userfaultfd_ctx *ctx, new_flags = (vma->vm_flags & ~__VM_UFFD_FLAGS) | vm_flags; vma = vma_modify_flags_uffd(&vmi, prev, vma, start, vma_end, new_flags, - (struct vm_userfaultfd_ctx){ctx}); + (struct vm_userfaultfd_ctx){ctx}, + /* give_up_on_oom = */false); if (IS_ERR(vma)) return PTR_ERR(vma); diff --git a/mm/vma.c b/mm/vma.c index 5cdc5612bfc1..839d12f02c88 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -666,6 +666,9 @@ static void vmg_adjust_set_range(struct vma_merge_struct *vmg) /* * Actually perform the VMA merge operation. * + * IMPORTANT: We guarantee that, should vmg->give_up_on_oom is set, to not + * modify any VMAs or cause inconsistent state should an OOM condition arise. + * * Returns 0 on success, or an error value on failure. */ static int commit_merge(struct vma_merge_struct *vmg) @@ -685,6 +688,12 @@ static int commit_merge(struct vma_merge_struct *vmg) init_multi_vma_prep(&vp, vma, vmg); + /* + * If vmg->give_up_on_oom is set, we're safe, because we don't actually + * manipulate any VMAs until we succeed at preallocation. + * + * Past this point, we will not return an error. + */ if (vma_iter_prealloc(vmg->vmi, vma)) return -ENOMEM; @@ -915,7 +924,13 @@ static __must_check struct vm_area_struct *vma_merge_existing_range( if (anon_dup) unlink_anon_vmas(anon_dup); - vmg->state = VMA_MERGE_ERROR_NOMEM; + /* + * We've cleaned up any cloned anon_vma's, no VMAs have been + * modified, no harm no foul if the user requests that we not + * report this and just give up, leaving the VMAs unmerged. + */ + if (!vmg->give_up_on_oom) + vmg->state = VMA_MERGE_ERROR_NOMEM; return NULL; } @@ -926,7 +941,15 @@ static __must_check struct vm_area_struct *vma_merge_existing_range( abort: vma_iter_set(vmg->vmi, start); vma_iter_load(vmg->vmi); - vmg->state = VMA_MERGE_ERROR_NOMEM; + + /* + * This means we have failed to clone anon_vma's correctly, but no + * actual changes to VMAs have occurred, so no harm no foul - if the + * user doesn't want this reported and instead just wants to give up on + * the merge, allow it. + */ + if (!vmg->give_up_on_oom) + vmg->state = VMA_MERGE_ERROR_NOMEM; return NULL; } @@ -1068,6 +1091,10 @@ int vma_expand(struct vma_merge_struct *vmg) /* This should already have been checked by this point. */ VM_WARN_ON_VMG(!can_merge_remove_vma(next), vmg); vma_start_write(next); + /* + * In this case we don't report OOM, so vmg->give_up_on_mm is + * safe. + */ ret = dup_anon_vma(middle, next, &anon_dup); if (ret) return ret; @@ -1090,9 +1117,15 @@ int vma_expand(struct vma_merge_struct *vmg) return 0; nomem: - vmg->state = VMA_MERGE_ERROR_NOMEM; if (anon_dup) unlink_anon_vmas(anon_dup); + /* + * If the user requests that we just give upon OOM, we are safe to do so + * here, as commit merge provides this contract to us. Nothing has been + * changed - no harm no foul, just don't report it. + */ + if (!vmg->give_up_on_oom) + vmg->state = VMA_MERGE_ERROR_NOMEM; return -ENOMEM; } @@ -1534,6 +1567,13 @@ static struct vm_area_struct *vma_modify(struct vma_merge_struct *vmg) if (vmg_nomem(vmg)) return ERR_PTR(-ENOMEM); + /* + * Split can fail for reasons other than OOM, so if the user requests + * this it's probably a mistake. + */ + VM_WARN_ON(vmg->give_up_on_oom && + (vma->vm_start != start || vma->vm_end != end)); + /* Split any preceding portion of the VMA. */ if (vma->vm_start < start) { int err = split_vma(vmg->vmi, vma, start, 1); @@ -1602,12 +1642,15 @@ struct vm_area_struct struct vm_area_struct *vma, unsigned long start, unsigned long end, unsigned long new_flags, - struct vm_userfaultfd_ctx new_ctx) + struct vm_userfaultfd_ctx new_ctx, + bool give_up_on_oom) { VMG_VMA_STATE(vmg, vmi, prev, vma, start, end); vmg.flags = new_flags; vmg.uffd_ctx = new_ctx; + if (give_up_on_oom) + vmg.give_up_on_oom = true; return vma_modify(&vmg); } diff --git a/mm/vma.h b/mm/vma.h index 7356ca5a22d3..149926e8a6d1 100644 --- a/mm/vma.h +++ b/mm/vma.h @@ -114,6 +114,12 @@ struct vma_merge_struct { */ bool just_expand :1; + /* + * If a merge is possible, but an OOM error occurs, give up and don't + * execute the merge, returning NULL. + */ + bool give_up_on_oom :1; + /* Internal flags set during merge process: */ /* @@ -255,7 +261,8 @@ __must_check struct vm_area_struct struct vm_area_struct *vma, unsigned long start, unsigned long end, unsigned long new_flags, - struct vm_userfaultfd_ctx new_ctx); + struct vm_userfaultfd_ctx new_ctx, + bool give_up_on_oom); __must_check struct vm_area_struct *vma_merge_new_range(struct vma_merge_struct *vmg);

6 months, 2 weeks

3
2
0 0

[PATCH 5.10.y] s390/dasd: fix double module refcount decrement

by Feng Liu

From: Miroslav Franc <mfranc(a)suse.cz> [ Upstream commit c3116e62ddeff79cae342147753ce596f01fcf06 ] Once the discipline is associated with the device, deleting the device takes care of decrementing the module's refcount. Doing it manually on this error path causes refcount to artificially decrease on each error while it should just stay the same. Fixes: c020d722b110 ("s390/dasd: fix panic during offline processing") Signed-off-by: Miroslav Franc <mfranc(a)suse.cz> Signed-off-by: Jan Höppner <hoeppner(a)linux.ibm.com> Signed-off-by: Stefan Haberland <sth(a)linux.ibm.com> Link: https://lore.kernel.org/r/20240209124522.3697827-3-sth@linux.ibm.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> [Minor context change fixed] Signed-off-by: Feng Liu <Feng.Liu3(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- drivers/s390/block/dasd.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c index 0b09ed6ac133..a3eddca14cbf 100644 --- a/drivers/s390/block/dasd.c +++ b/drivers/s390/block/dasd.c @@ -3637,12 +3637,11 @@ int dasd_generic_set_online(struct ccw_device *cdev, dasd_delete_device(device); return -EINVAL; } + device->base_discipline = base_discipline; if (!try_module_get(discipline->owner)) { - module_put(base_discipline->owner); dasd_delete_device(device); return -EINVAL; } - device->base_discipline = base_discipline; device->discipline = discipline; /* check_device will allocate block device if necessary */ @@ -3650,8 +3649,6 @@ int dasd_generic_set_online(struct ccw_device *cdev, if (rc) { pr_warn("%s Setting the DASD online with discipline %s failed with rc=%i\n", dev_name(&cdev->dev), discipline->name, rc); - module_put(discipline->owner); - module_put(base_discipline->owner); dasd_delete_device(device); return rc; } -- 2.34.1

6 months, 2 weeks

2
1
0 0

[PATCH 5.15/6.1/6.6] nvmet-fc: Remove unused functions

by WangYuli

[ Upstream commit 1b304c006b0fb4f0517a8c4ba8c46e88f48a069c ] The functions nvmet_fc_iodnum() and nvmet_fc_fodnum() are currently unutilized. Following commit c53432030d86 ("nvme-fabrics: Add target support for FC transport"), which introduced these two functions, they have not been used at all in practice. Remove them to resolve the compiler warnings. Fix follow errors with clang-19 when W=1e: drivers/nvme/target/fc.c:177:1: error: unused function 'nvmet_fc_iodnum' [-Werror,-Wunused-function] 177 | nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr) | ^~~~~~~~~~~~~~~ drivers/nvme/target/fc.c:183:1: error: unused function 'nvmet_fc_fodnum' [-Werror,-Wunused-function] 183 | nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr) | ^~~~~~~~~~~~~~~ 2 errors generated. make[8]: *** [scripts/Makefile.build:207: drivers/nvme/target/fc.o] Error 1 make[7]: *** [scripts/Makefile.build:465: drivers/nvme/target] Error 2 make[6]: *** [scripts/Makefile.build:465: drivers/nvme] Error 2 make[6]: *** Waiting for unfinished jobs.... Fixes: c53432030d86 ("nvme-fabrics: Add target support for FC transport") Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Keith Busch <kbusch(a)kernel.org> --- drivers/nvme/target/fc.c | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index d3ca59ae4c7a..88893e78661c 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c @@ -173,20 +173,6 @@ struct nvmet_fc_tgt_assoc { struct rcu_head rcu; }; - -static inline int -nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr) -{ - return (iodptr - iodptr->tgtport->iod); -} - -static inline int -nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr) -{ - return (fodptr - fodptr->queue->fod); -} - - /* * Association and Connection IDs: * -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH 5.4+] MIPS: ds1287: Match ds1287_set_base_clock() function types

by WangYuli

[ Upstream commit a759109b234385b74d2f5f4c86b5f59b3201ec12 ] Synchronize the declaration of ds1287_set_base_clock() between cevt-ds1287.c and ds1287.h. Fix follow error with gcc-14 when -Werror: arch/mips/kernel/cevt-ds1287.c:21:5: error: conflicting types for ‘ds1287_set_base_clock’; have ‘int(unsigned int)’ 21 | int ds1287_set_base_clock(unsigned int hz) | ^~~~~~~~~~~~~~~~~~~~~ In file included from arch/mips/kernel/cevt-ds1287.c:13: ./arch/mips/include/asm/ds1287.h:11:13: note: previous declaration of ‘ds1287_set_base_clock’ with type ‘void(unsigned int)’ 11 | extern void ds1287_set_base_clock(unsigned int clock); | ^~~~~~~~~~~~~~~~~~~~~ make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1 make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2 make[6]: *** Waiting for unfinished jobs.... Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Signed-off-by: Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> --- arch/mips/include/asm/ds1287.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/mips/include/asm/ds1287.h b/arch/mips/include/asm/ds1287.h index 46cfb01f9a14..51cb61fd4c03 100644 --- a/arch/mips/include/asm/ds1287.h +++ b/arch/mips/include/asm/ds1287.h @@ -8,7 +8,7 @@ #define __ASM_DS1287_H extern int ds1287_timer_state(void); -extern void ds1287_set_base_clock(unsigned int clock); +extern int ds1287_set_base_clock(unsigned int hz); extern int ds1287_clockevent_init(int irq); #endif -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH 5.4+] MIPS: dec: Declare which_prom() as static

by WangYuli

[ Upstream commit 55fa5868519bc48a7344a4c070efa2f4468f2167 ] Declare which_prom() as static to suppress gcc compiler warning that 'missing-prototypes'. This function is not intended to be called from other parts. Fix follow error with gcc-14 when -Werror: arch/mips/dec/prom/init.c:45:13: error: no previous prototype for ‘which_prom’ [-Werror=missing-prototypes] 45 | void __init which_prom(s32 magic, s32 *prom_vec) | ^~~~~~~~~~ cc1: all warnings being treated as errors make[6]: *** [scripts/Makefile.build:207: arch/mips/dec/prom/init.o] Error 1 make[5]: *** [scripts/Makefile.build:465: arch/mips/dec/prom] Error 2 make[5]: *** Waiting for unfinished jobs.... Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Signed-off-by: Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> --- arch/mips/dec/prom/init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/mips/dec/prom/init.c b/arch/mips/dec/prom/init.c index cb12eb211a49..8d74d7d6c05b 100644 --- a/arch/mips/dec/prom/init.c +++ b/arch/mips/dec/prom/init.c @@ -42,7 +42,7 @@ int (*__pmax_close)(int); * Detect which PROM the DECSTATION has, and set the callback vectors * appropriately. */ -void __init which_prom(s32 magic, s32 *prom_vec) +static void __init which_prom(s32 magic, s32 *prom_vec) { /* * No sign of the REX PROM's magic number means we assume a non-REX -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH] Handle Ice Lake MONITOR erratum

by Dave Hansen

From: Dave Hansen <dave.hansen(a)linux.intel.com> Andrew Cooper reported some boot issues on Ice Lake servers when running Xen that he tracked down to MWAIT not waking up. Do the safe thing and consider them buggy since there's a published erratum. Note: I've seen no reports of this occurring on Linux. Add Ice Lake servers to the list of shaky MONITOR implementations with no workaround available. Also, before the if() gets too unwieldy, move it over to a x86_cpu_id array. Additionally, add a comment to the X86_BUG_MONITOR consumption site to make it clear how and why affected CPUs get IPIs to wake them up. There is no equivalent erratum for the "Xeon D" Ice Lakes so INTEL_ICELAKE_D is not affected. The erratum is called ICX143 in the "3rd Gen Intel Xeon Scalable Processors, Codename Ice Lake Specification Update". It is Intel document 637780, currently available here: https://cdrdv2.intel.com/v1/dl/getContent/637780 Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Andrew Cooper <andrew.cooper3(a)citrix.com> Cc: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Cc: Len Brown <len.brown(a)intel.com> Cc: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- b/arch/x86/include/asm/mwait.h | 3 +++ b/arch/x86/kernel/cpu/intel.c | 17 ++++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff -puN arch/x86/kernel/cpu/intel.c~ICX-MONITOR-bug arch/x86/kernel/cpu/intel.c --- a/arch/x86/kernel/cpu/intel.c~ICX-MONITOR-bug 2025-04-18 13:54:46.022590596 -0700 +++ b/arch/x86/kernel/cpu/intel.c 2025-04-18 15:15:19.374365069 -0700 @@ -513,6 +513,19 @@ static void init_intel_misc_features(str } /* + * These CPUs have buggy MWAIT/MONITOR implementations that + * usually manifest as hangs or stalls at boot. + */ +#define MWAIT_VFM(_vfm) \ + X86_MATCH_VFM_FEATURE(_vfm, X86_FEATURE_MWAIT, 0) +static const struct x86_cpu_id monitor_bug_list[] = { + MWAIT_VFM(INTEL_ATOM_GOLDMONT), + MWAIT_VFM(INTEL_LUNARLAKE_M), + MWAIT_VFM(INTEL_ICELAKE_X), /* Erratum ICX143 */ + {}, +}; + +/* * This is a list of Intel CPUs that are known to suffer from downclocking when * ZMM registers (512-bit vectors) are used. On these CPUs, when the kernel * executes SIMD-optimized code such as cryptography functions or CRCs, it @@ -565,9 +578,7 @@ static void init_intel(struct cpuinfo_x8 c->x86_vfm == INTEL_WESTMERE_EX)) set_cpu_bug(c, X86_BUG_CLFLUSH_MONITOR); - if (boot_cpu_has(X86_FEATURE_MWAIT) && - (c->x86_vfm == INTEL_ATOM_GOLDMONT || - c->x86_vfm == INTEL_LUNARLAKE_M)) + if (x86_match_cpu(monitor_bug_list)) set_cpu_bug(c, X86_BUG_MONITOR); #ifdef CONFIG_X86_64 diff -puN arch/x86/include/asm/mwait.h~ICX-MONITOR-bug arch/x86/include/asm/mwait.h --- a/arch/x86/include/asm/mwait.h~ICX-MONITOR-bug 2025-04-18 15:17:18.353749634 -0700 +++ b/arch/x86/include/asm/mwait.h 2025-04-18 15:20:06.037927656 -0700 @@ -110,6 +110,9 @@ static __always_inline void __sti_mwait( * through MWAIT. Whenever someone changes need_resched, we would be woken * up from MWAIT (without an IPI). * + * Buggy (X86_BUG_MONITOR) CPUs will never set the polling bit and will + * always be sent IPIs. + * * New with Core Duo processors, MWAIT can take some hints based on CPU * capability. */ _

6 months, 2 weeks

5
5
0 0

[PATCH 6.1/6.6/6.12] LoongArch: Eliminate superfluous get_numa_distances_cnt()

by WangYuli

From: Yuli Wang <wangyuli(a)uniontech.com> [ Upstream commit a0d3c8bcb9206ac207c7ad3182027c6b0a1319bb ] In LoongArch, get_numa_distances_cnt() isn't in use, resulting in a compiler warning. Fix follow errors with clang-18 when W=1e: arch/loongarch/kernel/acpi.c:259:28: error: unused function 'get_numa_distances_cnt' [-Werror,-Wunused-function] 259 | static inline unsigned int get_numa_distances_cnt(struct acpi_table_slit *slit) | ^~~~~~~~~~~~~~~~~~~~~~ 1 error generated. Link: https://lore.kernel.org/all/Z7bHPVUH4lAezk0E@kernel.org/ Signed-off-by: Yuli Wang <wangyuli(a)uniontech.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/kernel/acpi.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/arch/loongarch/kernel/acpi.c b/arch/loongarch/kernel/acpi.c index 382a09a7152c..1120ac2824f6 100644 --- a/arch/loongarch/kernel/acpi.c +++ b/arch/loongarch/kernel/acpi.c @@ -249,18 +249,6 @@ static __init int setup_node(int pxm) return acpi_map_pxm_to_node(pxm); } -/* - * Callback for SLIT parsing. pxm_to_node() returns NUMA_NO_NODE for - * I/O localities since SRAT does not list them. I/O localities are - * not supported at this point. - */ -unsigned int numa_distance_cnt; - -static inline unsigned int get_numa_distances_cnt(struct acpi_table_slit *slit) -{ - return slit->locality_count; -} - void __init numa_set_distance(int from, int to, int distance) { if ((u8)distance != distance || (from == to && distance != LOCAL_DISTANCE)) { -- 2.49.0

6 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/vma: add give_up_on_oom option on modify/merge, use in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 41e6ddcaa0f18dda4c3fadf22533775a30d6f72f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042101-tigress-ream-51ab@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41e6ddcaa0f18dda4c3fadf22533775a30d6f72f Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Fri, 21 Mar 2025 10:09:37 +0000 Subject: [PATCH] mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Currently, if a VMA merge fails due to an OOM condition arising on commit merge or a failure to duplicate anon_vma's, we report this so the caller can handle it. However there are cases where the caller is only ostensibly trying a merge, and doesn't mind if it fails due to this condition. Since we do not want to introduce an implicit assumption that we only actually modify VMAs after OOM conditions might arise, add a 'give up on oom' option and make an explicit contract that, should this flag be set, we absolutely will not modify any VMAs should OOM arise and just bail out. Since it'd be very unusual for a user to try to vma_modify() with this flag set but be specifying a range within a VMA which ends up being split (which can fail due to rlimit issues, not only OOM), we add a debug warning for this condition. The motivating reason for this is uffd release - syzkaller (and Pedro Falcato's VERY astute analysis) found a way in which an injected fault on allocation, triggering an OOM condition on commit merge, would result in uffd code becoming confused and treating an error value as if it were a VMA pointer. To avoid this, we make use of this new VMG flag to ensure that this never occurs, utilising the fact that, should we be clearing entire VMAs, we do not wish an OOM event to be reported to us. Many thanks to Pedro Falcato for his excellent analysis and Jann Horn for his insightful and intelligent analysis of the situation, both of whom were instrumental in this fix. Link: https://lkml.kernel.org/r/20250321100937.46634-1-lorenzo.stoakes@oracle.com Reported-by: syzbot+20ed41006cf9d842c2b5(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001e.GAE@google.com/ Fixes: 47b16d0462a4 ("mm: abort vma_modify() on merge out of memory failure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Suggested-by: Pedro Falcato <pfalcato(a)suse.de> Suggested-by: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index fbf2cf62ab9f..7d5d709cc838 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1902,6 +1902,14 @@ struct vm_area_struct *userfaultfd_clear_vma(struct vma_iterator *vmi, unsigned long end) { struct vm_area_struct *ret; + bool give_up_on_oom = false; + + /* + * If we are modifying only and not splitting, just give up on the merge + * if OOM prevents us from merging successfully. + */ + if (start == vma->vm_start && end == vma->vm_end) + give_up_on_oom = true; /* Reset ptes for the whole vma range if wr-protected */ if (userfaultfd_wp(vma)) @@ -1909,7 +1917,7 @@ struct vm_area_struct *userfaultfd_clear_vma(struct vma_iterator *vmi, ret = vma_modify_flags_uffd(vmi, prev, vma, start, end, vma->vm_flags & ~__VM_UFFD_FLAGS, - NULL_VM_UFFD_CTX); + NULL_VM_UFFD_CTX, give_up_on_oom); /* * In the vma_merge() successful mprotect-like case 8: @@ -1960,7 +1968,8 @@ int userfaultfd_register_range(struct userfaultfd_ctx *ctx, new_flags = (vma->vm_flags & ~__VM_UFFD_FLAGS) | vm_flags; vma = vma_modify_flags_uffd(&vmi, prev, vma, start, vma_end, new_flags, - (struct vm_userfaultfd_ctx){ctx}); + (struct vm_userfaultfd_ctx){ctx}, + /* give_up_on_oom = */false); if (IS_ERR(vma)) return PTR_ERR(vma); diff --git a/mm/vma.c b/mm/vma.c index 5cdc5612bfc1..839d12f02c88 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -666,6 +666,9 @@ static void vmg_adjust_set_range(struct vma_merge_struct *vmg) /* * Actually perform the VMA merge operation. * + * IMPORTANT: We guarantee that, should vmg->give_up_on_oom is set, to not + * modify any VMAs or cause inconsistent state should an OOM condition arise. + * * Returns 0 on success, or an error value on failure. */ static int commit_merge(struct vma_merge_struct *vmg) @@ -685,6 +688,12 @@ static int commit_merge(struct vma_merge_struct *vmg) init_multi_vma_prep(&vp, vma, vmg); + /* + * If vmg->give_up_on_oom is set, we're safe, because we don't actually + * manipulate any VMAs until we succeed at preallocation. + * + * Past this point, we will not return an error. + */ if (vma_iter_prealloc(vmg->vmi, vma)) return -ENOMEM; @@ -915,7 +924,13 @@ static __must_check struct vm_area_struct *vma_merge_existing_range( if (anon_dup) unlink_anon_vmas(anon_dup); - vmg->state = VMA_MERGE_ERROR_NOMEM; + /* + * We've cleaned up any cloned anon_vma's, no VMAs have been + * modified, no harm no foul if the user requests that we not + * report this and just give up, leaving the VMAs unmerged. + */ + if (!vmg->give_up_on_oom) + vmg->state = VMA_MERGE_ERROR_NOMEM; return NULL; } @@ -926,7 +941,15 @@ static __must_check struct vm_area_struct *vma_merge_existing_range( abort: vma_iter_set(vmg->vmi, start); vma_iter_load(vmg->vmi); - vmg->state = VMA_MERGE_ERROR_NOMEM; + + /* + * This means we have failed to clone anon_vma's correctly, but no + * actual changes to VMAs have occurred, so no harm no foul - if the + * user doesn't want this reported and instead just wants to give up on + * the merge, allow it. + */ + if (!vmg->give_up_on_oom) + vmg->state = VMA_MERGE_ERROR_NOMEM; return NULL; } @@ -1068,6 +1091,10 @@ int vma_expand(struct vma_merge_struct *vmg) /* This should already have been checked by this point. */ VM_WARN_ON_VMG(!can_merge_remove_vma(next), vmg); vma_start_write(next); + /* + * In this case we don't report OOM, so vmg->give_up_on_mm is + * safe. + */ ret = dup_anon_vma(middle, next, &anon_dup); if (ret) return ret; @@ -1090,9 +1117,15 @@ int vma_expand(struct vma_merge_struct *vmg) return 0; nomem: - vmg->state = VMA_MERGE_ERROR_NOMEM; if (anon_dup) unlink_anon_vmas(anon_dup); + /* + * If the user requests that we just give upon OOM, we are safe to do so + * here, as commit merge provides this contract to us. Nothing has been + * changed - no harm no foul, just don't report it. + */ + if (!vmg->give_up_on_oom) + vmg->state = VMA_MERGE_ERROR_NOMEM; return -ENOMEM; } @@ -1534,6 +1567,13 @@ static struct vm_area_struct *vma_modify(struct vma_merge_struct *vmg) if (vmg_nomem(vmg)) return ERR_PTR(-ENOMEM); + /* + * Split can fail for reasons other than OOM, so if the user requests + * this it's probably a mistake. + */ + VM_WARN_ON(vmg->give_up_on_oom && + (vma->vm_start != start || vma->vm_end != end)); + /* Split any preceding portion of the VMA. */ if (vma->vm_start < start) { int err = split_vma(vmg->vmi, vma, start, 1); @@ -1602,12 +1642,15 @@ struct vm_area_struct struct vm_area_struct *vma, unsigned long start, unsigned long end, unsigned long new_flags, - struct vm_userfaultfd_ctx new_ctx) + struct vm_userfaultfd_ctx new_ctx, + bool give_up_on_oom) { VMG_VMA_STATE(vmg, vmi, prev, vma, start, end); vmg.flags = new_flags; vmg.uffd_ctx = new_ctx; + if (give_up_on_oom) + vmg.give_up_on_oom = true; return vma_modify(&vmg); } diff --git a/mm/vma.h b/mm/vma.h index 7356ca5a22d3..149926e8a6d1 100644 --- a/mm/vma.h +++ b/mm/vma.h @@ -114,6 +114,12 @@ struct vma_merge_struct { */ bool just_expand :1; + /* + * If a merge is possible, but an OOM error occurs, give up and don't + * execute the merge, returning NULL. + */ + bool give_up_on_oom :1; + /* Internal flags set during merge process: */ /* @@ -255,7 +261,8 @@ __must_check struct vm_area_struct struct vm_area_struct *vma, unsigned long start, unsigned long end, unsigned long new_flags, - struct vm_userfaultfd_ctx new_ctx); + struct vm_userfaultfd_ctx new_ctx, + bool give_up_on_oom); __must_check struct vm_area_struct *vma_merge_new_range(struct vma_merge_struct *vmg);

6 months, 2 weeks

3
2
0 0

[PATCH 5.4+] MIPS: cevt-ds1287: Add missing ds1287.h include

by WangYuli

[ Upstream commit f3be225f338a578851a7b607a409f476354a8deb ] Address the issue of cevt-ds1287.c not including the ds1287.h header file. Fix follow errors with gcc-14 when -Werror: arch/mips/kernel/cevt-ds1287.c:15:5: error: no previous prototype for ‘ds1287_timer_state’ [-Werror=missing-prototypes] 15 | int ds1287_timer_state(void) | ^~~~~~~~~~~~~~~~~~ arch/mips/kernel/cevt-ds1287.c:20:5: error: no previous prototype for ‘ds1287_set_base_clock’ [-Werror=missing-prototypes] 20 | int ds1287_set_base_clock(unsigned int hz) | ^~~~~~~~~~~~~~~~~~~~~ arch/mips/kernel/cevt-ds1287.c:103:12: error: no previous prototype for ‘ds1287_clockevent_init’ [-Werror=missing-prototypes] 103 | int __init ds1287_clockevent_init(int irq) | ^~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors make[7]: *** [scripts/Makefile.build:207: arch/mips/kernel/cevt-ds1287.o] Error 1 make[7]: *** Waiting for unfinished jobs.... make[6]: *** [scripts/Makefile.build:465: arch/mips/kernel] Error 2 make[6]: *** Waiting for unfinished jobs.... Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Signed-off-by: Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> --- arch/mips/kernel/cevt-ds1287.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/mips/kernel/cevt-ds1287.c b/arch/mips/kernel/cevt-ds1287.c index 9a47fbcd4638..de64d6bb7ba3 100644 --- a/arch/mips/kernel/cevt-ds1287.c +++ b/arch/mips/kernel/cevt-ds1287.c @@ -10,6 +10,7 @@ #include <linux/mc146818rtc.h> #include <linux/irq.h> +#include <asm/ds1287.h> #include <asm/time.h> int ds1287_timer_state(void) -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH 6.12/6.14] nvmet-fc: Remove unused functions

by WangYuli

[ Upstream commit 1b304c006b0fb4f0517a8c4ba8c46e88f48a069c ] The functions nvmet_fc_iodnum() and nvmet_fc_fodnum() are currently unutilized. Following commit c53432030d86 ("nvme-fabrics: Add target support for FC transport"), which introduced these two functions, they have not been used at all in practice. Remove them to resolve the compiler warnings. Fix follow errors with clang-19 when W=1e: drivers/nvme/target/fc.c:177:1: error: unused function 'nvmet_fc_iodnum' [-Werror,-Wunused-function] 177 | nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr) | ^~~~~~~~~~~~~~~ drivers/nvme/target/fc.c:183:1: error: unused function 'nvmet_fc_fodnum' [-Werror,-Wunused-function] 183 | nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr) | ^~~~~~~~~~~~~~~ 2 errors generated. make[8]: *** [scripts/Makefile.build:207: drivers/nvme/target/fc.o] Error 1 make[7]: *** [scripts/Makefile.build:465: drivers/nvme/target] Error 2 make[6]: *** [scripts/Makefile.build:465: drivers/nvme] Error 2 make[6]: *** Waiting for unfinished jobs.... Fixes: c53432030d86 ("nvme-fabrics: Add target support for FC transport") Signed-off-by: WangYuli <wangyuli(a)uniontech.com> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Keith Busch <kbusch(a)kernel.org> --- drivers/nvme/target/fc.c | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index 3ef4beacde32..7318b736d414 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c @@ -172,20 +172,6 @@ struct nvmet_fc_tgt_assoc { struct work_struct del_work; }; - -static inline int -nvmet_fc_iodnum(struct nvmet_fc_ls_iod *iodptr) -{ - return (iodptr - iodptr->tgtport->iod); -} - -static inline int -nvmet_fc_fodnum(struct nvmet_fc_fcp_iod *fodptr) -{ - return (fodptr - fodptr->queue->fod); -} - - /* * Association and Connection IDs: * -- 2.49.0

6 months, 2 weeks

2
1
0 0

[PATCH 6.1&6.6 V4 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0

by Huacai Chen

Backport this series to 6.1&6.6 because we get build errors with GCC14 and OpenSSL3 (or later): certs/extract-cert.c: In function 'main': certs/extract-cert.c:124:17: error: implicit declaration of function 'ENGINE_load_builtin_engines' [-Wimplicit-function-declaration] 124 | ENGINE_load_builtin_engines(); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ certs/extract-cert.c:126:21: error: implicit declaration of function 'ENGINE_by_id' [-Wimplicit-function-declaration] 126 | e = ENGINE_by_id("pkcs11"); | ^~~~~~~~~~~~ certs/extract-cert.c:126:19: error: assignment to 'ENGINE *' {aka 'struct engine_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion] 126 | e = ENGINE_by_id("pkcs11"); | ^ certs/extract-cert.c:128:21: error: implicit declaration of function 'ENGINE_init' [-Wimplicit-function-declaration] 128 | if (ENGINE_init(e)) | ^~~~~~~~~~~ certs/extract-cert.c:133:30: error: implicit declaration of function 'ENGINE_ctrl_cmd_string' [-Wimplicit-function-declaration] 133 | ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); | ^~~~~~~~~~~~~~~~~~~~~~ certs/extract-cert.c:64:32: note: in definition of macro 'ERR' 64 | bool __cond = (cond); \ | ^~~~ certs/extract-cert.c:134:17: error: implicit declaration of function 'ENGINE_ctrl_cmd' [-Wimplicit-function-declaration] 134 | ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); | ^~~~~~~~~~~~~~~ In theory 5.4&5.10&5.15 also need this, but they need more efforts because file paths are different. The ENGINE interface has its limitations and it has been superseded by the PROVIDER API, it is deprecated in OpenSSL version 3.0. Some distros have started removing it from header files. Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >= 3. Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2, openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM and PKCS11 and comparing that the result is identical. V1 -> V2: Add upstream commit id. V2 -> V3: Add correct version id. V3 -> V4: Use --patience to generate patches. Jan Stancek (3): sign-file,extract-cert: move common SSL helper functions to a header sign-file,extract-cert: avoid using deprecated ERR_get_error_line() sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Signed-off-by: Jan Stancek <jstancek(a)redhat.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- MAINTAINERS | 1 + certs/Makefile | 2 +- certs/extract-cert.c | 138 +++++++++++++++++++++++-------------------- scripts/sign-file.c | 134 +++++++++++++++++++++-------------------- scripts/ssl-common.h | 32 ++++++++++ 5 files changed, 178 insertions(+), 129 deletions(-) create mode 100644 scripts/ssl-common.h --- 2.27.0

6 months, 2 weeks

2
6
0 0

FAILED: patch "[PATCH] mm: fix apply_to_existing_page_range()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a995199384347261bb3f21b2e171fa7f988bd2f8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042114-author-badness-6b2c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a995199384347261bb3f21b2e171fa7f988bd2f8 Mon Sep 17 00:00:00 2001 From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Date: Wed, 9 Apr 2025 12:40:43 +0300 Subject: [PATCH] mm: fix apply_to_existing_page_range() In the case of apply_to_existing_page_range(), apply_to_pte_range() is reached with 'create' set to false. When !create, the loop over the PTE page table is broken. apply_to_pte_range() will only move to the next PTE entry if 'create' is true or if the current entry is not pte_none(). This means that the user of apply_to_existing_page_range() will not have 'fn' called for any entries after the first pte_none() in the PTE page table. Fix the loop logic in apply_to_pte_range(). There are no known runtime issues from this, but the fix is trivial enough for stable@ even without a known buggy user. Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.in… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper") Cc: Daniel Axtens <dja(a)axtens.net> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index 1a35165622e1..44481fe7c629 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2938,11 +2938,11 @@ static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd, if (fn) { do { if (create || !pte_none(ptep_get(pte))) { - err = fn(pte++, addr, data); + err = fn(pte, addr, data); if (err) break; } - } while (addr += PAGE_SIZE, addr != end); + } while (pte++, addr += PAGE_SIZE, addr != end); } *mask |= PGTBL_PTE_MODIFIED;

6 months, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] mm: fix apply_to_existing_page_range()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a995199384347261bb3f21b2e171fa7f988bd2f8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042115-penholder-famished-11cb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a995199384347261bb3f21b2e171fa7f988bd2f8 Mon Sep 17 00:00:00 2001 From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Date: Wed, 9 Apr 2025 12:40:43 +0300 Subject: [PATCH] mm: fix apply_to_existing_page_range() In the case of apply_to_existing_page_range(), apply_to_pte_range() is reached with 'create' set to false. When !create, the loop over the PTE page table is broken. apply_to_pte_range() will only move to the next PTE entry if 'create' is true or if the current entry is not pte_none(). This means that the user of apply_to_existing_page_range() will not have 'fn' called for any entries after the first pte_none() in the PTE page table. Fix the loop logic in apply_to_pte_range(). There are no known runtime issues from this, but the fix is trivial enough for stable@ even without a known buggy user. Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.in… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper") Cc: Daniel Axtens <dja(a)axtens.net> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index 1a35165622e1..44481fe7c629 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2938,11 +2938,11 @@ static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd, if (fn) { do { if (create || !pte_none(ptep_get(pte))) { - err = fn(pte++, addr, data); + err = fn(pte, addr, data); if (err) break; } - } while (addr += PAGE_SIZE, addr != end); + } while (pte++, addr += PAGE_SIZE, addr != end); } *mask |= PGTBL_PTE_MODIFIED;

6 months, 2 weeks

3
2
0 0

[PATCH 5.15.y] drm/amdgpu: fix usage slab after free

by bin.lan.cn＠windriver.com

From: Vitaly Prosyak <vitaly.prosyak(a)amd.com> [ Upstream commit b61badd20b443eabe132314669bb51a263982e5c ] [ +0.000021] BUG: KASAN: slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000027] Read of size 8 at addr ffff8881b8605f88 by task amd_pci_unplug/2147 [ +0.000023] CPU: 6 PID: 2147 Comm: amd_pci_unplug Not tainted 6.10.0+ #1 [ +0.000016] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000016] Call Trace: [ +0.000008] <TASK> [ +0.000009] dump_stack_lvl+0x76/0xa0 [ +0.000017] print_report+0xce/0x5f0 [ +0.000017] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000019] ? srso_return_thunk+0x5/0x5f [ +0.000015] ? kasan_complete_mode_report_info+0x72/0x200 [ +0.000016] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000019] kasan_report+0xbe/0x110 [ +0.000015] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000023] __asan_report_load8_noabort+0x14/0x30 [ +0.000014] drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_write+0x14/0x30 [ +0.000016] ? __pfx_drm_sched_entity_flush+0x10/0x10 [gpu_sched] [ +0.000020] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? __kasan_check_write+0x14/0x30 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? enable_work+0x124/0x220 [ +0.000015] ? __pfx_enable_work+0x10/0x10 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? free_large_kmalloc+0x85/0xf0 [ +0.000016] drm_sched_entity_destroy+0x18/0x30 [gpu_sched] [ +0.000020] amdgpu_vce_sw_fini+0x55/0x170 [amdgpu] [ +0.000735] ? __kasan_check_read+0x11/0x20 [ +0.000016] vce_v4_0_sw_fini+0x80/0x110 [amdgpu] [ +0.000726] amdgpu_device_fini_sw+0x331/0xfc0 [amdgpu] [ +0.000679] ? mutex_unlock+0x80/0xe0 [ +0.000017] ? __pfx_amdgpu_device_fini_sw+0x10/0x10 [amdgpu] [ +0.000662] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? __kasan_check_write+0x14/0x30 [ +0.000013] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? mutex_unlock+0x80/0xe0 [ +0.000016] amdgpu_driver_release_kms+0x16/0x80 [amdgpu] [ +0.000663] drm_minor_release+0xc9/0x140 [drm] [ +0.000081] drm_release+0x1fd/0x390 [drm] [ +0.000082] __fput+0x36c/0xad0 [ +0.000018] __fput_sync+0x3c/0x50 [ +0.000014] __x64_sys_close+0x7d/0xe0 [ +0.000014] x64_sys_call+0x1bc6/0x2680 [ +0.000014] do_syscall_64+0x70/0x130 [ +0.000014] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? irqentry_exit_to_user_mode+0x60/0x190 [ +0.000015] ? srso_return_thunk+0x5/0x5f [ +0.000014] ? irqentry_exit+0x43/0x50 [ +0.000012] ? srso_return_thunk+0x5/0x5f [ +0.000013] ? exc_page_fault+0x7c/0x110 [ +0.000015] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000014] RIP: 0033:0x7ffff7b14f67 [ +0.000013] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff [ +0.000026] RSP: 002b:00007fffffffe378 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ +0.000019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67 [ +0.000014] RDX: 0000000000000000 RSI: 00007ffff7f6f47a RDI: 0000000000000003 [ +0.000014] RBP: 00007fffffffe3a0 R08: 0000555555569890 R09: 0000000000000000 [ +0.000014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8 [ +0.000013] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040 [ +0.000020] </TASK> [ +0.000016] Allocated by task 383 on cpu 7 at 26.880319s: [ +0.000014] kasan_save_stack+0x28/0x60 [ +0.000008] kasan_save_track+0x18/0x70 [ +0.000007] kasan_save_alloc_info+0x38/0x60 [ +0.000007] __kasan_kmalloc+0xc1/0xd0 [ +0.000007] kmalloc_trace_noprof+0x180/0x380 [ +0.000007] drm_sched_init+0x411/0xec0 [gpu_sched] [ +0.000012] amdgpu_device_init+0x695f/0xa610 [amdgpu] [ +0.000658] amdgpu_driver_load_kms+0x1a/0x120 [amdgpu] [ +0.000662] amdgpu_pci_probe+0x361/0xf30 [amdgpu] [ +0.000651] local_pci_probe+0xe7/0x1b0 [ +0.000009] pci_device_probe+0x248/0x890 [ +0.000008] really_probe+0x1fd/0x950 [ +0.000008] __driver_probe_device+0x307/0x410 [ +0.000007] driver_probe_device+0x4e/0x150 [ +0.000007] __driver_attach+0x223/0x510 [ +0.000006] bus_for_each_dev+0x102/0x1a0 [ +0.000007] driver_attach+0x3d/0x60 [ +0.000006] bus_add_driver+0x2ac/0x5f0 [ +0.000006] driver_register+0x13d/0x490 [ +0.000008] __pci_register_driver+0x1ee/0x2b0 [ +0.000007] llc_sap_close+0xb0/0x160 [llc] [ +0.000009] do_one_initcall+0x9c/0x3e0 [ +0.000008] do_init_module+0x241/0x760 [ +0.000008] load_module+0x51ac/0x6c30 [ +0.000006] __do_sys_init_module+0x234/0x270 [ +0.000007] __x64_sys_init_module+0x73/0xc0 [ +0.000006] x64_sys_call+0xe3/0x2680 [ +0.000006] do_syscall_64+0x70/0x130 [ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000015] Freed by task 2147 on cpu 6 at 160.507651s: [ +0.000013] kasan_save_stack+0x28/0x60 [ +0.000007] kasan_save_track+0x18/0x70 [ +0.000007] kasan_save_free_info+0x3b/0x60 [ +0.000007] poison_slab_object+0x115/0x1c0 [ +0.000007] __kasan_slab_free+0x34/0x60 [ +0.000007] kfree+0xfa/0x2f0 [ +0.000007] drm_sched_fini+0x19d/0x410 [gpu_sched] [ +0.000012] amdgpu_fence_driver_sw_fini+0xc4/0x2f0 [amdgpu] [ +0.000662] amdgpu_device_fini_sw+0x77/0xfc0 [amdgpu] [ +0.000653] amdgpu_driver_release_kms+0x16/0x80 [amdgpu] [ +0.000655] drm_minor_release+0xc9/0x140 [drm] [ +0.000071] drm_release+0x1fd/0x390 [drm] [ +0.000071] __fput+0x36c/0xad0 [ +0.000008] __fput_sync+0x3c/0x50 [ +0.000007] __x64_sys_close+0x7d/0xe0 [ +0.000007] x64_sys_call+0x1bc6/0x2680 [ +0.000007] do_syscall_64+0x70/0x130 [ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000014] The buggy address belongs to the object at ffff8881b8605f80 which belongs to the cache kmalloc-64 of size 64 [ +0.000020] The buggy address is located 8 bytes inside of freed 64-byte region [ffff8881b8605f80, ffff8881b8605fc0) [ +0.000028] The buggy address belongs to the physical page: [ +0.000011] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b8605 [ +0.000008] anon flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) [ +0.000007] page_type: 0xffffefff(slab) [ +0.000009] raw: 0017ffffc0000000 ffff8881000428c0 0000000000000000 dead000000000001 [ +0.000006] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000 [ +0.000006] page dumped because: kasan: bad access detected [ +0.000012] Memory state around the buggy address: [ +0.000011] ffff8881b8605e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ +0.000015] ffff8881b8605f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ +0.000015] >ffff8881b8605f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ +0.000013] ^ [ +0.000011] ffff8881b8606000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc [ +0.000014] ffff8881b8606080: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb [ +0.000013] ================================================================== The issue reproduced on VG20 during the IGT pci_unplug test. The root cause of the issue is that the function drm_sched_fini is called before drm_sched_entity_kill. In drm_sched_fini, the drm_sched_rq structure is freed, but this structure is later accessed by each entity within the run queue, leading to invalid memory access. To resolve this, the order of cleanup calls is updated: Before: amdgpu_fence_driver_sw_fini amdgpu_device_ip_fini After: amdgpu_device_ip_fini amdgpu_fence_driver_sw_fini This updated order ensures that all entities in the IPs are cleaned up first, followed by proper cleanup of the schedulers. Additional Investigation: During debugging, another issue was identified in the amdgpu_vce_sw_fini function. The vce.vcpu_bo buffer must be freed only as the final step in the cleanup process to prevent any premature access during earlier cleanup stages. v2: Using Christian suggestion call drm_sched_entity_destroy before drm_sched_fini. Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Vitaly Prosyak <vitaly.prosyak(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org [Minor context change fixed.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c index b11a98bee4f0..6ed4b1ffa4c9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c @@ -4008,8 +4008,8 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev) void amdgpu_device_fini_sw(struct amdgpu_device *adev) { - amdgpu_fence_driver_sw_fini(adev); amdgpu_device_ip_fini(adev); + amdgpu_fence_driver_sw_fini(adev); release_firmware(adev->firmware.gpu_info_fw); adev->firmware.gpu_info_fw = NULL; adev->accel_working = false; diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c index 9f7450a8d004..6d1516c357f5 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c @@ -220,15 +220,15 @@ int amdgpu_vce_sw_fini(struct amdgpu_device *adev) drm_sched_entity_destroy(&adev->vce.entity); - amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr, - (void **)&adev->vce.cpu_addr); - for (i = 0; i < adev->vce.num_rings; i++) amdgpu_ring_fini(&adev->vce.ring[i]); release_firmware(adev->vce.fw); mutex_destroy(&adev->vce.idle_mutex); + amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr, + (void **)&adev->vce.cpu_addr); + return 0; } -- 2.34.1

6 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: fix apply_to_existing_page_range()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x a995199384347261bb3f21b2e171fa7f988bd2f8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025042115-clock-repressed-cf8e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a995199384347261bb3f21b2e171fa7f988bd2f8 Mon Sep 17 00:00:00 2001 From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Date: Wed, 9 Apr 2025 12:40:43 +0300 Subject: [PATCH] mm: fix apply_to_existing_page_range() In the case of apply_to_existing_page_range(), apply_to_pte_range() is reached with 'create' set to false. When !create, the loop over the PTE page table is broken. apply_to_pte_range() will only move to the next PTE entry if 'create' is true or if the current entry is not pte_none(). This means that the user of apply_to_existing_page_range() will not have 'fn' called for any entries after the first pte_none() in the PTE page table. Fix the loop logic in apply_to_pte_range(). There are no known runtime issues from this, but the fix is trivial enough for stable@ even without a known buggy user. Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.in… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper") Cc: Daniel Axtens <dja(a)axtens.net> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index 1a35165622e1..44481fe7c629 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2938,11 +2938,11 @@ static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd, if (fn) { do { if (create || !pte_none(ptep_get(pte))) { - err = fn(pte++, addr, data); + err = fn(pte, addr, data); if (err) break; } - } while (addr += PAGE_SIZE, addr != end); + } while (pte++, addr += PAGE_SIZE, addr != end); } *mask |= PGTBL_PTE_MODIFIED;

6 months, 2 weeks

3
2
0 0

[REGRESSION] stable-rc/linux-6.1.y: (build) variable 'is_redirect' is used uninitialized whenever 'if' conditi...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.1.y: --- variable 'is_redirect' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] in net/sched/act_mirred.o (net/sched/act_mirred.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:596e739df5636c4348e4b5c1e97cb3db2187b60e - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 75ae2fb1c96adec2e5c35ad91b692a4e940c9edc Log excerpt: ===================================================== net/sched/act_mirred.c:265:6: error: variable 'is_redirect' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] 265 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ net/sched/act_mirred.c:331:6: note: uninitialized use occurs here 331 | if (is_redirect) | ^~~~~~~~~~~ net/sched/act_mirred.c:265:2: note: remove the 'if' if its condition is always false 265 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 266 | net_notice_ratelimited("tc mirred to Houston: device %s is down\n", | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 267 | dev->name); | ~~~~~~~~~~~ 268 | goto err_cant_do; | ~~~~~~~~~~~~~~~~~ 269 | } | ~ net/sched/act_mirred.c:265:6: error: variable 'is_redirect' is used uninitialized whenever '||' condition is true [-Werror,-Wsometimes-uninitialized] 265 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ net/sched/act_mirred.c:331:6: note: uninitialized use occurs here 331 | if (is_redirect) | ^~~~~~~~~~~ net/sched/act_mirred.c:265:6: note: remove the '||' if its condition is always false 265 | if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^ net/sched/act_mirred.c:260:6: error: variable 'is_redirect' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized] 260 | if (unlikely(!dev)) { | ^~~~~~~~~~~~~~ ./include/linux/compiler.h:78:22: note: expanded from macro 'unlikely' 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ net/sched/act_mirred.c:331:6: note: uninitialized use occurs here 331 | if (is_redirect) | ^~~~~~~~~~~ net/sched/act_mirred.c:260:2: note: remove the 'if' if its condition is always false 260 | if (unlikely(!dev)) { | ^~~~~~~~~~~~~~~~~~~~~ 261 | pr_notice_once("tc mirred: target device is gone\n"); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 262 | goto err_cant_do; | ~~~~~~~~~~~~~~~~~ 263 | } | ~ net/sched/act_mirred.c:238:18: note: initialize the variable 'is_redirect' to silence this warning 238 | bool is_redirect; | ^ | = 0 3 errors generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig on (arm64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6807ae9243948caad94dcfbb ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6807ae8e43948caad94dcfb8 ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6807aed943948caad94dcfee #kernelci issue maestro:596e739df5636c4348e4b5c1e97cb3db2187b60e Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

6 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-5.10.y: (build) use of undeclared identifier 'SDHCI_CLOCK_BASE_SHIFT' in drivers/m...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.10.y: --- use of undeclared identifier 'SDHCI_CLOCK_BASE_SHIFT' in drivers/mmc/host/sdhci-brcmstb.o (drivers/mmc/host/sdhci-brcmstb.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:1bbba9215f3aa3d5c2158789a2b0557774ea7ac1 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 09fe25955000ce514339e542e9a99a4159a45021 Log excerpt: ===================================================== drivers/mmc/host/sdhci-brcmstb.c:358:37: error: use of undeclared identifier 'SDHCI_CLOCK_BASE_SHIFT' 358 | host->caps |= (actual_clock_mhz << SDHCI_CLOCK_BASE_SHIFT); | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig on (arm64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6807ad7343948caad94dced6 ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6807ad6f43948caad94dced3 ## defconfig+arm64-chromebook+kselftest on (arm64): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:6807ad7643948caad94dced9 #kernelci issue maestro:1bbba9215f3aa3d5c2158789a2b0557774ea7ac1 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

6 months, 2 weeks

1
0
0 0

[PATCH] drm/amd/display: Fix slab-use-after-free in hdcp

by Mario Limonciello

From: Chris Bainbridge <chris.bainbridge(a)gmail.com> The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free: [ 66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10 [ 66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233 [ 66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024 [ 66.776186] Workqueue: events event_property_validate [amdgpu] [ 66.776494] Call Trace: [ 66.776496] <TASK> [ 66.776497] dump_stack_lvl+0x70/0xa0 [ 66.776504] print_report+0x175/0x555 [ 66.776507] ? __virt_addr_valid+0x243/0x450 [ 66.776510] ? kasan_complete_mode_report_info+0x66/0x1c0 [ 66.776515] kasan_report+0xeb/0x1c0 [ 66.776518] ? event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.776819] ? event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.777121] __asan_report_load4_noabort+0x14/0x20 [ 66.777124] event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.777342] ? __lock_acquire+0x6b40/0x6b40 [ 66.777347] ? enable_assr+0x250/0x250 [amdgpu] [ 66.777571] process_one_work+0x86b/0x1510 [ 66.777575] ? pwq_dec_nr_in_flight+0xcf0/0xcf0 [ 66.777578] ? assign_work+0x16b/0x280 [ 66.777580] ? lock_is_held_type+0xa3/0x130 [ 66.777583] worker_thread+0x5c0/0xfa0 [ 66.777587] ? process_one_work+0x1510/0x1510 [ 66.777588] kthread+0x3a2/0x840 [ 66.777591] ? kthread_is_per_cpu+0xd0/0xd0 [ 66.777594] ? trace_hardirqs_on+0x4f/0x60 [ 66.777597] ? _raw_spin_unlock_irq+0x27/0x60 [ 66.777599] ? calculate_sigpending+0x77/0xa0 [ 66.777602] ? kthread_is_per_cpu+0xd0/0xd0 [ 66.777605] ret_from_fork+0x40/0x90 [ 66.777607] ? kthread_is_per_cpu+0xd0/0xd0 [ 66.777609] ret_from_fork_asm+0x11/0x20 [ 66.777614] </TASK> [ 66.777643] Allocated by task 10: [ 66.777646] kasan_save_stack+0x39/0x60 [ 66.777649] kasan_save_track+0x14/0x40 [ 66.777652] kasan_save_alloc_info+0x37/0x50 [ 66.777655] __kasan_kmalloc+0xbb/0xc0 [ 66.777658] __kmalloc_cache_noprof+0x1c8/0x4b0 [ 66.777661] dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu] [ 66.777880] drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper] [ 66.777892] drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper] [ 66.777901] drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper] [ 66.777909] drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper] [ 66.777917] process_one_work+0x86b/0x1510 [ 66.777919] worker_thread+0x5c0/0xfa0 [ 66.777922] kthread+0x3a2/0x840 [ 66.777925] ret_from_fork+0x40/0x90 [ 66.777927] ret_from_fork_asm+0x11/0x20 [ 66.777932] Freed by task 1713: [ 66.777935] kasan_save_stack+0x39/0x60 [ 66.777938] kasan_save_track+0x14/0x40 [ 66.777940] kasan_save_free_info+0x3b/0x60 [ 66.777944] __kasan_slab_free+0x52/0x70 [ 66.777946] kfree+0x13f/0x4b0 [ 66.777949] dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu] [ 66.778179] drm_connector_free+0x7d/0xb0 [ 66.778184] drm_mode_object_put.part.0+0xee/0x160 [ 66.778188] drm_mode_object_put+0x37/0x50 [ 66.778191] drm_atomic_state_default_clear+0x220/0xd60 [ 66.778194] __drm_atomic_state_free+0x16e/0x2a0 [ 66.778197] drm_mode_atomic_ioctl+0x15ed/0x2ba0 [ 66.778200] drm_ioctl_kernel+0x17a/0x310 [ 66.778203] drm_ioctl+0x584/0xd10 [ 66.778206] amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu] [ 66.778375] __x64_sys_ioctl+0x139/0x1a0 [ 66.778378] x64_sys_call+0xee7/0xfb0 [ 66.778381] do_syscall_64+0x87/0x140 [ 66.778385] entry_SYSCALL_64_after_hwframe+0x4b/0x53 Fix this by properly incrementing and decrementing the reference counts when making and deleting copies of the amdgpu_dm_connector pointers. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4006 Signed-off-by: Chris Bainbridge <chris.bainbridge(a)gmail.com> Cc: <Stable(a)vger.kernel.org> Fixes: da3fd7ac0bcf3 ("drm/amd/display: Update CP property based on HW query") (Mario: rebase on current code and update fixes tag) Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- .../amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c index 2bd8dee1b7c2..26922d870b89 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c @@ -202,6 +202,9 @@ void hdcp_update_display(struct hdcp_workqueue *hdcp_work, unsigned int conn_index = aconnector->base.index; guard(mutex)(&hdcp_w->mutex); + drm_connector_get(&aconnector->base); + if (hdcp_w->aconnector[conn_index]) + drm_connector_put(&hdcp_w->aconnector[conn_index]->base); hdcp_w->aconnector[conn_index] = aconnector; memset(&link_adjust, 0, sizeof(link_adjust)); @@ -249,7 +252,6 @@ static void hdcp_remove_display(struct hdcp_workqueue *hdcp_work, unsigned int conn_index = aconnector->base.index; guard(mutex)(&hdcp_w->mutex); - hdcp_w->aconnector[conn_index] = aconnector; /* the removal of display will invoke auth reset -> hdcp destroy and * we'd expect the Content Protection (CP) property changed back to @@ -265,7 +267,10 @@ static void hdcp_remove_display(struct hdcp_workqueue *hdcp_work, } mod_hdcp_remove_display(&hdcp_w->hdcp, aconnector->base.index, &hdcp_w->output); - + if (hdcp_w->aconnector[conn_index]) { + drm_connector_put(&hdcp_w->aconnector[conn_index]->base); + hdcp_w->aconnector[conn_index] = NULL; + } process_output(hdcp_w); } @@ -283,6 +288,10 @@ void hdcp_reset_display(struct hdcp_workqueue *hdcp_work, unsigned int link_inde for (conn_index = 0; conn_index < AMDGPU_DM_MAX_DISPLAY_INDEX; conn_index++) { hdcp_w->encryption_status[conn_index] = MOD_HDCP_ENCRYPTION_STATUS_HDCP_OFF; + if (hdcp_w->aconnector[conn_index]) { + drm_connector_put(&hdcp_w->aconnector[conn_index]->base); + hdcp_w->aconnector[conn_index] = NULL; + } } process_output(hdcp_w); @@ -517,6 +526,7 @@ static void update_config(void *handle, struct cp_psp_stream_config *config) struct hdcp_workqueue *hdcp_work = handle; struct amdgpu_dm_connector *aconnector = config->dm_stream_ctx; int link_index = aconnector->dc_link->link_index; + unsigned int conn_index = aconnector->base.index; struct mod_hdcp_display *display = &hdcp_work[link_index].display; struct mod_hdcp_link *link = &hdcp_work[link_index].link; struct hdcp_workqueue *hdcp_w = &hdcp_work[link_index]; @@ -573,7 +583,10 @@ static void update_config(void *handle, struct cp_psp_stream_config *config) guard(mutex)(&hdcp_w->mutex); mod_hdcp_add_display(&hdcp_w->hdcp, link, display, &hdcp_w->output); - + drm_connector_get(&aconnector->base); + if (hdcp_w->aconnector[conn_index]) + drm_connector_put(&hdcp_w->aconnector[conn_index]->base); + hdcp_w->aconnector[conn_index] = aconnector; process_output(hdcp_w); } -- 2.49.0

6 months, 2 weeks

2
1
0 0

[REGRESSION] stable-rc/linux-5.10.y: (build) ‘SDHCI_CLOCK_BASE_SHIFT’ undeclared (first use in this function); ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.10.y: --- ‘SDHCI_CLOCK_BASE_SHIFT’ undeclared (first use in this function); did you mean ‘SDHCI_CLOCK_BASE_MASK’? in drivers/mmc/host/sdhci-brcmstb.o (drivers/mmc/host/sdhci-brcmstb.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:3d78010dfd35842399e06140837eff2c84b56458 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 09fe25955000ce514339e542e9a99a4159a45021 Log excerpt: ===================================================== drivers/mmc/host/sdhci-brcmstb.c:358:44: error: ‘SDHCI_CLOCK_BASE_SHIFT’ undeclared (first use in this function); did you mean ‘SDHCI_CLOCK_BASE_MASK’? 358 | host->caps |= (actual_clock_mhz << SDHCI_CLOCK_BASE_SHIFT); | ^~~~~~~~~~~~~~~~~~~~~~ | SDHCI_CLOCK_BASE_MASK drivers/mmc/host/sdhci-brcmstb.c:358:44: note: each undeclared identifier is reported only once for each function it appears in AR drivers/iio/humidity/built-in.a ===================================================== # Builds where the incident occurred: ## defconfig+arm64-chromebook+kcidebug+lab-setup on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6807ada943948caad94dcf07 ## defconfig+lab-setup+arm64-chromebook+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6807ad6043948caad94dcec7 ## defconfig+lab-setup+kselftest on (arm64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6807ada543948caad94dcf04 ## multi_v7_defconfig on (arm): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6807ad9a43948caad94dcefb #kernelci issue maestro:3d78010dfd35842399e06140837eff2c84b56458 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

6 months, 2 weeks

1
0
0 0

[REGRESSION] stable-rc/linux-6.12.y: (build) ./include/linux/blkdev.h:1668:24: error: field ‘req_list’ has inco...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.12.y: --- ./include/linux/blkdev.h:1668:24: error: field ‘req_list’ has incomplete type in init/main.o (init/main.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:cd168bc9c0a1dd7790c10e1a2ad1b0bac8ae366a - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 98d0e5b8e62e87e5cdc3c131d5c8660e17e487a1 Log excerpt: ===================================================== In file included from init/main.c:85: ./include/linux/blkdev.h:1668:24: error: field ‘req_list’ has incomplete type 1668 | struct rq_list req_list; | ^~~~~~~~ AR drivers/clk/imx/built-in.a AR drivers/clk/ingenic/built-in.a ===================================================== # Builds where the incident occurred: ## tinyconfig on (i386): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6807b01843948caad94dd153 ## tinyconfig+kselftest on (x86_64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:6807b04243948caad94dd172 #kernelci issue maestro:cd168bc9c0a1dd7790c10e1a2ad1b0bac8ae366a Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

6 months, 2 weeks

1
0
0 0

[PATCH 6.12.y v3] wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process

by Alexander Tsoy

From: P Praneesh <quic_ppranees(a)quicinc.com> [ Upstream commit 63fdc4509bcf483e79548de6bc08bf3c8e504bb3 ] Currently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry to fetch the next entry from the destination ring. This is incorrect because ath12k_hal_srng_src_get_next_entry is intended for source rings, not destination rings. This leads to invalid entry fetches, causing potential data corruption or crashes due to accessing incorrect memory locations. This happens because the source ring and destination ring have different handling mechanisms and using the wrong function results in incorrect pointer arithmetic and ring management. To fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with ath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures that the correct function is used for fetching entries from the destination ring, preventing invalid memory accesses. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Signed-off-by: P Praneesh <quic_ppranees(a)quicinc.com> Link: https://patch.msgid.link/20241223060132.3506372-7-quic_ppranees@quicinc.com Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Signed-off-by: Alexander Tsoy <alexander(a)tsoy.me> --- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c index 5c6749bc4039..4c98b9de1e58 100644 --- a/drivers/net/wireless/ath/ath12k/dp_mon.c +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c @@ -2118,7 +2118,7 @@ int ath12k_dp_mon_srng_process(struct ath12k *ar, int mac_id, int *budget, dest_idx = 0; move_next: ath12k_dp_mon_buf_replenish(ab, buf_ring, 1); - ath12k_hal_srng_src_get_next_entry(ab, srng); + ath12k_hal_srng_dst_get_next_entry(ab, srng); num_buffs_reaped++; } -- 2.49.0

6 months, 2 weeks

1
0
0 0

[PATCH 6.14.y v3] wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process

by Alexander Tsoy

From: P Praneesh <quic_ppranees(a)quicinc.com> [ Upstream commit 63fdc4509bcf483e79548de6bc08bf3c8e504bb3 ] Currently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry to fetch the next entry from the destination ring. This is incorrect because ath12k_hal_srng_src_get_next_entry is intended for source rings, not destination rings. This leads to invalid entry fetches, causing potential data corruption or crashes due to accessing incorrect memory locations. This happens because the source ring and destination ring have different handling mechanisms and using the wrong function results in incorrect pointer arithmetic and ring management. To fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with ath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures that the correct function is used for fetching entries from the destination ring, preventing invalid memory accesses. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Signed-off-by: P Praneesh <quic_ppranees(a)quicinc.com> Link: https://patch.msgid.link/20241223060132.3506372-7-quic_ppranees@quicinc.com Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Signed-off-by: Alexander Tsoy <alexander(a)tsoy.me> --- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c index 8005d30a4dbe..b952e79179d0 100644 --- a/drivers/net/wireless/ath/ath12k/dp_mon.c +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c @@ -2054,7 +2054,7 @@ int ath12k_dp_mon_srng_process(struct ath12k *ar, int mac_id, int *budget, dest_idx = 0; move_next: ath12k_dp_mon_buf_replenish(ab, buf_ring, 1); - ath12k_hal_srng_src_get_next_entry(ab, srng); + ath12k_hal_srng_dst_get_next_entry(ab, srng); num_buffs_reaped++; } -- 2.49.0

6 months, 2 weeks

1
0
0 0

[PATCH v2] x86/mm: fix _pgd_alloc() for Xen PV mode

by Juergen Gross

Recently _pgd_alloc() was switched from using __get_free_pages() to pagetable_alloc_noprof(), which might return a compound page in case the allocation order is larger than 0. On x86 this will be the case if CONFIG_MITIGATION_PAGE_TABLE_ISOLATION is set, even if PTI has been disabled at runtime. When running as a Xen PV guest (this will always disable PTI), using a compound page for a PGD will result in VM_BUG_ON_PGFLAGS being triggered when the Xen code tries to pin the PGD. Fix the Xen issue together with the not needed 8k allocation for a PGD with PTI disabled by replacing PGD_ALLOCATION_ORDER with an inline helper returning the needed order for PGD allocations. Reported-by: Petr Vaněk <arkamar(a)atlas.cz> Fixes: a9b3c355c2e6 ("asm-generic: pgalloc: provide generic __pgd_{alloc,free}") Cc: stable(a)vger.kernel.org Signed-off-by: Juergen Gross <jgross(a)suse.com> --- V2: - use pgd_allocation_order() instead of PGD_ALLOCATION_ORDER (Dave Hansen) --- arch/x86/include/asm/pgalloc.h | 19 +++++++++++-------- arch/x86/kernel/machine_kexec_32.c | 4 ++-- arch/x86/mm/pgtable.c | 4 ++-- arch/x86/platform/efi/efi_64.c | 4 ++-- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index a33147520044..c88691b15f3c 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -6,6 +6,8 @@ #include <linux/mm.h> /* for struct page */ #include <linux/pagemap.h> +#include <asm/cpufeature.h> + #define __HAVE_ARCH_PTE_ALLOC_ONE #define __HAVE_ARCH_PGD_FREE #include <asm-generic/pgalloc.h> @@ -29,16 +31,17 @@ static inline void paravirt_release_pud(unsigned long pfn) {} static inline void paravirt_release_p4d(unsigned long pfn) {} #endif -#ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION /* - * Instead of one PGD, we acquire two PGDs. Being order-1, it is - * both 8k in size and 8k-aligned. That lets us just flip bit 12 - * in a pointer to swap between the two 4k halves. + * In case of Page Table Isolation active, we acquire two PGDs instead of one. + * Being order-1, it is both 8k in size and 8k-aligned. That lets us just + * flip bit 12 in a pointer to swap between the two 4k halves. */ -#define PGD_ALLOCATION_ORDER 1 -#else -#define PGD_ALLOCATION_ORDER 0 -#endif +static inline unsigned int pgd_allocation_order(void) +{ + if (cpu_feature_enabled(X86_FEATURE_PTI)) + return 1; + return 0; +} /* * Allocate and free page tables. diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c index 80265162aeff..1f325304c4a8 100644 --- a/arch/x86/kernel/machine_kexec_32.c +++ b/arch/x86/kernel/machine_kexec_32.c @@ -42,7 +42,7 @@ static void load_segments(void) static void machine_kexec_free_page_tables(struct kimage *image) { - free_pages((unsigned long)image->arch.pgd, PGD_ALLOCATION_ORDER); + free_pages((unsigned long)image->arch.pgd, pgd_allocation_order()); image->arch.pgd = NULL; #ifdef CONFIG_X86_PAE free_page((unsigned long)image->arch.pmd0); @@ -59,7 +59,7 @@ static void machine_kexec_free_page_tables(struct kimage *image) static int machine_kexec_alloc_page_tables(struct kimage *image) { image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, - PGD_ALLOCATION_ORDER); + pgd_allocation_order()); #ifdef CONFIG_X86_PAE image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL); image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL); diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index a05fcddfc811..f7ae44d3dd9e 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -360,7 +360,7 @@ static inline pgd_t *_pgd_alloc(struct mm_struct *mm) * We allocate one page for pgd. */ if (!SHARED_KERNEL_PMD) - return __pgd_alloc(mm, PGD_ALLOCATION_ORDER); + return __pgd_alloc(mm, pgd_allocation_order()); /* * Now PAE kernel is not running as a Xen domain. We can allocate @@ -380,7 +380,7 @@ static inline void _pgd_free(struct mm_struct *mm, pgd_t *pgd) static inline pgd_t *_pgd_alloc(struct mm_struct *mm) { - return __pgd_alloc(mm, PGD_ALLOCATION_ORDER); + return __pgd_alloc(mm, pgd_allocation_order()); } static inline void _pgd_free(struct mm_struct *mm, pgd_t *pgd) diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c index ac57259a432b..a4b4ebd41b8f 100644 --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -73,7 +73,7 @@ int __init efi_alloc_page_tables(void) gfp_t gfp_mask; gfp_mask = GFP_KERNEL | __GFP_ZERO; - efi_pgd = (pgd_t *)__get_free_pages(gfp_mask, PGD_ALLOCATION_ORDER); + efi_pgd = (pgd_t *)__get_free_pages(gfp_mask, pgd_allocation_order()); if (!efi_pgd) goto fail; @@ -96,7 +96,7 @@ int __init efi_alloc_page_tables(void) if (pgtable_l5_enabled()) free_page((unsigned long)pgd_page_vaddr(*pgd)); free_pgd: - free_pages((unsigned long)efi_pgd, PGD_ALLOCATION_ORDER); + free_pages((unsigned long)efi_pgd, pgd_allocation_order()); fail: return -ENOMEM; } -- 2.43.0

6 months, 2 weeks

2
1
0 0

Re: [PATCH 1/3 v5.4.y] dmaengine: ti: edma: Add support for handling reserved channels

by Hardik Gohil

> > > I'm sorry, I have no idea what to do here > > please add all the patches 1/3,2/3 and 3/3 to v5.4.y.

6 months, 2 weeks

1
0
0 0

[PATCH 1/3 v5.4.y] dmaengine: ti: edma: Add support for handling reserved channels

by Hardik Gohil

From: Peter Ujfalusi <peter.ujfalusi(a)ti.com> Like paRAM slots, channels could be used by other cores and in this case we need to make sure that the driver do not alter these channels. Handle the generic dma-channel-mask property to mark channels in a bitmap which can not be used by Linux and convert the legacy rsv_chans if it is provided by platform_data. Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)ti.com> Link: https://lore.kernel.org/r/20191025073056.25450-4-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Hardik Gohil <hgohil(a)mvista.com> --- The patch [dmaengine: ti: edma: Add some null pointer checks to the edma_probe] fix for CVE-2024-26771 needs to be backported to v5.4.y kernel. patch 2/3 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… patch 3/3 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… patch 2 and 3 are cleanly applicable to v5.4.y, build test was sucessful. drivers/dma/ti/edma.c | 59 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 6 deletions(-) diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index 01089e5c565f..47423bbd7bc7 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -259,6 +259,13 @@ struct edma_cc { */ unsigned long *slot_inuse; + /* + * For tracking reserved channels used by DSP. + * If the bit is cleared, the channel is allocated to be used by DSP + * and Linux must not touch it. + */ + unsigned long *channels_mask; + struct dma_device dma_slave; struct dma_device *dma_memcpy; struct edma_chan *slave_chans; @@ -715,6 +722,12 @@ static int edma_alloc_channel(struct edma_chan *echan, struct edma_cc *ecc = echan->ecc; int channel = EDMA_CHAN_SLOT(echan->ch_num); + if (!test_bit(echan->ch_num, ecc->channels_mask)) { + dev_err(ecc->dev, "Channel%d is reserved, can not be used!\n", + echan->ch_num); + return -EINVAL; + } + /* ensure access through shadow region 0 */ edma_or_array2(ecc, EDMA_DRAE, 0, EDMA_REG_ARRAY_INDEX(channel), EDMA_CHANNEL_BIT(channel)); @@ -2249,7 +2262,7 @@ static int edma_probe(struct platform_device *pdev) struct edma_soc_info *info = pdev->dev.platform_data; s8 (*queue_priority_mapping)[2]; int i, off; - const s16 (*rsv_slots)[2]; + const s16 (*reserved)[2]; const s16 (*xbar_chans)[2]; int irq; char *irq_name; @@ -2330,15 +2343,32 @@ static int edma_probe(struct platform_device *pdev) if (!ecc->slot_inuse) return -ENOMEM; + ecc->channels_mask = devm_kcalloc(dev, + BITS_TO_LONGS(ecc->num_channels), + sizeof(unsigned long), GFP_KERNEL); + if (!ecc->channels_mask) + return -ENOMEM; + + /* Mark all channels available initially */ + bitmap_fill(ecc->channels_mask, ecc->num_channels); + ecc->default_queue = info->default_queue; if (info->rsv) { /* Set the reserved slots in inuse list */ - rsv_slots = info->rsv->rsv_slots; - if (rsv_slots) { - for (i = 0; rsv_slots[i][0] != -1; i++) - bitmap_set(ecc->slot_inuse, rsv_slots[i][0], - rsv_slots[i][1]); + reserved = info->rsv->rsv_slots; + if (reserved) { + for (i = 0; reserved[i][0] != -1; i++) + bitmap_set(ecc->slot_inuse, reserved[i][0], + reserved[i][1]); + } + + /* Clear channels not usable for Linux */ + reserved = info->rsv->rsv_chans; + if (reserved) { + for (i = 0; reserved[i][0] != -1; i++) + bitmap_clear(ecc->channels_mask, reserved[i][0], + reserved[i][1]); } } @@ -2398,6 +2428,7 @@ static int edma_probe(struct platform_device *pdev) if (!ecc->legacy_mode) { int lowest_priority = 0; + unsigned int array_max; struct of_phandle_args tc_args; ecc->tc_list = devm_kcalloc(dev, ecc->num_tc, @@ -2421,6 +2452,18 @@ static int edma_probe(struct platform_device *pdev) } of_node_put(tc_args.np); } + + /* See if we have optional dma-channel-mask array */ + array_max = DIV_ROUND_UP(ecc->num_channels, BITS_PER_TYPE(u32)); + ret = of_property_read_variable_u32_array(node, + "dma-channel-mask", + (u32 *)ecc->channels_mask, + 1, array_max); + if (ret > 0 && ret != array_max) + dev_warn(dev, "dma-channel-mask is not complete.\n"); + else if (ret == -EOVERFLOW || ret == -ENODATA) + dev_warn(dev, + "dma-channel-mask is out of range or empty\n"); } /* Event queue priority mapping */ @@ -2438,6 +2481,10 @@ static int edma_probe(struct platform_device *pdev) edma_dma_init(ecc, legacy_mode); for (i = 0; i < ecc->num_channels; i++) { + /* Do not touch reserved channels */ + if (!test_bit(i, ecc->channels_mask)) + continue; + /* Assign all channels to the default queue */ edma_assign_channel_eventq(&ecc->slave_chans[i], info->default_queue); -- 2.25.1

6 months, 2 weeks

3
2
0 0

[PATCH 5.15.y] fs/ntfs3: Fixed overflow check in mi_enum_attr()

by bin.lan.cn＠windriver.com

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit 652cfeb43d6b9aba5c7c4902bed7a7340df131fb ] Reported-by: Robert Morris <rtm(a)csail.mit.edu> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- fs/ntfs3/record.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 383fc3437f02..fb0683c983cf 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -263,7 +263,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) return NULL; t32 = le32_to_cpu(attr->res.data_size); - if (t16 + t32 > asize) + if (t32 > asize - t16) return NULL; if (attr->name_len && -- 2.34.1

6 months, 2 weeks

3
2
0 0

[PATCH 5.15.y] jfs: define xtree root and page independently

by Aditya Dutt

From: Dave Kleikamp <dave.kleikamp(a)oracle.com> [ Upstream commit a779ed754e52d582b8c0e17959df063108bd0656 ] In order to make array bounds checking sane, provide a separate definition of the in-inode xtree root and the external xtree page. Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Tested-by: Manas Ghandat <ghandatmanas(a)gmail.com> (cherry picked from commit a779ed754e52d582b8c0e17959df063108bd0656) Closes: https://syzkaller.appspot.com/bug?extid=ccb458b6679845ee0bae Signed-off-by: Aditya Dutt <duttaditya18(a)gmail.com> --- Tested using C reproducer here: https://syzkaller.appspot.com/x/repro.c?x=113bb250e80000 (given in the dashboard link above UBSAN is not triggered when this commit is there. It is triggered when it is not. fs/jfs/jfs_dinode.h | 2 +- fs/jfs/jfs_imap.c | 6 +++--- fs/jfs/jfs_incore.h | 2 +- fs/jfs/jfs_txnmgr.c | 4 ++-- fs/jfs/jfs_xtree.c | 4 ++-- fs/jfs/jfs_xtree.h | 37 +++++++++++++++++++++++-------------- 6 files changed, 32 insertions(+), 23 deletions(-) diff --git a/fs/jfs/jfs_dinode.h b/fs/jfs/jfs_dinode.h index 5fa9fd594115..e630810a48c6 100644 --- a/fs/jfs/jfs_dinode.h +++ b/fs/jfs/jfs_dinode.h @@ -96,7 +96,7 @@ struct dinode { #define di_gengen u._file._u1._imap._gengen union { - xtpage_t _xtroot; + xtroot_t _xtroot; struct { u8 unused[16]; /* 16: */ dxd_t _dxd; /* 16: */ diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index 937ca07b58b1..5a360cd54098 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -671,7 +671,7 @@ int diWrite(tid_t tid, struct inode *ip) * This is the special xtree inside the directory for storing * the directory table */ - xtpage_t *p, *xp; + xtroot_t *p, *xp; xad_t *xad; jfs_ip->xtlid = 0; @@ -685,7 +685,7 @@ int diWrite(tid_t tid, struct inode *ip) * copy xtree root from inode to dinode: */ p = &jfs_ip->i_xtroot; - xp = (xtpage_t *) &dp->di_dirtable; + xp = (xtroot_t *) &dp->di_dirtable; lv = ilinelock->lv; for (n = 0; n < ilinelock->index; n++, lv++) { memcpy(&xp->xad[lv->offset], &p->xad[lv->offset], @@ -714,7 +714,7 @@ int diWrite(tid_t tid, struct inode *ip) * regular file: 16 byte (XAD slot) granularity */ if (type & tlckXTREE) { - xtpage_t *p, *xp; + xtroot_t *p, *xp; xad_t *xad; /* diff --git a/fs/jfs/jfs_incore.h b/fs/jfs/jfs_incore.h index a466ec41cfbb..852f4c1f2946 100644 --- a/fs/jfs/jfs_incore.h +++ b/fs/jfs/jfs_incore.h @@ -66,7 +66,7 @@ struct jfs_inode_info { lid_t xtlid; /* lid of xtree lock on directory */ union { struct { - xtpage_t _xtroot; /* 288: xtree root */ + xtroot_t _xtroot; /* 288: xtree root */ struct inomap *_imap; /* 4: inode map header */ } file; struct { diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c index dca8edd2378c..7d19324f5a83 100644 --- a/fs/jfs/jfs_txnmgr.c +++ b/fs/jfs/jfs_txnmgr.c @@ -778,7 +778,7 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp, if (mp->xflag & COMMIT_PAGE) p = (xtpage_t *) mp->data; else - p = &jfs_ip->i_xtroot; + p = (xtpage_t *) &jfs_ip->i_xtroot; xtlck->lwm.offset = le16_to_cpu(p->header.nextindex); } @@ -1708,7 +1708,7 @@ static void xtLog(struct jfs_log * log, struct tblock * tblk, struct lrd * lrd, if (tlck->type & tlckBTROOT) { lrd->log.redopage.type |= cpu_to_le16(LOG_BTROOT); - p = &JFS_IP(ip)->i_xtroot; + p = (xtpage_t *) &JFS_IP(ip)->i_xtroot; if (S_ISDIR(ip->i_mode)) lrd->log.redopage.type |= cpu_to_le16(LOG_DIR_XTREE); diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c index 3148e9b35f3b..34db519933b4 100644 --- a/fs/jfs/jfs_xtree.c +++ b/fs/jfs/jfs_xtree.c @@ -1224,7 +1224,7 @@ xtSplitRoot(tid_t tid, struct xtlock *xtlck; int rc; - sp = &JFS_IP(ip)->i_xtroot; + sp = (xtpage_t *) &JFS_IP(ip)->i_xtroot; INCREMENT(xtStat.split); @@ -3059,7 +3059,7 @@ static int xtRelink(tid_t tid, struct inode *ip, xtpage_t * p) */ void xtInitRoot(tid_t tid, struct inode *ip) { - xtpage_t *p; + xtroot_t *p; /* * acquire a transaction lock on the root diff --git a/fs/jfs/jfs_xtree.h b/fs/jfs/jfs_xtree.h index 5f51be8596b3..dc9b5f8d6385 100644 --- a/fs/jfs/jfs_xtree.h +++ b/fs/jfs/jfs_xtree.h @@ -65,24 +65,33 @@ struct xadlist { #define XTPAGEMAXSLOT 256 #define XTENTRYSTART 2 -/* - * xtree page: - */ -typedef union { - struct xtheader { - __le64 next; /* 8: */ - __le64 prev; /* 8: */ +struct xtheader { + __le64 next; /* 8: */ + __le64 prev; /* 8: */ - u8 flag; /* 1: */ - u8 rsrvd1; /* 1: */ - __le16 nextindex; /* 2: next index = number of entries */ - __le16 maxentry; /* 2: max number of entries */ - __le16 rsrvd2; /* 2: */ + u8 flag; /* 1: */ + u8 rsrvd1; /* 1: */ + __le16 nextindex; /* 2: next index = number of entries */ + __le16 maxentry; /* 2: max number of entries */ + __le16 rsrvd2; /* 2: */ - pxd_t self; /* 8: self */ - } header; /* (32) */ + pxd_t self; /* 8: self */ +}; +/* + * xtree root (in inode): + */ +typedef union { + struct xtheader header; xad_t xad[XTROOTMAXSLOT]; /* 16 * maxentry: xad array */ +} xtroot_t; + +/* + * xtree page: + */ +typedef union { + struct xtheader header; + xad_t xad[XTPAGEMAXSLOT]; /* 16 * maxentry: xad array */ } xtpage_t; /* -- 2.34.1

6 months, 2 weeks

3
3
0 0

[PATCH 6.12.y v2 1/2] Revert "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process"

by Alexander Tsoy

This reverts commit 535b666118f6ddeae90a480a146c061796d37022 as it was backported incorrectly. A subsequent commit will re-backport the original patch. Signed-off-by: Alexander Tsoy <alexander(a)tsoy.me> --- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c index 1706ec27eb9c..5c6749bc4039 100644 --- a/drivers/net/wireless/ath/ath12k/dp_mon.c +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c @@ -2533,7 +2533,7 @@ int ath12k_dp_mon_rx_process_stats(struct ath12k *ar, int mac_id, dest_idx = 0; move_next: ath12k_dp_mon_buf_replenish(ab, buf_ring, 1); - ath12k_hal_srng_dst_get_next_entry(ab, srng); + ath12k_hal_srng_src_get_next_entry(ab, srng); num_buffs_reaped++; } -- 2.49.0

6 months, 2 weeks

2
2
0 0

[PATCH 6.14.y v2 1/2] Revert "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process"

by Alexander Tsoy

This reverts commit 0c1015493f0e3979bcbd3a12ebc0977578c87f21 as it was backported incorrectly. A subsequent commit will re-backport the original patch. Signed-off-by: Alexander Tsoy <alexander(a)tsoy.me> --- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c index 0b089389087d..8005d30a4dbe 100644 --- a/drivers/net/wireless/ath/ath12k/dp_mon.c +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c @@ -2473,7 +2473,7 @@ int ath12k_dp_mon_rx_process_stats(struct ath12k *ar, int mac_id, dest_idx = 0; move_next: ath12k_dp_mon_buf_replenish(ab, buf_ring, 1); - ath12k_hal_srng_dst_get_next_entry(ab, srng); + ath12k_hal_srng_src_get_next_entry(ab, srng); num_buffs_reaped++; } -- 2.49.0

6 months, 2 weeks

2
2
0 0

Request for backporting hid-pidff driver patches

by tomasz.pakula.oficjalny＠gmail.com

Hello Recently AUTOSEL selected some of out patches to hid-pidff and hid-universal-pidff. Though I looked over what was selected and everything will be working, I'd like to keep the drivers up-to-date at least going back to 6.12 as these kernels are widely used and leaving said driers in an incomplete state, not up to upstream might lead to some false positive bug reports to me and Oleg. Here's the full list of the hid-pidff related patches from upstream. It might look like a lot but some granular changes were recorded as the driver was in need of an overhaul for at least 10 years. This mainly touches just two files. I tested it personally and all the patches apply cleanly on top of current 6.12.y, 6.13.y and 6.14.y branches. Thanks in advance! e2fa0bdf08a7 HID: pidff: Fix set_device_control() f98ecedbeca3 HID: pidff: Fix 90 degrees direction name North -> East 1a575044d516 HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff 0c6673e3d17b HID: pidff: Clamp effect playback LOOP_COUNT value bbeface10511 HID: pidff: Rename two functions to align them with naming convention 1bd55e79cbc0 HID: pidff: Remove redundant call to pidff_find_special_keys 9d4174dc4a23 HID: pidff: Support device error response from PID_BLOCK_LOAD e19675c24774 HID: pidff: Comment and code style update c385f61108d4 HID: hid-universal-pidff: Add Asetek wheelbases support 1f650dcec32d HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX 2c2afb50b50f MAINTAINERS: Update hid-universal-pidff entry 5d98079b2d01 HID: pidff: Factor out pool report fetch and remove excess declaration 217551624569 HID: pidff: Use macros instead of hardcoded min/max values for shorts 4eb9c2ee538b HID: pidff: Simplify pidff_rescale_signed 0d24d4b1da96 HID: pidff: Move all hid-pidff definitions to a dedicated header 22a05462c3d0 HID: pidff: Fix null pointer dereference in pidff_find_fields f7ebf0b11b9e HID: pidff: Factor out code for setting gain 8713107221a8 HID: pidff: Rescale time values to match field units 1c12f136891c HID: pidff: Define values used in pidff_find_special_fields e4bdc80ef142 HID: pidff: Simplify pidff_upload_effect function cb3fd788e3fa HID: pidff: Completely rework and fix pidff_reset function abdbf8764f49 HID: pidff: Add PERIODIC_SINE_ONLY quirk 7d3adb9695ec MAINTAINERS: Add entry for hid-universal-pidff driver f06bf8d94fff HID: Add hid-universal-pidff driver and supported device ids ce52c0c939fc HID: pidff: Stop all effects before enabling actuators 3051bf5ec773 HID: pidff: Add FIX_WHEEL_DIRECTION quirk 36de0164bbaf HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol a4119108d253 HID: pidff: Add PERMISSIVE_CONTROL quirk fc7c154e9bb3 HID: pidff: Add MISSING_PBO quirk and its detection 2d5c7ce5bf4c HID: pidff: Add MISSING_DELAY quirk and its detection f538183e997a HID: pidff: Clamp PERIODIC effect period to device's logical range 8876fc1884f5 HID: pidff: Do not send effect envelope if it's empty 37e0591fe44d HID: pidff: Convert infinite length from Linux API to PID standard Tomasz

6 months, 2 weeks

3
2
0 0

[PATCH 6.1&6.6 V3 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0

by Huacai Chen

Backport this series to 6.1&6.6 because we get build errors with GCC14 and OpenSSL3 (or later): certs/extract-cert.c: In function 'main': certs/extract-cert.c:124:17: error: implicit declaration of function 'ENGINE_load_builtin_engines' [-Wimplicit-function-declaration] 124 | ENGINE_load_builtin_engines(); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ certs/extract-cert.c:126:21: error: implicit declaration of function 'ENGINE_by_id' [-Wimplicit-function-declaration] 126 | e = ENGINE_by_id("pkcs11"); | ^~~~~~~~~~~~ certs/extract-cert.c:126:19: error: assignment to 'ENGINE *' {aka 'struct engine_st *'} from 'int' makes pointer from integer without a cast [-Wint-conversion] 126 | e = ENGINE_by_id("pkcs11"); | ^ certs/extract-cert.c:128:21: error: implicit declaration of function 'ENGINE_init' [-Wimplicit-function-declaration] 128 | if (ENGINE_init(e)) | ^~~~~~~~~~~ certs/extract-cert.c:133:30: error: implicit declaration of function 'ENGINE_ctrl_cmd_string' [-Wimplicit-function-declaration] 133 | ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); | ^~~~~~~~~~~~~~~~~~~~~~ certs/extract-cert.c:64:32: note: in definition of macro 'ERR' 64 | bool __cond = (cond); \ | ^~~~ certs/extract-cert.c:134:17: error: implicit declaration of function 'ENGINE_ctrl_cmd' [-Wimplicit-function-declaration] 134 | ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); | ^~~~~~~~~~~~~~~ In theory 5.4&5.10&5.15 also need this, but they need more efforts because file paths are different. The ENGINE interface has its limitations and it has been superseded by the PROVIDER API, it is deprecated in OpenSSL version 3.0. Some distros have started removing it from header files. Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >= 3. Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2, openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM and PKCS11 and comparing that the result is identical. V1 -> V2: Add upstream commit id. V2 -> V3: Add correct version id. Jan Stancek (3): sign-file,extract-cert: move common SSL helper functions to a header sign-file,extract-cert: avoid using deprecated ERR_get_error_line() sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 Signed-off-by: Jan Stancek <jstancek(a)redhat.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- MAINTAINERS | 1 + certs/Makefile | 2 +- certs/extract-cert.c | 138 +++++++++++++++++++++++-------------------- scripts/sign-file.c | 134 +++++++++++++++++++++-------------------- scripts/ssl-common.h | 32 ++++++++++ 5 files changed, 178 insertions(+), 129 deletions(-) create mode 100644 scripts/ssl-common.h --- 2.27.0

6 months, 2 weeks

5
16
0 0

FAILED: patch "[PATCH] block: fix ordering between checking QUEUE_FLAG_QUIESCED" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 6bda857bcbb86fb9d0e54fbef93a093d51172acc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024120342-monsoon-wildcat-d0a1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6bda857bcbb86fb9d0e54fbef93a093d51172acc Mon Sep 17 00:00:00 2001 From: Muchun Song <muchun.song(a)linux.dev> Date: Mon, 14 Oct 2024 17:29:33 +0800 Subject: [PATCH] block: fix ordering between checking QUEUE_FLAG_QUIESCED request adding Supposing the following scenario. CPU0 CPU1 blk_mq_insert_request() 1) store blk_mq_unquiesce_queue() blk_queue_flag_clear() 3) store blk_mq_run_hw_queues() blk_mq_run_hw_queue() if (!blk_mq_hctx_has_pending()) 4) load return blk_mq_run_hw_queue() if (blk_queue_quiesced()) 2) load return blk_mq_sched_dispatch_requests() The full memory barrier should be inserted between 1) and 2), as well as between 3) and 4) to make sure that either CPU0 sees QUEUE_FLAG_QUIESCED is cleared or CPU1 sees dispatch list or setting of bitmap of software queue. Otherwise, either CPU will not rerun the hardware queue causing starvation. So the first solution is to 1) add a pair of memory barrier to fix the problem, another solution is to 2) use hctx->queue->queue_lock to synchronize QUEUE_FLAG_QUIESCED. Here, we chose 2) to fix it since memory barrier is not easy to be maintained. Fixes: f4560ffe8cec ("blk-mq: use QUEUE_FLAG_QUIESCED to quiesce queue") Cc: stable(a)vger.kernel.org Cc: Muchun Song <muchun.song(a)linux.dev> Signed-off-by: Muchun Song <songmuchun(a)bytedance.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20241014092934.53630-3-songmuchun@bytedance.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/blk-mq.c b/block/blk-mq.c index 5deb9dffca0a..bb4ee2380dce 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2227,6 +2227,24 @@ void blk_mq_delay_run_hw_queue(struct blk_mq_hw_ctx *hctx, unsigned long msecs) } EXPORT_SYMBOL(blk_mq_delay_run_hw_queue); +static inline bool blk_mq_hw_queue_need_run(struct blk_mq_hw_ctx *hctx) +{ + bool need_run; + + /* + * When queue is quiesced, we may be switching io scheduler, or + * updating nr_hw_queues, or other things, and we can't run queue + * any more, even blk_mq_hctx_has_pending() can't be called safely. + * + * And queue will be rerun in blk_mq_unquiesce_queue() if it is + * quiesced. + */ + __blk_mq_run_dispatch_ops(hctx->queue, false, + need_run = !blk_queue_quiesced(hctx->queue) && + blk_mq_hctx_has_pending(hctx)); + return need_run; +} + /** * blk_mq_run_hw_queue - Start to run a hardware queue. * @hctx: Pointer to the hardware queue to run. @@ -2247,20 +2265,23 @@ void blk_mq_run_hw_queue(struct blk_mq_hw_ctx *hctx, bool async) might_sleep_if(!async && hctx->flags & BLK_MQ_F_BLOCKING); - /* - * When queue is quiesced, we may be switching io scheduler, or - * updating nr_hw_queues, or other things, and we can't run queue - * any more, even __blk_mq_hctx_has_pending() can't be called safely. - * - * And queue will be rerun in blk_mq_unquiesce_queue() if it is - * quiesced. - */ - __blk_mq_run_dispatch_ops(hctx->queue, false, - need_run = !blk_queue_quiesced(hctx->queue) && - blk_mq_hctx_has_pending(hctx)); + need_run = blk_mq_hw_queue_need_run(hctx); + if (!need_run) { + unsigned long flags; - if (!need_run) - return; + /* + * Synchronize with blk_mq_unquiesce_queue(), because we check + * if hw queue is quiesced locklessly above, we need the use + * ->queue_lock to make sure we see the up-to-date status to + * not miss rerunning the hw queue. + */ + spin_lock_irqsave(&hctx->queue->queue_lock, flags); + need_run = blk_mq_hw_queue_need_run(hctx); + spin_unlock_irqrestore(&hctx->queue->queue_lock, flags); + + if (!need_run) + return; + } if (async || !cpumask_test_cpu(raw_smp_processor_id(), hctx->cpumask)) { blk_mq_delay_run_hw_queue(hctx, 0);

6 months, 2 weeks

4
6
0 0

FAILED: patch "[PATCH] block: fix missing dispatching request when queue is started" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2003ee8a9aa14d766b06088156978d53c2e9be3d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024120323-snowiness-subway-3844@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2003ee8a9aa14d766b06088156978d53c2e9be3d Mon Sep 17 00:00:00 2001 From: Muchun Song <muchun.song(a)linux.dev> Date: Mon, 14 Oct 2024 17:29:32 +0800 Subject: [PATCH] block: fix missing dispatching request when queue is started or unquiesced Supposing the following scenario with a virtio_blk driver. CPU0 CPU1 CPU2 blk_mq_try_issue_directly() __blk_mq_issue_directly() q->mq_ops->queue_rq() virtio_queue_rq() blk_mq_stop_hw_queue() virtblk_done() blk_mq_try_issue_directly() if (blk_mq_hctx_stopped()) blk_mq_request_bypass_insert() blk_mq_run_hw_queue() blk_mq_run_hw_queue() blk_mq_run_hw_queue() blk_mq_insert_request() return After CPU0 has marked the queue as stopped, CPU1 will see the queue is stopped. But before CPU1 puts the request on the dispatch list, CPU2 receives the interrupt of completion of request, so it will run the hardware queue and marks the queue as non-stopped. Meanwhile, CPU1 also runs the same hardware queue. After both CPU1 and CPU2 complete blk_mq_run_hw_queue(), CPU1 just puts the request to the same hardware queue and returns. It misses dispatching a request. Fix it by running the hardware queue explicitly. And blk_mq_request_issue_directly() should handle a similar situation. Fix it as well. Fixes: d964f04a8fde ("blk-mq: fix direct issue") Cc: stable(a)vger.kernel.org Cc: Muchun Song <muchun.song(a)linux.dev> Signed-off-by: Muchun Song <songmuchun(a)bytedance.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20241014092934.53630-2-songmuchun@bytedance.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/blk-mq.c b/block/blk-mq.c index 7d05a56e3639..5deb9dffca0a 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -2647,6 +2647,7 @@ static void blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx, if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) { blk_mq_insert_request(rq, 0); + blk_mq_run_hw_queue(hctx, false); return; } @@ -2677,6 +2678,7 @@ static blk_status_t blk_mq_request_issue_directly(struct request *rq, bool last) if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) { blk_mq_insert_request(rq, 0); + blk_mq_run_hw_queue(hctx, false); return BLK_STS_OK; }

6 months, 2 weeks

4
6
0 0

[PATCH 1/2 v5.4.y] mmc: mmci: stm32: use a buffer for unaligned DMA requests

by Hardik Gohil

From: Yann Gautier <yann.gautier(a)foss.st.com> [ Upstream commit 970dc9c11a17994ab878016b536612ab00d1441d ] In SDIO mode, the sg list for requests can be unaligned with what the STM32 SDMMC internal DMA can support. In that case, instead of failing, use a temporary bounce buffer to copy from/to the sg list. This buffer is limited to 1MB. But for that we need to also limit max_req_size to 1MB. It has not shown any throughput penalties for SD-cards or eMMC. Signed-off-by: Yann Gautier <yann.gautier(a)foss.st.com> Link: https://lore.kernel.org/r/20220328145114.334577-1-yann.gautier@foss.st.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Stable-dep-of: 6b1ba3f9040b ("mmc: mmci: stm32: fix DMA API overlapping mappings warning") Signed-off-by: Sasha Levin <sashal(a)kernel.org> Tested-by: Hardik A Gohil <hgohil(a)mvista.com> --- This fix was not backported to v5.4 Patch 1 and Patch 2 there were only line change. Tested build successfully dependend patch for this 2 patches https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… drivers/mmc/host/mmci_stm32_sdmmc.c | 88 ++++++++++++++++++++++++++++++------- 1 file changed, 71 insertions(+), 17 deletions(-) diff --git a/drivers/mmc/host/mmci_stm32_sdmmc.c b/drivers/mmc/host/mmci_stm32_sdmmc.c index aa8c0ab..cab3a52 100644 --- a/drivers/mmc/host/mmci_stm32_sdmmc.c +++ b/drivers/mmc/host/mmci_stm32_sdmmc.c @@ -23,11 +23,16 @@ struct sdmmc_lli_desc { struct sdmmc_idma { dma_addr_t sg_dma; void *sg_cpu; + dma_addr_t bounce_dma_addr; + void *bounce_buf; + bool use_bounce_buffer; }; int sdmmc_idma_validate_data(struct mmci_host *host, struct mmc_data *data) { + struct sdmmc_idma *idma = host->dma_priv; + struct device *dev = mmc_dev(host->mmc); struct scatterlist *sg; int i; @@ -35,41 +40,69 @@ int sdmmc_idma_validate_data(struct mmci_host *host, * idma has constraints on idmabase & idmasize for each element * excepted the last element which has no constraint on idmasize */ + idma->use_bounce_buffer = false; for_each_sg(data->sg, sg, data->sg_len - 1, i) { if (!IS_ALIGNED(sg->offset, sizeof(u32)) || !IS_ALIGNED(sg->length, SDMMC_IDMA_BURST)) { - dev_err(mmc_dev(host->mmc), + dev_dbg(mmc_dev(host->mmc), "unaligned scatterlist: ofst:%x length:%d\n", data->sg->offset, data->sg->length); - return -EINVAL; + goto use_bounce_buffer; } } if (!IS_ALIGNED(sg->offset, sizeof(u32))) { - dev_err(mmc_dev(host->mmc), + dev_dbg(mmc_dev(host->mmc), "unaligned last scatterlist: ofst:%x length:%d\n", data->sg->offset, data->sg->length); - return -EINVAL; + goto use_bounce_buffer; + } + + return 0; + +use_bounce_buffer: + if (!idma->bounce_buf) { + idma->bounce_buf = dmam_alloc_coherent(dev, + host->mmc->max_req_size, + &idma->bounce_dma_addr, + GFP_KERNEL); + if (!idma->bounce_buf) { + dev_err(dev, "Unable to map allocate DMA bounce buffer.\n"); + return -ENOMEM; + } } + idma->use_bounce_buffer = true; + return 0; } static int _sdmmc_idma_prep_data(struct mmci_host *host, struct mmc_data *data) { - int n_elem; + struct sdmmc_idma *idma = host->dma_priv; - n_elem = dma_map_sg(mmc_dev(host->mmc), - data->sg, - data->sg_len, - mmc_get_dma_dir(data)); + if (idma->use_bounce_buffer) { + if (data->flags & MMC_DATA_WRITE) { + unsigned int xfer_bytes = data->blksz * data->blocks; - if (!n_elem) { - dev_err(mmc_dev(host->mmc), "dma_map_sg failed\n"); - return -EINVAL; - } + sg_copy_to_buffer(data->sg, data->sg_len, + idma->bounce_buf, xfer_bytes); + dma_wmb(); + } + } else { + int n_elem; + n_elem = dma_map_sg(mmc_dev(host->mmc), + data->sg, + data->sg_len, + mmc_get_dma_dir(data)); + + if (!n_elem) { + dev_err(mmc_dev(host->mmc), "dma_map_sg failed\n"); + return -EINVAL; + } + } return 0; } @@ -86,8 +119,19 @@ static int sdmmc_idma_prep_data(struct mmci_host *host, static void sdmmc_idma_unprep_data(struct mmci_host *host, struct mmc_data *data, int err) { - dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len, - mmc_get_dma_dir(data)); + struct sdmmc_idma *idma = host->dma_priv; + + if (idma->use_bounce_buffer) { + if (data->flags & MMC_DATA_READ) { + unsigned int xfer_bytes = data->blksz * data->blocks; + + sg_copy_from_buffer(data->sg, data->sg_len, + idma->bounce_buf, xfer_bytes); + } + } else { + dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len, + mmc_get_dma_dir(data)); + } } static int sdmmc_idma_setup(struct mmci_host *host) @@ -112,6 +156,8 @@ static int sdmmc_idma_setup(struct mmci_host *host) host->mmc->max_segs = SDMMC_LLI_BUF_LEN / sizeof(struct sdmmc_lli_desc); host->mmc->max_seg_size = host->variant->stm32_idmabsize_mask; + + host->mmc->max_req_size = SZ_1M; } else { host->mmc->max_segs = 1; host->mmc->max_seg_size = host->mmc->max_req_size; @@ -129,8 +175,16 @@ static int sdmmc_idma_start(struct mmci_host *host, unsigned int *datactrl) struct scatterlist *sg; int i; - if (!host->variant->dma_lli || data->sg_len == 1) { - writel_relaxed(sg_dma_address(data->sg), + if (!host->variant->dma_lli || data->sg_len == 1 || + idma->use_bounce_buffer) { + u32 dma_addr; + + if (idma->use_bounce_buffer) + dma_addr = idma->bounce_dma_addr; + else + dma_addr = sg_dma_address(data->sg); + + writel_relaxed(dma_addr, host->base + MMCI_STM32_IDMABASE0R); writel_relaxed(MMCI_STM32_IDMAEN, host->base + MMCI_STM32_IDMACTRLR); -- 2.7.4

6 months, 2 weeks

3
4
0 0

[PATCH 6.1.y] ext4: filesystems without casefold feature cannot be mounted with siphash

by Miguel García

From: Lizhi Xu <lizhi.xu(a)windriver.com> commit 985b67cd86392310d9e9326de941c22fc9340eec upstream. This patch is a backport. When mounting the ext4 filesystem, if the default hash version is set to DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting. Reported-by: syzbot+9177d065333561cd6fd0(a)syzkaller.appspotmail.com Bug: https://syzkaller.appspot.com/bug?extid=9177d065333561cd6fd0 Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Link: https://patch.msgid.link/20240605012335.44086-1-lizhi.xu@windriver.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Miguel Garcia Roman <miguelgarciaroman8(a)gmail.com> (cherry picked from commit 985b67cd86392310d9e9326de941c22fc9340eec) --- fs/ext4/super.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 53f1deb049ec..598712a72300 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3546,6 +3545,12 @@ int ext4_feature_set_ok(struct super_block *sb, int readonly) return 0; } #endif + if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH && + !ext4_has_feature_casefold(sb)) { + ext4_msg(sb, KERN_ERR, + "Filesystem without casefold feature cannot be mounted with siphash"); + return 0; + } if (readonly) return 1; -- 2.34.1

6 months, 2 weeks

3
2
0 0

[PATCH 6.12/6.13/6.14 1/2] Revert "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process"

by Alexander Tsoy

This reverts commit 535b666118f6ddeae90a480a146c061796d37022 as it was backported incorrectly. A subsequent commit will re-backport the original patch. Signed-off-by: Alexander Tsoy <alexander(a)tsoy.me> --- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c index 0b089389087d..8005d30a4dbe 100644 --- a/drivers/net/wireless/ath/ath12k/dp_mon.c +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c @@ -2473,7 +2473,7 @@ int ath12k_dp_mon_rx_process_stats(struct ath12k *ar, int mac_id, dest_idx = 0; move_next: ath12k_dp_mon_buf_replenish(ab, buf_ring, 1); - ath12k_hal_srng_dst_get_next_entry(ab, srng); + ath12k_hal_srng_src_get_next_entry(ab, srng); num_buffs_reaped++; } -- 2.49.0

6 months, 2 weeks

2
3
0 0

[PATCH 1/1] usb: host: tegra: Prevent host controller crash when OTG port is used

by Wayne Chang

From: Jim Lin <jilin(a)nvidia.com> When a USB device is connected to the OTG port, the tegra_xhci_id_work() routine transitions the PHY to host mode and calls xhci_hub_control() with the SetPortFeature command to enable port power. In certain cases, the XHCI controller may be in a low-power state when this operation occurs. If xhci_hub_control() is invoked while the controller is suspended, the PORTSC register may return 0xFFFFFFFF, indicating a read failure. This causes xhci_hc_died() to be triggered, leading to host controller shutdown. Example backtrace: [ 105.445736] Workqueue: events tegra_xhci_id_work [ 105.445747] dump_backtrace+0x0/0x1e8 [ 105.445759] xhci_hc_died.part.48+0x40/0x270 [ 105.445769] tegra_xhci_set_port_power+0xc0/0x240 [ 105.445774] tegra_xhci_id_work+0x130/0x240 To prevent this, ensure the controller is fully resumed before interacting with hardware registers by calling pm_runtime_get_sync() prior to the host mode transition and xhci_hub_control(). Fixes: f836e7843036 ("usb: xhci-tegra: Add OTG support") Cc: stable(a)vger.kernel.org Signed-off-by: Jim Lin <jilin(a)nvidia.com> Signed-off-by: Wayne Chang <waynec(a)nvidia.com> --- drivers/usb/host/xhci-tegra.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c index 22dc86fb5254..70ec36e4ff5f 100644 --- a/drivers/usb/host/xhci-tegra.c +++ b/drivers/usb/host/xhci-tegra.c @@ -1364,6 +1364,7 @@ static void tegra_xhci_id_work(struct work_struct *work) tegra->otg_usb3_port = tegra_xusb_padctl_get_usb3_companion(tegra->padctl, tegra->otg_usb2_port); + pm_runtime_get_sync(tegra->dev); if (tegra->host_mode) { /* switch to host mode */ if (tegra->otg_usb3_port >= 0) { @@ -1393,6 +1394,7 @@ static void tegra_xhci_id_work(struct work_struct *work) } tegra_xhci_set_port_power(tegra, true, true); + pm_runtime_mark_last_busy(tegra->dev); } else { if (tegra->otg_usb3_port >= 0) @@ -1400,6 +1402,7 @@ static void tegra_xhci_id_work(struct work_struct *work) tegra_xhci_set_port_power(tegra, true, false); } + pm_runtime_put_autosuspend(tegra->dev); } #if IS_ENABLED(CONFIG_PM) || IS_ENABLED(CONFIG_PM_SLEEP) -- 2.25.1

6 months, 2 weeks

1
0
0 0

[PATCH v2 RESEND] brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

by Wentao Liang

The function brcmf_usb_dl_writeimage() calls the function brcmf_usb_dl_cmd() but dose not check its return value. The 'state.state' and the 'state.bytes' are uninitialized if the function brcmf_usb_dl_cmd() fails. It is dangerous to use uninitialized variables in the conditions. Add error handling for brcmf_usb_dl_cmd() to jump to error handling path if the brcmf_usb_dl_cmd() fails and the 'state.state' and the 'state.bytes' are uninitialized. Improve the error message to report more detailed error information. Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") Cc: stable(a)vger.kernel.org # v3.4+ Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c index 2821c27f317e..d06c724f63d9 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c @@ -896,14 +896,16 @@ brcmf_usb_dl_writeimage(struct brcmf_usbdev_info *devinfo, u8 *fw, int fwlen) } /* 1) Prepare USB boot loader for runtime image */ - brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state)); + err = brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state)); + if (err) + goto fail; rdlstate = le32_to_cpu(state.state); rdlbytes = le32_to_cpu(state.bytes); /* 2) Check we are in the Waiting state */ if (rdlstate != DL_WAITING) { - brcmf_err("Failed to DL_START\n"); + brcmf_err("Invalid DL state: %u\n", rdlstate); err = -EINVAL; goto fail; } -- 2.42.0.windows.2

6 months, 2 weeks

4
3
0 0

[PATCH 1/1] virtio_console: fix missing byte order handling for cols and rows

by Halil Pasic

As per virtio spec the fields cols and rows are specified as little endian. Although there is no legacy interface requirement that would state that cols and rows need to be handled as native endian when legacy interface is used, unlike for the fields of the adjacent struct virtio_console_control, I decided to err on the side of caution based on some non-conclusive virtio spec repo archaeology and opt for using virtio16_to_cpu() much like for virtio_console_control.event. Strictly by the letter of the spec virtio_le_to_cpu() would have been sufficient. But when the legacy interface is not used, it boils down to the same. And when using the legacy interface, the device formatting these as little endian when the guest is big endian would surprise me more than it using guest native byte order (which would make it compatible with the current implementation). Nevertheless somebody trying to implement the spec following it to the letter could end up forcing little endian byte order when the legacy interface is in use. So IMHO this ultimately needs a judgement call by the maintainers. Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message") Signed-off-by: Halil Pasic <pasic(a)linux.ibm.com> Cc: stable(a)vger.kernel.org # v2.6.35+ --- @Michael: I think it would be nice to add a clarification on the byte order to be used for cols and rows when the legacy interface is used to the spec, regardless of what we decide the right byte order is. If it is native endian that shall be stated much like it is stated for virtio_console_control. If it is little endian, I would like to add a sentence that states that unlike for the fields of virtio_console_control the byte order of the fields of struct virtio_console_resize is little endian also when the legacy interface is used. @Maximilian: Would you mind giving this a spin with your implementation on the device side of things in QEMU? --- drivers/char/virtio_console.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index 18f92dd44d45..fc698e2b1da1 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -1579,8 +1579,8 @@ static void handle_control_message(struct virtio_device *vdev, break; case VIRTIO_CONSOLE_RESIZE: { struct { - __u16 rows; - __u16 cols; + __virtio16 rows; + __virtio16 cols; } size; if (!is_console_port(port)) @@ -1588,7 +1588,8 @@ static void handle_control_message(struct virtio_device *vdev, memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt), sizeof(size)); - set_console_size(port, size.rows, size.cols); + set_console_size(port, virtio16_to_cpu(vdev, size.rows), + virtio16_to_cpu(vdev, size.cols)); port->cons.hvc->irq_requested = 1; resize_console(port); base-commit: b3ee1e4609512dfff642a96b34d7e5dfcdc92d05 -- 2.45.2

6 months, 2 weeks

4
5
0 0

[PATCH v3] staging: iio: ad5933: Correct settling cycles encoding per datasheet

by Gabriel Shahrouzi

Implement the settling cycles encoding as specified in the AD5933 datasheet, Table 13 ("Number of Settling Times Cycles Register"). The previous logic did not correctly translate the user-requested effective cycle count into the required 9-bit base + 2-bit multiplier format (D10..D0) for values exceeding 511. Clamp the user input for out_altvoltage0_settling_cycles to the maximum effective value of 2044 cycles (511 * 4x multiplier). Fixes: f94aa354d676 ("iio: impedance-analyzer: New driver for AD5933/4 Impedance Converter, Network Analyzer") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> --- Changes in v3: - Only include fix (remove refactoring which will be its own separate patch). Changes in v2: - Fix spacing in comment around '+'. - Define mask and values for settling cycle multipliers. --- drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c index d5544fc2fe989..f8fcc10ea8150 100644 --- a/drivers/staging/iio/impedance-analyzer/ad5933.c +++ b/drivers/staging/iio/impedance-analyzer/ad5933.c @@ -411,7 +411,7 @@ static ssize_t ad5933_store(struct device *dev, ret = ad5933_cmd(st, 0); break; case AD5933_OUT_SETTLING_CYCLES: - val = clamp(val, (u16)0, (u16)0x7FF); + val = clamp(val, (u16)0, (u16)0x7FC); st->settling_cycles = val; /* 2x, 4x handling, see datasheet */ -- 2.43.0

6 months, 2 weeks

3
3
0 0

[PATCH] axis-fifo: Remove hardware resets for user errors

by Gabriel Shahrouzi

The axis-fifo driver performs a full hardware reset (via reset_ip_core()) in several error paths within the read and write functions. This reset flushes both TX and RX FIFOs and resets the AXI-Stream links. Allow the user to handle the error without causing hardware disruption or data loss in other FIFO paths. Fixes: 4a965c5f89de ("staging: add driver for Xilinx AXI-Stream FIFO v4.1 IP core") Cc: stable(a)vger.kernel.org Signed-off-by: Gabriel Shahrouzi <gshahrouzi(a)gmail.com> --- drivers/staging/axis-fifo/axis-fifo.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/staging/axis-fifo/axis-fifo.c b/drivers/staging/axis-fifo/axis-fifo.c index 7540c20090c78..76db29e4d2828 100644 --- a/drivers/staging/axis-fifo/axis-fifo.c +++ b/drivers/staging/axis-fifo/axis-fifo.c @@ -393,16 +393,14 @@ static ssize_t axis_fifo_read(struct file *f, char __user *buf, bytes_available = ioread32(fifo->base_addr + XLLF_RLR_OFFSET); if (!bytes_available) { - dev_err(fifo->dt_device, "received a packet of length 0 - fifo core will be reset\n"); - reset_ip_core(fifo); + dev_err(fifo->dt_device, "received a packet of length 0\n"); ret = -EIO; goto end_unlock; } if (bytes_available > len) { - dev_err(fifo->dt_device, "user read buffer too small (available bytes=%zu user buffer bytes=%zu) - fifo core will be reset\n", + dev_err(fifo->dt_device, "user read buffer too small (available bytes=%zu user buffer bytes=%zu)\n", bytes_available, len); - reset_ip_core(fifo); ret = -EINVAL; goto end_unlock; } @@ -411,8 +409,7 @@ static ssize_t axis_fifo_read(struct file *f, char __user *buf, /* this probably can't happen unless IP * registers were previously mishandled */ - dev_err(fifo->dt_device, "received a packet that isn't word-aligned - fifo core will be reset\n"); - reset_ip_core(fifo); + dev_err(fifo->dt_device, "received a packet that isn't word-aligned\n"); ret = -EIO; goto end_unlock; } @@ -433,7 +430,6 @@ static ssize_t axis_fifo_read(struct file *f, char __user *buf, if (copy_to_user(buf + copied * sizeof(u32), tmp_buf, copy * sizeof(u32))) { - reset_ip_core(fifo); ret = -EFAULT; goto end_unlock; } @@ -542,7 +538,6 @@ static ssize_t axis_fifo_write(struct file *f, const char __user *buf, if (copy_from_user(tmp_buf, buf + copied * sizeof(u32), copy * sizeof(u32))) { - reset_ip_core(fifo); ret = -EFAULT; goto end_unlock; } -- 2.43.0

6 months, 2 weeks

2
1
0 0

[PATCH] arm64: dts: imx8mm-verdin: Link reg_nvcc_sd to usdhc2

by Wojciech Dubowik

Link LDO5 labeled reg_nvcc_sd from PMIC to align with hardware configuration specified in the datasheet. Without this definition LDO5 will be powered down, disabling SD card after bootup. This has been introduced in commit f5aab0438ef1 (regulator: pca9450: Fix enable register for LDO5). Fixes: f5aab0438ef1 (regulator: pca9450: Fix enable register for LDO5) Cc: stable(a)vger.kernel.org Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> --- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi index 7251ad3a0017..6307c5caf3bc 100644 --- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi @@ -785,6 +785,7 @@ &usdhc2 { pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_cd>; pinctrl-3 = <&pinctrl_usdhc2_sleep>, <&pinctrl_usdhc2_cd_sleep>; vmmc-supply = <&reg_usdhc2_vmmc>; + vqmmc-supply = <&reg_nvcc_sd>; }; &wdog1 { -- 2.47.2

6 months, 2 weeks

4
5
0 0

[PATCH 5.10.y 1/2] smb: client: fix UAF in async decryption

by jianqi.ren.cn＠windriver.com

From: Enzo Matsumiya <ematsumiya(a)suse.de> commit b0abcd65ec545701b8793e12bc27dc98042b151a upstream. Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation. Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Steve French <stfrench(a)microsoft.com> [In linux-5.10, dec and enc fields are named ccmaesdecrypt and ccmaesencrypt.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/cifs/smb2ops.c | 48 +++++++++++++++++++++++++++-------------------- fs/cifs/smb2pdu.c | 6 ++++++ 2 files changed, 34 insertions(+), 20 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 70a4d101b542..aa1acc698caa 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -4291,7 +4291,7 @@ smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key) */ static int crypt_message(struct TCP_Server_Info *server, int num_rqst, - struct smb_rqst *rqst, int enc) + struct smb_rqst *rqst, int enc, struct crypto_aead *tfm) { struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base; @@ -4302,8 +4302,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, u8 key[SMB3_ENC_DEC_KEY_SIZE]; struct aead_request *req; u8 *iv; - DECLARE_CRYPTO_WAIT(wait); - struct crypto_aead *tfm; unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); void *creq; @@ -4314,15 +4312,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, return rc; } - rc = smb3_crypto_aead_allocate(server); - if (rc) { - cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__); - return rc; - } - - tfm = enc ? server->secmech.ccmaesencrypt : - server->secmech.ccmaesdecrypt; - if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) || (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE); @@ -4361,11 +4350,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, - crypto_req_done, &wait); - - rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) - : crypto_aead_decrypt(req), &wait); + rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); @@ -4454,7 +4439,7 @@ smb3_init_transform_rq(struct TCP_Server_Info *server, int num_rqst, /* fill the 1st iov with a transform header */ fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type); - rc = crypt_message(server, num_rqst, new_rq, 1); + rc = crypt_message(server, num_rqst, new_rq, 1, server->secmech.ccmaesencrypt); cifs_dbg(FYI, "Encrypt message returned %d\n", rc); if (rc) goto err_free; @@ -4480,8 +4465,9 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, unsigned int npages, unsigned int page_data_size, bool is_offloaded) { - struct kvec iov[2]; + struct crypto_aead *tfm; struct smb_rqst rqst = {NULL}; + struct kvec iov[2]; int rc; iov[0].iov_base = buf; @@ -4496,9 +4482,31 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, rqst.rq_pagesz = PAGE_SIZE; rqst.rq_tailsz = (page_data_size % PAGE_SIZE) ? : PAGE_SIZE; - rc = crypt_message(server, 1, &rqst, 0); + if (is_offloaded) { + if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) || + (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) + tfm = crypto_alloc_aead("gcm(aes)", 0, 0); + else + tfm = crypto_alloc_aead("ccm(aes)", 0, 0); + if (IS_ERR(tfm)) { + rc = PTR_ERR(tfm); + cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc); + + return rc; + } + } else { + if (unlikely(!server->secmech.ccmaesdecrypt)) + return -EIO; + + tfm = server->secmech.ccmaesdecrypt; + } + + rc = crypt_message(server, 1, &rqst, 0, tfm); cifs_dbg(FYI, "Decrypt message returned %d\n", rc); + if (is_offloaded) + crypto_free_aead(tfm); + if (rc) return rc; diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 03651cc6b7a5..245e2dd5a194 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -998,6 +998,12 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) else cifs_server_dbg(VFS, "Missing expected negotiate contexts\n"); } + + if (server->cipher_type && !rc) { + rc = smb3_crypto_aead_allocate(server); + if (rc) + cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc); + } neg_exit: free_rsp_buf(resp_buftype, rsp); return rc; -- 2.34.1

6 months, 2 weeks

1
0
0 0

[PATCH 5.10.y 2/2] smb: client: fix NULL ptr deref in crypto_aead_setkey()

by jianqi.ren.cn＠windriver.com

From: Paulo Alcantara <pc(a)manguebit.com> commit 4bdec0d1f658f7c98749bd2c5a486e6cfa8565d2 upstream. Neither SMB3.0 or SMB3.02 supports encryption negotiate context, so when SMB2_GLOBAL_CAP_ENCRYPTION flag is set in the negotiate response, the client uses AES-128-CCM as the default cipher. See MS-SMB2 3.3.5.4. Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") added a @server->cipher_type check to conditionally call smb3_crypto_aead_allocate(), but that check would always be false as @server->cipher_type is unset for SMB3.02. Fix the following KASAN splat by setting @server->cipher_type for SMB3.02 as well. mount.cifs //srv/share /mnt -o vers=3.02,seal,... BUG: KASAN: null-ptr-deref in crypto_aead_setkey+0x2c/0x130 Read of size 8 at addr 0000000000000020 by task mount.cifs/1095 CPU: 1 UID: 0 PID: 1095 Comm: mount.cifs Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? crypto_aead_setkey+0x2c/0x130 kasan_report+0xda/0x110 ? crypto_aead_setkey+0x2c/0x130 crypto_aead_setkey+0x2c/0x130 crypt_message+0x258/0xec0 [cifs] ? __asan_memset+0x23/0x50 ? __pfx_crypt_message+0x10/0x10 [cifs] ? mark_lock+0xb0/0x6a0 ? hlock_class+0x32/0xb0 ? mark_lock+0xb0/0x6a0 smb3_init_transform_rq+0x352/0x3f0 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 smb_send_rqst+0x144/0x230 [cifs] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] ? hlock_class+0x32/0xb0 ? smb2_setup_request+0x225/0x3a0 [cifs] ? __pfx_cifs_compound_last_callback+0x10/0x10 [cifs] compound_send_recv+0x59b/0x1140 [cifs] ? __pfx_compound_send_recv+0x10/0x10 [cifs] ? __create_object+0x5e/0x90 ? hlock_class+0x32/0xb0 ? do_raw_spin_unlock+0x9a/0xf0 cifs_send_recv+0x23/0x30 [cifs] SMB2_tcon+0x3ec/0xb30 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_trylock+0xc6/0x120 ? lock_acquire+0x3f/0x90 ? _get_xid+0x16/0xd0 [cifs] ? __pfx_SMB2_tcon+0x10/0x10 [cifs] ? cifs_get_smb_ses+0xcdd/0x10a0 [cifs] cifs_get_smb_ses+0xcdd/0x10a0 [cifs] ? __pfx_cifs_get_smb_ses+0x10/0x10 [cifs] ? cifs_get_tcp_session+0xaa0/0xca0 [cifs] cifs_mount_get_session+0x8a/0x210 [cifs] dfs_mount_share+0x1b0/0x11d0 [cifs] ? __pfx___lock_acquire+0x10/0x10 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? lock_acquire.part.0+0xf4/0x2a0 ? find_held_lock+0x8a/0xa0 ? hlock_class+0x32/0xb0 ? lock_release+0x203/0x5d0 cifs_mount+0xb3/0x3d0 [cifs] ? do_raw_spin_trylock+0xc6/0x120 ? __pfx_cifs_mount+0x10/0x10 [cifs] ? lock_acquire+0x3f/0x90 ? find_nls+0x16/0xa0 ? smb3_update_mnt_flags+0x372/0x3b0 [cifs] cifs_smb3_do_mount+0x1e2/0xc80 [cifs] ? __pfx_vfs_parse_fs_string+0x10/0x10 ? __pfx_cifs_smb3_do_mount+0x10/0x10 [cifs] smb3_get_tree+0x1bf/0x330 [cifs] vfs_get_tree+0x4a/0x160 path_mount+0x3c1/0xfb0 ? kasan_quarantine_put+0xc7/0x1d0 ? __pfx_path_mount+0x10/0x10 ? kmem_cache_free+0x118/0x3e0 ? user_path_at+0x74/0xa0 __x64_sys_mount+0x1a6/0x1e0 ? __pfx___x64_sys_mount+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cc: Tom Talpey <tom(a)talpey.com> Reported-by: Jianhong Yin <jiyin(a)redhat.com> Cc: stable(a)vger.kernel.org # v6.12 Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [Commit b0abcd65ec54 ("smb: client: fix UAF in async decryption") fixes CVE-2024-50047 but brings NULL-pointer dereferebce. So commit 4bdec0d1f658 ("smb: client: fix NULL ptr deref in crypto_aead_setkey()") should be backported too.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/cifs/smb2pdu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 245e2dd5a194..4197096e7fdb 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -963,7 +963,9 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) * SMB3.0 supports only 1 cipher and doesn't have a encryption neg context * Set the cipher type manually. */ - if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) + if ((server->dialect == SMB30_PROT_ID || + server->dialect == SMB302_PROT_ID) && + (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) server->cipher_type = SMB2_ENCRYPTION_AES128_CCM; security_blob = smb2_get_data_area_len(&blob_offset, &blob_length, -- 2.34.1

6 months, 2 weeks

1
0
0 0

[PATCH v2] xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()

by Alexey Nepomnyashih

The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior. On XDP redirect failure, the associated page must be released explicitly if it was previously retained via get_page(). Failing to do so may result in a memory leak, as the pages reference count is not decremented. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org # v5.9+ Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") Signed-off-by: Alexey Nepomnyashih <sdl(a)nppct.ru> --- drivers/net/xen-netfront.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index 63fe51d0e64d..1d3ff57a6125 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -985,20 +985,27 @@ static u32 xennet_run_xdp(struct netfront_queue *queue, struct page *pdata, act = bpf_prog_run_xdp(prog, xdp); switch (act) { case XDP_TX: - get_page(pdata); xdpf = xdp_convert_buff_to_frame(xdp); - err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); - if (unlikely(!err)) - xdp_return_frame_rx_napi(xdpf); - else if (unlikely(err < 0)) + if (unlikely(!xdpf)) { trace_xdp_exception(queue->info->netdev, prog, act); + break; + } + get_page(pdata); + err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); + if (unlikely(err <= 0)) { + if (err < 0) + trace_xdp_exception(queue->info->netdev, prog, act); + xdp_return_frame_rx_napi(xdpf); + } break; case XDP_REDIRECT: get_page(pdata); err = xdp_do_redirect(queue->info->netdev, xdp, prog); *need_xdp_flush = true; - if (unlikely(err)) + if (unlikely(err)) { trace_xdp_exception(queue->info->netdev, prog, act); + xdp_return_buff(xdp); + } break; case XDP_PASS: case XDP_DROP: -- 2.43.0

6 months, 2 weeks

2
1
0 0

[PATCH 6.1 000/205] 6.1.134-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.134 release. There are 205 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 11 Apr 2025 11:58:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.134-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.134-rc2 Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not use PERF enums when perf is not defined Chuck Lever <chuck.lever(a)oracle.com> NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: put dl_stid if fail to queue dl_recall Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: fix race between device disconnection and urb callback Roman Smirnov <r.smirnov(a)omp.ru> jfs: add index corruption check to DT_GETPAGE() Qasim Ijaz <qasdev00(a)gmail.com> jfs: fix slab-out-of-bounds read in ea_get() Acs, Jakub <acsjakub(a)amazon.de> ext4: fix OOB read when checking dotdot dir Theodore Ts'o <tytso(a)mit.edu> ext4: don't over-report free space or inodes in statvfs Angelos Oikonomopoulos <angelos(a)igalia.com> arm64: Don't call NULL in do_compat_alignment_fixup() Ran Xiaokai <ran.xiaokai(a)zte.com.cn> tracing/osnoise: Fix possible recursive locking for cpus_read_lock() Douglas Raillard <douglas.raillard(a)arm.com> tracing: Fix synth event printk format for str fields Douglas Raillard <douglas.raillard(a)arm.com> tracing: Ensure module defining synth event cannot be unloaded while tracing Tengda Wu <wutengda(a)huaweicloud.com> tracing: Fix use-after-free in print_graph_function_flags during tracer switching Norbert Szetei <norbert(a)doyensec.com> ksmbd: validate zero num_subauth before sub_auth is accessed Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix session use-after-free in multichannel connection Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_sessions_deregister() Norbert Szetei <norbert(a)doyensec.com> ksmbd: add bounds check for create lease context Ulf Hansson <ulf.hansson(a)linaro.org> mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD Karel Balej <balejk(a)matfyz.cz> mmc: sdhci-pxav3: set NEED_RSP_BUSY capability Paul Menzel <pmenzel(a)molgen.mpg.de> ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP Murad Masimov <m.masimov(a)mt-integration.ru> acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Jann Horn <jannh(a)google.com> x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs Guilherme G. Piccoli <gpiccoli(a)igalia.com> x86/tsc: Always save/restore TSC sched_clock() on suspend/resume Josef Bacik <josef(a)toxicpanda.com> btrfs: handle errors from btrfs_dec_ref() properly Ivan Orlov <ivan.orlov0322(a)gmail.com> kunit/overflow: Fix UB in overflow_allocation_test Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read Peter Zijlstra (Intel) <peterz(a)infradead.org> perf/x86/intel: Apply static call for drain_pebs Markus Elfring <elfring(a)users.sourceforge.net> ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86: ISST: Correct command storage data length Hengqi Chen <hengqi.chen(a)gmail.com> LoongArch: BPF: Use move_addr() for BPF_PSEUDO_FUNC Hengqi Chen <hengqi.chen(a)gmail.com> LoongArch: BPF: Fix off-by-one error in build_prologue() Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Increase ARCH_DMA_MINALIGN up to 16 Ying Lu <luying1(a)xiaomi.com> usbnet:fix NPE during rx_complete Sherry Sun <sherry.sun(a)nxp.com> tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers Sherry Sun <sherry.sun(a)nxp.com> tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx11: fix num_mec Jens Axboe <axboe(a)kernel.dk> io_uring/filetable: ensure node switch is always done, if needed Henry Martin <bsdhenrymartin(a)gmail.com> arcnet: Add NULL check in com20020pci_probe() Ido Schimmel <idosch(a)nvidia.com> ipv6: Do not consider link down nexthops in path selection Ido Schimmel <idosch(a)nvidia.com> ipv6: Start path selection from the first nexthop Lin Ma <linma(a)zju.edu.cn> net: fix geneve_opt length integer overflow David Oberhollenzer <david.oberhollenzer(a)sigma-star.at> net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy Fernando Fernandez Mancera <ffmancera(a)riseup.net> ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS Lin Ma <linma(a)zju.edu.cn> netfilter: nft_tunnel: fix geneve_opt type confusion addition Guillaume Nault <gnault(a)redhat.com> tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu(). Stefano Garzarella <sgarzare(a)redhat.com> vsock: avoid timeout during connect() if the socket is closing Kuniyuki Iwashima <kuniyu(a)amazon.com> udp: Fix memory accounting leak. Tobias Waldekranz <tobias(a)waldekranz.com> net: mvpp2: Prevent parser TCAM memory corruption Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: skbprio: Remove overly strict queue assertions Debin Zhu <mowenroot(a)163.com> netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only Henry Martin <bsdhenrymartin(a)gmail.com> ASoC: imx-card: Add NULL check in imx_card_probe() Nikita Shubin <n.shubin(a)yadro.com> ntb: intel: Fix using link status DB's Yajun Deng <yajun.deng(a)linux.dev> ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans Juhan Jin <juhan.jin(a)foxmail.com> riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and make_call_ra Al Viro <viro(a)zeniv.linux.org.uk> spufs: fix a leak in spufs_create_context() Al Viro <viro(a)zeniv.linux.org.uk> spufs: fix gang directory lifetimes Al Viro <viro(a)zeniv.linux.org.uk> spufs: fix a leak on spufs_new_file() failure Tasos Sahanidis <tasos(a)tasossah.com> hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} Roger Quadros <rogerq(a)kernel.org> memory: omap-gpmc: drop no compatible check Oliver Hartkopp <socketcan(a)hartkopp.net> can: statistics: use atomic access in hot path Navon John Lukose <navonjohnlukose(a)gmail.com> ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Keep display off while going into S4 Vladis Dronov <vdronov(a)redhat.com> x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled Waiman Long <longman(a)redhat.com> locking/semaphore: Use wake_q to wake up processes outside lock critical section Shrikanth Hegde <sshegde(a)linux.ibm.com> sched/deadline: Use online cpus for validating runtime Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops using CS35L41 HDA Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using CS35L41 HDA Wentao Guan <guanwentao(a)uniontech.com> HID: i2c-hid: improve i2c_hid_get_report error message Dmitry Panchenko <dmitry(a)d-systems.ee> platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet Daniel Bárta <daniel.barta(a)trustlab.cz> ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0 Antheas Kapenekakis <lkml(a)antheas.dev> ALSA: hda/realtek: Fix Asus Z13 2025 audio Simon Tatham <anakin(a)pobox.com> affs: don't write overlarge OFS data block size fields Simon Tatham <anakin(a)pobox.com> affs: generate OFS sequence numbers starting at 1 Matthias Proske <email(a)matthias-proske.de> wifi: brcmfmac: keep power during suspend if board requires it Icenowy Zheng <uwu(a)icenowy.me> nvme-pci: skip CMB blocks incompatible with PCI P2P DMA Icenowy Zheng <uwu(a)icenowy.me> nvme-pci: clean up CMBMSC when registering CMB fails Sagi Grimberg <sagi(a)grimberg.me> nvme-tcp: fix possible UAF in nvme_tcp_poll Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: use the right version of the rate API Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: fw: allocate chained SG tables for dump Josh Poimboeuf <jpoimboe(a)kernel.org> rcu-tasks: Always inline rcu_irq_work_resched() Josh Poimboeuf <jpoimboe(a)kernel.org> context_tracking: Always inline ct_{nmi,irq}_{enter,exit}() Josh Poimboeuf <jpoimboe(a)kernel.org> sched/smt: Always inline sched_smt_active() Geetha sowjanya <gakula(a)marvell.com> octeontx2-af: Free NIX_AF_INT_VEC_GEN irq Geetha sowjanya <gakula(a)marvell.com> octeontx2-af: Fix mbox INTR handler when num VFs > 64 Giovanni Gherdovich <ggherdovich(a)suse.cz> ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid 谢致邦 (XIE Zhibang) <Yeking(a)Red54.com> LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig Feng Yang <yangfeng(a)kylinos.cn> ring-buffer: Fix bytes_dropped calculation issue Lama Kayal <lkayal(a)nvidia.com> net/mlx5e: SHAMPO, Make reserved size independent of page size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix multichannel connection failure Miaoqian Lin <linmq006(a)gmail.com> ksmbd: use aead_request_free to match aead_request_alloc Lubomir Rintel <lkundrak(a)v3.sk> rndis_host: Flag RNDIS modems as WWAN devices Mark Zhang <markzhang(a)nvidia.com> rtnetlink: Allocate vfinfo size for VF GUIDs when supported Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in exfat_find_last_cluster() Josh Poimboeuf <jpoimboe(a)kernel.org> objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() Marcus Meissner <meissner(a)suse.de> perf tools: annotate asm_pure_loop.S Bart Van Assche <bvanassche(a)acm.org> fs/procfs: fix the comment above proc_pid_wchan() 谢致邦 (XIE Zhibang) <Yeking(a)Red54.com> staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Check if there is space to copy all the event Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Don't keep a raw_data pointer to consumed ring buffer space Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Decrement the refcount of just created event on failure Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Fixup description of sample.id event member Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Fix missing the IBI rules Benjamin Berg <benjamin.berg(a)intel.com> um: remove copy_from_kernel_nofault_allowed Alistair Popple <apopple(a)nvidia.com> fuse: fix dax truncate/punch_hole fault path Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't trigger uneccessary scans for return-on-close delegations Anshuman Khandual <anshuman.khandual(a)arm.com> arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig Vasiliy Kovalev <kovalev(a)altlinux.org> ocfs2: validate l_tree_depth to avoid out-of-bounds access Sourabh Jain <sourabhjain(a)linux.ibm.com> kexec: initialize ELF lowest address to ULONG_MAX Arnaldo Carvalho de Melo <acme(a)redhat.com> perf units: Fix insufficient array space Ian Rogers <irogers(a)google.com> perf evlist: Add success path to evlist__create_syswide_maps Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> iio: adc: ad7124: Fix comparison of channel configs Dan Carpenter <dan.carpenter(a)linaro.org> fs/ntfs3: Fix a couple integer overflows on 32bit systems Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: correct debug message page size calculation Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: msa311: Fix failure to release runtime pm if direct mode claim fails. Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio Yuanfang Zhang <quic_yuanfang(a)quicinc.com> coresight-etm4x: add isb() before reading the TRCSTATR Ilkka Koskinen <ilkka(a)os.amperecomputing.com> coresight: catu: Fix number of pages while using 64k pages Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> soundwire: slave: fix an OF node reference leak in soundwire slave device Qasim Ijaz <qasdev00(a)gmail.com> isofs: fix KMSAN uninit-value bug in do_isofs_readdir() Barnabás Czémán <barnabas.czeman(a)mainlining.org> clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock Wenkai Lin <linwenkai6(a)hisilicon.com> crypto: hisilicon/sec2 - fix for aead auth key length Jann Horn <jannh(a)google.com> x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> mfd: sm501: Switch to BIT() to mitigate integer overflows Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> pinctrl: renesas: rzv2m: Fix missing of_node_put() call Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow Herbert Xu <herbert(a)gondor.apana.org.au> crypto: nx - Fix uninitialised hv_nxc on error Artur Weber <aweber.kernel(a)gmail.com> power: supply: max77693: Fix wrong conversion of charge input threshold value Jann Horn <jannh(a)google.com> x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 Jerome Brunet <jbrunet(a)baylibre.com> clk: amlogic: g12a: fix mmc A peripheral clock Alice Ryhl <aliceryhl(a)google.com> rust: fix signature of rust_fmt_argument Saket Kumar Bhaskar <skb99(a)linux.ibm.com> selftests/bpf: Select NUMA_NO_NODE to create map Jerome Brunet <jbrunet(a)baylibre.com> clk: amlogic: gxbb: drop non existing 32k clock parent Jerome Brunet <jbrunet(a)baylibre.com> clk: amlogic: g12b: fix cluster A parent data Prathamesh Shete <pshete(a)nvidia.com> pinctrl: tegra: Set SFIO mode to Mux Register Maher Sanalla <msanalla(a)nvidia.com> IB/mad: Check available slots before posting receive WRs Luca Weiss <luca(a)lucaweiss.eu> remoteproc: qcom_q6v5_mss: Handle platforms with one power domain Cheng Xu <chengyou(a)linux.alibaba.com> RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() Chiara Meiohas <cmeiohas(a)nvidia.com> RDMA/mlx5: Fix calculation of total invalidated pages Roman Gushchin <roman.gushchin(a)linux.dev> RDMA/core: Don't expose hw_counters outside of init net namespace Peter Geis <pgwipeout(a)gmail.com> clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> pinctrl: renesas: rzg2l: Fix missing of_node_put() call Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> pinctrl: renesas: rza2: Fix missing of_node_put() call Tanya Agarwal <tanyaagarwal25699(a)gmail.com> lib: 842: Improve error handling in sw842_compress() Hou Tao <houtao1(a)huawei.com> bpf: Use preempt_count() directly in bpf_send_signal_common() Vladimir Lypak <vladimir.lypak(a)gmail.com> clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock Will McVicker <willmcvicker(a)google.com> clk: samsung: Fix UBSAN panic in samsung_clk_init() Viktor Malik <vmalik(a)redhat.com> selftests/bpf: Fix string read in strncmp benchmark Andrii Nakryiko <andrii(a)kernel.org> libbpf: Fix hypothetical STT_SECTION extern NULL deref case Luca Weiss <luca(a)lucaweiss.eu> remoteproc: qcom_q6v5_pas: Make single-PD handling more robust Zijun Hu <quic_zijuhu(a)quicinc.com> of: property: Increase NR_FWNODE_REFERENCE_ARGS Peng Fan <peng.fan(a)nxp.com> remoteproc: core: Clear table_sz when rproc_shutdown Wenkai Lin <linwenkai6(a)hisilicon.com> crypto: hisilicon/sec2 - fix for aead authsize alignment Jerome Brunet <jbrunet(a)baylibre.com> clk: amlogic: gxbb: drop incorrect flag on 32k clock Danila Chernetsov <listdansp(a)mail.ru> fbdev: sm501fb: Add some geometry checks. Arnd Bergmann <arnd(a)arndb.de> mdacon: rework dependency list Markus Elfring <elfring(a)users.sourceforge.net> fbdev: au1100fb: Move a variable assignment behind a null pointer check Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: pciehp: Don't enable HPIE when resuming in poll mode Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> drm/amd/display: avoid NPD when ASIC does not support DMUB Dan Carpenter <dan.carpenter(a)linaro.org> drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() Thippeswamy Havalige <thippeswamy.havalige(a)amd.com> PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe Dan Carpenter <dan.carpenter(a)linaro.org> PCI: Remove stray put_device() in pci_register_host_bridge() Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() Nishanth Aravamudan <naravamudan(a)nvidia.com> PCI: Avoid reset when disabled via sysfs Feng Tang <feng.tang(a)linux.alibaba.com> PCI/portdrv: Only disable pciehp interrupts early when needed Jim Quinlan <james.quinlan(a)broadcom.com> PCI: brcmstb: Fix potential premature regulator disabling Jim Quinlan <james.quinlan(a)broadcom.com> PCI: brcmstb: Fix error path after a call to regulator_bulk_get() Jim Quinlan <james.quinlan(a)broadcom.com> PCI: brcmstb: Use internal register to change link capability Hans Zhang <18255117159(a)163.com> PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host Daniel Stodden <daniel.stodden(a)gmail.com> PCI/ASPM: Fix link state exit during switch upstream function removal AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_hdmi: Unregister audio platform device on failure Kai-Heng Feng <kaihengf(a)nvidia.com> PCI: Use downstream bridges for distributing resources José Expósito <jose.exposito89(a)gmail.com> drm/vkms: Fix use after free and double free on init error Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm: xlnx: zynqmp: Fix max dma segment size Hermes Wu <Hermes.wu(a)ite.com.tw> drm/bridge: it6505: fix HDCP V match check is not performed correctly Wayne Lin <Wayne.Lin(a)amd.com> drm/dp_mst: Fix drm RAD print Geert Uytterhoeven <geert+renesas(a)glider.be> drm/bridge: ti-sn65dsi86: Fix multiple instances Jayesh Choudhary <j-choudhary(a)ti.com> ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Always honor no_shutup_pins Jiri Kosina <jkosina(a)suse.com> HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER Vitaliy Shevtsov <v.shevtsov(a)mt-integration.ru> ASoC: cs35l41: check the return value from spi_setup() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> media: platform: allgro-dvt: unregister v4l2_device on the error path Benjamin Gaignard <benjamin.gaignard(a)collabora.com> media: verisilicon: HEVC: Initialize start_bit field Chao Gao <chao.gao(a)intel.com> x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures Tao Chen <chen.dylane(a)linux.dev> perf/ring_buffer: Allow the EPOLLRDNORM flag for poll Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: Fix handling devices with direct_complete set on errors Chenyuan Yang <chenyuan0y(a)gmail.com> thermal: int340x: Add NULL check for adev Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/ie31200: Fix the error path order of ie31200_init() Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/ie31200: Fix the DIMM size mask for several SoCs Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer Tim Schumacher <tim.schumacher1(a)huawei.com> selinux: Chain up tool resolving errors in install_policy.sh Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: Adjust check before setting power.must_resume Peter Zijlstra <peterz(a)infradead.org> lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock Kevin Loughlin <kevinloughlin(a)google.com> x86/sev: Add missing RIP_REL_REF() invocations during sme_enable() Arnd Bergmann <arnd(a)arndb.de> x86/platform: Only allow CONFIG_EISA for 32-bit Benjamin Berg <benjamin.berg(a)intel.com> x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct() Stanislav Spassov <stanspas(a)amazon.de> x86/fpu: Fix guest FPU state buffer allocation size Jie Zhan <zhanjie9(a)hisilicon.com> cpufreq: governor: Fix negative 'idle_time' handling in dbs_update() Konstantin Andreev <andreev(a)swemel.ru> smack: dont compile ipv6 code unless ipv6 is configured zuoqian <zuoqian113(a)gmail.com> cpufreq: scpi: compare kHz instead of Hz Mike Rapoport (Microsoft) <rppt(a)kernel.org> x86/mm/pat: cpa-test: fix length for CPA_ARRAY test Eric Sandeen <sandeen(a)redhat.com> watch_queue: fix pipe accounting mismatch ------------- Diffstat: Makefile | 4 +- arch/arm64/kernel/compat_alignment.c | 2 + arch/loongarch/Kconfig | 4 +- arch/loongarch/include/asm/cache.h | 2 + arch/loongarch/net/bpf_jit.c | 7 +- arch/loongarch/net/bpf_jit.h | 5 + arch/powerpc/configs/mpc885_ads_defconfig | 2 +- arch/powerpc/platforms/cell/spufs/gang.c | 1 + arch/powerpc/platforms/cell/spufs/inode.c | 63 ++++++- arch/powerpc/platforms/cell/spufs/spufs.h | 2 + arch/riscv/include/asm/ftrace.h | 4 +- arch/um/include/shared/os.h | 1 - arch/um/kernel/Makefile | 2 +- arch/um/kernel/maccess.c | 19 -- arch/um/os-Linux/process.c | 51 ------ arch/x86/Kconfig | 2 +- arch/x86/entry/calling.h | 2 + arch/x86/events/intel/core.c | 47 ++--- arch/x86/events/intel/ds.c | 13 +- arch/x86/events/perf_event.h | 3 +- arch/x86/include/asm/tlbflush.h | 2 +- arch/x86/kernel/cpu/sgx/driver.c | 10 +- arch/x86/kernel/dumpstack.c | 5 +- arch/x86/kernel/fpu/core.c | 6 +- arch/x86/kernel/process.c | 7 +- arch/x86/kernel/tsc.c | 4 +- arch/x86/mm/mem_encrypt_identity.c | 4 +- arch/x86/mm/pat/cpa-test.c | 2 +- drivers/acpi/nfit/core.c | 2 +- drivers/acpi/processor_idle.c | 4 + drivers/acpi/resource.c | 7 + drivers/base/power/main.c | 21 +-- drivers/base/power/runtime.c | 2 +- drivers/clk/meson/g12a.c | 38 ++-- drivers/clk/meson/gxbb.c | 14 +- drivers/clk/qcom/gcc-msm8953.c | 2 +- drivers/clk/qcom/mmcc-sdm660.c | 2 +- drivers/clk/rockchip/clk-rk3328.c | 2 +- drivers/clk/samsung/clk.c | 2 +- drivers/cpufreq/cpufreq_governor.c | 45 ++--- drivers/cpufreq/scpi-cpufreq.c | 5 +- drivers/crypto/hisilicon/sec2/sec_crypto.c | 30 ++- drivers/crypto/nx/nx-common-pseries.c | 37 ++-- drivers/edac/ie31200_edac.c | 19 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 11 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 + .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 4 + .../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 12 +- drivers/gpu/drm/bridge/ite-it6505.c | 7 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 + drivers/gpu/drm/display/drm_dp_mst_topology.c | 8 +- drivers/gpu/drm/mediatek/mtk_dsi.c | 6 +- drivers/gpu/drm/mediatek/mtk_hdmi.c | 33 +++- drivers/gpu/drm/msm/dsi/dsi_manager.c | 32 ++-- drivers/gpu/drm/vkms/vkms_drv.c | 15 +- drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 2 + drivers/hid/Makefile | 1 - drivers/hid/i2c-hid/i2c-hid-core.c | 2 +- drivers/hwmon/nct6775-core.c | 4 +- drivers/hwtracing/coresight/coresight-catu.c | 2 +- drivers/hwtracing/coresight/coresight-core.c | 20 +- drivers/hwtracing/coresight/coresight-etm4x-core.c | 48 ++++- drivers/i3c/master/svc-i3c-master.c | 2 +- drivers/iio/accel/mma8452.c | 10 +- drivers/iio/accel/msa311.c | 28 +-- drivers/iio/adc/ad7124.c | 35 +++- drivers/infiniband/core/device.c | 9 + drivers/infiniband/core/mad.c | 38 ++-- drivers/infiniband/core/sysfs.c | 1 + drivers/infiniband/hw/erdma/erdma_cm.c | 1 - drivers/infiniband/hw/mlx5/cq.c | 2 +- drivers/infiniband/hw/mlx5/odp.c | 10 +- drivers/media/dvb-frontends/dib8000.c | 5 +- drivers/media/platform/allegro-dvt/allegro-core.c | 1 + .../platform/verisilicon/hantro_g2_hevc_dec.c | 1 + drivers/media/rc/streamzap.c | 2 +- drivers/memory/omap-gpmc.c | 20 -- drivers/mfd/sm501.c | 6 +- drivers/mmc/host/sdhci-omap.c | 4 +- drivers/mmc/host/sdhci-pxav3.c | 1 + drivers/net/arcnet/com20020-pci.c | 17 +- drivers/net/dsa/mv88e6xxx/chip.c | 11 +- drivers/net/dsa/mv88e6xxx/phy.c | 3 + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 3 + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 3 +- drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 201 ++++++++++++++------- drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +- .../ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- .../net/ethernet/mellanox/mlx5/core/en/params.c | 8 +- drivers/net/usb/rndis_host.c | 16 +- drivers/net/usb/usbnet.c | 6 +- .../wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 20 +- drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++--- drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 8 +- drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 + drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +- drivers/ntb/test/ntb_perf.c | 4 +- drivers/nvme/host/pci.c | 21 ++- drivers/nvme/host/tcp.c | 5 +- drivers/pci/controller/cadence/pcie-cadence-ep.c | 3 +- drivers/pci/controller/cadence/pcie-cadence.h | 2 +- drivers/pci/controller/pcie-brcmstb.c | 9 +- drivers/pci/controller/pcie-xilinx-cpm.c | 10 +- drivers/pci/hotplug/pciehp_hpc.c | 4 +- drivers/pci/pci.c | 4 + drivers/pci/pcie/aspm.c | 17 +- drivers/pci/pcie/portdrv_core.c | 8 +- drivers/pci/probe.c | 5 +- drivers/pci/setup-bus.c | 3 +- drivers/pinctrl/renesas/pinctrl-rza2.c | 2 + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 + drivers/pinctrl/renesas/pinctrl-rzv2m.c | 2 + drivers/pinctrl/tegra/pinctrl-tegra.c | 3 + drivers/platform/x86/intel/hid.c | 7 + .../x86/intel/speed_select_if/isst_if_common.c | 2 +- drivers/power/supply/max77693_charger.c | 2 +- drivers/remoteproc/qcom_q6v5_mss.c | 21 ++- drivers/remoteproc/qcom_q6v5_pas.c | 10 +- drivers/remoteproc/remoteproc_core.c | 1 + drivers/soundwire/slave.c | 1 + drivers/staging/rtl8723bs/Kconfig | 1 + .../intel/int340x_thermal/int3402_thermal.c | 3 + drivers/tty/serial/fsl_lpuart.c | 25 ++- drivers/usb/host/xhci-mem.c | 6 +- drivers/video/console/Kconfig | 2 +- drivers/video/fbdev/au1100fb.c | 4 +- drivers/video/fbdev/sm501fb.c | 7 + fs/affs/file.c | 9 +- fs/btrfs/extent-tree.c | 5 +- fs/exfat/fatent.c | 2 +- fs/ext4/dir.c | 3 + fs/ext4/super.c | 27 ++- fs/fuse/dax.c | 1 - fs/fuse/dir.c | 2 +- fs/fuse/file.c | 4 +- fs/isofs/dir.c | 3 +- fs/jfs/jfs_dtree.c | 3 +- fs/jfs/xattr.c | 13 +- fs/nfs/delegation.c | 33 ++-- fs/nfsd/nfs4state.c | 31 +++- fs/ntfs3/index.c | 4 +- fs/ocfs2/alloc.c | 8 + fs/proc/base.c | 2 +- fs/smb/server/auth.c | 6 +- fs/smb/server/mgmt/user_session.c | 33 +++- fs/smb/server/mgmt/user_session.h | 2 + fs/smb/server/oplock.c | 8 + fs/smb/server/smb2pdu.c | 19 +- fs/smb/server/smbacl.c | 5 + include/drm/display/drm_dp_mst_helper.h | 7 + include/linux/context_tracking_irq.h | 8 +- include/linux/coresight.h | 4 + include/linux/fwnode.h | 2 +- include/linux/interrupt.h | 8 +- include/linux/pm_runtime.h | 2 + include/linux/rcupdate.h | 2 +- include/linux/sched/smt.h | 2 +- include/rdma/ib_verbs.h | 1 + io_uring/filetable.c | 2 +- kernel/events/ring_buffer.c | 2 +- kernel/kexec_elf.c | 2 +- kernel/locking/semaphore.c | 13 +- kernel/sched/deadline.c | 2 +- kernel/trace/bpf_trace.c | 2 +- kernel/trace/ring_buffer.c | 4 +- kernel/trace/trace_events_synth.c | 36 +++- kernel/trace/trace_functions_graph.c | 1 + kernel/trace/trace_irqsoff.c | 2 - kernel/trace/trace_osnoise.c | 1 - kernel/trace/trace_sched_wakeup.c | 2 - kernel/watch_queue.c | 9 + lib/842/842_compress.c | 2 + lib/overflow_kunit.c | 3 +- lib/vsprintf.c | 2 +- mm/memory.c | 2 - net/can/af_can.c | 12 +- net/can/af_can.h | 12 +- net/can/proc.c | 46 +++-- net/core/rtnetlink.c | 3 + net/ipv4/ip_tunnel_core.c | 4 +- net/ipv4/udp.c | 16 +- net/ipv6/addrconf.c | 37 ++-- net/ipv6/calipso.c | 21 ++- net/ipv6/route.c | 42 ++++- net/netfilter/nft_set_hash.c | 3 +- net/netfilter/nft_tunnel.c | 6 +- net/openvswitch/actions.c | 6 - net/sched/act_tunnel_key.c | 2 +- net/sched/cls_flower.c | 2 +- net/sched/sch_skbprio.c | 3 - net/vmw_vsock/af_vsock.c | 6 +- rust/kernel/print.rs | 7 +- scripts/selinux/install_policy.sh | 15 +- security/smack/smack.h | 6 + security/smack/smack_lsm.c | 10 +- sound/pci/hda/patch_realtek.c | 32 +++- sound/soc/codecs/cs35l41-spi.c | 4 +- sound/soc/fsl/imx-card.c | 4 + sound/soc/ti/j721e-evm.c | 2 + tools/lib/bpf/linker.c | 2 +- .../shell/coresight/asm_pure_loop/asm_pure_loop.S | 2 + tools/perf/util/evlist.c | 13 +- tools/perf/util/python.c | 17 +- tools/perf/util/units.c | 2 +- .../selftests/bpf/prog_tests/bloom_filter_map.c | 5 + tools/testing/selftests/bpf/progs/strncmp_bench.c | 5 +- 207 files changed, 1401 insertions(+), 779 deletions(-)

6 months, 2 weeks

11
11
0 0

[PATCH v2] powerpc64/bpf: fix JIT code size calculation of bpf trampoline

by Hari Bathini

arch_bpf_trampoline_size() provides JIT size of the BPF trampoline before the buffer for JIT'ing it is allocated. The total number of instructions emitted for BPF trampoline JIT code depends on where the final image is located. So, the size arrived at with the dummy pass in arch_bpf_trampoline_size() can vary from the actual size needed in arch_prepare_bpf_trampoline(). When the instructions accounted in arch_bpf_trampoline_size() is less than the number of instructions emitted during the actual JIT compile of the trampoline, the below warning is produced: WARNING: CPU: 8 PID: 204190 at arch/powerpc/net/bpf_jit_comp.c:981 __arch_prepare_bpf_trampoline.isra.0+0xd2c/0xdcc which is: /* Make sure the trampoline generation logic doesn't overflow */ if (image && WARN_ON_ONCE(&image[ctx->idx] > (u32 *)rw_image_end - BPF_INSN_SAFETY)) { So, during the dummy pass, instead of providing some arbitrary image location, account for maximum possible instructions if and when there is a dependency with image location for JIT'ing. Fixes: d243b62b7bd3 ("powerpc64/bpf: Add support for bpf trampolines") Reported-by: Venkat Rao Bagalkote <venkat88(a)linux.ibm.com> Closes: https://lore.kernel.org/all/6168bfc8-659f-4b5a-a6fb-90a916dde3b3@linux.ibm.… Cc: stable(a)vger.kernel.org # v6.13+ Signed-off-by: Hari Bathini <hbathini(a)linux.ibm.com> --- Changes since v1: - Pass NULL for image during intial pass and account for max. possible instruction during this pass as Naveen suggested. arch/powerpc/net/bpf_jit.h | 20 ++++++++++++++++--- arch/powerpc/net/bpf_jit_comp.c | 33 ++++++++++--------------------- arch/powerpc/net/bpf_jit_comp64.c | 9 +++++++++ 3 files changed, 36 insertions(+), 26 deletions(-) diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h index 6beacaec63d3..4c26912c2e3c 100644 --- a/arch/powerpc/net/bpf_jit.h +++ b/arch/powerpc/net/bpf_jit.h @@ -51,8 +51,16 @@ EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc)); \ } while (0) -/* Sign-extended 32-bit immediate load */ +/* + * Sign-extended 32-bit immediate load + * + * If this is a dummy pass (!image), account for + * maximum possible instructions. + */ #define PPC_LI32(d, i) do { \ + if (!image) \ + ctx->idx += 2; \ + else { \ if ((int)(uintptr_t)(i) >= -32768 && \ (int)(uintptr_t)(i) < 32768) \ EMIT(PPC_RAW_LI(d, i)); \ @@ -60,10 +68,15 @@ EMIT(PPC_RAW_LIS(d, IMM_H(i))); \ if (IMM_L(i)) \ EMIT(PPC_RAW_ORI(d, d, IMM_L(i))); \ - } } while(0) + } \ + } } while (0) #ifdef CONFIG_PPC64 +/* If dummy pass (!image), account for maximum possible instructions */ #define PPC_LI64(d, i) do { \ + if (!image) \ + ctx->idx += 5; \ + else { \ if ((long)(i) >= -2147483648 && \ (long)(i) < 2147483648) \ PPC_LI32(d, i); \ @@ -84,7 +97,8 @@ if ((uintptr_t)(i) & 0x000000000000ffffULL) \ EMIT(PPC_RAW_ORI(d, d, (uintptr_t)(i) & \ 0xffff)); \ - } } while (0) + } \ + } } while (0) #define PPC_LI_ADDR PPC_LI64 #ifndef CONFIG_PPC_KERNEL_PCREL diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c index 2991bb171a9b..c0684733e9d6 100644 --- a/arch/powerpc/net/bpf_jit_comp.c +++ b/arch/powerpc/net/bpf_jit_comp.c @@ -504,10 +504,11 @@ static int invoke_bpf_prog(u32 *image, u32 *ro_image, struct codegen_context *ct EMIT(PPC_RAW_ADDI(_R3, _R1, regs_off)); if (!p->jited) PPC_LI_ADDR(_R4, (unsigned long)p->insnsi); - if (!create_branch(&branch_insn, (u32 *)&ro_image[ctx->idx], (unsigned long)p->bpf_func, - BRANCH_SET_LINK)) { - if (image) - image[ctx->idx] = ppc_inst_val(branch_insn); + /* Account for max possible instructions during dummy pass for size calculation */ + if (image && !create_branch(&branch_insn, (u32 *)&ro_image[ctx->idx], + (unsigned long)p->bpf_func, + BRANCH_SET_LINK)) { + image[ctx->idx] = ppc_inst_val(branch_insn); ctx->idx++; } else { EMIT(PPC_RAW_LL(_R12, _R25, offsetof(struct bpf_prog, bpf_func))); @@ -889,7 +890,8 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im bpf_trampoline_restore_tail_call_cnt(image, ctx, func_frame_offset, r4_off); /* Reserve space to patch branch instruction to skip fexit progs */ - im->ip_after_call = &((u32 *)ro_image)[ctx->idx]; + if (ro_image) /* image is NULL for dummy pass */ + im->ip_after_call = &((u32 *)ro_image)[ctx->idx]; EMIT(PPC_RAW_NOP()); } @@ -912,7 +914,8 @@ static int __arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *rw_im } if (flags & BPF_TRAMP_F_CALL_ORIG) { - im->ip_epilogue = &((u32 *)ro_image)[ctx->idx]; + if (ro_image) /* image is NULL for dummy pass */ + im->ip_epilogue = &((u32 *)ro_image)[ctx->idx]; PPC_LI_ADDR(_R3, im); ret = bpf_jit_emit_func_call_rel(image, ro_image, ctx, (unsigned long)__bpf_tramp_exit); @@ -973,25 +976,9 @@ int arch_bpf_trampoline_size(const struct btf_func_model *m, u32 flags, struct bpf_tramp_links *tlinks, void *func_addr) { struct bpf_tramp_image im; - void *image; int ret; - /* - * Allocate a temporary buffer for __arch_prepare_bpf_trampoline(). - * This will NOT cause fragmentation in direct map, as we do not - * call set_memory_*() on this buffer. - * - * We cannot use kvmalloc here, because we need image to be in - * module memory range. - */ - image = bpf_jit_alloc_exec(PAGE_SIZE); - if (!image) - return -ENOMEM; - - ret = __arch_prepare_bpf_trampoline(&im, image, image + PAGE_SIZE, image, - m, flags, tlinks, func_addr); - bpf_jit_free_exec(image); - + ret = __arch_prepare_bpf_trampoline(&im, NULL, NULL, NULL, m, flags, tlinks, func_addr); return ret; } diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c index 233703b06d7c..91f9efe8b8d7 100644 --- a/arch/powerpc/net/bpf_jit_comp64.c +++ b/arch/powerpc/net/bpf_jit_comp64.c @@ -225,6 +225,15 @@ int bpf_jit_emit_func_call_rel(u32 *image, u32 *fimage, struct codegen_context * } #ifdef CONFIG_PPC_KERNEL_PCREL + /* + * If fimage is NULL (the initial pass to find image size), + * account for the maximum no. of instructions possible. + */ + if (!fimage) { + ctx->idx += 7; + return 0; + } + reladdr = func_addr - local_paca->kernelbase; if (reladdr < (long)SZ_8G && reladdr >= -(long)SZ_8G) { -- 2.49.0

6 months, 2 weeks

3
4
0 0

[PATCH stable 6.1] mm: Fix is_zero_page() usage in try_grab_page()

by Alex Williamson

The backport of upstream commit c8070b787519 ("mm: Don't pin ZERO_PAGE in pin_user_pages()") into v6.1.130 noted below in Fixes does not account for commit 0f0892356fa1 ("mm: allow multiple error returns in try_grab_page()"), which changed the return value of try_grab_page() from bool to int. Therefore returning 0, success in the upstream version, becomes an error here. Fix the return value. Fixes: 476c1dfefab8 ("mm: Don't pin ZERO_PAGE in pin_user_pages()") Link: https://lore.kernel.org/all/Z_6uhLQjJ7SSzI13@eldamar.lan Reported-by: Salvatore Bonaccorso <carnil(a)debian.org> Reported-by: Milan Broz <gmazyland(a)gmail.com> Cc: stable(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Cc: linux-mm(a)kvack.org Cc: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Alex Williamson <alex.williamson(a)redhat.com> --- mm/gup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/gup.c b/mm/gup.c index b1daaa9d89aa..76a2b0943e2d 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -232,7 +232,7 @@ bool __must_check try_grab_page(struct page *page, unsigned int flags) * and it is used in a *lot* of places. */ if (is_zero_page(page)) - return 0; + return true; /* * Similar to try_grab_folio(): be sure to *also* -- 2.48.1

6 months, 2 weeks

5
4
0 0

[PATCH] drm: panel: jd9365da: fix reset signal polarity in unprepare

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> commit a8972d5a49b4 ("drm: panel: jd9365da-h3: fix reset signal polarity") fixed reset signal polarity in jadard_dsi_probe() and jadard_prepare(). It was not done in jadard_unprepare() because of an incorrect assumption about reset line handling in power off mode. After looking into the datasheet, it now appears that before disabling regulators, the reset line is deasserted first, and if reset_before_power_off_vcioo is true, then the reset line is asserted. Fix reset polarity by inverting gpiod_set_value() second argument in in jadard_unprepare(). Fixes: 6b818c533dd8 ("drm: panel: Add Jadard JD9365DA-H3 DSI panel") Fixes: 2b976ad760dc ("drm/panel: jd9365da: Support for kd101ne3-40ti MIPI-DSI panel") Fixes: a8972d5a49b4 ("drm: panel: jd9365da-h3: fix reset signal polarity") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c index 7d68a8acfe2ea..eb0f8373258c3 100644 --- a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c +++ b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c @@ -129,11 +129,11 @@ static int jadard_unprepare(struct drm_panel *panel) { struct jadard *jadard = panel_to_jadard(panel); - gpiod_set_value(jadard->reset, 1); + gpiod_set_value(jadard->reset, 0); msleep(120); if (jadard->desc->reset_before_power_off_vcioo) { - gpiod_set_value(jadard->reset, 0); + gpiod_set_value(jadard->reset, 1); usleep_range(1000, 2000); } base-commit: 7adf8b1afc14832de099f9e178f08f91dc0dd6d0 -- 2.39.5

6 months, 2 weeks

2
2
0 0

[PATCH 6.12 000/393] 6.12.24-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.24 release. There are 393 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 19 Apr 2025 17:49:48 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.24-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.24-rc1 Thomas Richter <tmricht(a)linux.ibm.com> s390/cpumf: Fix double free on error in cpumf_pmu_event_init() Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: Fix another race during initialization Arnd Bergmann <arnd(a)arndb.de> media: mediatek: vcodec: mark vdec_vp9_slice_map_counts_eob_coef noinline Nathan Chancellor <nathan(a)kernel.org> kbuild: Add '-fno-builtin-wcslen' Eder Zulian <ezulian(a)redhat.com> libbpf: Prevent compiler warnings/errors Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() Jeff Layton <jlayton(a)kernel.org> nfsd: don't ignore the return code of svc_proc_register() Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix CB_GETATTR status fix Olga Kornievskaia <okorniev(a)redhat.com> NFSD: fix decoding in nfs4_xdr_dec_cb_getattr Nathan Chancellor <nathan(a)kernel.org> ACPI: platform-profile: Fix CFI violation when accessing sysfs files Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT Yi Liu <yi.l.liu(a)intel.com> iommufd: Fail replace if device has not been attached Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Make attach_handle generic than fault specific Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable monitor mode during suspend Cong Liu <liucong2(a)kylinos.cn> selftests: mptcp: fix incorrect fd checks in main_loop Geliang Tang <geliang(a)kernel.org> selftests: mptcp: close fd_in before returning in main_loop Jake Hillion <jake(a)hillion.co.uk> sched_ext: create_dsq: Return -EEXIST on duplicate request Sumanth Korikkar <sumanthk(a)linux.ibm.com> s390: Fix linker error when -no-pie option is unavailable David Hildenbrand <david(a)redhat.com> s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs Steven Rostedt <rostedt(a)goodmis.org> ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio() Peter Griffin <peter.griffin(a)linaro.org> pinctrl: samsung: add support for eint_fltcon_offset Stephan Gerhold <stephan.gerhold(a)linaro.org> pinctrl: qcom: Clear latched interrupt status when changing IRQ type Stefan Eichenberger <stefan.eichenberger(a)toradex.com> phy: freescale: imx8m-pcie: assert phy reset and perst in power off Philipp Stanner <phasta(a)kernel.org> PCI: Fix wrong length of devres array Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_register_host_bridge() Ma Ke <make24(a)iscas.ac.cn> PCI: Fix reference leak in pci_alloc_child_bus() Lukas Wunner <lukas(a)wunner.de> PCI: pciehp: Avoid unnecessary device replacement check Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4 Stanimir Varbanov <svarbanov(a)suse.de> PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_init() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakages in of_irq_count() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_raw() Zijun Hu <quic_zijuhu(a)quicinc.com> of/irq: Fix device node refcount leakage in API of_irq_parse_one() Fedor Pchelkin <pchelkin(a)ispras.ru> ntb: use 64-bit arithmetic for the MSI doorbell mask Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Switch to page pool for jumbo frames Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Add a new test for setuid() Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Split signal_scoping_threads tests Mickaël Salaün <mic(a)digikod.net> landlock: Prepare to add second errata Mickaël Salaün <mic(a)digikod.net> landlock: Always allow signals between threads of the same process Mickaël Salaün <mic(a)digikod.net> landlock: Add erratum for TCP fix Mickaël Salaün <mic(a)digikod.net> landlock: Add the errata interface Mickaël Salaün <mic(a)digikod.net> landlock: Move code to ease future backports Tudor Ambarus <tudor.ambarus(a)linaro.org> scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get Sean Christopherson <seanjc(a)google.com> KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Sean Christopherson <seanjc(a)google.com> KVM: x86: Explicitly zero-initialize on-stack CPUID unions Amit Machhiwal <amachhiw(a)linux.ibm.com> KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests Sean Christopherson <seanjc(a)google.com> KVM: Allow building irqbypass.ko as as module when kvm.ko is a module Joshua Washington <joshwash(a)google.com> gve: handle overflow when reporting TX consumed descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> gpio: zynq: Fix wakeup source leaks on device unbind Guixin Liu <kanie(a)linux.alibaba.com> gpio: tegra186: fix resource handling in ACPI probe path Andy Chiu <andybnac(a)gmail.com> ftrace: Properly merge notrace hashes zhoumin <teczm(a)foxmail.com> ftrace: Add cond_resched() to ftrace_graph_set_hash() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg' Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg' Mikulas Patocka <mpatocka(a)redhat.com> dm-verity: fix prefetch-vs-suspend race Jo Van Bulck <jo.vanbulck(a)kuleuven.be> dm-integrity: fix non-constant-time tag verification Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: set ti->error on memory allocation failure Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: fix prefetch-vs-suspend race Alexander Aring <aahringo(a)redhat.com> dlm: fix error if active rsb is not hashed Alexander Aring <aahringo(a)redhat.com> dlm: fix error if inactive rsb is not hashed Dionna Glaze <dionnaglaze(a)google.com> crypto: ccp - Fix uAPI definitions of PSP errors Tom Lendacky <thomas.lendacky(a)amd.com> crypto: ccp - Fix check for the primary ASP device Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> clk: qcom: gdsc: Release pm subdomains in reverse add order Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> clk: renesas: r9a07g043: Fix HP clock source for RZ/Five Pali Rohár <pali(a)kernel.org> cifs: Ensure that all non-client-specific reparse points are processed by the server Roman Smirnov <r.smirnov(a)omp.ru> cifs: fix integer overflow in match_server() Alexandra Diupina <adiupina(a)astralinux.ru> cifs: avoid NULL pointer dereference in dbg call Aman <aman1(a)microsoft.com> CIFS: Propagate min offload along with other parameters from primary to secondary channels. Trevor Woerner <twoerner(a)gmail.com> thermal/drivers/rockchip: Add missing rk3328 mapping entry Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not add length to print format in synthetic events Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe events: Fix possible UAF on modules Roger Pau Monne <roger.pau(a)citrix.com> x86/xen: fix balloon target initialization for PVH dom0 Ricardo Cañuelo Navarro <rcn(a)igalia.com> sctp: detect and prevent references to a freed transport in sendmsg Jinjiang Tu <tujinjiang(a)huawei.com> mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper Marc Herbert <Marc.Herbert(a)linux.intel.com> mm/hugetlb: move hugetlb_sysctl_init() to the __init section Shuai Xue <xueshuai(a)linux.alibaba.com> mm/hwpoison: do not send SIGBUS to processes with recovered clean pages Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix release hang over concurrent GUP Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm/mremap: correctly handle partial mremap() of VMA starting at 0 Ryan Roberts <ryan.roberts(a)arm.com> mm: fix lazy mmu docs and usage Jane Chu <jane.chu(a)oracle.com> mm: make page_mapped_in_vma() hugetlb walk aware David Hildenbrand <david(a)redhat.com> mm/rmap: reject hugetlb folios in folio_make_device_exclusive() Usama Arif <usamaarif642(a)gmail.com> mm/damon/ops: have damon_get_folio return folio even for tail pages Kuniyuki Iwashima <kuniyu(a)amazon.com> net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: avoid calling arch_enter/leave_lazy_mmu() in set_ptes Ryan Roberts <ryan.roberts(a)arm.com> sparc/mm: disable preemption in lazy mmu mode Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Wire up irq_ack() to irq_move_irq() for posted MSIs Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix possible circular locking dependency Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Don't clobber posted vCPU IRTE when host IRQ affinity changes Sean Christopherson <seanjc(a)google.com> iommu/vt-d: Put IRTE back into posted MSI mode if vCPU posting is disabled Nicolin Chen <nicolinc(a)nvidia.com> iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Fix uninitialized rc in iommufd_access_rw() Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone finishing with missing devices Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix zone activation with missing devices Filipe Manana <fdmanana(a)suse.com> btrfs: tests: fix chunk map leak after failure to add it to the tree Filipe Manana <fdmanana(a)suse.com> btrfs: fix non-empty delayed iputs list on unmount due to compressed write workers Herve Codina <herve.codina(a)bootlin.com> backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Peter Griffin <peter.griffin(a)linaro.org> arm64: dts: exynos: gs101: disable pinctrl_gsacore node Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Correct the update of max_pfn Ninad Malwade <nmalwade(a)nvidia.com> arm64: tegra: Remove the Orin NX/Nano suspend key Keir Fraser <keirf(a)google.com> arm64: mops: Do not dereference src reg for a set operation Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: Add status chack in r852_ready() Wentao Liang <vulab(a)iscas.ac.cn> mtd: inftlcore: Add error check for inftl_read_oob() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: only inc MPJoinAckHMacFailure for HMAC failures Gang Yan <yangang(a)kylinos.cn> mptcp: fix NULL pointer in can_accept_new_subflow T Pratham <t-pratham(a)ti.com> lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets Boqun Feng <boqun.feng(a)gmail.com> locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() Kartik Rajput <kkartik(a)nvidia.com> mailbox: tegra-hsp: Define dimensioning masks in SoC data Chenyuan Yang <chenyuan0y(a)gmail.com> mfd: ene-kb3930: Fix a potential NULL pointer dereference Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs Abel Vesa <abel.vesa(a)linaro.org> leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs Kris Van Hees <kris.van.hees(a)oracle.com> kbuild: exclude .rodata.(cst|str)* when building ranges Jan Kara <jack(a)suse.cz> jbd2: remove wrong sb->s_sequence check Manjunatha Venkatesh <manjunatha.venkatesh(a)nxp.com> i3c: Add NULL pointer check in i3c_master_queue_ibi() Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use readsb helper for reading MDB Mimi Zohar <zohar(a)linux.ibm.com> ima: limit the number of ToMToU integrity violations Mimi Zohar <zohar(a)linux.ibm.com> ima: limit the number of open-writers integrity violations Steve French <stfrench(a)microsoft.com> smb311 client: fix missing tcon check when mounting with linux/posix extensions Chenyuan Yang <chenyuan0y(a)gmail.com> soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() Olga Kornievskaia <okorniev(a)redhat.com> svcrdma: do not unregister device for listeners Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> tpm: do not start chip while suspended Jan Kara <jack(a)suse.cz> udf: Fix inode_getblk() return value Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix oversized null mkey longer than 32bit Yeongjin Gil <youngjin.gil(a)samsung.com> f2fs: fix to avoid atomicity corruption of atomic file Artem Sadovnikov <a.sadovnikov(a)ispras.ru> ext4: fix off-by-one error in do_split Jeff Hugo <quic_jhugo(a)quicinc.com> bus: mhi: host: Fix race between unprepare and queue_buf Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix deadlock in ivpu_ms_cleanup() Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() Sharan Kumar M <sharweshraajan(a)gmail.com> ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: make use of q6apm_get_hw_pointer Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm: add q6apm_get_hw_pointer helper Haoxiang Li <haoxiang_li2024(a)163.com> ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: reject zero sized provided buffers Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix io_req_post_cqe abuse by send bundle Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fix accept multishot handling Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix country count limitation for CLC Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: ensure wow pattern command align fw format Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> wifi: mac80211: fix integer overflow in hwmp_route_info_get() Haoxiang Li <haoxiang_li2024(a)163.com> wifi: mt76: Add check for devm_kstrdup() Alexandre Torgue <alexandre.torgue(a)foss.st.com> clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Replace kcalloc() with devm_kcalloc() Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: fix internal PHYs for 6320 family Marek Behún <kabel(a)kernel.org> net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mtd: Add check for devm_kcalloc() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting freebind & transparent Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: sockopt: fix getting IPV6_V6ONLY Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix a hang after seeking Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Avoid race condition in the interrupt handler Jackson.lee <jackson.lee(a)chipsnmedia.com> media: chips-media: wave5: Fix gray color on screen Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx214: Rectify probe error handling related to runtime PM Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx219: Rectify runtime PM handling in probe and remove Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: imx319: Rectify runtime PM handling probe and remove Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: refactor hfi packet parsing logic Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi_parser: add check to avoid out of bound access Ricardo Ribalda <ribalda(a)chromium.org> media: nuvoton: Fix reference handling of ece_pdev Ricardo Ribalda <ribalda(a)chromium.org> media: nuvoton: Fix reference handling of ece_node Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ov7251: Set enable GPIO low in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in probe Sakari Ailus <sakari.ailus(a)linux.intel.com> media: i2c: ccs: Set the device's runtime PM status correctly in remove Sakari Ailus <sakari.ailus(a)linux.intel.com> Revert "media: imx214: Fix the error handling in imx214_probe()" Karina Yankevich <k.yankevich(a)omp.ru> media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() Dave Stevenson <dave.stevenson(a)raspberrypi.com> media: imx219: Adjust PLL settings based on the number of MIPI lanes Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: platform: stm32: Add check for clk_enable() Nicolas Dufresne <nicolas.dufresne(a)collabora.com> media: visl: Fix ERANGE error when setting enum controls Hans de Goede <hdegoede(a)redhat.com> media: hi556: Fix memory leak (on error) in hi556_check_hwcfg() Murad Masimov <m.masimov(a)mt-integration.ru> media: streamzap: prevent processing IR data on URB failure Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Fix PM related deadlocks in MS IOCTLs Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Fix timeout handling when waiting for TPM status Kamal Dasu <kamal.dasu(a)broadcom.com> mtd: rawnand: brcmnand: fix PM resume warning Miquel Raynal <miquel.raynal(a)bootlin.com> spi: cadence-qspi: Fix probe on AM62A LP SK Will Deacon <will(a)kernel.org> KVM: arm64: Tear down vGIC on failed vCPU creation Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list Douglas Anderson <dianders(a)chromium.org> arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB Douglas Anderson <dianders(a)chromium.org> arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add MIDR_CORTEX_A76AE Jan Beulich <jbeulich(a)suse.com> xenfs/xensyms: respect hypervisor's "next" indication John Keeping <jkeeping(a)inmusicbrands.com> media: rockchip: rga: fix rga offset lookup Yuan Can <yuancan(a)huawei.com> media: siano: Fix error handling in smsdvb_module_init() Matthew Majewski <mattwmajewski(a)gmail.com> media: vim2m: print device name after registering device Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add check to handle incorrect queue size Vikash Garodia <quic_vgarodia(a)quicinc.com> media: venus: hfi: add a check to handle OOB in sfr region Bingbu Cao <bingbu.cao(a)intel.com> media: intel/ipu6: set the dev_parent of video device to pdev Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: mgb4: Fix switched CMT frequency range "magic values" sets Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: i2c: adv748x: Fix test pattern selection mask Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: mgb4: Fix CMT registers update logic Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: uapi: rkisp1-config: Fix typo in extensible params example Arnd Bergmann <arnd(a)arndb.de> media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Jiasheng Jiang <jiashengjiangcool(a)gmail.com> media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Alain Volmat <alain.volmat(a)foss.st.com> dt-bindings: media: st,stmipid02: correct lane-polarities maxItems Haoxiang Li <haoxiang_li2024(a)163.com> auxdisplay: hd44780: Fix an API misuse in hd44780.c Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Fix set_device_control() Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Fix 90 degrees direction name North -> East Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Compute INFINITE value instead of using hardcoded 0xffff Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Clamp effect playback LOOP_COUNT value Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Rename two functions to align them with naming convention Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Remove redundant call to pidff_find_special_keys Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Support device error response from PID_BLOCK_LOAD Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Comment and code style update Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: hid-universal-pidff: Add Asetek wheelbases support Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Make sure to fetch pool before checking SIMULTANEOUS_MAX Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Factor out pool report fetch and remove excess declaration Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Use macros instead of hardcoded min/max values for shorts Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Simplify pidff_rescale_signed Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Move all hid-pidff definitions to a dedicated header Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Factor out code for setting gain Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Rescale time values to match field units Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Define values used in pidff_find_special_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Simplify pidff_upload_effect function Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Completely rework and fix pidff_reset function Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Stop all effects before enabling actuators Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Clamp PERIODIC effect period to device's logical range Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix s390_mmio_read/write syscall page fault handling Jann Horn <jannh(a)google.com> ext4: don't treat fhandle lookup of ea_inode as FS corruption Willem de Bruijn <willemb(a)google.com> bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags Sheng Yong <shengyong1(a)xiaomi.com> erofs: set error to bio if file-backed IO fails Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: fsl-ftm: Handle clk_get_rate() returning 0 Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: rcar: Improve register calculation Josh Poimboeuf <jpoimboe(a)kernel.org> pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() Jonathan McDowell <noodles(a)meta.com> tpm: End any active auth session before shutdown Jonathan McDowell <noodles(a)meta.com> tpm, tpm_tis: Workaround failed command reception on Infineon devices Ayush Jain <Ayush.jain3(a)amd.com> ktest: Fix Test Failures Due to Missing LOG_FILE Directories Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: probe-events: Add comments about entry data storing code Leonid Arapov <arapovl839(a)gmail.com> fbdev: omapfb: Add 'plane' value check Christian König <christian.koenig(a)amd.com> drm/amdgpu: grab an additional reference on the gang fence v2 Ryo Takakura <ryotkkr98(a)gmail.com> PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type Philipp Stanner <phasta(a)kernel.org> PCI: Check BAR index for validity Emily Deng <Emily.Deng(a)amd.com> drm/amdgpu: Fix the race condition for draining retry fault Bjorn Helgaas <bhelgaas(a)google.com> PCI: Enable Configuration RRS SV early Wentao Liang <vulab(a)iscas.ac.cn> drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Shawn Lin <shawn.lin(a)rock-chips.com> PCI: Add Rockchip Vendor ID AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/xe/xelp: Move Wa_16011163337 from tunings to workarounds Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: debugfs hang_hws skip GPU with MES Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix pqm_destroy_queue race with GPU reset Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix mode1 reset crash issue David Yat Sin <David.YatSin(a)amd.com> drm/amdkfd: clamp queue size to minimum Lucas De Marchi <lucas.demarchi(a)intel.com> drivers: base: devres: Allow to release group on device release Mike Katsnelson <mike.katsnelson(a)amd.com> drm/amd/display: stop DML2 from removing pipes based on planes Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/bridge: panel: forbid initializing a panel with unknown connector type Luca Ceresoli <luca.ceresoli(a)bootlin.com> drm/debugfs: fix printk format for bridge index Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add new quirk for GPD Win 2 Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirk for AYA NEO Slide Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB Andrew Wyatt <fewtarius(a)steamfork.org> drm: panel-orientation-quirks: Add support for AYANEO 2S Philip Yang <Philip.Yang(a)amd.com> drm/amdgpu: Unlocked unmap only clear page table leaves Zhikai Zhai <zhikai.zhai(a)amd.com> drm/amd/display: Update Cursor request mode to the beginning prefetch always Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/vf: Don't try to trigger a full GT reset if VF Shekhar Chauhan <shekhar.chauhan(a)intel.com> drm/xe/bmg: Add new PCI IDs Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm: allow encoder mode_set even when connectors change for crtc Pedro Nishiyama <nishiyama.pedro(a)gmail.com> Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE Pedro Nishiyama <nishiyama.pedro(a)gmail.com> Bluetooth: Add quirk for broken READ_VOICE_SETTING Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Bluetooth: qca: simplify WCN399x NVM loading Janaki Ramaiah Thota <quic_janathot(a)quicinc.com> Bluetooth: hci_qca: use the power sequencer for wcn6750 Jiande Lu <jiande.lu(a)mediatek.com> Bluetooth: btusb: Add 2 HWIDs for MT7922 Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_uart: fix race during initialization Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Add device id of Whale Peak Gabriele Paoloni <gpaoloni(a)redhat.com> tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Stanislav Fomichev <sdf(a)fomichev.me> net: vlan: don't propagate flags on open Icenowy Zheng <uwu(a)icenowy.me> wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Boris Burkov <boris(a)bur.io> btrfs: harden block_group::bg_list against list_del() races Huacai Chen <chenhuacai(a)kernel.org> ahci: Marvell 88SE9215 controllers prefer DMA for ATAPI Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Fix array overflow in st_setup() Philipp Hahn <phahn-oss(a)avm.de> cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk Bhupesh <bhupesh(a)igalia.com> ext4: ignore xattrs past end Chao Yu <chao(a)kernel.org> Revert "f2fs: rebuild nat_bits during umount" Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: protect ext4_release_dquot against freezing Daniel Kral <d.kral(a)proxmox.com> ahci: add PCI ID for Marvell 88SE9215 SATA Controller Martin Schiller <ms(a)dev.tdt.de> net: sfp: add quirk for FS SFP-10GM-T copper SFP+ module Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Manish Dharanenthiran <quic_mdharane(a)quicinc.com> wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi Birger Koblitz <mail(a)birger-koblitz.de> net: sfp: add quirk for 2.5G OEM BX SFP Niklas Cassel <cassel(a)kernel.org> ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Edward Adam Davis <eadavis(a)qq.com> jfs: add sanity check for agwidth in dbMount Edward Adam Davis <eadavis(a)qq.com> jfs: Prevent copying of nlink with value 0 from disk inode Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: Prevent integer overflow in AG size calculation Rand Deeb <rand.sec96(a)gmail.com> fs/jfs: cast inactags to s64 to prevent potential overflow Zhongqiu Han <quic_zhonhan(a)quicinc.com> jfs: Fix uninit-value access of imap allocated in the diMount() function Ciprian Marian Costea <ciprianmarian.costea(a)oss.nxp.com> can: flexcan: add NXP S32G2/S32G3 SoC support Ciprian Marian Costea <ciprianmarian.costea(a)oss.nxp.com> can: flexcan: Add quirk to handle separate interrupt lines for mailboxes Jason Xing <kerneljasonxing(a)gmail.com> page_pool: avoid infinite loop to schedule delayed worker Max Schulze <max.schulze(a)online.de> net: usb: asix_devices: add FiberGecko DeviceID Chaohai Chen <wdhh66(a)163.com> scsi: target: spc: Fix RSOC parameter data header size Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: ensure sdata->work is canceled before initialized. Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: add strict mode disabling workarounds Chao Yu <chao(a)kernel.org> f2fs: don't retry IO for corrupted data scenario Pavel Begunkov <asml.silence(a)gmail.com> net: page_pool: don't cast mp param to devmem Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Avoid reply queue full condition Niklas Cassel <cassel(a)kernel.org> ata: libata-core: Add 'external' to the libata.force kernel parameter P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Miaoqing Pan <quic_miaoqing(a)quicinc.com> wifi: ath12k: fix memory leak in ath12k_pci_remove() Miaoqing Pan <quic_miaoqing(a)quicinc.com> wifi: ath11k: fix memory leak in ath11k_xxx_remove() P Praneesh <quic_ppranees(a)quicinc.com> wifi: ath11k: Fix DMA buffer allocation to resolve SWIOTLB issues Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Add select POWER_SUPPLY to Kconfig Syed Saba kareem <syed.sabakareem(a)amd.com> ASoC: amd: yc: update quirk data for new Lenovo model keenplify <keenplify(a)gmail.com> ASoC: amd: Add DMI quirk for ACP6X mic support Ricard Wanderlof <ricard2013(a)butoba.net> ALSA: usb-audio: Fix CME quirk for UF series keyboards Kaustabh Chakraborty <kauschluss(a)disroot.org> mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves Aakarsh Jain <aakarsh.jain(a)samsung.com> media: s5p-mfc: Corrected NV12M/NV21M plane-sizes Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Add quirk for Actions UVC05 Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_audmix: register card device depends on 'dais' property Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist Maxim Mikityanskiy <maxtram95(a)gmail.com> ALSA: hda: intel: Fix Optimus when GPU has no sound Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: amd: ps: use macro for ACP6.3 pci revision id Tomasz Pakuła <forest10pl(a)gmail.com> HID: pidff: Fix null pointer dereference in pidff_find_fields Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERIODIC_SINE_ONLY quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: Add hid-universal-pidff driver and supported device ids Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add FIX_WHEEL_DIRECTION quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add hid_pidff_init_with_quirks and export as GPL symbol Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add PERMISSIVE_CONTROL quirk Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_PBO quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Add MISSING_DELAY quirk and its detection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Do not send effect envelope if it's empty Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Convert infinite length from Linux API to PID standard Zhang Heng <zhangheng(a)kylinos.cn> ASoC: SOF: topology: Use krealloc_array() to replace krealloc() Daniel Schaefer <dhs(a)frame.work> platform/chrome: cros_ec_lpc: Match on Framework ACPI device Ingo Molnar <mingo(a)kernel.org> zstd: Increase DYNAMIC_BMI2 GCC version cutoff from 4.8 to 11.0 to work around compiler segfault Kees Cook <kees(a)kernel.org> xen/mcelog: Add __nonstring annotations for unterminated strings Douglas Anderson <dianders(a)chromium.org> arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD Paul E. McKenney <paulmck(a)kernel.org> Flush console log from kernel_power_off() Lizhi Xu <lizhi.xu(a)windriver.com> PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() Yunhui Cui <cuiyunhui(a)bytedance.com> perf/dwc_pcie: fix some unreleased resources Mark Rutland <mark.rutland(a)arm.com> perf: arm_pmu: Don't disable counter in armpmu_add() Max Grobecker <max(a)grobecker.info> x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine Xin Li (Intel) <xin(a)zytor.com> x86/ia32: Leave NULL selector values 0~3 unchanged Uros Bizjak <ubizjak(a)gmail.com> x86/percpu: Disable named address spaces for UBSAN_BOOL with KASAN for GCC < 14.2 Matthew Wilcox (Oracle) <willy(a)infradead.org> x86/mm: Clear _PAGE_DIRTY for kernel mappings when we clear _PAGE_RW Zhongqiu Han <quic_zhonhan(a)quicinc.com> pm: cpupower: bench: Prevent NULL dereference on malloc failure Trond Myklebust <trond.myklebust(a)hammerspace.com> umount: Allow superblock owners to force umount Mateusz Guzik <mjguzik(a)gmail.com> fs: consistently deref the files table with rcu_dereference_raw() Frederic Weisbecker <frederic(a)kernel.org> perf: Fix hang while freeing sigtrap event Peter Zijlstra <peterz(a)infradead.org> perf/core: Simplify the perf_event_alloc() error path Adrian Hunter <adrian.hunter(a)intel.com> perf/core: Add aux_pause, aux_resume, aux_start_paused Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Marek Szyprowski <m.szyprowski(a)samsung.com> iommu/exynos: Fix suspend/resume with IDENTITY domain Florian Westphal <fw(a)strlen.de> nft_set_pipapo: fix incorrect avx2 match of 5th field octet Arnaud Lecomte <contact(a)arnaud-lcm.com> net: ppp: Add bound checking for skb data on ppp_sync_txmung Ido Schimmel <idosch(a)nvidia.com> ipv6: Align behavior across nexthops during path selection Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix UAF in decryption with multichannel Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: move the limit validation Octavian Purdila <tavip(a)google.com> net_sched: sch_sfq: use a temporary work area for validating configuration Daniel Wagner <wagi(a)kernel.org> nvmet-fcloop: swap list_add_tail arguments Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915/huc: Fix fence not released on early probe errors Wentao Liang <vulab(a)iscas.ac.cn> ata: sata_sx4: Add error handling in pdc20621_i2c_read() Chenyuan Yang <chenyuan0y(a)gmail.com> net: libwx: handle page_pool_dev_alloc_pages error Maxime Ripard <mripard(a)kernel.org> drm/tests: probe-helper: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: modes: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: cmdline: Fix drm_display_mode memory leak Maxime Ripard <mripard(a)kernel.org> drm/tests: helpers: Create kunit helper to destroy a drm_display_mode Maxime Ripard <mripard(a)kernel.org> drm/tests: modeset: Fix drm_display_mode memory leak Maxime Chevallier <maxime.chevallier(a)bootlin.com> net: ethtool: Don't call .cleanup_data when prepare_data fails Toke Høiland-Jørgensen <toke(a)redhat.com> tc: Ensure we have enough buffer space when sending filter netlink notifications Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-pf: qos: fix VF root node parent queue index Jakub Kicinski <kuba(a)kernel.org> net: tls: explicitly disallow disconnect Cong Wang <xiyou.wangcong(a)gmail.com> codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Tung Nguyen <tung.quang.nguyen(a)est.tech> tipc: fix memory leak in tipc_link_xmit Josh Poimboeuf <jpoimboe(a)kernel.org> objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() Henry Martin <bsdhenrymartin(a)gmail.com> ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/hw_engine: define sysfs_ops on all directories Petr Vaněk <arkamar(a)atlas.cz> x86/acpi: Don't limit CPUs to 1 for Xen PV guests due to disabled ACPI Badal Nilawar <badal.nilawar(a)intel.com> drm/i915: Disable RPG during live selftest Ming Lei <ming.lei(a)redhat.com> ublk: fix handling recovery & reissue in ublk_abort_queue() Uday Shankar <ushankar(a)purestorage.com> ublk: refactor recovery configuration flag helpers Edward Liaw <edliaw(a)google.com> selftests/futex: futex_waitv wouldblock test should fail Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpiolib: of: Fix the choice for Ingenic NAND quirk Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix race between newly created partition and dying one Waiman Long <longman(a)redhat.com> cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set Waiman Long <longman(a)redhat.com> cgroup/cpuset: Enforce at most one rebuild_sched_domains_locked() call per operation Waiman Long <longman(a)redhat.com> cgroup/cpuset: Revert "Allow suppression of sched domain rebuild in update_cpumasks_hier()" Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix error handling in remote_partition_disable() Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix incorrect isolated_cpus update in update_parent_effective_cpumask() Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: adl: add 2xrt1316 audio configuration ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 + .../bindings/arm/qcom,coresight-tpda.yaml | 3 +- .../bindings/arm/qcom,coresight-tpdm.yaml | 3 +- .../bindings/media/i2c/st,st-mipid02.yaml | 2 +- Makefile | 7 +- arch/arm64/boot/dts/exynos/google/gs101.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 +- .../boot/dts/nvidia/tegra234-p3768-0000+p3767.dtsi | 7 - arch/arm64/include/asm/cputype.h | 4 + arch/arm64/include/asm/spectre.h | 1 - arch/arm64/include/asm/traps.h | 4 +- arch/arm64/kernel/proton-pack.c | 208 ++++---- arch/arm64/kvm/arm.c | 6 +- arch/arm64/mm/mmu.c | 3 +- arch/powerpc/kvm/powerpc.c | 5 +- arch/s390/Makefile | 2 +- arch/s390/kernel/perf_cpum_cf.c | 9 +- arch/s390/kernel/perf_cpum_sf.c | 3 - arch/s390/pci/pci_bus.c | 3 + arch/s390/pci/pci_mmio.c | 18 +- arch/sparc/include/asm/pgtable_64.h | 2 - arch/sparc/mm/tlb.c | 5 +- arch/x86/Kconfig | 20 +- arch/x86/include/asm/irqflags.h | 40 +- arch/x86/include/asm/paravirt.h | 20 +- arch/x86/include/asm/paravirt_types.h | 3 +- arch/x86/kernel/acpi/boot.c | 11 + arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/e820.c | 17 +- arch/x86/kernel/paravirt.c | 13 +- arch/x86/kernel/signal_32.c | 62 ++- arch/x86/kvm/cpuid.c | 8 +- arch/x86/kvm/x86.c | 4 + arch/x86/mm/pat/set_memory.c | 6 +- arch/x86/xen/enlighten.c | 10 + arch/x86/xen/setup.c | 3 - drivers/accel/ivpu/ivpu_debugfs.c | 4 +- drivers/accel/ivpu/ivpu_ipc.c | 3 +- drivers/accel/ivpu/ivpu_ms.c | 24 + drivers/acpi/platform_profile.c | 20 +- drivers/ata/ahci.c | 11 + drivers/ata/ahci.h | 1 + drivers/ata/libahci.c | 4 + drivers/ata/libata-core.c | 38 ++ drivers/ata/libata-eh.c | 11 +- drivers/ata/pata_pxa.c | 6 + drivers/ata/sata_sx4.c | 13 +- drivers/auxdisplay/hd44780.c | 4 +- drivers/base/devres.c | 7 + drivers/block/ublk_drv.c | 90 +++- drivers/bluetooth/btintel_pcie.c | 1 + drivers/bluetooth/btqca.c | 13 +- drivers/bluetooth/btusb.c | 4 + drivers/bluetooth/hci_ldisc.c | 19 +- drivers/bluetooth/hci_qca.c | 2 +- drivers/bluetooth/hci_uart.h | 1 + drivers/bus/mhi/host/main.c | 16 +- drivers/char/tpm/tpm-chip.c | 6 + drivers/char/tpm/tpm-interface.c | 7 - drivers/char/tpm/tpm_tis_core.c | 20 +- drivers/char/tpm/tpm_tis_core.h | 1 + drivers/clk/qcom/clk-branch.c | 4 +- drivers/clk/qcom/gdsc.c | 61 ++- drivers/clk/renesas/r9a07g043-cpg.c | 7 + drivers/clocksource/timer-stm32-lp.c | 4 +- drivers/crypto/ccp/sp-pci.c | 15 +- drivers/gpio/gpio-tegra186.c | 25 +- drivers/gpio/gpio-zynq.c | 1 + drivers/gpio/gpiolib-of.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 43 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 5 + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 17 + .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 31 +- .../amd/display/dc/dml2/dml2_dc_resource_mgmt.c | 26 - .../gpu/drm/amd/display/dc/hubp/dcn31/dcn31_hubp.c | 2 +- .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 22 +- drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 5 + drivers/gpu/drm/drm_atomic_helper.c | 2 +- drivers/gpu/drm/drm_debugfs.c | 2 +- drivers/gpu/drm/drm_panel.c | 5 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 46 +- drivers/gpu/drm/i915/gt/intel_rc6.c | 19 +- drivers/gpu/drm/i915/gt/uc/intel_huc.c | 11 +- drivers/gpu/drm/i915/gt/uc/intel_huc.h | 1 + drivers/gpu/drm/i915/gt/uc/intel_uc.c | 1 + drivers/gpu/drm/i915/selftests/i915_selftest.c | 18 + drivers/gpu/drm/mediatek/mtk_dpi.c | 23 +- drivers/gpu/drm/tests/drm_client_modeset_test.c | 3 + drivers/gpu/drm/tests/drm_cmdline_parser_test.c | 10 +- drivers/gpu/drm/tests/drm_kunit_helpers.c | 22 + drivers/gpu/drm/tests/drm_modes_test.c | 22 + drivers/gpu/drm/tests/drm_probe_helper_test.c | 8 +- drivers/gpu/drm/xe/xe_gt.c | 4 + drivers/gpu/drm/xe/xe_gt_sriov_vf.c | 16 + drivers/gpu/drm/xe/xe_gt_sriov_vf.h | 1 + drivers/gpu/drm/xe/xe_hw_engine_class_sysfs.c | 108 ++-- drivers/gpu/drm/xe/xe_tuning.c | 8 - drivers/gpu/drm/xe/xe_wa.c | 7 + drivers/hid/Kconfig | 14 + drivers/hid/Makefile | 1 + drivers/hid/hid-ids.h | 37 ++ drivers/hid/hid-universal-pidff.c | 202 ++++++++ drivers/hid/usbhid/hid-core.c | 1 + drivers/hid/usbhid/hid-pidff.c | 571 ++++++++++++++------- drivers/hid/usbhid/hid-pidff.h | 33 ++ drivers/i3c/master.c | 3 + drivers/i3c/master/svc-i3c-master.c | 2 +- drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 32 +- drivers/iommu/exynos-iommu.c | 4 +- drivers/iommu/intel/iommu.c | 2 + drivers/iommu/intel/irq_remapping.c | 71 +-- drivers/iommu/iommufd/device.c | 123 ++++- drivers/iommu/iommufd/fault.c | 8 +- drivers/iommu/iommufd/iommufd_private.h | 33 +- drivers/iommu/mtk_iommu.c | 26 +- drivers/leds/rgb/leds-qcom-lpg.c | 8 +- drivers/mailbox/tegra-hsp.c | 72 ++- drivers/md/dm-ebs-target.c | 7 + drivers/md/dm-integrity.c | 48 +- drivers/md/dm-verity-target.c | 8 + drivers/media/common/siano/smsdvb-main.c | 2 + drivers/media/i2c/adv748x/adv748x.h | 2 +- drivers/media/i2c/ccs/ccs-core.c | 6 +- drivers/media/i2c/hi556.c | 5 +- drivers/media/i2c/imx214.c | 25 +- drivers/media/i2c/imx219.c | 106 ++-- drivers/media/i2c/imx319.c | 9 +- drivers/media/i2c/ov7251.c | 4 +- drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 1 + drivers/media/pci/mgb4/mgb4_cmt.c | 8 +- .../media/platform/chips-media/wave5/wave5-hw.c | 2 +- .../platform/chips-media/wave5/wave5-vpu-dec.c | 31 +- .../media/platform/chips-media/wave5/wave5-vpu.c | 4 +- .../platform/chips-media/wave5/wave5-vpuapi.c | 10 + .../mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 +- .../vcodec/decoder/vdec/vdec_vp9_req_lat_if.c | 3 +- .../mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +- drivers/media/platform/nuvoton/npcm-video.c | 6 +- drivers/media/platform/qcom/venus/hfi_parser.c | 100 +++- drivers/media/platform/qcom/venus/hfi_venus.c | 18 +- drivers/media/platform/rockchip/rga/rga-hw.c | 2 +- .../platform/samsung/s5p-mfc/s5p_mfc_opr_v6.c | 5 +- drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 +- drivers/media/rc/streamzap.c | 68 +-- drivers/media/test-drivers/vim2m.c | 6 +- drivers/media/test-drivers/visl/visl-core.c | 12 + drivers/media/usb/uvc/uvc_driver.c | 9 + drivers/media/v4l2-core/v4l2-dv-timings.c | 4 +- drivers/mfd/ene-kb3930.c | 2 +- drivers/misc/pci_endpoint_test.c | 3 +- drivers/mmc/host/dw_mmc.c | 94 +++- drivers/mmc/host/dw_mmc.h | 27 + drivers/mtd/inftlcore.c | 9 +- drivers/mtd/mtdpstore.c | 12 +- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- drivers/mtd/nand/raw/r852.c | 3 + drivers/net/can/flexcan/flexcan-core.c | 35 +- drivers/net/can/flexcan/flexcan.h | 5 + drivers/net/dsa/mv88e6xxx/chip.c | 23 +- drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +- drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 5 + drivers/net/ethernet/microsoft/mana/mana_en.c | 46 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 3 +- drivers/net/phy/phy_device.c | 57 +- drivers/net/phy/sfp.c | 13 +- drivers/net/ppp/ppp_synctty.c | 5 + drivers/net/usb/asix_devices.c | 17 + drivers/net/usb/cdc_ether.c | 7 + drivers/net/usb/r8152.c | 6 + drivers/net/usb/r8153_ecm.c | 6 + drivers/net/wireless/ath/ath11k/ahb.c | 4 +- drivers/net/wireless/ath/ath11k/core.c | 3 +- drivers/net/wireless/ath/ath11k/dp.c | 35 +- drivers/net/wireless/ath/ath11k/fw.c | 3 +- drivers/net/wireless/ath/ath11k/pci.c | 3 +- drivers/net/wireless/ath/ath12k/dp_mon.c | 2 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 42 +- drivers/net/wireless/ath/ath12k/pci.c | 1 + drivers/net/wireless/mediatek/mt76/eeprom.c | 4 + drivers/net/wireless/mediatek/mt76/mt76.h | 1 + .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 16 +- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 4 +- drivers/ntb/ntb_transport.c | 2 +- drivers/nvme/target/fcloop.c | 2 +- drivers/of/irq.c | 78 +-- drivers/pci/controller/cadence/pci-j721e.c | 5 +- drivers/pci/controller/pcie-brcmstb.c | 13 +- drivers/pci/controller/pcie-rockchip-host.c | 2 +- drivers/pci/controller/pcie-rockchip.h | 1 - drivers/pci/controller/vmd.c | 12 +- drivers/pci/devres.c | 18 +- drivers/pci/hotplug/pciehp_core.c | 5 +- drivers/pci/iomap.c | 29 +- drivers/pci/pci.c | 6 + drivers/pci/pci.h | 16 + drivers/pci/probe.c | 22 +- drivers/perf/arm_pmu.c | 8 +- drivers/perf/dwc_pcie_pmu.c | 33 +- drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 + drivers/pinctrl/qcom/pinctrl-msm.c | 12 +- drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 98 ++-- drivers/pinctrl/samsung/pinctrl-exynos.h | 22 + drivers/pinctrl/samsung/pinctrl-samsung.c | 1 + drivers/pinctrl/samsung/pinctrl-samsung.h | 4 + drivers/platform/chrome/cros_ec_lpc.c | 22 +- drivers/platform/x86/x86-android-tablets/Kconfig | 1 + drivers/pwm/pwm-fsl-ftm.c | 6 + drivers/pwm/pwm-mediatek.c | 8 +- drivers/pwm/pwm-rcar.c | 24 +- drivers/s390/virtio/virtio_ccw.c | 16 +- drivers/scsi/mpi3mr/mpi3mr.h | 14 +- drivers/scsi/mpi3mr/mpi3mr_app.c | 24 + drivers/scsi/mpi3mr/mpi3mr_fw.c | 99 +++- drivers/scsi/st.c | 2 +- drivers/soc/samsung/exynos-chipid.c | 2 + drivers/spi/spi-cadence-quadspi.c | 6 + drivers/target/target_core_spc.c | 2 +- drivers/thermal/mediatek/lvts_thermal.c | 52 +- drivers/thermal/rockchip_thermal.c | 1 + drivers/ufs/host/ufs-qcom.c | 2 +- drivers/vdpa/mlx5/core/mr.c | 7 +- drivers/video/backlight/led_bl.c | 5 +- drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +- drivers/xen/balloon.c | 34 +- drivers/xen/xenfs/xensyms.c | 4 +- fs/btrfs/disk-io.c | 12 + fs/btrfs/extent-tree.c | 8 + fs/btrfs/tests/extent-map-tests.c | 1 + fs/btrfs/transaction.c | 12 + fs/btrfs/zoned.c | 6 + fs/dlm/lock.c | 2 + fs/erofs/fileio.c | 2 + fs/ext4/inode.c | 68 ++- fs/ext4/namei.c | 2 +- fs/ext4/super.c | 17 + fs/ext4/xattr.c | 11 +- fs/f2fs/checkpoint.c | 21 +- fs/f2fs/f2fs.h | 32 +- fs/f2fs/inode.c | 8 +- fs/f2fs/node.c | 110 ++-- fs/f2fs/super.c | 4 + fs/file.c | 26 +- fs/jbd2/journal.c | 1 - fs/jfs/jfs_dmap.c | 10 +- fs/jfs/jfs_imap.c | 4 +- fs/namespace.c | 3 +- fs/nfsd/nfs4callback.c | 2 +- fs/nfsd/nfsctl.c | 9 +- fs/nfsd/stats.c | 4 +- fs/nfsd/stats.h | 2 +- fs/smb/client/cifsencrypt.c | 16 +- fs/smb/client/connect.c | 3 + fs/smb/client/fs_context.c | 5 + fs/smb/client/inode.c | 10 + fs/smb/client/reparse.c | 4 - fs/smb/client/sess.c | 7 + fs/smb/client/smb2misc.c | 9 +- fs/smb/client/smb2ops.c | 6 +- fs/smb/client/smb2pdu.c | 11 +- fs/udf/inode.c | 1 + fs/userfaultfd.c | 51 +- include/drm/drm_kunit_helpers.h | 3 + include/drm/intel/i915_pciids.h | 5 +- include/linux/cgroup-defs.h | 1 + include/linux/cgroup.h | 2 +- include/linux/hid.h | 6 - include/linux/io_uring_types.h | 3 + include/linux/kvm_host.h | 2 +- include/linux/page-flags.h | 6 + include/linux/pci_ids.h | 2 + include/linux/perf_event.h | 45 +- include/linux/pgtable.h | 14 +- include/linux/printk.h | 6 + include/linux/tpm.h | 1 + include/net/bluetooth/hci.h | 16 + include/net/bluetooth/hci_core.h | 4 + include/net/mac80211.h | 6 + include/net/sctp/structs.h | 3 +- include/net/sock.h | 40 +- include/uapi/linux/kfd_ioctl.h | 2 + include/uapi/linux/landlock.h | 2 + include/uapi/linux/perf_event.h | 11 +- include/uapi/linux/psp-sev.h | 21 +- include/uapi/linux/rkisp1-config.h | 2 +- include/xen/interface/xen-mca.h | 2 +- io_uring/io_uring.c | 4 +- io_uring/kbuf.c | 2 + io_uring/net.c | 3 + kernel/cgroup/cgroup.c | 6 + kernel/cgroup/cpuset.c | 176 ++++--- kernel/events/core.c | 255 +++++---- kernel/events/internal.h | 1 + kernel/locking/lockdep.c | 3 + kernel/power/hibernate.c | 6 +- kernel/printk/printk.c | 4 +- kernel/reboot.c | 1 + kernel/sched/ext.c | 4 +- kernel/trace/ftrace.c | 9 +- kernel/trace/ring_buffer.c | 5 +- kernel/trace/trace_events.c | 4 +- kernel/trace/trace_events_synth.c | 1 - kernel/trace/trace_fprobe.c | 26 +- kernel/trace/trace_probe.c | 28 + lib/sg_split.c | 2 - lib/zstd/common/portability_macros.h | 2 +- mm/damon/ops-common.c | 2 +- mm/damon/paddr.c | 24 +- mm/hugetlb.c | 2 +- mm/memory-failure.c | 11 +- mm/memory_hotplug.c | 3 +- mm/mremap.c | 10 +- mm/page_vma_mapped.c | 13 +- mm/rmap.c | 2 +- mm/shmem.c | 3 +- mm/vmscan.c | 2 +- net/8021q/vlan_dev.c | 31 +- net/bluetooth/hci_sync.c | 6 +- net/core/filter.c | 80 +-- net/core/page_pool.c | 8 +- net/core/page_pool_user.c | 2 +- net/core/sock.c | 5 + net/ethtool/netlink.c | 8 +- net/ipv6/route.c | 8 +- net/mac80211/debugfs.c | 44 +- net/mac80211/iface.c | 5 +- net/mac80211/mesh_hwmp.c | 14 +- net/mac80211/mlme.c | 45 +- net/mptcp/sockopt.c | 28 + net/mptcp/subflow.c | 19 +- net/netfilter/nft_set_pipapo_avx2.c | 3 +- net/sched/cls_api.c | 66 ++- net/sched/sch_codel.c | 5 +- net/sched/sch_fq_codel.c | 6 +- net/sched/sch_sfq.c | 66 ++- net/sctp/socket.c | 22 +- net/sctp/transport.c | 2 + net/sunrpc/xprtrdma/svc_rdma_transport.c | 3 +- net/tipc/link.c | 1 + net/tls/tls_main.c | 6 + scripts/generate_builtin_ranges.awk | 5 + security/integrity/ima/ima.h | 3 +- security/integrity/ima/ima_main.c | 18 +- security/landlock/errata.h | 99 ++++ security/landlock/errata/abi-4.h | 15 + security/landlock/errata/abi-6.h | 19 + security/landlock/fs.c | 39 +- security/landlock/setup.c | 38 +- security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 +- security/landlock/task.c | 12 + sound/pci/hda/hda_intel.c | 44 +- sound/pci/hda/patch_realtek.c | 22 + sound/soc/amd/ps/acp63.h | 1 + sound/soc/amd/ps/pci-ps.c | 2 +- sound/soc/amd/yc/acp6x-mach.c | 14 + sound/soc/codecs/wcd937x.c | 2 + sound/soc/fsl/fsl_audmix.c | 16 +- sound/soc/intel/common/soc-acpi-intel-adl-match.c | 29 ++ sound/soc/qcom/qdsp6/q6apm-dai.c | 60 ++- sound/soc/qcom/qdsp6/q6apm.c | 18 +- sound/soc/qcom/qdsp6/q6apm.h | 3 + sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +- sound/soc/sof/topology.c | 4 +- sound/usb/midi.c | 80 ++- tools/lib/bpf/btf_dump.c | 4 +- tools/objtool/check.c | 5 + tools/power/cpupower/bench/parse.c | 4 + tools/testing/ktest/ktest.pl | 8 + .../futex/functional/futex_wait_wouldblock.c | 2 +- tools/testing/selftests/landlock/base_test.c | 46 +- tools/testing/selftests/landlock/common.h | 1 + .../selftests/landlock/scoped_signal_test.c | 108 +++- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- virt/kvm/Kconfig | 2 +- virt/kvm/eventfd.c | 10 +- 383 files changed, 5029 insertions(+), 2064 deletions(-)

6 months, 2 weeks

8
401
0 0