- Linux-stable-mirror - lists.linaro.org

[PATCH v2] platform/chrome: cros_ec_typec: fix missing fwnode reference decrement

by Javier Carrasco

The device_for_each_child_node() macro requires explicit calls to fwnode_handle_put() upon early exits (return, break, goto) to decrement the fwnode's refcount, and avoid levaing a node reference behind. Add the missing fwnode_handle_put() after the common label for all error paths. Cc: stable(a)vger.kernel.org Fixes: fdc6b21e2444 ("platform/chrome: Add Type C connector class driver") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- I usually switch to the scoped variant of the macro to fix such issues, but given that the fix is relevant for stable kernels, I have provided the "classical" approach by adding the missing fwnode_handle_put(). If switching to the scoped variant is desired, please let me know. This driver and cross_typec_switch could be easily converted. --- Changes in v2: - fix typos in the commit description. - Link to v1: https://lore.kernel.org/r/20241009-cross_ec_typec_fwnode_handle_put-v1-1-f1… --- drivers/platform/chrome/cros_ec_typec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c index c7781aea0b88..f1324466efac 100644 --- a/drivers/platform/chrome/cros_ec_typec.c +++ b/drivers/platform/chrome/cros_ec_typec.c @@ -409,6 +409,7 @@ static int cros_typec_init_ports(struct cros_typec_data *typec) return 0; unregister_ports: + fwnode_handle_put(fwnode); cros_unregister_ports(typec); return ret; } --- base-commit: b6270c3bca987530eafc6a15f9d54ecd0033e0e3 change-id: 20241009-cross_ec_typec_fwnode_handle_put-9f13b4bd467f Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 3 weeks

2
1
0 0

[PATCH] staging: vchiq_arm: Utilize devm_kzalloc in the probe() function

by Umang Jain

The two resources, 'mgmt' and 'platform_state' are currently allocated dynamically using kzalloc(). Unfortunately, both are subject to memory leaks in the error handling paths of the probe() function. To address this issue, use device resource management helper devm_kzalloc() for proper cleanup during allocation. Cc: stable(a)vger.kernel.org Fixes: 1c9e16b73166 ("staging: vc04_services: vchiq_arm: Split driver static and runtime data") Signed-off-by: Umang Jain <umang.jain(a)ideasonboard.com> --- .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c index 29e78700463f..373cfdd5b020 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c @@ -285,7 +285,7 @@ vchiq_platform_init_state(struct vchiq_state *state) { struct vchiq_arm_state *platform_state; - platform_state = kzalloc(sizeof(*platform_state), GFP_KERNEL); + platform_state = devm_kzalloc(state->dev, sizeof(*platform_state), GFP_KERNEL); if (!platform_state) return -ENOMEM; @@ -1344,7 +1344,7 @@ static int vchiq_probe(struct platform_device *pdev) return -ENOENT; } - mgmt = kzalloc(sizeof(*mgmt), GFP_KERNEL); + mgmt = devm_kzalloc(&pdev->dev, sizeof(*mgmt), GFP_KERNEL); if (!mgmt) return -ENOMEM; @@ -1402,8 +1402,6 @@ static void vchiq_remove(struct platform_device *pdev) arm_state = vchiq_platform_get_arm_state(&mgmt->state); kthread_stop(arm_state->ka_thread); - - kfree(mgmt); } static struct platform_driver vchiq_driver = { -- 2.45.2

6 months, 3 weeks

2
1
0 0

[PATCH AUTOSEL 4.19 1/6] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index cea005cc7b2ab..c762335587a43 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -407,8 +407,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

6 months, 3 weeks

2
6
0 0

[PATCH AUTOSEL 5.10 1/9] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index 06d9f19ca142a..0774d753dd316 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

6 months, 3 weeks

2
9
0 0

[PATCH AUTOSEL 6.1 01/13] ksmbd: override fsids for share path check

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit a018c1b636e79b60149b41151ded7c2606d8606e ] Sangsoo reported that a DAC denial error occurred when accessing files through the ksmbd thread. This patch override fsids for share path check. Reported-by: Sangsoo Lee <constant.lee(a)samsung.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/smb/server/mgmt/share_config.c | 15 ++++++++++++--- fs/smb/server/mgmt/share_config.h | 4 +++- fs/smb/server/mgmt/tree_connect.c | 9 +++++---- fs/smb/server/mgmt/tree_connect.h | 4 ++-- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb_common.c | 9 +++++++-- fs/smb/server/smb_common.h | 2 ++ 7 files changed, 32 insertions(+), 13 deletions(-) diff --git a/fs/smb/server/mgmt/share_config.c b/fs/smb/server/mgmt/share_config.c index e0a6b758094fc..d8d03070ae44b 100644 --- a/fs/smb/server/mgmt/share_config.c +++ b/fs/smb/server/mgmt/share_config.c @@ -15,6 +15,7 @@ #include "share_config.h" #include "user_config.h" #include "user_session.h" +#include "../connection.h" #include "../transport_ipc.h" #include "../misc.h" @@ -120,12 +121,13 @@ static int parse_veto_list(struct ksmbd_share_config *share, return 0; } -static struct ksmbd_share_config *share_config_request(struct unicode_map *um, +static struct ksmbd_share_config *share_config_request(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config_response *resp; struct ksmbd_share_config *share = NULL; struct ksmbd_share_config *lookup; + struct unicode_map *um = work->conn->um; int ret; resp = ksmbd_ipc_share_config_request(name); @@ -181,7 +183,14 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, KSMBD_SHARE_CONFIG_VETO_LIST(resp), resp->veto_list_sz); if (!ret && share->path) { + if (__ksmbd_override_fsids(work, share)) { + kill_share(share); + share = NULL; + goto out; + } + ret = kern_path(share->path, 0, &share->vfs_path); + ksmbd_revert_fsids(work); if (ret) { ksmbd_debug(SMB, "failed to access '%s'\n", share->path); @@ -214,7 +223,7 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, return share; } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config *share; @@ -227,7 +236,7 @@ struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, if (share) return share; - return share_config_request(um, name); + return share_config_request(work, name); } bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, diff --git a/fs/smb/server/mgmt/share_config.h b/fs/smb/server/mgmt/share_config.h index 5f591751b9236..d4ac2dd4de204 100644 --- a/fs/smb/server/mgmt/share_config.h +++ b/fs/smb/server/mgmt/share_config.h @@ -11,6 +11,8 @@ #include <linux/path.h> #include <linux/unicode.h> +struct ksmbd_work; + struct ksmbd_share_config { char *name; char *path; @@ -68,7 +70,7 @@ static inline void ksmbd_share_config_put(struct ksmbd_share_config *share) __ksmbd_share_config_put(share); } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name); bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, const char *filename); diff --git a/fs/smb/server/mgmt/tree_connect.c b/fs/smb/server/mgmt/tree_connect.c index d2c81a8a11dda..94a52a75014a4 100644 --- a/fs/smb/server/mgmt/tree_connect.c +++ b/fs/smb/server/mgmt/tree_connect.c @@ -16,17 +16,18 @@ #include "user_session.h" struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name) +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name) { struct ksmbd_tree_conn_status status = {-ENOENT, NULL}; struct ksmbd_tree_connect_response *resp = NULL; struct ksmbd_share_config *sc; struct ksmbd_tree_connect *tree_conn = NULL; struct sockaddr *peer_addr; + struct ksmbd_conn *conn = work->conn; + struct ksmbd_session *sess = work->sess; int ret; - sc = ksmbd_share_config_get(conn->um, share_name); + sc = ksmbd_share_config_get(work, share_name); if (!sc) return status; @@ -61,7 +62,7 @@ ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, struct ksmbd_share_config *new_sc; ksmbd_share_config_del(sc); - new_sc = ksmbd_share_config_get(conn->um, share_name); + new_sc = ksmbd_share_config_get(work, share_name); if (!new_sc) { pr_err("Failed to update stale share config\n"); status.ret = -ESTALE; diff --git a/fs/smb/server/mgmt/tree_connect.h b/fs/smb/server/mgmt/tree_connect.h index 6377a70b811c8..a42cdd0510411 100644 --- a/fs/smb/server/mgmt/tree_connect.h +++ b/fs/smb/server/mgmt/tree_connect.h @@ -13,6 +13,7 @@ struct ksmbd_share_config; struct ksmbd_user; struct ksmbd_conn; +struct ksmbd_work; enum { TREE_NEW = 0, @@ -50,8 +51,7 @@ static inline int test_tree_conn_flag(struct ksmbd_tree_connect *tree_conn, struct ksmbd_session; struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name); +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name); void ksmbd_tree_connect_put(struct ksmbd_tree_connect *tcon); int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess, diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 4ba6bf1535da1..d97c7982bb3ee 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -1971,7 +1971,7 @@ int smb2_tree_connect(struct ksmbd_work *work) ksmbd_debug(SMB, "tree connect request for tree %s treename %s\n", name, treename); - status = ksmbd_tree_conn_connect(conn, sess, name); + status = ksmbd_tree_conn_connect(work, name); if (status.ret == KSMBD_TREE_CONN_STATUS_OK) rsp->hdr.Id.SyncId.TreeId = cpu_to_le32(status.tree_conn->id); else diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index e90a1e8c1951d..bdcdc0fc9cad5 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -729,10 +729,10 @@ bool is_asterisk(char *p) return p && p[0] == '*'; } -int ksmbd_override_fsids(struct ksmbd_work *work) +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share) { struct ksmbd_session *sess = work->sess; - struct ksmbd_share_config *share = work->tcon->share_conf; struct cred *cred; struct group_info *gi; unsigned int uid; @@ -772,6 +772,11 @@ int ksmbd_override_fsids(struct ksmbd_work *work) return 0; } +int ksmbd_override_fsids(struct ksmbd_work *work) +{ + return __ksmbd_override_fsids(work, work->tcon->share_conf); +} + void ksmbd_revert_fsids(struct ksmbd_work *work) { const struct cred *cred; diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h index f1092519c0c28..4a3148b0167f5 100644 --- a/fs/smb/server/smb_common.h +++ b/fs/smb/server/smb_common.h @@ -447,6 +447,8 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command); int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp); +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share); int ksmbd_override_fsids(struct ksmbd_work *work); void ksmbd_revert_fsids(struct ksmbd_work *work); -- 2.43.0

6 months, 3 weeks

2
13
0 0

patch "iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 4c4834fd8696a949d1b1f1c2c5b96e1ad2083b02 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:50 +0200 Subject: iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Fixes: 2a86487786b5 ("iio: adc: ti-ads8688: add trigger and buffer support") Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Reviewed-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20241003-iio-select-v1-4-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index c1197ee3dc68..1bf915c3d053 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1483,6 +1483,8 @@ config TI_ADS8344 config TI_ADS8688 tristate "Texas Instruments ADS8688" depends on SPI + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help If you say yes here you get support for Texas Instruments ADS8684 and and ADS8688 ADC chips -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iioc: dac: ltc2664: Fix span variable usage in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iioc: dac: ltc2664: Fix span variable usage in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From ccf9af8b0dadd0aecc24503ef289cbc178208418 Mon Sep 17 00:00:00 2001 From: Mohammed Anees <pvmohammedanees2003(a)gmail.com> Date: Sun, 6 Oct 2024 01:34:35 +0530 Subject: iioc: dac: ltc2664: Fix span variable usage in ltc2664_channel_config() In the current implementation of the ltc2664_channel_config() function, a variable named span is declared and initialized to 0, intended to capture the return value of the ltc2664_set_span() function. However, the output of ltc2664_set_span() is directly assigned to chan->span, leaving span unchanged. As a result, when the function later checks if (span < 0), this condition will never trigger an error since span remains 0, this flaw leads to ineffective error handling. Resolve this issue by using the ret variable to get the return value and later assign it if successful and remove unused span variable. Fixes: 4cc2fc445d2e ("iio: dac: ltc2664: Add driver for LTC2664 and LTC2672") Signed-off-by: Mohammed Anees <pvmohammedanees2003(a)gmail.com> Link: https://patch.msgid.link/20241005200435.25061-1-pvmohammedanees2003@gmail.c… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/dac/ltc2664.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/drivers/iio/dac/ltc2664.c b/drivers/iio/dac/ltc2664.c index 5be5345ac5c8..67f14046cf77 100644 --- a/drivers/iio/dac/ltc2664.c +++ b/drivers/iio/dac/ltc2664.c @@ -516,7 +516,7 @@ static int ltc2664_channel_config(struct ltc2664_state *st) const struct ltc2664_chip_info *chip_info = st->chip_info; struct device *dev = &st->spi->dev; u32 reg, tmp[2], mspan; - int ret, span = 0; + int ret; mspan = LTC2664_MSPAN_SOFTSPAN; ret = device_property_read_u32(dev, "adi,manual-span-operation-config", @@ -579,20 +579,21 @@ static int ltc2664_channel_config(struct ltc2664_state *st) ret = fwnode_property_read_u32_array(child, "output-range-microvolt", tmp, ARRAY_SIZE(tmp)); if (!ret && mspan == LTC2664_MSPAN_SOFTSPAN) { - chan->span = ltc2664_set_span(st, tmp[0] / 1000, - tmp[1] / 1000, reg); - if (span < 0) - return dev_err_probe(dev, span, + ret = ltc2664_set_span(st, tmp[0] / 1000, tmp[1] / 1000, reg); + if (ret < 0) + return dev_err_probe(dev, ret, "Failed to set span\n"); + chan->span = ret; } ret = fwnode_property_read_u32_array(child, "output-range-microamp", tmp, ARRAY_SIZE(tmp)); if (!ret) { - chan->span = ltc2664_set_span(st, 0, tmp[1] / 1000, reg); - if (span < 0) - return dev_err_probe(dev, span, + ret = ltc2664_set_span(st, 0, tmp[1] / 1000, reg); + if (ret < 0) + return dev_err_probe(dev, ret, "Failed to set span\n"); + chan->span = ret; } } -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: hid-sensors: Fix an error handling path in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: hid-sensors: Fix an error handling path in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 3a29b84cf7fbf912a6ab1b9c886746f02b74ea25 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Thu, 3 Oct 2024 20:41:12 +0200 Subject: iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() If hid_sensor_set_report_latency() fails, the error code should be returned instead of a value likely to be interpreted as 'success'. Fixes: 138bc7969c24 ("iio: hid-sensor-hub: Implement batch mode") Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Acked-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> Link: https://patch.msgid.link/c50640665f091a04086e5092cf50f73f2055107a.172798082… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c index ad8910e6ad59..abb09fefc792 100644 --- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c +++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c @@ -32,7 +32,7 @@ static ssize_t _hid_sensor_set_report_latency(struct device *dev, latency = integer * 1000 + fract / 1000; ret = hid_sensor_set_report_latency(attrb, latency); if (ret < 0) - return len; + return ret; attrb->latency_ms = hid_sensor_get_report_latency(attrb); -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 27b6aa68a68105086aef9f0cb541cd688e5edea8 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 18:49:40 +0200 Subject: iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig This driver makes use of regmap_mmio, but does not select the required module. Add the missing 'select REGMAP_MMIO'. Fixes: 4d4b30526eb8 ("iio: dac: add support for stm32 DAC") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-8-4019453f8c33@gmail.c… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/dac/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/dac/Kconfig b/drivers/iio/dac/Kconfig index 25f6d1fd62df..45e337c6d256 100644 --- a/drivers/iio/dac/Kconfig +++ b/drivers/iio/dac/Kconfig @@ -489,6 +489,7 @@ config STM32_DAC config STM32_DAC_CORE tristate + select REGMAP_MMIO config TI_DAC082S085 tristate "Texas Instruments 8/10/12-bit 2/4-channel DAC driver" -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 252ff06a4cb4e572cb3c7fcfa697db96b08a7781 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 18:49:39 +0200 Subject: iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig This driver makes use of regmap_spi, but does not select the required module. Add the missing 'select REGMAP_SPI'. Fixes: 8316cebd1e59 ("iio: dac: add support for ltc1660") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-7-4019453f8c33@gmail.c… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/dac/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/dac/Kconfig b/drivers/iio/dac/Kconfig index 2e0a9c94439f..25f6d1fd62df 100644 --- a/drivers/iio/dac/Kconfig +++ b/drivers/iio/dac/Kconfig @@ -358,6 +358,7 @@ config LPC18XX_DAC config LTC1660 tristate "Linear Technology LTC1660/LTC1665 DAC SPI driver" depends on SPI + select REGMAP_SPI help Say yes here to build support for Linear Technology LTC1660 and LTC1665 Digital to Analog Converters. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From b7983033a10baa0d98784bb411b2679bfb207d9a Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 18:49:37 +0200 Subject: iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig This driver makes use of regmap_spi, but does not select the required module. Add the missing 'select REGMAP_SPI'. Fixes: 28b4c30bfa5f ("iio: amplifiers: ada4250: add support for ADA4250") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-5-4019453f8c33@gmail.c… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/amplifiers/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/amplifiers/Kconfig b/drivers/iio/amplifiers/Kconfig index b54fe01734b0..55eb16b32f6c 100644 --- a/drivers/iio/amplifiers/Kconfig +++ b/drivers/iio/amplifiers/Kconfig @@ -27,6 +27,7 @@ config AD8366 config ADA4250 tristate "Analog Devices ADA4250 Instrumentation Amplifier" depends on SPI + select REGMAP_SPI help Say yes here to build support for Analog Devices ADA4250 SPI Amplifier's support. The driver provides direct access via -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From bcdab6f74c91cda19714354fd4e9e3ef3c9a78b3 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 18:49:38 +0200 Subject: iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig This driver makes use of regmap_spi, but does not select the required module. Add the missing 'select REGMAP_SPI'. Fixes: cbbb819837f6 ("iio: dac: ad5770r: Add AD5770R support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-6-4019453f8c33@gmail.c… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/dac/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/dac/Kconfig b/drivers/iio/dac/Kconfig index bb6cb9af9ed9..2e0a9c94439f 100644 --- a/drivers/iio/dac/Kconfig +++ b/drivers/iio/dac/Kconfig @@ -266,6 +266,7 @@ config AD5766 config AD5770R tristate "Analog Devices AD5770R IDAC driver" depends on SPI_MASTER + select REGMAP_SPI help Say yes here to build support for Analog Devices AD5770R Digital to Analog Converter. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: resolver: ad2s1210: add missing select (TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: resolver: ad2s1210: add missing select (TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 2caa67b6251c802e0c2257920b225c765e86bf4a Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 18:49:34 +0200 Subject: iio: resolver: ad2s1210: add missing select (TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 128b9389db0e ("staging: iio: resolver: ad2s1210: add triggered buffer support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-2-4019453f8c33@gmail.c… Cc: <stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/resolver/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/resolver/Kconfig b/drivers/iio/resolver/Kconfig index 640aef3e5c94..de2dee3832a1 100644 --- a/drivers/iio/resolver/Kconfig +++ b/drivers/iio/resolver/Kconfig @@ -32,6 +32,8 @@ config AD2S1210 depends on COMMON_CLK depends on GPIOLIB || COMPILE_TEST select REGMAP + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say yes here to build support for Analog Devices spi resolver to digital converters, ad2s1210, provides direct access via sysfs. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From c64643ed4eaa5dfd0b3bab7ef1c50b84f3dbaba4 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 18:49:35 +0200 Subject: iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig This driver makes use of regmap_spi, but does not select the required module. Add the missing 'select REGMAP_SPI'. Fixes: eda549e2e524 ("iio: frequency: adf4377: add support for ADF4377") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-3-4019453f8c33@gmail.c… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/frequency/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/frequency/Kconfig b/drivers/iio/frequency/Kconfig index c455be7d4a1c..89ae09db5ca5 100644 --- a/drivers/iio/frequency/Kconfig +++ b/drivers/iio/frequency/Kconfig @@ -53,6 +53,7 @@ config ADF4371 config ADF4377 tristate "Analog Devices ADF4377 Microwave Wideband Synthesizer" depends on SPI && COMMON_CLK + select REGMAP_SPI help Say yes here to build support for Analog Devices ADF4377 Microwave Wideband Synthesizer. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: resolver: ad2s1210 add missing select REGMAP in Kconfig" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: resolver: ad2s1210 add missing select REGMAP in Kconfig to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 17a99360184cf02b2b3bc3c1972e777326bfa63b Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 18:49:33 +0200 Subject: iio: resolver: ad2s1210 add missing select REGMAP in Kconfig This driver makes use of regmap, but does not select the required module. Add the missing 'select REGMAP'. Fixes: b3689e14415a ("staging: iio: resolver: ad2s1210: use regmap for config registers") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20241003-ad2s1210-select-v1-1-4019453f8c33@gmail.c… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/resolver/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/resolver/Kconfig b/drivers/iio/resolver/Kconfig index 424529d36080..640aef3e5c94 100644 --- a/drivers/iio/resolver/Kconfig +++ b/drivers/iio/resolver/Kconfig @@ -31,6 +31,7 @@ config AD2S1210 depends on SPI depends on COMMON_CLK depends on GPIOLIB || COMPILE_TEST + select REGMAP help Say yes here to build support for Analog Devices spi resolver to digital converters, ad2s1210, provides direct access via sysfs. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: pressure: bm1390: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: pressure: bm1390: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 3f7b25f6ad0925b9ae9b70656a49abb5af111483 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:58 +0200 Subject: iio: pressure: bm1390: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Note the original driver patch had wrong part number hence the odd fixes entry. Fixes: 81ca5979b6ed ("iio: pressure: Support ROHM BU1390") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Acked-by: Matti Vaittinen <mazziesaccount(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-12-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/pressure/Kconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/iio/pressure/Kconfig b/drivers/iio/pressure/Kconfig index df65438c771e..d2cb8c871f6a 100644 --- a/drivers/iio/pressure/Kconfig +++ b/drivers/iio/pressure/Kconfig @@ -19,6 +19,9 @@ config ABP060MG config ROHM_BM1390 tristate "ROHM BM1390GLV-Z pressure sensor driver" depends on I2C + select REGMAP_I2C + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Support for the ROHM BM1390 pressure sensor. The BM1390GLV-Z can measure pressures ranging from 300 hPa to 1300 hPa with -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 75461a0b15d7c026924d0001abce0476bbc7eda8 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:59 +0200 Subject: iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 16b05261537e ("mb1232.c: add distance iio sensor with i2c") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-13-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/proximity/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/proximity/Kconfig b/drivers/iio/proximity/Kconfig index 31c679074b25..a562a78b7d0d 100644 --- a/drivers/iio/proximity/Kconfig +++ b/drivers/iio/proximity/Kconfig @@ -86,6 +86,8 @@ config LIDAR_LITE_V2 config MB1232 tristate "MaxSonar I2CXL family ultrasonic sensors" depends on I2C + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say Y to build a driver for the ultrasonic sensors I2CXL of MaxBotix which have an i2c interface. It can be used to measure -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: magnetometer: af8133j: add missing select IIO_(TRIGGERED_)BUFFER" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: magnetometer: af8133j: add missing select IIO_(TRIGGERED_)BUFFER to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From fbb913895e3da36cb42e1e7a5a3cae1c6d150cf6 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:57 +0200 Subject: iio: magnetometer: af8133j: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 1d8f4b04621f ("iio: magnetometer: add a driver for Voltafield AF8133J magnetometer") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Reviewed-by: Andrey Skvortsov <andrej.skvortzov(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-11-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/magnetometer/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/magnetometer/Kconfig b/drivers/iio/magnetometer/Kconfig index 8eb718f5e50f..f69ac75500f9 100644 --- a/drivers/iio/magnetometer/Kconfig +++ b/drivers/iio/magnetometer/Kconfig @@ -11,6 +11,8 @@ config AF8133J depends on I2C depends on OF select REGMAP_I2C + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say yes here to build support for Voltafield AF8133J I2C-based 3-axis magnetometer chip. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: chemical: ens160: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: chemical: ens160: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 3fd8bbf93926162eb59153a5bcd2a53b0cc04cf0 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:55 +0200 Subject: iio: chemical: ens160: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 0fc26596b4b3 ("iio: chemical: ens160: add triggered buffer support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Acked-by: Gustavo Silva <gustavograzs(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-9-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/chemical/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/chemical/Kconfig b/drivers/iio/chemical/Kconfig index 678a6adb9a75..6c87223f58d9 100644 --- a/drivers/iio/chemical/Kconfig +++ b/drivers/iio/chemical/Kconfig @@ -80,6 +80,8 @@ config ENS160 tristate "ScioSense ENS160 sensor driver" depends on (I2C || SPI) select REGMAP + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER select ENS160_I2C if I2C select ENS160_SPI if SPI help -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: light: bu27008: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: light: bu27008: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From aa99ef68eff5bc6df4959a372ae355b3b73f9930 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:56 +0200 Subject: iio: light: bu27008: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 41ff93d14f78 ("iio: light: ROHM BU27008 color sensor") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Acked-by: Matti Vaittinen <mazziesaccount(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-10-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/light/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig index 515ff46b5b82..f2f3e414849a 100644 --- a/drivers/iio/light/Kconfig +++ b/drivers/iio/light/Kconfig @@ -335,6 +335,8 @@ config ROHM_BU27008 depends on I2C select REGMAP_I2C select IIO_GTS_HELPER + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Enable support for the ROHM BU27008 color sensor. The ROHM BU27008 is a sensor with 5 photodiodes (red, green, -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 62ec3df342cca6a8eb7ed33fd4ac8d0fbfcb9391 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:54 +0200 Subject: iio: dac: ad5766: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 885b9790c25a ("drivers:iio:dac:ad5766.c: Add trigger buffer") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-8-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/dac/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/dac/Kconfig b/drivers/iio/dac/Kconfig index 9d4600ce0427..bb6cb9af9ed9 100644 --- a/drivers/iio/dac/Kconfig +++ b/drivers/iio/dac/Kconfig @@ -254,6 +254,8 @@ config AD5764 config AD5766 tristate "Analog Devices AD5766/AD5767 DAC driver" depends on SPI_MASTER + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say yes here to build support for Analog Devices AD5766, AD5767 Digital to Analog Converter. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 5bede948670f447154df401458aef4e2fd446ba8 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:53 +0200 Subject: iio: dac: ad3552r: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 8f2b54824b28 ("drivers:iio:dac: Add AD3552R driver support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-7-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/dac/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/dac/Kconfig b/drivers/iio/dac/Kconfig index 1cfd7e2a622f..9d4600ce0427 100644 --- a/drivers/iio/dac/Kconfig +++ b/drivers/iio/dac/Kconfig @@ -9,6 +9,8 @@ menu "Digital to analog converters" config AD3552R tristate "Analog Devices AD3552R DAC driver" depends on SPI_MASTER + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say yes here to build support for Analog Devices AD3552R Digital to Analog Converter. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From a985576af824426e33100554a5958a6beda60a13 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:52 +0200 Subject: iio: adc: ti-lmp92064: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 6c7bc1d27bb2 ("iio: adc: ti-lmp92064: add buffering support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-6-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index 68640fa26f4e..c1197ee3dc68 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1530,6 +1530,8 @@ config TI_LMP92064 tristate "Texas Instruments LMP92064 ADC driver" depends on SPI select REGMAP_SPI + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say yes here to build support for the LMP92064 Precision Current and Voltage sensor. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From eb143d05def52bc6d193e813018e5fa1a0e47c77 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:49 +0200 Subject: iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-3-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index 6790e62700fe..45872a4e2acf 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1493,6 +1493,8 @@ config TI_ADS8688 config TI_ADS124S08 tristate "Texas Instruments ADS124S08" depends on SPI + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help If you say yes here you get support for Texas Instruments ADS124S08 and ADS124S06 ADC chips -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: adc: ti-lmp92064: add missing select REGMAP_SPI in Kconfig" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ti-lmp92064: add missing select REGMAP_SPI in Kconfig to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From f3fe8c52c580e99c6dc0c7859472ec48176af32d Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:51 +0200 Subject: iio: adc: ti-lmp92064: add missing select REGMAP_SPI in Kconfig This driver makes use of regmap_spi, but does not select the required module. Add the missing 'select REGMAP_SPI'. Fixes: 627198942641 ("iio: adc: add ADC driver for the TI LMP92064 controller") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-5-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index 45872a4e2acf..68640fa26f4e 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -1529,6 +1529,7 @@ config TI_AM335X_ADC config TI_LMP92064 tristate "Texas Instruments LMP92064 ADC driver" depends on SPI + select REGMAP_SPI help Say yes here to build support for the LMP92064 Precision Current and Voltage sensor. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: adc: ad7944: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7944: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From f4dc96f05149d5e14d7a03c3b16171098847fee9 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:48 +0200 Subject: iio: adc: ad7944: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: d1efcf8871db ("iio: adc: ad7944: add driver for AD7944/AD7985/AD7986") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20241003-iio-select-v1-2-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig index 97ece1a4b7e3..6790e62700fe 100644 --- a/drivers/iio/adc/Kconfig +++ b/drivers/iio/adc/Kconfig @@ -328,6 +328,8 @@ config AD7923 config AD7944 tristate "Analog Devices AD7944 and similar ADCs driver" depends on SPI + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER help Say yes here to build support for Analog Devices AD7944, AD7985, AD7986 ADCs. -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: accel: kx022a: add missing select IIO_(TRIGGERED_)BUFFER in" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: accel: kx022a: add missing select IIO_(TRIGGERED_)BUFFER in to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 96666f05d11acf0370cedca17a4c3ab6f9554b35 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Thu, 3 Oct 2024 23:04:47 +0200 Subject: iio: accel: kx022a: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig This driver makes use of triggered buffers, but does not select the required modules. Add the missing 'select IIO_BUFFER' and 'select IIO_TRIGGERED_BUFFER'. Fixes: 7c1d1677b322 ("iio: accel: Support Kionix/ROHM KX022A accelerometer") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Acked-by: Matti Vaittinen <mazziesaccount(a)gmail.com> Link: https://patch.msgid.link/20241003-iio-select-v1-1-67c0385197cd@gmail.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/accel/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iio/accel/Kconfig b/drivers/iio/accel/Kconfig index 516c1a8e4d56..8c3f7cf55d5f 100644 --- a/drivers/iio/accel/Kconfig +++ b/drivers/iio/accel/Kconfig @@ -447,6 +447,8 @@ config IIO_ST_ACCEL_SPI_3AXIS config IIO_KX022A tristate + select IIO_BUFFER + select IIO_TRIGGERED_BUFFER config IIO_KX022A_SPI tristate "Kionix KX022A tri-axis digital accelerometer SPI interface" -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: light: veml6030: fix ALS sensor resolution" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: light: veml6030: fix ALS sensor resolution to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From c9e9746f275c45108f2b0633a4855d65d9ae0736 Mon Sep 17 00:00:00 2001 From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Date: Mon, 23 Sep 2024 00:17:49 +0200 Subject: iio: light: veml6030: fix ALS sensor resolution The driver still uses the sensor resolution provided in the datasheet until Rev. 1.6, 28-Apr-2022, which was updated with Rev 1.7, 28-Nov-2023. The original ambient light resolution has been updated from 0.0036 lx/ct to 0.0042 lx/ct, which is the value that can be found in the current device datasheet. Update the default resolution for IT = 100 ms and GAIN = 1/8 from the original 4608 mlux/cnt to the current value from the "Resolution and maximum detection range" table (Application Note 84367, page 5), 5376 mlux/cnt. Cc: <stable(a)vger.kernel.org> Fixes: 7b779f573c48 ("iio: light: add driver for veml6030 ambient light sensor") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://patch.msgid.link/20240923-veml6035-v2-1-58c72a0df31c@gmail.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/light/veml6030.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/light/veml6030.c b/drivers/iio/light/veml6030.c index df2ba3078b91..9630de1c578e 100644 --- a/drivers/iio/light/veml6030.c +++ b/drivers/iio/light/veml6030.c @@ -779,7 +779,7 @@ static int veml6030_hw_init(struct iio_dev *indio_dev) /* Cache currently active measurement parameters */ data->cur_gain = 3; - data->cur_resolution = 4608; + data->cur_resolution = 5376; data->cur_integration_time = 3; return ret; -- 2.47.0

6 months, 3 weeks

1
0
0 0

patch "iio: light: opt3001: add missing full-scale range value" added to char-misc-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: light: opt3001: add missing full-scale range value to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 530688e39c644543b71bdd9cb45fdfb458a28eaa Mon Sep 17 00:00:00 2001 From: Emil Gedenryd <emil.gedenryd(a)axis.com> Date: Fri, 13 Sep 2024 11:57:02 +0200 Subject: iio: light: opt3001: add missing full-scale range value The opt3001 driver uses predetermined full-scale range values to determine what exponent to use for event trigger threshold values. The problem is that one of the values specified in the datasheet is missing from the implementation. This causes larger values to be scaled down to an incorrect exponent, effectively reducing the maximum settable threshold value by a factor of 2. Add missing full-scale range array value. Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor") Signed-off-by: Emil Gedenryd <emil.gedenryd(a)axis.com> Cc: <Stable(a)vger.kernel.org> Link: https://patch.msgid.link/20240913-add_opt3002-v2-1-69e04f840360@axis.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/light/opt3001.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/iio/light/opt3001.c b/drivers/iio/light/opt3001.c index 887c4b776a86..176e54bb48c3 100644 --- a/drivers/iio/light/opt3001.c +++ b/drivers/iio/light/opt3001.c @@ -138,6 +138,10 @@ static const struct opt3001_scale opt3001_scales[] = { .val = 20966, .val2 = 400000, }, + { + .val = 41932, + .val2 = 800000, + }, { .val = 83865, .val2 = 600000, -- 2.47.0

6 months, 3 weeks

1
0
0 0

[PATCH] soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting()

by Javier Carrasco

of_find_compatible_node() requires a call to of_node_put() when the pointer to the node is not required anymore to decrement its refcount and avoid leaking memory. Add the missing call to of_node_put() after the node has been used. Cc: stable(a)vger.kernel.org Fixes: e95f287deed2 ("soc: fsl: handle RCPM errata A-008646 on SoC LS1021A") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/soc/fsl/rcpm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/soc/fsl/rcpm.c b/drivers/soc/fsl/rcpm.c index 3d0cae30c769..06bd94b29fb3 100644 --- a/drivers/soc/fsl/rcpm.c +++ b/drivers/soc/fsl/rcpm.c @@ -36,6 +36,7 @@ static void copy_ippdexpcr1_setting(u32 val) return; regs = of_iomap(np, 0); + of_node_put(np); if (!regs) return; --- base-commit: d61a00525464bfc5fe92c6ad713350988e492b88 change-id: 20241013-rcpm-of_node_put-5e94e5bf1230 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 3 weeks

1
0
0 0

[PATCH] firmware: tf: fix missing of_node_put() in of_register_trusted_foundation()

by Javier Carrasco

of_find_compatible_node() requires a call to of_node_put() when the pointer to the node is not required anymore to decrement its refcount and avoid leaking memory. Add the missing call to of_node_put() after the node has been used. Cc: stable(a)vger.kernel.org Fixes: d9a1beaa10e8 ("ARM: add basic support for Trusted Foundations") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/firmware/trusted_foundations.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/firmware/trusted_foundations.c b/drivers/firmware/trusted_foundations.c index 1389fa9418a7..e9fc79805c3e 100644 --- a/drivers/firmware/trusted_foundations.c +++ b/drivers/firmware/trusted_foundations.c @@ -175,6 +175,7 @@ void of_register_trusted_foundations(void) &pdata.version_minor); if (err != 0) panic("Trusted Foundation: missing version-minor property\n"); + of_node_put(node); register_trusted_foundations(&pdata); } --- base-commit: d61a00525464bfc5fe92c6ad713350988e492b88 change-id: 20241013-trusted_foundations-of_node_put-4b905f3ba009 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 3 weeks

1
0
0 0

[PATCH] soc: imx8m: Fix missing refcount decrement in error path for np

by Javier Carrasco

An error path was introduced without including the required call to of_node_put() to decrement the node's refcount and avoid leaking memory. If the call to of_clk_get_by_name() for 'clk' fails, the probe returns without decrementing the refcount. Use the automatic cleanup facility to fix the bug and protect the code against new error paths where the call to of_node_put() might be missing again. Cc: stable(a)vger.kernel.org Fixes: 836fb30949d9 ("soc: imx8m: Enable OCOTP clock before reading the register") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/soc/imx/soc-imx8m.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/soc/imx/soc-imx8m.c b/drivers/soc/imx/soc-imx8m.c index fe111bae38c8..ba8c0bdd60aa 100644 --- a/drivers/soc/imx/soc-imx8m.c +++ b/drivers/soc/imx/soc-imx8m.c @@ -99,12 +99,12 @@ static u32 __init imx8mq_soc_revision(void) static void __init imx8mm_soc_uid(void) { void __iomem *ocotp_base; - struct device_node *np; + struct device_node *np __free(device_node) = + of_find_compatible_node(NULL, NULL, "fsl,imx8mm-ocotp"); struct clk *clk; u32 offset = of_machine_is_compatible("fsl,imx8mp") ? IMX8MP_OCOTP_UID_OFFSET : 0; - np = of_find_compatible_node(NULL, NULL, "fsl,imx8mm-ocotp"); if (!np) return; @@ -125,7 +125,6 @@ static void __init imx8mm_soc_uid(void) clk_disable_unprepare(clk); clk_put(clk); iounmap(ocotp_base); - of_node_put(np); } static u32 __init imx8mm_soc_revision(void) --- base-commit: d61a00525464bfc5fe92c6ad713350988e492b88 change-id: 20241013-soc-imx8m-of_node_put-526a1c8ab540 Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 3 weeks

1
0
0 0

[PATCH 6.1+] HID: multitouch: Add support for lenovo Y9000P Touchpad

by WangYuli

From: He Lugang <helugang(a)uniontech.com> [ Upstream commit 251efae73bd46b097deec4f9986d926813aed744 ] The 2024 Lenovo Y9000P which use GT7868Q chip also needs a fixup. The information of the chip is as follows: I2C HID v1.00 Mouse [GXTP5100:00 27C6:01E0] Signed-off-by: He Lugang <helugang(a)uniontech.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: WangYuli <wangyuli(a)uniontech.com> --- drivers/hid/hid-ids.h | 1 + drivers/hid/hid-multitouch.c | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index 06104a4e0fdc..86820a3d9766 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -505,6 +505,7 @@ #define USB_DEVICE_ID_GENERAL_TOUCH_WIN8_PIT_E100 0xe100 #define I2C_VENDOR_ID_GOODIX 0x27c6 +#define I2C_DEVICE_ID_GOODIX_01E0 0x01e0 #define I2C_DEVICE_ID_GOODIX_01E8 0x01e8 #define I2C_DEVICE_ID_GOODIX_01E9 0x01e9 #define I2C_DEVICE_ID_GOODIX_01F0 0x01f0 diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index c4a6908bbe54..847462650549 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -1446,7 +1446,8 @@ static __u8 *mt_report_fixup(struct hid_device *hdev, __u8 *rdesc, { if (hdev->vendor == I2C_VENDOR_ID_GOODIX && (hdev->product == I2C_DEVICE_ID_GOODIX_01E8 || - hdev->product == I2C_DEVICE_ID_GOODIX_01E9)) { + hdev->product == I2C_DEVICE_ID_GOODIX_01E9 || + hdev->product == I2C_DEVICE_ID_GOODIX_01E0)) { if (rdesc[607] == 0x15) { rdesc[607] = 0x25; dev_info( @@ -2065,7 +2066,10 @@ static const struct hid_device_id mt_devices[] = { I2C_DEVICE_ID_GOODIX_01E8) }, { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU, HID_DEVICE(BUS_I2C, HID_GROUP_ANY, I2C_VENDOR_ID_GOODIX, - I2C_DEVICE_ID_GOODIX_01E8) }, + I2C_DEVICE_ID_GOODIX_01E9) }, + { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU, + HID_DEVICE(BUS_I2C, HID_GROUP_ANY, I2C_VENDOR_ID_GOODIX, + I2C_DEVICE_ID_GOODIX_01E0) }, /* GoodTouch panels */ { .driver_data = MT_CLS_NSMU, -- 2.45.2

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] lockdep: fix deadlock issue between lockdep and rcu" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x a6f88ac32c6e63e69c595bfae220d8641704c9b7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100226-unselfish-triangle-e5eb@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: a6f88ac32c6e ("lockdep: fix deadlock issue between lockdep and rcu") 61cc4534b655 ("locking/lockdep: Avoid potential access of invalid memory in lock_class") 248efb2158f1 ("locking/lockdep: Rework lockdep_lock") 10476e630422 ("locking/lockdep: Fix bad recursion pattern") 25016bd7f4ca ("locking/lockdep: Avoid recursion in lockdep_count_{for,back}ward_deps()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a6f88ac32c6e63e69c595bfae220d8641704c9b7 Mon Sep 17 00:00:00 2001 From: Zhiguo Niu <zhiguo.niu(a)unisoc.com> Date: Thu, 20 Jun 2024 22:54:34 +0000 Subject: [PATCH] lockdep: fix deadlock issue between lockdep and rcu There is a deadlock scenario between lockdep and rcu when rcu nocb feature is enabled, just as following call stack: rcuop/x -000|queued_spin_lock_slowpath(lock = 0xFFFFFF817F2A8A80, val = ?) -001|queued_spin_lock(inline) // try to hold nocb_gp_lock -001|do_raw_spin_lock(lock = 0xFFFFFF817F2A8A80) -002|__raw_spin_lock_irqsave(inline) -002|_raw_spin_lock_irqsave(lock = 0xFFFFFF817F2A8A80) -003|wake_nocb_gp_defer(inline) -003|__call_rcu_nocb_wake(rdp = 0xFFFFFF817F30B680) -004|__call_rcu_common(inline) -004|call_rcu(head = 0xFFFFFFC082EECC28, func = ?) -005|call_rcu_zapped(inline) -005|free_zapped_rcu(ch = ?)// hold graph lock -006|rcu_do_batch(rdp = 0xFFFFFF817F245680) -007|nocb_cb_wait(inline) -007|rcu_nocb_cb_kthread(arg = 0xFFFFFF817F245680) -008|kthread(_create = 0xFFFFFF80803122C0) -009|ret_from_fork(asm) rcuop/y -000|queued_spin_lock_slowpath(lock = 0xFFFFFFC08291BBC8, val = 0) -001|queued_spin_lock() -001|lockdep_lock() -001|graph_lock() // try to hold graph lock -002|lookup_chain_cache_add() -002|validate_chain() -003|lock_acquire -004|_raw_spin_lock_irqsave(lock = 0xFFFFFF817F211D80) -005|lock_timer_base(inline) -006|mod_timer(inline) -006|wake_nocb_gp_defer(inline)// hold nocb_gp_lock -006|__call_rcu_nocb_wake(rdp = 0xFFFFFF817F2A8680) -007|__call_rcu_common(inline) -007|call_rcu(head = 0xFFFFFFC0822E0B58, func = ?) -008|call_rcu_hurry(inline) -008|rcu_sync_call(inline) -008|rcu_sync_func(rhp = 0xFFFFFFC0822E0B58) -009|rcu_do_batch(rdp = 0xFFFFFF817F266680) -010|nocb_cb_wait(inline) -010|rcu_nocb_cb_kthread(arg = 0xFFFFFF817F266680) -011|kthread(_create = 0xFFFFFF8080363740) -012|ret_from_fork(asm) rcuop/x and rcuop/y are rcu nocb threads with the same nocb gp thread. This patch release the graph lock before lockdep call_rcu. Fixes: a0b0fd53e1e6 ("locking/lockdep: Free lock classes that are no longer in use") Cc: stable(a)vger.kernel.org Cc: Boqun Feng <boqun.feng(a)gmail.com> Cc: Waiman Long <longman(a)redhat.com> Cc: Carlos Llamas <cmllamas(a)google.com> Cc: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Zhiguo Niu <zhiguo.niu(a)unisoc.com> Signed-off-by: Xuewen Yan <xuewen.yan(a)unisoc.com> Reviewed-by: Waiman Long <longman(a)redhat.com> Reviewed-by: Carlos Llamas <cmllamas(a)google.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Acked-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> Link: https://lore.kernel.org/r/20240620225436.3127927-1-cmllamas@google.com diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c index 266f57f36f69..b172ead28f1c 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c @@ -6186,25 +6186,27 @@ static struct pending_free *get_pending_free(void) static void free_zapped_rcu(struct rcu_head *cb); /* - * Schedule an RCU callback if no RCU callback is pending. Must be called with - * the graph lock held. - */ -static void call_rcu_zapped(struct pending_free *pf) +* See if we need to queue an RCU callback, must called with +* the lockdep lock held, returns false if either we don't have +* any pending free or the callback is already scheduled. +* Otherwise, a call_rcu() must follow this function call. +*/ +static bool prepare_call_rcu_zapped(struct pending_free *pf) { WARN_ON_ONCE(inside_selftest()); if (list_empty(&pf->zapped)) - return; + return false; if (delayed_free.scheduled) - return; + return false; delayed_free.scheduled = true; WARN_ON_ONCE(delayed_free.pf + delayed_free.index != pf); delayed_free.index ^= 1; - call_rcu(&delayed_free.rcu_head, free_zapped_rcu); + return true; } /* The caller must hold the graph lock. May be called from RCU context. */ @@ -6230,6 +6232,7 @@ static void free_zapped_rcu(struct rcu_head *ch) { struct pending_free *pf; unsigned long flags; + bool need_callback; if (WARN_ON_ONCE(ch != &delayed_free.rcu_head)) return; @@ -6241,14 +6244,18 @@ static void free_zapped_rcu(struct rcu_head *ch) pf = delayed_free.pf + (delayed_free.index ^ 1); __free_zapped_classes(pf); delayed_free.scheduled = false; - - /* - * If there's anything on the open list, close and start a new callback. - */ - call_rcu_zapped(delayed_free.pf + delayed_free.index); - + need_callback = + prepare_call_rcu_zapped(delayed_free.pf + delayed_free.index); lockdep_unlock(); raw_local_irq_restore(flags); + + /* + * If there's pending free and its callback has not been scheduled, + * queue an RCU callback. + */ + if (need_callback) + call_rcu(&delayed_free.rcu_head, free_zapped_rcu); + } /* @@ -6288,6 +6295,7 @@ static void lockdep_free_key_range_reg(void *start, unsigned long size) { struct pending_free *pf; unsigned long flags; + bool need_callback; init_data_structures_once(); @@ -6295,10 +6303,11 @@ static void lockdep_free_key_range_reg(void *start, unsigned long size) lockdep_lock(); pf = get_pending_free(); __lockdep_free_key_range(pf, start, size); - call_rcu_zapped(pf); + need_callback = prepare_call_rcu_zapped(pf); lockdep_unlock(); raw_local_irq_restore(flags); - + if (need_callback) + call_rcu(&delayed_free.rcu_head, free_zapped_rcu); /* * Wait for any possible iterators from look_up_lock_class() to pass * before continuing to free the memory they refer to. @@ -6392,6 +6401,7 @@ static void lockdep_reset_lock_reg(struct lockdep_map *lock) struct pending_free *pf; unsigned long flags; int locked; + bool need_callback = false; raw_local_irq_save(flags); locked = graph_lock(); @@ -6400,11 +6410,13 @@ static void lockdep_reset_lock_reg(struct lockdep_map *lock) pf = get_pending_free(); __lockdep_reset_lock(pf, lock); - call_rcu_zapped(pf); + need_callback = prepare_call_rcu_zapped(pf); graph_unlock(); out_irq: raw_local_irq_restore(flags); + if (need_callback) + call_rcu(&delayed_free.rcu_head, free_zapped_rcu); } /* @@ -6448,6 +6460,7 @@ void lockdep_unregister_key(struct lock_class_key *key) struct pending_free *pf; unsigned long flags; bool found = false; + bool need_callback = false; might_sleep(); @@ -6468,11 +6481,14 @@ void lockdep_unregister_key(struct lock_class_key *key) if (found) { pf = get_pending_free(); __lockdep_free_key_range(pf, key, 1); - call_rcu_zapped(pf); + need_callback = prepare_call_rcu_zapped(pf); } lockdep_unlock(); raw_local_irq_restore(flags); + if (need_callback) + call_rcu(&delayed_free.rcu_head, free_zapped_rcu); + /* Wait until is_dynamic_key() has finished accessing k->hash_entry. */ synchronize_rcu(); }

6 months, 3 weeks

3
3
0 0

+ mm-dont-install-pmd-mappings-when-thps-are-disabled-by-the-hw-process-vma.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: don't install PMD mappings when THPs are disabled by the hw/process/vma has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-dont-install-pmd-mappings-when-thps-are-disabled-by-the-hw-process-vma.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm: don't install PMD mappings when THPs are disabled by the hw/process/vma Date: Fri, 11 Oct 2024 12:24:45 +0200 We (or rather, readahead logic :) ) might be allocating a THP in the pagecache and then try mapping it into a process that explicitly disabled THP: we might end up installing PMD mappings. This is a problem for s390x KVM, which explicitly remaps all PMD-mapped THPs to be PTE-mapped in s390_enable_sie()->thp_split_mm(), before starting the VM. For example, starting a VM backed on a file system with large folios supported makes the VM crash when the VM tries accessing such a mapping using KVM. Is it also a problem when the HW disabled THP using TRANSPARENT_HUGEPAGE_UNSUPPORTED? At least on x86 this would be the case without X86_FEATURE_PSE. In the future, we might be able to do better on s390x and only disallow PMD mappings -- what s390x and likely TRANSPARENT_HUGEPAGE_UNSUPPORTED really wants. For now, fix it by essentially performing the same check as would be done in __thp_vma_allowable_orders() or in shmem code, where this works as expected, and disallow PMD mappings, making us fallback to PTE mappings. Link: https://lkml.kernel.org/r/20241011102445.934409-3-david@redhat.com Fixes: 793917d997df ("mm/readahead: Add large folio readahead") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: Leo Fu <bfu(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Cc: Thomas Huth <thuth(a)redhat.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Janosch Frank <frankja(a)linux.ibm.com> Cc: Claudio Imbrenda <imbrenda(a)linux.ibm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/mm/memory.c~mm-dont-install-pmd-mappings-when-thps-are-disabled-by-the-hw-process-vma +++ a/mm/memory.c @@ -4931,6 +4931,15 @@ vm_fault_t do_set_pmd(struct vm_fault *v pmd_t entry; vm_fault_t ret = VM_FAULT_FALLBACK; + /* + * It is too late to allocate a small folio, we already have a large + * folio in the pagecache: especially s390 KVM cannot tolerate any + * PMD mappings, but PTE-mapped THP are fine. So let's simply refuse any + * PMD mappings if THPs are disabled. + */ + if (thp_disabled_by_hw() || vma_thp_disabled(vma, vma->vm_flags)) + return ret; + if (!thp_vma_suitable_order(vma, haddr, PMD_ORDER)) return ret; _ Patches currently in -mm which might be from david(a)redhat.com are mm-dont-install-pmd-mappings-when-thps-are-disabled-by-the-hw-process-vma.patch selftests-mm-hugetlb_fault_after_madv-use-default-hguetlb-page-size.patch selftests-mm-hugetlb_fault_after_madv-improve-test-output.patch

6 months, 3 weeks

1
0
0 0

+ mm-huge_memory-add-vma_thp_disabled-and-thp_disabled_by_hw.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-huge_memory-add-vma_thp_disabled-and-thp_disabled_by_hw.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kefeng Wang <wangkefeng.wang(a)huawei.com> Subject: mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() Date: Fri, 11 Oct 2024 12:24:44 +0200 Patch series "mm: don't install PMD mappings when THPs are disabled by the hw/process/vma". During testing, it was found that we can get PMD mappings in processes where THP (and more precisely, PMD mappings) are supposed to be disabled. While it works as expected for anon+shmem, the pagecache is the problematic bit. For s390 KVM this currently means that a VM backed by a file located on filesystem with large folio support can crash when KVM tries accessing the problematic page, because the readahead logic might decide to use a PMD-sized THP and faulting it into the page tables will install a PMD mapping, something that s390 KVM cannot tolerate. This might also be a problem with HW that does not support PMD mappings, but I did not try reproducing it. Fix it by respecting the ways to disable THPs when deciding whether we can install a PMD mapping. khugepaged should already be taking care of not collapsing if THPs are effectively disabled for the hw/process/vma. This patch (of 2): Add vma_thp_disabled() and thp_disabled_by_hw() helpers to be shared by shmem_allowable_huge_orders() and __thp_vma_allowable_orders(). [david(a)redhat.com: rename to vma_thp_disabled(), split out thp_disabled_by_hw() ] Link: https://lkml.kernel.org/r/20241011102445.934409-2-david@redhat.com Fixes: 793917d997df ("mm/readahead: Add large folio readahead") Signed-off-by: Kefeng Wang <wangkefeng.wang(a)huawei.com> Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: Leo Fu <bfu(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Boqiao Fu <bfu(a)redhat.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Claudio Imbrenda <imbrenda(a)linux.ibm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Janosch Frank <frankja(a)linux.ibm.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/huge_mm.h | 18 ++++++++++++++++++ mm/huge_memory.c | 13 +------------ mm/shmem.c | 7 +------ 3 files changed, 20 insertions(+), 18 deletions(-) --- a/include/linux/huge_mm.h~mm-huge_memory-add-vma_thp_disabled-and-thp_disabled_by_hw +++ a/include/linux/huge_mm.h @@ -322,6 +322,24 @@ struct thpsize { (transparent_hugepage_flags & \ (1<<TRANSPARENT_HUGEPAGE_USE_ZERO_PAGE_FLAG)) +static inline bool vma_thp_disabled(struct vm_area_struct *vma, + unsigned long vm_flags) +{ + /* + * Explicitly disabled through madvise or prctl, or some + * architectures may disable THP for some mappings, for + * example, s390 kvm. + */ + return (vm_flags & VM_NOHUGEPAGE) || + test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags); +} + +static inline bool thp_disabled_by_hw(void) +{ + /* If the hardware/firmware marked hugepage support disabled. */ + return transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED); +} + unsigned long thp_get_unmapped_area(struct file *filp, unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags); unsigned long thp_get_unmapped_area_vmflags(struct file *filp, unsigned long addr, --- a/mm/huge_memory.c~mm-huge_memory-add-vma_thp_disabled-and-thp_disabled_by_hw +++ a/mm/huge_memory.c @@ -109,18 +109,7 @@ unsigned long __thp_vma_allowable_orders if (!vma->vm_mm) /* vdso */ return 0; - /* - * Explicitly disabled through madvise or prctl, or some - * architectures may disable THP for some mappings, for - * example, s390 kvm. - * */ - if ((vm_flags & VM_NOHUGEPAGE) || - test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags)) - return 0; - /* - * If the hardware/firmware marked hugepage support disabled. - */ - if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED)) + if (thp_disabled_by_hw() || vma_thp_disabled(vma, vm_flags)) return 0; /* khugepaged doesn't collapse DAX vma, but page fault is fine. */ --- a/mm/shmem.c~mm-huge_memory-add-vma_thp_disabled-and-thp_disabled_by_hw +++ a/mm/shmem.c @@ -1664,12 +1664,7 @@ unsigned long shmem_allowable_huge_order loff_t i_size; int order; - if (vma && ((vm_flags & VM_NOHUGEPAGE) || - test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags))) - return 0; - - /* If the hardware/firmware marked hugepage support disabled. */ - if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_UNSUPPORTED)) + if (thp_disabled_by_hw() || (vma && vma_thp_disabled(vma, vm_flags))) return 0; global_huge = shmem_huge_global_enabled(inode, index, write_end, _ Patches currently in -mm which might be from wangkefeng.wang(a)huawei.com are mm-huge_memory-add-vma_thp_disabled-and-thp_disabled_by_hw.patch mm-remove-unused-hugepage-for-vma_alloc_folio.patch

6 months, 3 weeks

1
0
0 0

+ mm-khugepaged-fix-the-arguments-order-in-khugepaged_collapse_file-trace-point.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-khugepaged-fix-the-arguments-order-in-khugepaged_collapse_file-trace-point.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yang Shi <yang(a)os.amperecomputing.com> Subject: mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point Date: Fri, 11 Oct 2024 18:17:02 -0700 The "addr" and "is_shmem" arguments have different order in TP_PROTO and TP_ARGS. This resulted in the incorrect trace result: text-hugepage-644429 [276] 392092.878683: mm_khugepaged_collapse_file: mm=0xffff20025d52c440, hpage_pfn=0x200678c00, index=512, addr=1, is_shmem=0, filename=text-hugepage, nr=512, result=failed The value of "addr" is wrong because it was treated as bool value, the type of is_shmem. Fix the order in TP_PROTO to keep "addr" is before "is_shmem" since the original patch review suggested this order to achieve best packing. And use "lx" for "addr" instead of "ld" in TP_printk because address is typically shown in hex. After the fix, the trace result looks correct: text-hugepage-7291 [004] 128.627251: mm_khugepaged_collapse_file: mm=0xffff0001328f9500, hpage_pfn=0x20016ea00, index=512, addr=0x400000, is_shmem=0, filename=text-hugepage, nr=512, result=failed Link: https://lkml.kernel.org/r/20241012011702.1084846-1-yang@os.amperecomputing.… Fixes: 4c9473e87e75 ("mm/khugepaged: add tracepoint to collapse_file()") Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> Cc: Gautam Menghani <gautammenghani201(a)gmail.com> Cc: Steven Rostedt (Google) <rostedt(a)goodmis.org> Cc: <stable(a)vger.kernel.org> [6.2+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/trace/events/huge_memory.h | 4 ++-- mm/khugepaged.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) --- a/include/trace/events/huge_memory.h~mm-khugepaged-fix-the-arguments-order-in-khugepaged_collapse_file-trace-point +++ a/include/trace/events/huge_memory.h @@ -208,7 +208,7 @@ TRACE_EVENT(mm_khugepaged_scan_file, TRACE_EVENT(mm_khugepaged_collapse_file, TP_PROTO(struct mm_struct *mm, struct folio *new_folio, pgoff_t index, - bool is_shmem, unsigned long addr, struct file *file, + unsigned long addr, bool is_shmem, struct file *file, int nr, int result), TP_ARGS(mm, new_folio, index, addr, is_shmem, file, nr, result), TP_STRUCT__entry( @@ -233,7 +233,7 @@ TRACE_EVENT(mm_khugepaged_collapse_file, __entry->result = result; ), - TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%ld, is_shmem=%d, filename=%s, nr=%d, result=%s", + TP_printk("mm=%p, hpage_pfn=0x%lx, index=%ld, addr=%lx, is_shmem=%d, filename=%s, nr=%d, result=%s", __entry->mm, __entry->hpfn, __entry->index, --- a/mm/khugepaged.c~mm-khugepaged-fix-the-arguments-order-in-khugepaged_collapse_file-trace-point +++ a/mm/khugepaged.c @@ -2227,7 +2227,7 @@ rollback: folio_put(new_folio); out: VM_BUG_ON(!list_empty(&pagelist)); - trace_mm_khugepaged_collapse_file(mm, new_folio, index, is_shmem, addr, file, HPAGE_PMD_NR, result); + trace_mm_khugepaged_collapse_file(mm, new_folio, index, addr, is_shmem, file, HPAGE_PMD_NR, result); return result; } _ Patches currently in -mm which might be from yang(a)os.amperecomputing.com are mm-khugepaged-fix-the-arguments-order-in-khugepaged_collapse_file-trace-point.patch

6 months, 3 weeks

1
0
0 0

[PATCH net v1 1] net: macb: Avoid 20s boot delay by skipping MDIO bus registration for fixed-link PHY

by Oleksij Rempel

A boot delay was introduced by commit 79540d133ed6 ("net: macb: Fix handling of fixed-link node"). This delay was caused by the call to `mdiobus_register()` in cases where a fixed-link PHY was present. The MDIO bus registration triggered unnecessary PHY address scans, leading to a 20-second delay due to attempts to detect Clause 45 (C45) compatible PHYs, despite no MDIO bus being attached. The commit 79540d133ed6 ("net: macb: Fix handling of fixed-link node") was originally introduced to fix a regression caused by commit 7897b071ac3b4 ("net: macb: convert to phylink"), which caused the driver to misinterpret fixed-link nodes as PHY nodes. This resulted in warnings like: mdio_bus f0028000.ethernet-ffffffff: fixed-link has invalid PHY address mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 0 ... mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 31 This patch reworks the logic to avoid registering and allocation of the MDIO bus when: - The device tree contains a fixed-link node. - There is no "mdio" child node in the device tree. If a child node named "mdio" exists, the MDIO bus will be registered to support PHYs attached to the MACB's MDIO bus. Otherwise, with only a fixed-link, the MDIO bus is skipped. Tested on a sama5d35 based system with a ksz8863 switch attached to macb0. Fixes: 79540d133ed6 ("net: macb: Fix handling of fixed-link node") Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Cc: stable(a)vger.kernel.org --- drivers/net/ethernet/cadence/macb_main.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c index f06babec04a0b..e4ee55bc53ba7 100644 --- a/drivers/net/ethernet/cadence/macb_main.c +++ b/drivers/net/ethernet/cadence/macb_main.c @@ -930,9 +930,6 @@ static int macb_mdiobus_register(struct macb *bp) return ret; } - if (of_phy_is_fixed_link(np)) - return mdiobus_register(bp->mii_bus); - /* Only create the PHY from the device tree if at least one PHY is * described. Otherwise scan the entire MDIO bus. We do this to support * old device tree that did not follow the best practices and did not @@ -953,8 +950,19 @@ static int macb_mdiobus_register(struct macb *bp) static int macb_mii_init(struct macb *bp) { + struct device_node *child, *np = bp->pdev->dev.of_node; int err = -ENXIO; + /* With fixed-link, we don't need to register the MDIO bus, + * except if we have a child named "mdio" in the device tree. + * In that case, some PHYs may be attached to the MACB's MDIO bus. + */ + child = of_get_child_by_name(np, "mdio"); + if (child) + of_node_put(child); + else if (of_phy_is_fixed_link(np)) + return macb_mii_probe(bp->dev); + /* Enable management port */ macb_writel(bp, NCR, MACB_BIT(MPE)); -- 2.39.5

6 months, 3 weeks

2
1
0 0

[PATCH v5 00/10] iio: add support for the ad3552r AXI DAC IP

by Angelo Dureghello

Purpose is to add ad3552r AXI DAC (fpga-based) support. The "ad3552r" AXI IP, a variant of the generic "DAC" AXI IP, has been created to reach the maximum speed (33MUPS) supported from the ad3552r. To obtain the maximum transfer rate, a custom IP core module has been implemented with a QSPI interface with DDR (Double Data Rate) mode. The design is actually using the DAC backend since the register map is the same of the generic DAC IP, except for some customized bitfields. For this reason, a new "compatible" has been added in adi-axi-dac.c. Also, backend has been extended with all the needed functions for this use case, keeping the names gneric. The following patch is actually applying to linux-iio/testing. --- Changes in v2: - use unsigned int on bus_reg_read/write - add a compatible in axi-dac backend for the ad3552r DAC IP - minor code alignment fixes - fix a return value not checked - change devicetree structure setting ad3552r-axi as a backend subnode - add synchronous_mode_available in the ABI doc Changes in v3: - changing AXI backend approach using a dac ip compatible - fdt bindings updates accordingly - fdt, ad3552r device must be a subnode of the backend - allow probe of child devices - passing QSPI bus access function by platform data - move synchronous mode as a fdt parameter - reorganizing defines in proper patches - fix make dt_binding_check errors - fix ad3552r maximum SPI speed - fix samplerate calulcation - minor code style fixes Changes in v4: - fix Kconfig - fix backend documentation - driver renamed to a more gneric "high speed" (ad3552r-hs) - restyled axi-dac register names - removed synchronous support, dead code (could be added in the future with David sugestions if needed) - renaming backend buffer enable/disable calls - using model_data in common code - using devm_add_action_or_reset - minor code style fixes Changes in v5: - patch 2/11 set before fix of ADI_DAC_R1_MODE patch - fix dt binding check error - patch 4/11 removed - fix stream enable/disable call names - fix axi-dac clock names - fix axi-dac platform device unregistering - minor code style fixes Signed-off-by: Angelo Dureghello <adureghello(a)baylibre.com> --- Angelo Dureghello (10): iio: dac: adi-axi-dac: fix wrong register bitfield iio: dac: adi-axi-dac: update register names dt-bindings: iio: dac: ad3552r: add iio backend support dt-bindings: iio: dac: adi-axi-dac: add ad3552r axi variant iio: backend: extend features iio: dac: adi-axi-dac: extend features iio: dac: ad3552r: changes to use FIELD_PREP iio: dac: ad3552r: extract common code (no changes in behavior intended) iio: dac: ad3552r: add high-speed platform driver iio: dac: adi-axi-dac: add registering of child fdt node .../devicetree/bindings/iio/dac/adi,ad3552r.yaml | 7 + .../devicetree/bindings/iio/dac/adi,axi-dac.yaml | 56 ++- drivers/iio/dac/Kconfig | 14 + drivers/iio/dac/Makefile | 3 +- drivers/iio/dac/ad3552r-common.c | 170 +++++++ drivers/iio/dac/ad3552r-hs.c | 526 +++++++++++++++++++++ drivers/iio/dac/ad3552r.c | 461 +++--------------- drivers/iio/dac/ad3552r.h | 207 ++++++++ drivers/iio/dac/adi-axi-dac.c | 483 ++++++++++++++++--- drivers/iio/industrialio-backend.c | 78 +++ include/linux/iio/backend.h | 17 + include/linux/platform_data/ad3552r-hs.h | 18 + 12 files changed, 1573 insertions(+), 467 deletions(-) --- base-commit: a620cae575523a8c922ad0842647ca38fc6ccd3c change-id: 20241008-wip-bl-ad3552r-axi-v0-iio-testing-3d15e90e1eb5 Best regards, -- Angelo Dureghello <adureghello(a)baylibre.com>

6 months, 3 weeks

2
2
0 0

[PATCH AUTOSEL 5.15 1/9] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index d56e276e4d805..4485388dcff2e 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

6 months, 3 weeks

1
8
0 0

[PATCH AUTOSEL 6.6 01/20] ksmbd: override fsids for share path check

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit a018c1b636e79b60149b41151ded7c2606d8606e ] Sangsoo reported that a DAC denial error occurred when accessing files through the ksmbd thread. This patch override fsids for share path check. Reported-by: Sangsoo Lee <constant.lee(a)samsung.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/smb/server/mgmt/share_config.c | 15 ++++++++++++--- fs/smb/server/mgmt/share_config.h | 4 +++- fs/smb/server/mgmt/tree_connect.c | 9 +++++---- fs/smb/server/mgmt/tree_connect.h | 4 ++-- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb_common.c | 9 +++++++-- fs/smb/server/smb_common.h | 2 ++ 7 files changed, 32 insertions(+), 13 deletions(-) diff --git a/fs/smb/server/mgmt/share_config.c b/fs/smb/server/mgmt/share_config.c index e0a6b758094fc..d8d03070ae44b 100644 --- a/fs/smb/server/mgmt/share_config.c +++ b/fs/smb/server/mgmt/share_config.c @@ -15,6 +15,7 @@ #include "share_config.h" #include "user_config.h" #include "user_session.h" +#include "../connection.h" #include "../transport_ipc.h" #include "../misc.h" @@ -120,12 +121,13 @@ static int parse_veto_list(struct ksmbd_share_config *share, return 0; } -static struct ksmbd_share_config *share_config_request(struct unicode_map *um, +static struct ksmbd_share_config *share_config_request(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config_response *resp; struct ksmbd_share_config *share = NULL; struct ksmbd_share_config *lookup; + struct unicode_map *um = work->conn->um; int ret; resp = ksmbd_ipc_share_config_request(name); @@ -181,7 +183,14 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, KSMBD_SHARE_CONFIG_VETO_LIST(resp), resp->veto_list_sz); if (!ret && share->path) { + if (__ksmbd_override_fsids(work, share)) { + kill_share(share); + share = NULL; + goto out; + } + ret = kern_path(share->path, 0, &share->vfs_path); + ksmbd_revert_fsids(work); if (ret) { ksmbd_debug(SMB, "failed to access '%s'\n", share->path); @@ -214,7 +223,7 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, return share; } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config *share; @@ -227,7 +236,7 @@ struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, if (share) return share; - return share_config_request(um, name); + return share_config_request(work, name); } bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, diff --git a/fs/smb/server/mgmt/share_config.h b/fs/smb/server/mgmt/share_config.h index 5f591751b9236..d4ac2dd4de204 100644 --- a/fs/smb/server/mgmt/share_config.h +++ b/fs/smb/server/mgmt/share_config.h @@ -11,6 +11,8 @@ #include <linux/path.h> #include <linux/unicode.h> +struct ksmbd_work; + struct ksmbd_share_config { char *name; char *path; @@ -68,7 +70,7 @@ static inline void ksmbd_share_config_put(struct ksmbd_share_config *share) __ksmbd_share_config_put(share); } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name); bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, const char *filename); diff --git a/fs/smb/server/mgmt/tree_connect.c b/fs/smb/server/mgmt/tree_connect.c index d2c81a8a11dda..94a52a75014a4 100644 --- a/fs/smb/server/mgmt/tree_connect.c +++ b/fs/smb/server/mgmt/tree_connect.c @@ -16,17 +16,18 @@ #include "user_session.h" struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name) +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name) { struct ksmbd_tree_conn_status status = {-ENOENT, NULL}; struct ksmbd_tree_connect_response *resp = NULL; struct ksmbd_share_config *sc; struct ksmbd_tree_connect *tree_conn = NULL; struct sockaddr *peer_addr; + struct ksmbd_conn *conn = work->conn; + struct ksmbd_session *sess = work->sess; int ret; - sc = ksmbd_share_config_get(conn->um, share_name); + sc = ksmbd_share_config_get(work, share_name); if (!sc) return status; @@ -61,7 +62,7 @@ ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, struct ksmbd_share_config *new_sc; ksmbd_share_config_del(sc); - new_sc = ksmbd_share_config_get(conn->um, share_name); + new_sc = ksmbd_share_config_get(work, share_name); if (!new_sc) { pr_err("Failed to update stale share config\n"); status.ret = -ESTALE; diff --git a/fs/smb/server/mgmt/tree_connect.h b/fs/smb/server/mgmt/tree_connect.h index 6377a70b811c8..a42cdd0510411 100644 --- a/fs/smb/server/mgmt/tree_connect.h +++ b/fs/smb/server/mgmt/tree_connect.h @@ -13,6 +13,7 @@ struct ksmbd_share_config; struct ksmbd_user; struct ksmbd_conn; +struct ksmbd_work; enum { TREE_NEW = 0, @@ -50,8 +51,7 @@ static inline int test_tree_conn_flag(struct ksmbd_tree_connect *tree_conn, struct ksmbd_session; struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name); +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name); void ksmbd_tree_connect_put(struct ksmbd_tree_connect *tcon); int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess, diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 592a2cdfd0670..646c874d151a8 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -1955,7 +1955,7 @@ int smb2_tree_connect(struct ksmbd_work *work) ksmbd_debug(SMB, "tree connect request for tree %s treename %s\n", name, treename); - status = ksmbd_tree_conn_connect(conn, sess, name); + status = ksmbd_tree_conn_connect(work, name); if (status.ret == KSMBD_TREE_CONN_STATUS_OK) rsp->hdr.Id.SyncId.TreeId = cpu_to_le32(status.tree_conn->id); else diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 474dadf6b7b8b..13818ecb6e1b2 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -732,10 +732,10 @@ bool is_asterisk(char *p) return p && p[0] == '*'; } -int ksmbd_override_fsids(struct ksmbd_work *work) +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share) { struct ksmbd_session *sess = work->sess; - struct ksmbd_share_config *share = work->tcon->share_conf; struct cred *cred; struct group_info *gi; unsigned int uid; @@ -775,6 +775,11 @@ int ksmbd_override_fsids(struct ksmbd_work *work) return 0; } +int ksmbd_override_fsids(struct ksmbd_work *work) +{ + return __ksmbd_override_fsids(work, work->tcon->share_conf); +} + void ksmbd_revert_fsids(struct ksmbd_work *work) { const struct cred *cred; diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h index f1092519c0c28..4a3148b0167f5 100644 --- a/fs/smb/server/smb_common.h +++ b/fs/smb/server/smb_common.h @@ -447,6 +447,8 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command); int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp); +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share); int ksmbd_override_fsids(struct ksmbd_work *work); void ksmbd_revert_fsids(struct ksmbd_work *work); -- 2.43.0

6 months, 3 weeks

1
19
0 0

[PATCH AUTOSEL 6.11 01/16] drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

by Sasha Levin

From: Hans de Goede <hdegoede(a)redhat.com> [ Upstream commit d92b90f9a54d9300a6e883258e79f36dab53bfae ] Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with a real VLA to fix a "memcpy: detected field-spanning write error" warning: [ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4) [ 13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo] [ 13.320038] Call Trace: [ 13.320173] hgsmi_update_pointer_shape [vboxvideo] [ 13.320184] vbox_cursor_atomic_update [vboxvideo] Note as mentioned in the added comment it seems the original length calculation for the allocated and send hgsmi buffer is 4 bytes too large. Changing this is not the goal of this patch, so this behavior is kept. Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Reviewed-by: Jani Nikula <jani.nikula(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240827104523.17442-1-hdegoe… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +++++++++- drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/vboxvideo/hgsmi_base.c b/drivers/gpu/drm/vboxvideo/hgsmi_base.c index 8c041d7ce4f1b..87dccaecc3e57 100644 --- a/drivers/gpu/drm/vboxvideo/hgsmi_base.c +++ b/drivers/gpu/drm/vboxvideo/hgsmi_base.c @@ -139,7 +139,15 @@ int hgsmi_update_pointer_shape(struct gen_pool *ctx, u32 flags, flags |= VBOX_MOUSE_POINTER_VISIBLE; } - p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len, HGSMI_CH_VBVA, + /* + * The 4 extra bytes come from switching struct vbva_mouse_pointer_shape + * from having a 4 bytes fixed array at the end to using a proper VLA + * at the end. These 4 extra bytes were not subtracted from sizeof(*p) + * before the switch to the VLA, so this way the behavior is unchanged. + * Chances are these 4 extra bytes are not necessary but they are kept + * to avoid regressions. + */ + p = hgsmi_buffer_alloc(ctx, sizeof(*p) + pixel_len + 4, HGSMI_CH_VBVA, VBVA_MOUSE_POINTER_SHAPE); if (!p) return -ENOMEM; diff --git a/drivers/gpu/drm/vboxvideo/vboxvideo.h b/drivers/gpu/drm/vboxvideo/vboxvideo.h index f60d82504da02..79ec8481de0e4 100644 --- a/drivers/gpu/drm/vboxvideo/vboxvideo.h +++ b/drivers/gpu/drm/vboxvideo/vboxvideo.h @@ -351,10 +351,8 @@ struct vbva_mouse_pointer_shape { * Bytes in the gap between the AND and the XOR mask are undefined. * XOR mask scanlines have no gap between them and size of XOR mask is: * xor_len = width * 4 * height. - * - * Preallocate 4 bytes for accessing actual data as p->data. */ - u8 data[4]; + u8 data[]; } __packed; /* pointer is visible */ -- 2.43.0

6 months, 3 weeks

1
15
0 0

[PATCH] ASoC: qcom: sc7280: Fix missing Soundwire runtime stream alloc

by Krzysztof Kozlowski

Commit 15c7fab0e047 ("ASoC: qcom: Move Soundwire runtime stream alloc to soundcards") moved the allocation of Soundwire stream runtime from the Qualcomm Soundwire driver to each individual machine sound card driver, except that it forgot to update SC7280 card. Just like for other Qualcomm sound cards using Soundwire, the card driver should allocate and release the runtime. Otherwise sound playback will result in a NULL pointer dereference or other effect of uninitialized memory accesses (which was confirmed on SDM845 having similar issue). Cc: stable(a)vger.kernel.org Cc: Alexey Klimov <alexey.klimov(a)linaro.org> Cc: Steev Klimaszewski <steev(a)kali.org> Fixes: 15c7fab0e047 ("ASoC: qcom: Move Soundwire runtime stream alloc to soundcards") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Not tested on hardware. The sc7280 sound card differs a bit from the ones I am working on, thus please kindly test and confirm. Without the patch KASAN should show something similar to: https://lore.kernel.org/linux-sound/20241009213922.999355-1-alexey.klimov@l… The patch should fix it. --- sound/soc/qcom/sc7280.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/sound/soc/qcom/sc7280.c b/sound/soc/qcom/sc7280.c index 207ac5da4dd4..230af8d7b205 100644 --- a/sound/soc/qcom/sc7280.c +++ b/sound/soc/qcom/sc7280.c @@ -23,6 +23,7 @@ #include "common.h" #include "lpass.h" #include "qdsp6/q6afe.h" +#include "sdw.h" #define DEFAULT_MCLK_RATE 19200000 #define RT5682_PLL_FREQ (48000 * 512) @@ -316,6 +317,7 @@ static void sc7280_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_card *card = rtd->card; struct sc7280_snd_data *data = snd_soc_card_get_drvdata(card); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); + struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; switch (cpu_dai->id) { case MI2S_PRIMARY: @@ -333,6 +335,9 @@ static void sc7280_snd_shutdown(struct snd_pcm_substream *substream) default: break; } + + data->sruntime[cpu_dai->id] = NULL; + sdw_release_stream(sruntime); } static int sc7280_snd_startup(struct snd_pcm_substream *substream) @@ -347,6 +352,8 @@ static int sc7280_snd_startup(struct snd_pcm_substream *substream) switch (cpu_dai->id) { case MI2S_PRIMARY: ret = sc7280_rt5682_init(rtd); + if (ret) + return ret; break; case SECONDARY_MI2S_RX: codec_dai_fmt |= SND_SOC_DAIFMT_NB_NF | SND_SOC_DAIFMT_I2S; @@ -360,7 +367,8 @@ static int sc7280_snd_startup(struct snd_pcm_substream *substream) default: break; } - return ret; + + return qcom_snd_sdw_startup(substream); } static const struct snd_soc_ops sc7280_ops = { -- 2.43.0

6 months, 3 weeks

3
2
0 0

[PATCH] drm/xe/xe_sync: initialise ufence.signalled

by Matthew Auld

We can incorrectly think that the fence has signalled, if we get a non-zero value here from the kmalloc, which is quite plausible. Just use kzalloc to prevent stuff like this. Fixes: 977e5b82e090 ("drm/xe: Expose user fence from xe_sync_entry") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Mika Kuoppala <mika.kuoppala(a)linux.intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Nirmoy Das <nirmoy.das(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.10+ --- drivers/gpu/drm/xe/xe_sync.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_sync.c b/drivers/gpu/drm/xe/xe_sync.c index bb3c2a830362..c6cf227ead40 100644 --- a/drivers/gpu/drm/xe/xe_sync.c +++ b/drivers/gpu/drm/xe/xe_sync.c @@ -58,7 +58,7 @@ static struct xe_user_fence *user_fence_create(struct xe_device *xe, u64 addr, if (!access_ok(ptr, sizeof(*ptr))) return ERR_PTR(-EFAULT); - ufence = kmalloc(sizeof(*ufence), GFP_KERNEL); + ufence = kzalloc(sizeof(*ufence), GFP_KERNEL); if (!ufence) return ERR_PTR(-ENOMEM); -- 2.46.2

6 months, 3 weeks

3
2
0 0

[PATCH 6.1.y] rust: macros: provide correct provenance when constructing THIS_MODULE

by Boqun Feng

commit a5a3c952e82c1ada12bf8c55b73af26f1a454bd2 upstream. Currently while defining `THIS_MODULE` symbol in `module!()`, the pointer used to construct `ThisModule` is derived from an immutable reference of `__this_module`, which means the pointer doesn't have the provenance for writing, and that means any write to that pointer is UB regardless of data races or not. However, the usage of `THIS_MODULE` includes passing this pointer to functions that may write to it (probably in unsafe code), and this will create soundness issues. One way to fix this is using `addr_of_mut!()` but that requires the unstable feature "const_mut_refs". So instead of `addr_of_mut()!`, an extern static `Opaque` is used here: since `Opaque<T>` is transparent to `T`, an extern static `Opaque` will just wrap the C symbol (defined in a C compile unit) in an `Opaque`, which provides a pointer with writable provenance via `Opaque::get()`. This fix the potential UBs because of pointer provenance unmatched. Reported-by: Alice Ryhl <aliceryhl(a)google.com> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> Reviewed-by: Trevor Gross <tmgross(a)umich.edu> Reviewed-by: Benno Lossin <benno.lossin(a)proton.me> Reviewed-by: Gary Guo <gary(a)garyguo.net> Closes: https://rust-for-linux.zulipchat.com/#narrow/stream/x/topic/x/near/465412664 Fixes: 1fbde52bde73 ("rust: add `macros` crate") Cc: stable(a)vger.kernel.org # 6.6.x: be2ca1e03965: ("rust: types: Make Opaque::get const") Link: https://lore.kernel.org/r/20240828180129.4046355-1-boqun.feng@gmail.com [ Fixed two typos, reworded title. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> [ Boqun: Use `UnsafeCell` since `Opaque` is not in v6.1, as suggested by Gary Guo, `UnsafeCell` also suffices for this particular case because `__this_module` is only used to create `THIS_MODULE`, no other Rust code will touch it. ] Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> --- Backports for 6.6+ are already done automatically, we have to do a special backport for 6.1 because of lacking an API. I've tested it on x86 with the rust_minimal module based on 6.1.112 rust/macros/module.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rust/macros/module.rs b/rust/macros/module.rs index 031028b3dc41..94a92ab82b6b 100644 --- a/rust/macros/module.rs +++ b/rust/macros/module.rs @@ -183,7 +183,11 @@ pub(crate) fn module(ts: TokenStream) -> TokenStream { // freed until the module is unloaded. #[cfg(MODULE)] static THIS_MODULE: kernel::ThisModule = unsafe {{ - kernel::ThisModule::from_ptr(&kernel::bindings::__this_module as *const _ as *mut _) + extern \"C\" {{ + static __this_module: core::cell::UnsafeCell<kernel::bindings::module>; + }} + + kernel::ThisModule::from_ptr(__this_module.get()) }}; #[cfg(not(MODULE))] static THIS_MODULE: kernel::ThisModule = unsafe {{ -- 2.45.2

6 months, 3 weeks

1
0
0 0

[PATCH v4 net 0/4] net: enetc: fix some issues of XDP

by Wei Fang

We found some bugs when testing the XDP function of enetc driver, and these bugs are easy to reproduce. This is not only causes XDP to not work, but also the network cannot be restored after exiting the XDP program. So the patch set is mainly to fix these bugs. For details, please see the commit message of each patch. --- v1 link: https://lore.kernel.org/bpf/20240919084104.661180-1-wei.fang@nxp.com/T/ v2 link: https://lore.kernel.org/netdev/20241008224806.2onzkt3gbslw5jxb@skbuf/T/ v3 link: https://lore.kernel.org/imx/20241009090327.146461-1-wei.fang@nxp.com/T/ --- Wei Fang (4): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: block concurrent XDP transmissions during ring reconfiguration net: enetc: disable Tx BD rings after they are empty net: enetc: disable NAPI after all rings are disabled drivers/net/ethernet/freescale/enetc/enetc.c | 56 +++++++++++++++----- drivers/net/ethernet/freescale/enetc/enetc.h | 1 + 2 files changed, 44 insertions(+), 13 deletions(-) -- 2.34.1

6 months, 3 weeks

3
8
0 0

[PATCH 5.15.y 5.10.y 5.4.y] RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

by Sherry Yang

From: Bob Pearson <rpearsonhpe(a)gmail.com> [ Upstream commit 2b23b6097303ed0ba5f4bc036a1c07b6027af5c6 ] In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the resp_pkts queue and then a decision is made whether to run the completer task inline or schedule it. Finally the skb is dereferenced to bump a 'hw' performance counter. This is wrong because if the completer task is already running in a separate thread it may have already processed the skb and freed it which can cause a seg fault. This has been observed infrequently in testing at high scale. This patch fixes this by changing the order of enqueuing the packet until after the counter is accessed. Link: https://lore.kernel.org/r/20240329145513.35381-4-rpearsonhpe@gmail.com Signed-off-by: Bob Pearson <rpearsonhpe(a)gmail.com> Fixes: 0b1e5b99a48b ("IB/rxe: Add port protocol stats") Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Sherry: bp to fix CVE-2024-38544. Fix conflict due to missing commit: dccb23f6c312 ("RDMA/rxe: Split rxe_run_task() into two subroutines") which is not necessary to backport] Signed-off-by: Sherry Yang <sherry.yang(a)oracle.com> --- drivers/infiniband/sw/rxe/rxe_comp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_comp.c b/drivers/infiniband/sw/rxe/rxe_comp.c index 48a3864ada29..250494306932 100644 --- a/drivers/infiniband/sw/rxe/rxe_comp.c +++ b/drivers/infiniband/sw/rxe/rxe_comp.c @@ -124,12 +124,12 @@ void rxe_comp_queue_pkt(struct rxe_qp *qp, struct sk_buff *skb) { int must_sched; - skb_queue_tail(&qp->resp_pkts, skb); - - must_sched = skb_queue_len(&qp->resp_pkts) > 1; + must_sched = skb_queue_len(&qp->resp_pkts) > 0; if (must_sched != 0) rxe_counter_inc(SKB_TO_PKT(skb)->rxe, RXE_CNT_COMPLETER_SCHED); + skb_queue_tail(&qp->resp_pkts, skb); + rxe_run_task(&qp->comp.task, must_sched); } -- 2.46.0

6 months, 3 weeks

1
0
0 0

[PATCH 5.15.y] platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses

by Sherry Yang

From: Hans de Goede <hdegoede(a)redhat.com> commit f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 upstream. The panasonic laptop code in various places uses the SINF array with index values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array is big enough. Not all panasonic laptops have this many SINF array entries, for example the Toughbook CF-18 model only has 10 SINF array entries. So it only supports the AC+DC brightness entries and mute. Check that the SINF array has a minimum size which covers all AC+DC brightness entries and refuse to load if the SINF array is smaller. For higher SINF indexes hide the sysfs attributes when the SINF array does not contain an entry for that attribute, avoiding show()/store() accessing the array out of bounds and add bounds checking to the probe() and resume() code accessing these. Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()") Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Link: https://lore.kernel.org/r/20240909113227.254470-1-hdegoede@redhat.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Sherry: clean cherry-pick backport, fix CVE-2024-46859] Signed-off-by: Sherry Yang <sherry.yang(a)oracle.com> --- drivers/platform/x86/panasonic-laptop.c | 49 ++++++++++++++++++++----- 1 file changed, 39 insertions(+), 10 deletions(-) diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index 7ca49b3fc6c2..b06382dcecf7 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -773,6 +773,24 @@ static DEVICE_ATTR_RW(dc_brightness); static DEVICE_ATTR_RW(current_brightness); static DEVICE_ATTR_RW(cdpower); +static umode_t pcc_sysfs_is_visible(struct kobject *kobj, struct attribute *attr, int idx) +{ + struct device *dev = kobj_to_dev(kobj); + struct acpi_device *acpi = to_acpi_device(dev); + struct pcc_acpi *pcc = acpi_driver_data(acpi); + + if (attr == &dev_attr_mute.attr) + return (pcc->num_sifr > SINF_MUTE) ? attr->mode : 0; + + if (attr == &dev_attr_eco_mode.attr) + return (pcc->num_sifr > SINF_ECO_MODE) ? attr->mode : 0; + + if (attr == &dev_attr_current_brightness.attr) + return (pcc->num_sifr > SINF_CUR_BRIGHT) ? attr->mode : 0; + + return attr->mode; +} + static struct attribute *pcc_sysfs_entries[] = { &dev_attr_numbatt.attr, &dev_attr_lcdtype.attr, @@ -787,8 +805,9 @@ static struct attribute *pcc_sysfs_entries[] = { }; static const struct attribute_group pcc_attr_group = { - .name = NULL, /* put in device directory */ - .attrs = pcc_sysfs_entries, + .name = NULL, /* put in device directory */ + .attrs = pcc_sysfs_entries, + .is_visible = pcc_sysfs_is_visible, }; @@ -941,12 +960,15 @@ static int acpi_pcc_hotkey_resume(struct device *dev) if (!pcc) return -EINVAL; - acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute); - acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode); + if (pcc->num_sifr > SINF_MUTE) + acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute); + if (pcc->num_sifr > SINF_ECO_MODE) + acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode); acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, pcc->sticky_key); acpi_pcc_write_sset(pcc, SINF_AC_CUR_BRIGHT, pcc->ac_brightness); acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, pcc->dc_brightness); - acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness); + if (pcc->num_sifr > SINF_CUR_BRIGHT) + acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness); return 0; } @@ -963,8 +985,12 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) num_sifr = acpi_pcc_get_sqty(device); - if (num_sifr < 0 || num_sifr > 255) { - pr_err("num_sifr out of range"); + /* + * pcc->sinf is expected to at least have the AC+DC brightness entries. + * Accesses to higher SINF entries are checked against num_sifr. + */ + if (num_sifr <= SINF_DC_CUR_BRIGHT || num_sifr > 255) { + pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_DC_CUR_BRIGHT + 1); return -ENODEV; } @@ -1016,11 +1042,14 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, 0); pcc->sticky_key = 0; - pcc->eco_mode = pcc->sinf[SINF_ECO_MODE]; - pcc->mute = pcc->sinf[SINF_MUTE]; pcc->ac_brightness = pcc->sinf[SINF_AC_CUR_BRIGHT]; pcc->dc_brightness = pcc->sinf[SINF_DC_CUR_BRIGHT]; - pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT]; + if (pcc->num_sifr > SINF_MUTE) + pcc->mute = pcc->sinf[SINF_MUTE]; + if (pcc->num_sifr > SINF_ECO_MODE) + pcc->eco_mode = pcc->sinf[SINF_ECO_MODE]; + if (pcc->num_sifr > SINF_CUR_BRIGHT) + pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT]; /* add sysfs attributes */ result = sysfs_create_group(&device->dev.kobj, &pcc_attr_group); -- 2.46.0

6 months, 3 weeks

2
2
0 0

[PATCH 1/1] nfsd: fix race between laundromat and free_stateid

by Olga Kornievskaia

There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: leases_conflict+0x68/0x370 kernel: __break_lease+0x204/0xc38 kernel: nfsd_open_break_lease+0x8c/0xf0 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 Proposing to have laundromat thread hold the state_lock over both marking thru revoking the delegation as well as making free_stateid acquire state_lock before accessing the list. Making sure that revoke_delegation() (ie kernel_setlease(unlock)) is called for every delegation that was revoked and added to the reaper list. CC: stable(a)vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev(a)redhat.com> --- I can't figure out the Fixes: tag. Laundromat's behaviour has been like that forever. But the free_stateid bits wont apply before the 1e3577a4521e ("SUNRPC: discard sv_refcnt, and svc_get/svc_put"). But we used that fixes tag already with a previous fix for a different problem. --- fs/nfsd/nfs4state.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 9c2b1d251ab3..c97907d7fb38 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -6605,13 +6605,13 @@ nfs4_laundromat(struct nfsd_net *nn) unhash_delegation_locked(dp, SC_STATUS_REVOKED); list_add(&dp->dl_recall_lru, &reaplist); } - spin_unlock(&state_lock); while (!list_empty(&reaplist)) { dp = list_first_entry(&reaplist, struct nfs4_delegation, dl_recall_lru); list_del_init(&dp->dl_recall_lru); revoke_delegation(dp); } + spin_unlock(&state_lock); spin_lock(&nn->client_lock); while (!list_empty(&nn->close_lru)) { @@ -7213,7 +7213,9 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, if (s->sc_status & SC_STATUS_REVOKED) { spin_unlock(&s->sc_lock); dp = delegstateid(s); + spin_lock(&state_lock); list_del_init(&dp->dl_recall_lru); + spin_unlock(&state_lock); spin_unlock(&cl->cl_lock); nfs4_put_stid(s); ret = nfs_ok; -- 2.43.5

6 months, 3 weeks

5
10
0 0

[PATCH RFC v2] mm: Enforce the stack gap when changing inaccessible VMAs

by Jann Horn

As explained in the comment block this change adds, we can't tell what userspace's intent is when the stack grows towards an inaccessible VMA. We should ensure that, as long as code is compiled with something like -fstack-check, a stack overflow in this code can never cause the main stack to overflow into adjacent heap memory - so the bottom of a stack should never be directly adjacent to an accessible VMA. As suggested by Lorenzo, enforce this by blocking attempts to: - make an inaccessible VMA accessible with mprotect() when it is too close to a stack - replace an inaccessible VMA with another VMA using MAP_FIXED when it is too close to a stack I have a (highly contrived) C testcase for 32-bit x86 userspace with glibc that mixes malloc(), pthread creation, and recursion in just the right way such that the main stack overflows into malloc() arena memory, see the linked list post. I don't know of any specific scenario where this is actually exploitable, but it seems like it could be a security problem for sufficiently unlucky userspace. Link: https://lore.kernel.org/r/CAG48ez2v=r9-37JADA5DgnZdMLCjcbVxAjLt5eH5uoBohRdq… Suggested-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Fixes: 561b5e0709e4 ("mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> --- This is an attempt at the alternate fix approach suggested by Lorenzo. This turned into more code than I would prefer to have for a scenario like this... Also, the way the gap is enforced in my patch for MAP_FIXED_NOREPLACE is a bit ugly. In the existing code, __get_unmapped_area() normally already enforces the stack gap even when it is called with a hint; but when MAP_FIXED_NOREPLACE is used, we kinda lie to __get_unmapped_area() and tell it we'll do a MAP_FIXED mapping (introduced in commit a4ff8e8620d3f when MAP_FIXED_NOREPLACE was created), then afterwards manually reject overlapping mappings. So I ended up also doing the gap check separately for MAP_FIXED_NOREPLACE. The following test program exercises scenarios that could lead to the stack becoming directly adjacent to another accessible VMA, and passes with this patch applied: <<< int main(void) { setbuf(stdout, NULL); char *ptr = (char*)( (unsigned long)(STACK_POINTER() - (1024*1024*4)/*4MiB*/) & ~0xfffUL ); if (mmap(ptr, 0x1000, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0) != ptr) err(1, "mmap distant-from-stack"); *(volatile char *)(ptr + 0x1000); /* expand stack */ system("echo;cat /proc/$PPID/maps;echo"); /* test transforming PROT_NONE mapping adjacent to stack */ if (mprotect(ptr, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC) == 0) errx(1, "mprotect adjacent to stack allowed"); if (mmap(ptr, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1, 0) != MAP_FAILED) errx(1, "MAP_FIXED adjacent to stack allowed"); if (munmap(ptr, 0x1000)) err(1, "munmap failed???"); /* test creating new mapping adjacent to stack */ if (mmap(ptr, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0) != MAP_FAILED) errx(1, "MAP_FIXED_NOREPLACE adjacent to stack allowed"); if (mmap(ptr, 0x1000, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0) == ptr) errx(1, "mmap hint adjacent to stack accepted"); printf("all tests passed\n"); } >>> --- Changes in v2: - Entirely new approach (suggested by Lorenzo) - Link to v1: https://lore.kernel.org/r/20241008-stack-gap-inaccessible-v1-1-848d4d891f21… --- include/linux/mm.h | 1 + mm/mmap.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ mm/mprotect.c | 6 +++++ 3 files changed, 72 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index ecf63d2b0582..ecd4afc304ca 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3520,6 +3520,7 @@ unsigned long change_prot_numa(struct vm_area_struct *vma, struct vm_area_struct *find_extend_vma_locked(struct mm_struct *, unsigned long addr); +bool overlaps_stack_gap(struct mm_struct *mm, unsigned long addr, unsigned long len); int remap_pfn_range(struct vm_area_struct *, unsigned long addr, unsigned long pfn, unsigned long size, pgprot_t); int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr, diff --git a/mm/mmap.c b/mm/mmap.c index dd4b35a25aeb..937361be3c48 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -359,6 +359,20 @@ unsigned long do_mmap(struct file *file, unsigned long addr, return -EEXIST; } + /* + * This does two things: + * + * 1. Disallow MAP_FIXED replacing a PROT_NONE VMA adjacent to a stack + * with an accessible VMA. + * 2. Disallow MAP_FIXED_NOREPLACE creating a new accessible VMA + * adjacent to a stack. + */ + if ((flags & (MAP_FIXED_NOREPLACE | MAP_FIXED)) && + (prot & (PROT_READ | PROT_WRITE | PROT_EXEC)) && + !(vm_flags & (VM_GROWSUP|VM_GROWSDOWN)) && + overlaps_stack_gap(mm, addr, len)) + return (flags & MAP_FIXED) ? -ENOMEM : -EEXIST; + if (flags & MAP_LOCKED) if (!can_do_mlock()) return -EPERM; @@ -1341,6 +1355,57 @@ struct vm_area_struct *expand_stack(struct mm_struct *mm, unsigned long addr) return vma; } +/* + * Does the specified VA range overlap the stack gap of a preceding or following + * stack VMA? + * Overlapping stack VMAs are ignored - so if someone deliberately creates a + * MAP_FIXED mapping in the middle of a stack or such, we let that go through. + * + * This is needed partly because userspace's intent when making PROT_NONE + * mappings is unclear; there are two different reasons for creating PROT_NONE + * mappings: + * + * A) Userspace wants to create its own guard mapping, for example for stacks. + * According to + * <https://lore.kernel.org/all/1499126133.2707.20.camel@decadent.org.uk/T/>, + * some Rust/Java programs do this with the main stack. + * Enforcing the kernel's stack gap between these userspace guard mappings and + * the main stack breaks stuff. + * + * B) Userspace wants to reserve some virtual address space for later mappings. + * This is done by memory allocators. + * In this case, we want to enforce a stack gap between the mapping and the + * stack. + * + * Because we can't tell these cases apart when a PROT_NONE mapping is created, + * we instead enforce the stack gap when a PROT_NONE mapping is made accessible + * (using mprotect()) or replaced with an accessible one (using MAP_FIXED). + */ +bool overlaps_stack_gap(struct mm_struct *mm, unsigned long addr, unsigned long len) +{ + + struct vm_area_struct *vma, *prev_vma; + + /* step 1: search for a non-overlapping following stack VMA */ + vma = find_vma(mm, addr+len); + if (vma && vma->vm_start >= addr+len) { + /* is it too close? */ + if (vma->vm_start - (addr+len) < stack_guard_start_gap(vma)) + return true; + } + + /* step 2: search for a non-overlapping preceding stack VMA */ + if (!IS_ENABLED(CONFIG_STACK_GROWSUP)) + return false; + vma = find_vma_prev(mm, addr, &prev_vma); + /* don't handle cases where the VA start overlaps a VMA */ + if (vma && vma->vm_start < addr) + return false; + if (!prev_vma || !(prev_vma->vm_flags & VM_GROWSUP)) + return false; + return addr - prev_vma->vm_end < stack_guard_gap; +} + /* do_munmap() - Wrapper function for non-maple tree aware do_munmap() calls. * @mm: The mm_struct * @start: The start address to munmap diff --git a/mm/mprotect.c b/mm/mprotect.c index 0c5d6d06107d..2300e2eff956 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -772,6 +772,12 @@ static int do_mprotect_pkey(unsigned long start, size_t len, } } + error = -ENOMEM; + if ((prot & (PROT_READ | PROT_WRITE | PROT_EXEC)) && + !(vma->vm_flags & (VM_GROWSUP|VM_GROWSDOWN)) && + overlaps_stack_gap(current->mm, start, end - start)) + goto out; + prev = vma_prev(&vmi); if (start > vma->vm_start) prev = vma; --- base-commit: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b change-id: 20241008-stack-gap-inaccessible-c7319f7d4b1b -- Jann Horn <jannh(a)google.com>

6 months, 3 weeks

2
3
0 0

[PATCH v2] x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load

by John Allen

A problem was introduced with commit f69759be251d ("x86/CPU/AMD: Move Zenbleed check to the Zen2 init function") where a bit in the DE_CFG MSR is getting set after a microcode late load. The problem seems to be that the microcode late load path calls into amd_check_microcode() and subsequently zen2_zenbleed_check(). Since the patch removes the cpu_has_amd_erratum() check from zen2_zenbleed_check(), this will cause all non-Zen2 CPUs to go through the function and set the bit in the DE_CFG MSR. Call into the zenbleed fix path on Zen2 CPUs only. Fixes: f69759be251d ("x86/CPU/AMD: Move Zenbleed check to the Zen2 init function") Cc: <stable(a)vger.kernel.org> Acked-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: John Allen <john.allen(a)amd.com> --- v2: - Clean up commit description --- arch/x86/kernel/cpu/amd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index 015971adadfc..368344e1394b 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -1202,5 +1202,6 @@ void amd_check_microcode(void) if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) return; - on_each_cpu(zenbleed_check_cpu, NULL, 1); + if (boot_cpu_has(X86_FEATURE_ZEN2)) + on_each_cpu(zenbleed_check_cpu, NULL, 1); } -- 2.34.1

6 months, 3 weeks

2
1
0 0

[PATCH] pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func()

by Harshit Mogalapalli

'new_map' is allocated using devm_* which takes care of freeing the allocated data on device removal, call to .dt_free_map = pinconf_generic_dt_free_map double frees the map as pinconf_generic_dt_free_map() calls pinctrl_utils_free_map(). Fix this by using kcalloc() instead of auto-managed devm_kcalloc(). Cc: stable(a)vger.kernel.org Fixes: f805e356313b ("pinctrl: nuvoton: Add ma35d1 pinctrl and GPIO driver") Reported-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> --- This is based on static analysis and reading code, only compile tested. Added the stable tag as the commit in Fixes is also in 6.11.y --- drivers/pinctrl/nuvoton/pinctrl-ma35.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pinctrl/nuvoton/pinctrl-ma35.c b/drivers/pinctrl/nuvoton/pinctrl-ma35.c index 1fa00a23534a..59c4e7c6cdde 100644 --- a/drivers/pinctrl/nuvoton/pinctrl-ma35.c +++ b/drivers/pinctrl/nuvoton/pinctrl-ma35.c @@ -218,7 +218,7 @@ static int ma35_pinctrl_dt_node_to_map_func(struct pinctrl_dev *pctldev, } map_num += grp->npins; - new_map = devm_kcalloc(pctldev->dev, map_num, sizeof(*new_map), GFP_KERNEL); + new_map = kcalloc(map_num, sizeof(*new_map), GFP_KERNEL); if (!new_map) return -ENOMEM; -- 2.39.3

6 months, 3 weeks

2
1
0 0

Add commit "59c34008d3bd x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h" to stable kernel 6.11.y

by Gong, Richard

Hi, The following commit is to make amd_pmc and amd_pmf drivers work properly on AMD family 1Ah model 60h processors, 59c34008d3bd x86/amd_nb: Add new PCI IDs for AMD family 1Ah model 60h Please add this commit to stable kernel 6.11.y. Thanks! Regards, Richard

6 months, 3 weeks

1
0
0 0

[PATCH v3] xhci: tegra: fix checked USB2 port number

by Henry Lin

If USB virtualizatoin is enabled, USB2 ports are shared between all Virtual Functions. The USB2 port number owned by an USB2 root hub in a Virtual Function may be less than total USB2 phy number supported by the Tegra XUSB controller. Using total USB2 phy number as port number to check all PORTSC values would cause invalid memory access. [ 116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f ... [ 117.213640] Call trace: [ 117.216783] tegra_xusb_enter_elpg+0x23c/0x658 [ 117.222021] tegra_xusb_runtime_suspend+0x40/0x68 [ 117.227260] pm_generic_runtime_suspend+0x30/0x50 [ 117.232847] __rpm_callback+0x84/0x3c0 [ 117.237038] rpm_suspend+0x2dc/0x740 [ 117.241229] pm_runtime_work+0xa0/0xb8 [ 117.245769] process_scheduled_works+0x24c/0x478 [ 117.251007] worker_thread+0x23c/0x328 [ 117.255547] kthread+0x104/0x1b0 [ 117.259389] ret_from_fork+0x10/0x20 [ 117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100) Cc: <stable(a)vger.kernel.org> # v6.3+ Fixes: a30951d31b25 ("xhci: tegra: USB2 pad power controls") Signed-off-by: Henry Lin <henryl(a)nvidia.com> --- drivers/usb/host/xhci-tegra.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c index 6246d5ad1468..76f228e7443c 100644 --- a/drivers/usb/host/xhci-tegra.c +++ b/drivers/usb/host/xhci-tegra.c @@ -2183,7 +2183,7 @@ static int tegra_xusb_enter_elpg(struct tegra_xusb *tegra, bool runtime) goto out; } - for (i = 0; i < tegra->num_usb_phys; i++) { + for (i = 0; i < xhci->usb2_rhub.num_ports; i++) { if (!xhci->usb2_rhub.ports[i]) continue; portsc = readl(xhci->usb2_rhub.ports[i]->addr); -- 2.25.1

6 months, 3 weeks

2
1
0 0

[PATCH] arm64: dts: rockchip: Prevent thermal runaways in RK3308 SoC dtsi

by Dragan Simic

Until the TSADC, thermal zones, thermal trips and cooling maps are defined in the RK3308 SoC dtsi, none of the CPU OPPs except the slowest one may be enabled under any circumstances. Allowing the DVFS to scale the CPU cores up without even just the critical CPU thermal trip in place can rather easily result in thermal runaways and damaged SoCs, which is bad. Thus, leave only the lowest available CPU OPP enabled for now. Fixes: 6913c45239fd ("arm64: dts: rockchip: Add core dts for RK3308 SOC") Cc: stable(a)vger.kernel.org Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> --- arch/arm64/boot/dts/rockchip/rk3308.dtsi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/boot/dts/rockchip/rk3308.dtsi b/arch/arm64/boot/dts/rockchip/rk3308.dtsi index 31c25de2d689..a7698e1f6b9e 100644 --- a/arch/arm64/boot/dts/rockchip/rk3308.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3308.dtsi @@ -120,16 +120,19 @@ opp-600000000 { opp-hz = /bits/ 64 <600000000>; opp-microvolt = <950000 950000 1340000>; clock-latency-ns = <40000>; + status = "disabled"; }; opp-816000000 { opp-hz = /bits/ 64 <816000000>; opp-microvolt = <1025000 1025000 1340000>; clock-latency-ns = <40000>; + status = "disabled"; }; opp-1008000000 { opp-hz = /bits/ 64 <1008000000>; opp-microvolt = <1125000 1125000 1340000>; clock-latency-ns = <40000>; + status = "disabled"; }; };

6 months, 3 weeks

5
8
0 0

[PATCH 6.10 000/482] 6.10.14-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.10.14 release. There are 482 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.10.14-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.10.14-rc1 Alex Hung <alex.hung(a)amd.com> drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it Namhyung Kim <namhyung(a)kernel.org> perf report: Fix segfault when 'sym' sort key is not used Gabe Teeger <Gabe.Teeger(a)amd.com> drm/amd/display: Revert Avoid overflow assignment Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx* - Select CRYPTO_AUTHENC Takashi Iwai <tiwai(a)suse.de> ALSA: control: Fix leftover snd_power_unref() Haoran Zhang <wh1sper(a)zju.edu.cn> vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() David Howells <dhowells(a)redhat.com> rxrpc: Fix a race between socket set up and I/O thread creation Christian König <christian.koenig(a)amd.com> drm/sched: revert "Always increment correct scheduler score" Jonathan Gray <jsg(a)jsg.id.au> Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Val Packett <val(a)packett.cool> drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Fix possible crash when unregistering a battery hook Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Simplify battery hook locking Heiner Kallweit <hkallweit1(a)gmail.com> r8169: add tally counter fields added with RTL8125 Colin Ian King <colin.i.king(a)gmail.com> r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Fix regmap for BMP280 device Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Use BME prefix for BME280 specifics Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Improve indentation and line wrapping Udit Kumar <u-kumar1(a)ti.com> remoteproc: k3-r5: Delay notification of wakeup event Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Acquire mailbox handle during probe routine Long Li <longli(a)microsoft.com> RDMA/mana_ib: use the correct page table index based on hardware page size Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Add support for page sizes other than 4KB on ARM64 Chuck Lever <chuck.lever(a)oracle.com> NFSD: Limit the number of concurrent async COPY operations Chuck Lever <chuck.lever(a)oracle.com> NFSD: Async COPY result needs to return a write verifier NeilBrown <neilb(a)suse.de> sunrpc: change sp_nrthreads from atomic_t to unsigned int. Johannes Weiner <hannes(a)cmpxchg.org> sched: psi: fix bogus pressure spikes from aggregation race Matthew Auld <matthew.auld(a)intel.com> drm/xe: fix UAF around queue destruction Matthew Brost <matthew.brost(a)intel.com> drm/xe: Delete unused GuC submission_state.suspend Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: harden build ID parsing logic Alexey Dobriyan <adobriyan(a)gmail.com> build-id: require program headers to be right after ELF header Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Yosry Ahmed <yosryahmed(a)google.com> mm: z3fold: deprecate CONFIG_Z3FOLD Oleg Nesterov <oleg(a)redhat.com> uprobes: fix kernel info leak via "[uprobes]" vma Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround once more Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-N3 definitions Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix buffer overflow in debug links Uwe Kleine-König <ukleinek(a)debian.org> cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix system hang while resume with TBT monitor Yihan Zhu <Yihan.Zhu(a)amd.com> drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35 Alex Hung <alex.hung(a)amd.com> drm/amd/display: Add HDR workaround for specific eDP Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Always increment correct scheduler score Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Always wake up correct scheduler in drm_sched_entity_push_job Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Add locking to drm_sched_entity_modify_sched Rob Clark <robdclark(a)chromium.org> drm/sched: Fix dynamic job-flow control race Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Don't declare a queue blocked if deferred operations are pending Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Fix access to uninitialized variable in tick_ctx_cleanup() Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Don't add write fences to the shared BOs Jani Nikula <jani.nikula(a)intel.com> drm/i915/gem: fix bitwise and logical AND mixup Al Viro <viro(a)zeniv.linux.org.uk> close_range(): fix the logics in descriptor table trimming Thomas Zimmermann <tzimmermann(a)suse.de> firmware/sysfb: Disable sysfb for firmware buffers with unknown parent Eder Zulian <ezulian(a)redhat.com> rtla: Fix the help text in osnoise and timerlat top tools Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix a race during cpuhp processing Wei Li <liwei391(a)huawei.com> tracing/timerlat: Drop interface_lock in stop_kthread() Wei Li <liwei391(a)huawei.com> tracing/hwlat: Fix a race during cpuhp processing Patrick Donnelly <pdonnell(a)redhat.com> ceph: fix cap ref leak via netfs init_request Jens Axboe <axboe(a)kernel.dk> io_uring/net: harden multishot termination case for recv Jiawei Ye <jiawei.ye(a)foxmail.com> mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Jiawen Wu <jiawenwu(a)trustnetic.com> net: pcs: xpcs: fix the wrong register that was written back Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: davinci: fix lazy disable Miquel Sabaté Solà <mikisabate(a)gmail.com> cpufreq: Avoid a bad reference count on CPU node Filipe Manana <fdmanana(a)suse.com> btrfs: wait for fixup workers before stopping cleaner kthread during umount Filipe Manana <fdmanana(a)suse.com> btrfs: send: fix invalid clone operation for file that got its size decreased Josef Bacik <josef(a)toxicpanda.com> btrfs: drop the backref cache during relocation if we commit Qu Wenruo <wqu(a)suse.com> btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Loosen the Asus E1404GAB DMI match to also cover the E1404GA Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Remove duplicate Asus E1504GAB IRQ override Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add backlight=native quirk for Dell OptiPlex 5480 AIO Baokun Li <libaokun1(a)huawei.com> cachefiles: fix dentry leak in cachefiles_open_file() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix adp5589_gpio_get_value() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix NULL pointer dereference Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> rtc: at91sam9: fix OF node leak in probe() error path KhaiWenTan <khai.wen.tan(a)linux.intel.com> net: stmmac: Fix zero-division error when disabling tc cbs Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fallback to realpath if symlink's pathname does not exist Willem de Bruijn <willemb(a)google.com> gso: fix udp gso fraglist segmentation after pull from frag_list Felix Fietkau <nbd(a)nbd.name> net: gso: fix tcp fraglist segmentation after pull from frag_list Willem de Bruijn <willemb(a)google.com> vrf: revert "vrf: Remove unnecessary RCU-bh critical section" Barnabás Czémán <barnabas.czeman(a)mainlining.org> iio: magnetometer: ak8975: Fix reading for ak099xx sensors Steve French <stfrench(a)microsoft.com> smb3: fix incorrect mode displayed for read-only files wangrong <wangrong(a)uniontech.com> smb: client: use actual path when queryfs Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: qcom: camss: Fix ordering of pm_runtime_enable Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Add GPLL9 support Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: qcom: camss: Remove use_count guard in stop_streaming Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Zheng Wang <zyytlz.wz(a)163.com> media: venus: fix use after free bug in venus_remove due to race condition Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src David Virag <virag.david003(a)gmail.com> clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Mike Tipton <quic_mdtipton(a)quicinc.com> clk: qcom: clk-rpmh: Fix overflow in BCM vote Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: sun4i_csi: Implement link validate for sun4i_csi subdev Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: videobuf2: Drop minimum allocation requirement of 2 buffers Jan Kiszka <jan.kiszka(a)siemens.com> remoteproc: k3-r5: Fix error handling when power-up failed Sebastian Reichel <sebastian.reichel(a)collabora.com> clk: rockchip: fix error for unknown clocks Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: ov5675: Fix power on/off delay timings Umang Jain <umang.jain(a)ideasonboard.com> media: imx335: Fix reset-gpio handling Chun-Yi Lee <joeyli.kernel(a)gmail.com> aoe: fix the potential use-after-free problem in more places Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix kernel stack size when KASAN is enabled Pu Lehui <pulehui(a)huawei.com> drivers/perf: riscv: Align errno for unsupported perf event Long Li <longli(a)microsoft.com> RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page Thomas Weißschuh <linux(a)weissschuh.net> sysctl: avoid spurious permanent empty tables Kaixin Wang <kxwang23(a)m.fudan.edu.cn> i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv4's PUTPUBFH operation Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: map the EBADMSG to nfserr_io to avoid warning NeilBrown <neilb(a)suse.de> nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Matt Fleming <matt(a)readmodwrite.com> perf hist: Update hist symbol when updating maps Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Disable -Wno-cast-function-type-mismatch if present on clang Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix memory leak in exfat_load_bitmap() Jisheng Zhang <jszhang(a)kernel.org> riscv: define ILLEGAL_POINTER_VALUE for 64bit Youssef Esmat <youssefesmat(a)google.com> sched/core: Clear prev->dl_server in CFS pick fast path Joel Fernandes (Google) <joel(a)joelfernandes.org> sched/core: Add clearing of ->dl_server in put_prev_task_balance() Daniel Bristot de Oliveira <bristot(a)kernel.org> sched/deadline: Comment sched_dl_entity::dl_server variable Easwar Hariharan <eahariha(a)linux.microsoft.com> arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Mark Rutland <mark.rutland(a)arm.com> arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS Kuan-Ying Lee <kuan-ying.lee(a)canonical.com> scripts/gdb: fix lx-mounts command error Kuan-Ying Lee <kuan-ying.lee(a)canonical.com> scripts/gdb: add iteration function for rbtree Kuan-Ying Lee <kuan-ying.lee(a)canonical.com> scripts/gdb: fix timerlist parsing issue Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Julian Sun <sunjunchao2870(a)gmail.com> ocfs2: fix null-ptr-deref when journal load failed. Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: remove unreasonable unlock in ocfs2_read_blocks Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: cancel dqi_sync_work before freeing oinfo Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> ocfs2: reserve space for inline xattr before attaching reflink tree Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix uninit-value in ocfs2_get_block() Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the la space leak when unmounting an ocfs2 volume Danilo Krummrich <dakr(a)kernel.org> mm: krealloc: consider spare memory for __GFP_ZERO Kemeng Shi <shikemeng(a)huaweicloud.com> jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Baokun Li <libaokun1(a)huawei.com> jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Huang Ying <ying.huang(a)intel.com> resource: fix region_intersects() vs add_memory_driver_managed() Ma Ke <make24(a)iscas.ac.cn> drm: omapdrm: Add missing check for alloc_ordered_workqueue Andrew Jones <ajones(a)ventanamicro.com> of/irq: Support #msi-cells=<0> in of_msi_get_domain Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> of: address: Report error on resource bounds overflow Val Packett <val(a)packett.cool> drm/rockchip: vop: clear DMA stop bit on RK3066 Helge Deller <deller(a)gmx.de> parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Helge Deller <deller(a)kernel.org> parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards Helge Deller <deller(a)kernel.org> parisc: Fix 64-bit userspace syscall path Baokun Li <libaokun1(a)huawei.com> ext4: fix off by one issue in alloc_flex_gd() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: use handle to mark fc as ineligible in __track_dentry_update() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix fast commit inode enqueueing during a full journal commit Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Baokun Li <libaokun1(a)huawei.com> ext4: update orig_path in ext4_find_extent() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix access to uninitialised lock in fc replay path Xiaxi Shen <shenxiaxi26(a)gmail.com> ext4: fix timer use-after-free on failed mount Baokun Li <libaokun1(a)huawei.com> ext4: fix double brelse() the buffer of the extents path Baokun Li <libaokun1(a)huawei.com> ext4: aovid use-after-free in ext4_ext_insert_extent() Baokun Li <libaokun1(a)huawei.com> ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Zhihao Cheng <chengzhihao1(a)huawei.com> ext4: dax: fix overflowing extents beyond inode size when partially writing Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() Baokun Li <libaokun1(a)huawei.com> ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() yao.ly <yao.ly(a)linux.alibaba.com> ext4: correct encrypted dentry name hash when not casefolded Edward Adam Davis <eadavis(a)qq.com> ext4: no need to continue when the number of entries is 1 Abhishek Tamboli <abhishektamboli9(a)gmail.com> ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Ai Chao <aichao(a)kylinos.cn> ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> ALSA: hda/realtek: fix mute/micmute LED for HP mt645 G8 Hans P. Moller <hmoller(a)uc.cl> ALSA: line6: add hw monitor volume control to POD HD500X Jan Lalinsky <lalinsky(a)c4.cz> ALSA: usb-audio: Add native DSD support for Luxman D-08u Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Jaroslav Kysela <perex(a)perex.cz> ALSA: core: add isascii() check to card ID generator Baojun Xu <baojun.xu(a)ti.com> ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Thomas Zimmermann <tzimmermann(a)suse.de> drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Javier Carrasco <javier.carrasco.cruz(a)gmail.com> drm/mediatek: ovl_adaptor: Add missing of_node_put() Helge Deller <deller(a)gmx.de> parisc: Fix itlb miss handler for 64-bit programs Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/v3d: Prevent out of bounds access in performance query extensions Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix small negative period being ignored Peng Fan <peng.fan(a)nxp.com> mm, slub: avoid zeroing kmalloc redzone Hans de Goede <hdegoede(a)redhat.com> power: supply: hwmon: Fix missing temp1_max_alarm attribute Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix module autoloading David Virag <virag.david003(a)gmail.com> dt-bindings: clock: exynos7885: Fix duplicated binding Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> memory: tegra186-emc: drop unused to_tegra186_emc() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Mike Baynton <mike(a)mbaynton.com> ovl: fail if trusted xattrs are needed but caller lacks permission Alice Ryhl <aliceryhl(a)google.com> rust: sync: require `T: Sync` for `LockedBy::access` Ard Biesheuvel <ardb(a)kernel.org> i2c: synquacer: Deal with optional PCLK correctly Kimriver Liu <kimriver.liu(a)siengine.com> i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Heiner Kallweit <hkallweit1(a)gmail.com> i2c: core: Lock address during client device instantiation Alexander Shiyan <eagle.alexander923(a)gmail.com> media: i2c: ar0521: Use cansleep version of gpiod_set_value() Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Wait for TX empty to avoid missed TX NAKs Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Marek Vasut <marex(a)denx.de> i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Marc Zyngier <maz(a)kernel.org> KVM: arm64: Fix kvm_has_feat*() handling of negative features Zach Wade <zachwade.k(a)gmail.com> platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors Takashi Iwai <tiwai(a)suse.de> Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Daeho Jeong <daehojeong(a)google.com> f2fs: forcibly migrate to secure space for zoned device file pinning Daeho Jeong <daehojeong(a)google.com> f2fs: do FG_GC when GC boosting is required for zoned devices Daeho Jeong <daehojeong(a)google.com> f2fs: increase BG GC migration window granularity when boosted for zoned devices Daeho Jeong <daehojeong(a)google.com> f2fs: introduce migration_window_granularity Daeho Jeong <daehojeong(a)google.com> f2fs: make BG GC more aggressive for zoned devices Heiko Carstens <hca(a)linux.ibm.com> selftests: vDSO: fix vdso_config for s390 Jens Remus <jremus(a)linux.ibm.com> selftests: vDSO: fix ELF hash table entry size for s390x Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Chao Yu <chao(a)kernel.org> f2fs: fix to don't panic system for no free segment fault injection Liao Yuanhong <liaoyuanhong(a)vivo.com> f2fs: add write priority option based on zone UFS Arnd Bergmann <arnd(a)arndb.de> nvme-tcp: fix link failure for TCP auth David Hildenbrand <david(a)redhat.com> selftests/mm: fix charge_reserved_hugetlb.sh test Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO symbols lookup for powerpc64 Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vdso_config for powerpc Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO name for powerpc Nirmoy Das <nirmoy.das(a)intel.com> drm/xe: Fix memory leak on xe_alloc_pf_queue failure Matthew Auld <matthew.auld(a)intel.com> drm/xe: fixup xe_alloc_pf_queue Namhyung Kim <namhyung(a)kernel.org> perf: Really fix event_function_call() locking Ian Rogers <irogers(a)google.com> perf callchain: Fix stitch LBR memory leaks Takashi Iwai <tiwai(a)suse.de> ALSA: control: Fix power_ref lock order for compat code, too Biju Das <biju.das.jz(a)bp.renesas.com> spi: rpc-if: Add missing MODULE_DEVICE_TABLE Alexander F. Lent <lx(a)xanderlent.com> accel/ivpu: Add missing MODULE_FIRMWARE metadata Yifei Liu <yifei.l.liu(a)oracle.com> selftests: breakpoints: use remaining time to check if suspend succeed Alessandro Zanni <alessandro.zanni87(a)gmail.com> kselftest/devices/probe: Fix SyntaxWarning in regex strings for Python3 Ben Dooks <ben.dooks(a)codethink.co.uk> spi: s3c64xx: fix timeout counters in flush_fifo Yun Lu <luyun(a)kylinos.cn> selftest: hid: add missing run-hid-tools-tests.sh Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-cadence: Fix missing spi_controller_is_target() check Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Ben Cheatham <Benjamin.Cheatham(a)amd.com> EINJ, CXL: Fix CXL device SBDF calculation Yonghong Song <yonghong.song(a)linux.dev> bpf: Fix a sdiv overflow issue Kuan-Wei Chiu <visitorckw(a)gmail.com> bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Christoph Hellwig <hch(a)lst.de> iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Kuan-Wei Chiu <visitorckw(a)gmail.com> bpftool: Fix undefined behavior caused by shifting into the sign bit Artem Sadovnikov <ancowi69(a)gmail.com> ext4: fix i_data_sem unlock order in ext4_ind_migrate() Baokun Li <libaokun1(a)huawei.com> ext4: avoid use-after-free in ext4_ext_show_leaf() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: ext4_search_dir should return a proper error Juntong Deng <juntong.deng(a)outlook.com> bpf: Make the pointer returned by iter next method valid Jan Kara <jack(a)suse.cz> ext4: don't set SB_RDONLY after filesystem errors Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Adjust Xiaomi Pad 2 bottom bezel touch buttons LED Luiz Capitulino <luizcap(a)redhat.com> platform/mellanox: mlxbf-pmc: fix lockdep warning Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: add refcnt to ksmbd_conn struct Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: i2c-hid: ensure various commands do not interfere with each other Zhu Jun <zhujun2(a)cmss.chinamobile.com> tools/hv: Add memory allocation check in hv_fcopy_start Gergo Koteles <soyer(a)irl.hu> platform/x86: lenovo-ymc: Ignore the 0x0 state Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: use rlc safe mode for soft recovery Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx11: use rlc safe mode for soft recovery Amir Goldstein <amir73il(a)gmail.com> ovl: fsync after metadata copy-up Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Geert Uytterhoeven <geert+renesas(a)glider.be> of/irq: Refer to actual buffer size in of_irq_parse_one() Matthew Brost <matthew.brost(a)intel.com> drm/xe: Drop warn on xe_guc_pc_gucrc_disable in guc pc fini Hawking Zhang <Hawking.Zhang(a)amd.com> drm/amdkfd: Check int source id for utcl2 poison event Tim Huang <tim.huang(a)amd.com> drm/amd/pm: ensure the fw_info is not null before using it Stuart Summers <stuart.summers(a)intel.com> drm/xe: Use topology to determine page fault queue size Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx11: enter safe mode before touching CP_INT_CNTL Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: use rlc safe mode for soft recovery Victor Skvortsov <victor.skvortsov(a)amd.com> drm/amdgpu: Block MMR_READ IOCTL in reset Geert Uytterhoeven <geert+renesas(a)glider.be> drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Peter Zijlstra <peterz(a)infradead.org> perf: Fix event_function_call() locking Tim Huang <tim.huang(a)amd.com> drm/amdgpu: fix unchecked return value warning for amdgpu_atombios Tim Huang <tim.huang(a)amd.com> drm/amdgpu: fix unchecked return value warning for amdgpu_gfx Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Update PRLO handling in direct attached topology Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths Kees Cook <kees(a)kernel.org> scsi: aacraid: Rearrange order of struct aac_srb_unit Andrii Nakryiko <andrii(a)kernel.org> perf,x86: avoid missing caller address in stack traces captured in uprobe Matthew Brost <matthew.brost(a)intel.com> drm/printer: Allow NULL data in devcoredump printer Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize get_bytes_per_element's default to 1 Alex Hung <alex.hung(a)amd.com> drm/amd/display: Avoid overflow assignment in link_dp_cts Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: properly handle error ints on all pipes Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 color transformation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in degamma hardware format translation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check link_res->hpo_dp_link_enc before using it Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream before comparing them Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check phantom_stream before it is used Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null-initialized variables Yannick Fertre <yannick.fertre(a)foss.st.com> drm/stm: ltdc: reset plane transparency after plane disable aln8 <aln8un(a)gmail.com> platform/x86/amd: pmf: Add quirk for TUF Gaming A14 Ckath <ckath(a)yandex.ru> platform/x86: touchscreen_dmi: add nanote-next quirk Vishnu Sankar <vishnuocv(a)gmail.com> HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Jesse Zhang <jesse.zhang(a)amd.com> drm/amdkfd: Fix resource leak in criu restore queue Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: enable gfxoff quirk on HP 705G4 Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: add raven1 gfxoff quirk Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> jfs: Fix uninit-value access of new_ea in ea_buffer Konrad Dybcio <konrad.dybcio(a)linaro.org> drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs David Strahan <David.Strahan(a)microchip.com> scsi: smartpqi: add new controller PCI IDs Mahesh Rajashekhara <mahesh.rajashekhara(a)microchip.com> scsi: smartpqi: correct stream detection Edward Adam Davis <eadavis(a)qq.com> jfs: check if leafidx greater than num leaves per dmap tree Edward Adam Davis <eadavis(a)qq.com> jfs: Fix uaf in dbFreeBits Remington Brasga <rbrasga(a)uci.edu> jfs: UBSAN: shift-out-of-bounds in dbFindBits Yang Wang <kevinyang.wang(a)amd.com> drm/amdgpu: add list empty check to avoid null pointer issue Tim Huang <tim.huang(a)amd.com> drm/amd/display: fix double free issue during amdgpu module unload Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before using dc->clk_mgr Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' Hans de Goede <hdegoede(a)redhat.com> HID: Ignore battery for all ELAN I2C-HID devices David Strahan <David.Strahan(a)microchip.com> scsi: smartpqi: Add new controller PCI IDs Damien Le Moal <dlemoal(a)kernel.org> ata: sata_sil: Rename sil_blacklist to sil_quirks Damien Le Moal <dlemoal(a)kernel.org> ata: pata_serverworks: Do not use the term blacklist Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> drm/amd/display: Use gpuvm_min_page_size_kbytes for DML2 surfaces Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Suraj Kandpal <suraj.kandpal(a)intel.com> drm/xe/hdcp: Check GSC structure validity Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com> drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before using them Alex Hung <alex.hung(a)amd.com> drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags Katya Orlova <e.orlova(a)ispras.ru> drm/stm: Avoid use-after-free issues with crtc and plane Michal Koutný <mkoutny(a)suse.com> cgroup: Disallow mounting v1 hierarchies without controller implementation Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Do not use devm for the cd table allocations Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Unconditionally flush device TLB for pasid table updates Sanjay K Kumar <sanjay.k.kumar(a)intel.com> iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Always reserve a domain ID for identity setup Mostafa Saleh <smostafa(a)google.com> iommu/arm-smmu-v3: Match Stall behaviour for S2 Andrew Davis <afd(a)ti.com> power: reset: brcmstb: Do not go into infinite loop if reset fails Paul E. McKenney <paulmck(a)kernel.org> rcuscale: Provide clear error when async specified without primitives Ulf Hansson <ulf.hansson(a)linaro.org> pmdomain: core: Don't hold the genpd-lock when calling dev_pm_domain_set() Kaixin Wang <kxwang23(a)m.fudan.edu.cn> fbdev: pxafb: Fix possible use after free in pxafb_task() Thomas Weißschuh <linux(a)weissschuh.net> fbdev: efifb: Register sysfs groups through driver core Denis Pauk <pauk.denis(a)gmail.com> hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Zqiang <qiang.zhang1211(a)gmail.com> rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: boards: always check the result of acpi_dev_get_first_match_dev() Kees Cook <kees(a)kernel.org> x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Thomas Weißschuh <linux(a)weissschuh.net> selftests/nolibc: avoid passing NULL to printf("%s") Thomas Weißschuh <linux(a)weissschuh.net> tools/nolibc: powerpc: limit stack-protector workaround to GCC Takashi Iwai <tiwai(a)suse.de> ALSA: hdsp: Break infinite MIDI input flush loop Takashi Iwai <tiwai(a)suse.de> ALSA: asihpi: Fix potential OOB array access Steve Wahl <steve.wahl(a)hpe.com> x86/mm/ident_map: Use gbpages only where full GB page should be mapped. Tao Liu <ltao(a)redhat.com> x86/kexec: Add EFI config table identity mapping for kexec kernel Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> x86/pkeys: Restore altstack access in sigreturn() Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> x86/pkeys: Add PKRU as a parameter in signal handling functions Ahmed S. Darwish <darwi(a)linutronix.de> tools/x86/kcpuid: Protect against faulty "max subleaf" values Takashi Iwai <tiwai(a)suse.de> ALSA: control: Take power_ref lock primarily Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wsa883x: Handle reading version failure Joshua Pius <joshuapius(a)chromium.org> ALSA: usb-audio: Add logitech Audio profile quirk Asahi Lina <lina(a)asahilina.net> ALSA: usb-audio: Add mixer quirk for RME Digiface USB Cyan Nyan <cyan.vtb(a)gmail.com> ALSA: usb-audio: Add quirk for RME Digiface USB Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Replace complex quirk lines with macros Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Define macros for quirk table entries Karol Kosik <k.kosik(a)outlook.com> ALSA: usb-audio: Support multiple control interfaces Thomas Gleixner <tglx(a)linutronix.de> x86/apic: Remove logical destination mode for 64-bit Thomas Gleixner <tglx(a)linutronix.de> x86/ioapic: Handle allocation failures gracefully Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add input value sanity checks for standard types Jinjie Ruan <ruanjinjie(a)huawei.com> nfp: Use IRQF_NO_AUTOEN flag in request_irq() David Howells <dhowells(a)redhat.com> netfs: Cancel dirty folios that have no storage destination Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Benjamin Lin <benjamin-jw.lin(a)mediatek.com> wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Yang Shen <shenyang39(a)huawei.com> crypto: hisilicon - fix missed error branch Joe Damato <jdamato(a)fastly.com> net: napi: Prevent overflow of napi_defer_hard_irqs David Kaplan <david.kaplan(a)amd.com> x86/bugs: Fix handling when SRSO mitigation is disabled Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bugs: Add missing NO_SSB flag Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: phy: Check for read errors in SIOCGMIIREG Fares Mehanna <faresx(a)amazon.de> arm64: trans_pgd: mark PTEs entries as valid to avoid dead kexec() Alexey Dobriyan <adobriyan(a)gmail.com> block: fix integer overflow in BLKSECDISCARD Joe Damato <jdamato(a)fastly.com> netdev-genl: Set extack and fix error on napi-get Stefan Mätje <stefan.maetje(a)esd.eu> can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode James Clark <james.clark(a)linaro.org> drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Adrian Ratiu <adrian.ratiu(a)collabora.com> proc: add config & param to block forcing mem writes Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> ACPICA: iasl: handle empty connection_node Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix RCU list iterations Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mvm: avoid NULL pointer dereference Anjaneyulu <pagadala.yesu.anjaneyulu(a)intel.com> wifi: iwlwifi: allow only CN mcc from WRDD Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: use correct key iteration Jason Xing <kernelxing(a)tencent.com> tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Breno Leitao <leitao(a)debian.org> netpoll: Ensure clean state on setup failures Herbert Xu <herbert(a)gondor.apana.org.au> crypto: simd - Do not call crypto_alloc_tfm during registration Simon Horman <horms(a)kernel.org> net: atlantic: Avoid warning about potential string truncation Hannes Reinecke <hare(a)kernel.org> nvme-tcp: check for invalidated or revoked key Hannes Reinecke <hare(a)kernel.org> nvme-tcp: sanitize TLS key handling Hannes Reinecke <hare(a)kernel.org> nvme-keyring: restrict match length for version '1' identifiers Ido Schimmel <idosch(a)nvidia.com> ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: correct base HT rate mask for firmware Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Simon Horman <horms(a)kernel.org> bnxt_en: Extend maximum length of version string by 1 byte Simon Horman <horms(a)kernel.org> net: mvpp2: Increase size of queue_name buffer Simon Horman <horms(a)kernel.org> tipc: guard against string buffer overrun Pei Xiao <xiaopei01(a)kylinos.cn> ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Do not release locks during operation region accesses Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw88: select WANT_DEV_COREDUMP Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath11k: fix array out-of-bound access in SoC stats Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath12k: fix array out-of-bound access in SoC stats Konstantin Ovsepian <ovs(a)ovs.to> blk_iocost: fix more out of bound shifts Mario Limonciello <mario.limonciello(a)amd.com> ACPI: CPPC: Add support for setting EPP register in FFH Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 Hilda Wu <hildawu(a)realtek.com> Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Hilda Wu <hildawu(a)realtek.com> Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: consistently use rcu_replace_pointer() in taprio_change() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Tamim Khan <tamim(a)fusetak.com> ACPI: resource: Skip IRQ override on Asus Vivobook Go E1404GAB Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: avoid failing the system during pm_suspend Li Zhijian <lizhijian(a)fujitsu.com> fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_mdio: fix OF node leak in probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hip04: fix OF node leak in probe() Jeongjun Park <aha310510(a)gmail.com> net/xen-netback: prevent UAF in xenvif_flush_hash() Issam Hamdi <ih(a)simonwunderlich.de> wifi: cfg80211: Set correct chandef when starting CAC Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: drop wrong STA selection in TX Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: mvm: Fix a race in scan abort flow Aleksandr Mishin <amishin(a)t-argos.ru> ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx2 - Fix authenc setkey Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx - Fix authenc setkey Fangrui Song <maskray(a)google.com> crypto: x86/sha256 - Add parentheses around macros' single arguments Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw89: avoid to add interface to list twice when SER Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: gus: Fix some error handling paths related to get_bpos() usage Ben Hutchings <benh(a)debian.org> tools/rtla: Fix installation from out-of-tree build Pali Rohár <pali(a)kernel.org> cifs: Do not convert delimiter when parsing NFS-style symlinks Pali Rohár <pali(a)kernel.org> cifs: Fix buffer overflow when parsing NFS reparse points Zhanjun Dong <zhanjun.dong(a)intel.com> drm/xe: Prevent null pointer access in xe_migrate_copy Matthew Brost <matthew.brost(a)intel.com> drm/xe: Resume TDR after GT reset Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/xe: Restore pci state upon resume Hui Wang <hui.wang(a)canonical.com> ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Takashi Iwai <tiwai(a)suse.de> ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Lock the VM resv before calling drm_gpuvm_bo_obtain_prealloc() Pali Rohár <pali(a)kernel.org> cifs: Remove intermediate object of failed create reparse call Oder Chiou <oder_chiou(a)realtek.com> ALSA: hda/realtek: Fix the push button function for the ALC257 Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: mixer_oss: Remove some incorrect kfree_const() usages Guixin Liu <kanie(a)linux.alibaba.com> io_uring: fix memory leak when cache init fail Andrei Simion <andrei.simion(a)microchip.com> ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Steven Price <steven.price(a)arm.com> drm/panthor: Fix race when converting group handle to group object Christoph Hellwig <hch(a)lst.de> loop: don't set QUEUE_FLAG_NOMERGES Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Try re-initialization on bus busy timeout Marc Ferland <marc.ferland(a)sonatest.com> i2c: xiic: improve error message when transfer fails to start Jeff Xu <jeffxu(a)chromium.org> selftest mm/mseal: fix test_seal_mremap_move_dontunmap_anyaddr Xin Long <lucien.xin(a)gmail.com> sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Ravikanth Tuniki <ravikanth.tuniki(a)amd.com> dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Darrick J. Wong <djwong(a)kernel.org> iomap: constrain the file range passed to iomap_file_unshare Eddie James <eajames(a)linux.ibm.com> net/ncsi: Disable the ncsi work before freeing the associated structure Ido Schimmel <idosch(a)nvidia.com> bridge: mcast: Fail MDB get request on empty entry Eric Dumazet <edumazet(a)google.com> ppp: do not assume bh is held in ppp_channel_bridge_input() Eric Dumazet <edumazet(a)google.com> net: test for not too small csum_start in virtio_net_hdr_to_skb() Anton Danilov <littlesmilingcloud(a)gmail.com> ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Shenwei Wang <shenwei.wang(a)nxp.com> net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Eric Dumazet <edumazet(a)google.com> net: add more sanity checks to qdisc_pkt_len_init() Eric Dumazet <edumazet(a)google.com> net: avoid potential underflow in qdisc_pkt_len_init() with UFO Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Reload PTP registers after link-state change Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Restart PPS after link state change Aleksander Jan Bajkowski <olek2(a)wp.pl> net: ethernet: lantiq_etop: fix memory disclosure Daniel Borkmann <daniel(a)iogearbox.net> net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Daniel Borkmann <daniel(a)iogearbox.net> net: Add netif_get_gro_max_size helper for GRO Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: improve shutdown sequence David Howells <dhowells(a)redhat.com> afs: Fix the setting of the server responding flag David Howells <dhowells(a)redhat.com> afs: Fix missing wire-up of afs_retry_request() Jinjie Ruan <ruanjinjie(a)huawei.com> Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix uaf in l2cap_connect Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix possible crash on mgmt_index_removed zhang jiao <zhangjiao2(a)cmss.chinamobile.com> selftests: netfilter: Add missing return value Eric Dumazet <edumazet(a)google.com> netfilter: nf_tables: prevent nf_skb_duplicated corruption Phil Sutter <phil(a)nwl.cc> selftests: netfilter: Fix nft_audit.sh for newer nft binaries Jinjie Ruan <ruanjinjie(a)huawei.com> net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Phil Sutter <phil(a)nwl.cc> netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Elena Salomatkina <esalomatkina(a)ispras.ru> net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Mohamed Khalfella <mkhalfella(a)purestorage.com> net/mlx5: Added cond_resched() to crdump collection Gerd Bayer <gbayer(a)linux.ibm.com> net/mlx5: Fix error path in multi-packet WQE transmit Aakash Menon <aakash.r.menon(a)gmail.com> net: sparx5: Fix invalid timestamps Jinjie Ruan <ruanjinjie(a)huawei.com> ieee802154: Fix build error Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/dp: Fix colorimetry detection Xiubo Li <xiubli(a)redhat.com> ceph: remove the incorrect Fw reference check when dirtying pages Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ceph: fix a memory leak on cap_auths in MDS client Stefan Wahren <wahrenst(a)gmx.net> mailbox: bcm2835: Fix timeout during suspend mode Liao Chen <liaochen4(a)huawei.com> mailbox: rockchip: fix a typo in module autoloading Geert Uytterhoeven <geert+renesas(a)glider.be> mailbox: ARM_MHU_V3 should depend on ARM64 Tobias Jakobi <tjakobi(a)math.uni-bielefeld.de> drm/amd/display: handle nulled pipe context in DCE110's set_drr() Asad Kamal <asad.kamal(a)amd.com> drm/amdgpu: Fix get each xcp macro Imre Deak <imre.deak(a)intel.com> drm/i915/dp: Fix AUX IO power enabling for eDP PSR Daniel Wagner <dwagner(a)suse.de> scsi: pm8001: Do not overwrite PCI queue mapping Rafael Rocha <rrochavi(a)fnal.gov> scsi: st: Fix input/output error on empty drive reset Peter Zijlstra <peterz(a)infradead.org> jump_label: Fix static_key_slow_dec() yet again Thomas Gleixner <tglx(a)linutronix.de> jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() Thomas Gleixner <tglx(a)linutronix.de> static_call: Replace pointless WARN_ON() in static_call_module_notify() Thomas Gleixner <tglx(a)linutronix.de> static_call: Handle module init failure correctly in static_call_del_module() ------------- Diffstat: Documentation/ABI/testing/sysfs-fs-f2fs | 22 + Documentation/admin-guide/kernel-parameters.txt | 10 + Documentation/arch/arm64/silicon-errata.rst | 6 + .../devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 +- .../networking/net_cachelines/net_device.rst | 2 +- Makefile | 4 +- arch/arm/crypto/aes-ce-glue.c | 2 +- arch/arm/crypto/aes-neonbs-glue.c | 2 +- arch/arm64/Kconfig | 7 +- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/kvm_host.h | 25 +- arch/arm64/kernel/cpu_errata.c | 3 + arch/arm64/mm/trans_pgd.c | 6 +- arch/loongarch/configs/loongson3_defconfig | 1 - arch/parisc/include/asm/mman.h | 14 + arch/parisc/kernel/entry.S | 6 +- arch/parisc/kernel/syscall.S | 14 +- arch/powerpc/configs/ppc64_defconfig | 1 - arch/powerpc/include/asm/vdso_datapage.h | 15 + arch/powerpc/kernel/asm-offsets.c | 2 + arch/powerpc/kernel/vdso/cacheflush.S | 2 +- arch/powerpc/kernel/vdso/datapage.S | 4 +- arch/powerpc/platforms/pseries/dlpar.c | 17 - arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +- arch/powerpc/platforms/pseries/hotplug-memory.c | 16 +- arch/powerpc/platforms/pseries/pmem.c | 2 +- arch/riscv/Kconfig | 8 +- arch/riscv/include/asm/thread_info.h | 7 +- arch/x86/crypto/sha256-avx2-asm.S | 16 +- arch/x86/events/core.c | 63 + arch/x86/include/asm/apic.h | 8 - arch/x86/include/asm/fpu/signal.h | 2 +- arch/x86/include/asm/syscall.h | 7 +- arch/x86/kernel/apic/apic_flat_64.c | 119 +- arch/x86/kernel/apic/io_apic.c | 46 +- arch/x86/kernel/cpu/bugs.c | 14 +- arch/x86/kernel/cpu/common.c | 4 +- arch/x86/kernel/fpu/signal.c | 6 +- arch/x86/kernel/machine_kexec_64.c | 27 + arch/x86/kernel/signal.c | 3 +- arch/x86/kernel/signal_64.c | 6 +- arch/x86/mm/ident_map.c | 23 +- block/blk-iocost.c | 8 +- block/ioctl.c | 9 +- crypto/simd.c | 76 +- drivers/accel/ivpu/ivpu_fw.c | 4 + drivers/acpi/acpi_pad.c | 6 +- drivers/acpi/acpica/dbconvert.c | 2 + drivers/acpi/acpica/exprep.c | 3 + drivers/acpi/acpica/psargs.c | 47 + drivers/acpi/apei/einj-cxl.c | 2 +- drivers/acpi/battery.c | 28 +- drivers/acpi/cppc_acpi.c | 10 +- drivers/acpi/ec.c | 55 +- drivers/acpi/resource.c | 22 +- drivers/acpi/video_detect.c | 17 + drivers/ata/pata_serverworks.c | 16 +- drivers/ata/sata_sil.c | 12 +- drivers/block/aoe/aoecmd.c | 13 +- drivers/block/loop.c | 15 +- drivers/bluetooth/btmrvl_sdio.c | 3 +- drivers/bluetooth/btrtl.c | 1 + drivers/bluetooth/btusb.c | 2 + drivers/clk/qcom/clk-alpha-pll.c | 2 +- drivers/clk/qcom/clk-rpmh.c | 2 + drivers/clk/qcom/dispcc-sm8250.c | 3 + drivers/clk/qcom/gcc-sc8180x.c | 88 +- drivers/clk/qcom/gcc-sm8250.c | 6 +- drivers/clk/qcom/gcc-sm8450.c | 4 +- drivers/clk/rockchip/clk.c | 3 +- drivers/clk/samsung/clk-exynos7885.c | 2 +- drivers/cpufreq/intel_pstate.c | 16 +- drivers/crypto/hisilicon/sgl.c | 14 +- drivers/crypto/marvell/Kconfig | 2 + drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 265 +-- drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 256 +- drivers/firmware/sysfb.c | 4 +- drivers/firmware/tegra/bpmp.c | 6 - drivers/gpio/gpio-davinci.c | 8 +- drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 10 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 35 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 +- drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 45 +- drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 6 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 50 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 50 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 +- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_int_process_v9.c | 18 +- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 5 +- drivers/gpu/drm/amd/amdkfd/soc15_int.h | 1 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 31 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 - .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 +- drivers/gpu/drm/amd/display/dc/dc_types.h | 1 + .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 + .../gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 + .../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- .../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- .../gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 7 +- drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 - .../amd/display/dc/dml2/dml2_translation_helper.c | 20 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 19 +- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 3 +- .../drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c | 7 +- .../drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c | 11 +- .../amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 12 + drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 +- .../amd/display/dc/resource/dcn20/dcn20_resource.c | 3 +- .../display/dc/resource/dcn201/dcn201_resource.c | 4 +- .../amd/display/dc/resource/dcn21/dcn21_resource.c | 3 +- .../amd/display/dc/resource/dcn32/dcn32_resource.c | 7 +- .../drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 + drivers/gpu/drm/drm_atomic_uapi.c | 2 +- drivers/gpu/drm/drm_print.c | 13 +- drivers/gpu/drm/i915/display/intel_ddi.c | 2 +- drivers/gpu/drm/i915/display/intel_dp.c | 9 +- drivers/gpu/drm/i915/display/intel_psr.c | 19 + drivers/gpu/drm/i915/display/intel_psr.h | 2 + drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +- drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 + drivers/gpu/drm/msm/msm_gpu.c | 1 - drivers/gpu/drm/omapdrm/omap_drv.c | 5 + drivers/gpu/drm/panthor/panthor_mmu.c | 8 + drivers/gpu/drm/panthor/panthor_sched.c | 36 +- drivers/gpu/drm/radeon/r100.c | 70 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 + drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 2 + drivers/gpu/drm/scheduler/sched_entity.c | 14 +- drivers/gpu/drm/scheduler/sched_main.c | 7 +- drivers/gpu/drm/stm/drv.c | 3 +- drivers/gpu/drm/stm/ltdc.c | 76 +- drivers/gpu/drm/v3d/v3d_submit.c | 6 + drivers/gpu/drm/xe/display/xe_hdcp_gsc.c | 8 +- drivers/gpu/drm/xe/xe_bo.c | 4 +- drivers/gpu/drm/xe/xe_device.c | 6 +- drivers/gpu/drm/xe/xe_device_types.h | 3 + drivers/gpu/drm/xe/xe_gpu_scheduler.c | 5 + drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 + drivers/gpu/drm/xe/xe_gt_pagefault.c | 55 +- drivers/gpu/drm/xe/xe_gt_types.h | 9 +- drivers/gpu/drm/xe/xe_guc_pc.c | 2 +- drivers/gpu/drm/xe/xe_guc_submit.c | 29 +- drivers/gpu/drm/xe/xe_guc_types.h | 11 +- drivers/gpu/drm/xe/xe_pci.c | 2 + drivers/hid/hid-ids.h | 17 +- drivers/hid/hid-input.c | 37 +- drivers/hid/hid-multitouch.c | 6 + drivers/hid/i2c-hid/i2c-hid-core.c | 42 +- drivers/hwmon/nct6775-platform.c | 1 + drivers/i2c/busses/i2c-designware-common.c | 14 + drivers/i2c/busses/i2c-designware-core.h | 1 + drivers/i2c/busses/i2c-designware-master.c | 38 + drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-stm32f7.c | 6 +- drivers/i2c/busses/i2c-synquacer.c | 5 +- drivers/i2c/busses/i2c-xiic.c | 69 +- drivers/i2c/i2c-core-base.c | 28 + drivers/i3c/master/svc-i3c-master.c | 1 + drivers/iio/magnetometer/ak8975.c | 32 +- drivers/iio/pressure/bmp280-core.c | 150 +- drivers/iio/pressure/bmp280-regmap.c | 47 +- drivers/iio/pressure/bmp280-spi.c | 4 +- drivers/iio/pressure/bmp280.h | 46 +- drivers/infiniband/hw/mana/main.c | 8 +- drivers/input/keyboard/adp5589-keys.c | 22 +- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 37 +- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h | 1 + drivers/iommu/intel/dmar.c | 16 +- drivers/iommu/intel/iommu.c | 6 +- drivers/iommu/intel/pasid.c | 12 +- drivers/mailbox/Kconfig | 1 + drivers/mailbox/bcm2835-mailbox.c | 3 +- drivers/mailbox/rockchip-mailbox.c | 2 +- drivers/media/common/videobuf2/videobuf2-core.c | 7 - drivers/media/i2c/ar0521.c | 5 +- drivers/media/i2c/imx335.c | 9 +- drivers/media/i2c/ov5675.c | 12 +- drivers/media/platform/qcom/camss/camss-video.c | 6 - drivers/media/platform/qcom/camss/camss.c | 5 +- drivers/media/platform/qcom/venus/core.c | 1 + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 + drivers/memory/tegra/tegra186-emc.c | 5 - drivers/net/can/dev/netlink.c | 102 +- .../net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- drivers/net/ethernet/freescale/fec.h | 9 + drivers/net/ethernet/freescale/fec_main.c | 11 +- drivers/net/ethernet/freescale/fec_ptp.c | 50 + drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + drivers/net/ethernet/intel/e1000e/netdev.c | 19 +- drivers/net/ethernet/intel/ice/ice_sched.c | 6 +- drivers/net/ethernet/lantiq_etop.c | 4 +- drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 + .../net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +- drivers/net/ethernet/microsoft/Kconfig | 2 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 10 +- drivers/net/ethernet/microsoft/mana/hw_channel.c | 14 +- drivers/net/ethernet/microsoft/mana/mana_en.c | 8 +- drivers/net/ethernet/microsoft/mana/shm_channel.c | 13 +- .../net/ethernet/netronome/nfp/nfp_net_common.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 31 +- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 + drivers/net/ieee802154/Kconfig | 1 + drivers/net/ieee802154/mcr20a.c | 5 +- drivers/net/pcs/pcs-xpcs-wx.c | 2 +- drivers/net/phy/phy.c | 17 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/vrf.c | 2 + drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath9k/debug.c | 4 +- drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +- drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 5 + drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 + drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 2 + drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 +- drivers/net/wireless/intel/iwlwifi/fw/uefi.h | 2 - drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 +- drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 +- drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/scan.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +- drivers/net/wireless/realtek/rtw88/Kconfig | 1 + drivers/net/wireless/realtek/rtw89/core.h | 18 +- drivers/net/wireless/realtek/rtw89/mac80211.c | 4 +- drivers/net/wireless/realtek/rtw89/phy.c | 4 +- drivers/net/wireless/realtek/rtw89/util.h | 18 + drivers/net/wwan/qcom_bam_dmux.c | 11 +- drivers/net/xen-netback/hash.c | 5 +- drivers/nvme/common/keyring.c | 58 +- drivers/nvme/host/Kconfig | 3 +- drivers/nvme/host/core.c | 1 - drivers/nvme/host/fabrics.c | 2 +- drivers/nvme/host/nvme.h | 2 +- drivers/nvme/host/sysfs.c | 4 +- drivers/nvme/host/tcp.c | 55 +- drivers/of/address.c | 5 + drivers/of/irq.c | 38 +- drivers/perf/arm_spe_pmu.c | 9 +- drivers/perf/riscv_pmu_legacy.c | 4 +- drivers/perf/riscv_pmu_sbi.c | 4 +- drivers/platform/mellanox/mlxbf-pmc.c | 5 + drivers/platform/x86/amd/pmf/pmf-quirks.c | 8 + .../x86/intel/speed_select_if/isst_if_common.c | 4 +- drivers/platform/x86/lenovo-ymc.c | 2 + drivers/platform/x86/touchscreen_dmi.c | 26 + drivers/platform/x86/x86-android-tablets/core.c | 6 +- drivers/platform/x86/x86-android-tablets/other.c | 10 +- drivers/pmdomain/core.c | 5 +- drivers/power/reset/brcmstb-reboot.c | 3 - drivers/power/supply/power_supply_hwmon.c | 3 +- drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 +- drivers/rtc/rtc-at91sam9.c | 1 + drivers/scsi/NCR5380.c | 4 + drivers/scsi/aacraid/aacraid.h | 2 +- drivers/scsi/lpfc/lpfc.h | 12 +- drivers/scsi/lpfc/lpfc_els.c | 73 +- drivers/scsi/lpfc/lpfc_hbadisc.c | 14 +- drivers/scsi/lpfc/lpfc_nportdisc.c | 22 +- drivers/scsi/lpfc/lpfc_scsi.c | 13 +- drivers/scsi/lpfc/lpfc_sli.c | 11 + drivers/scsi/pm8001/pm8001_init.c | 6 +- drivers/scsi/smartpqi/smartpqi_init.c | 130 +- drivers/scsi/st.c | 5 +- drivers/spi/spi-bcm63xx.c | 9 +- drivers/spi/spi-cadence.c | 8 +- drivers/spi/spi-imx.c | 2 +- drivers/spi/spi-rpc-if.c | 7 + drivers/spi/spi-s3c64xx.c | 4 +- drivers/vhost/scsi.c | 25 +- drivers/video/fbdev/efifb.c | 11 +- drivers/video/fbdev/pxafb.c | 1 + fs/afs/file.c | 1 + fs/afs/fs_operation.c | 2 +- fs/btrfs/backref.c | 12 +- fs/btrfs/disk-io.c | 11 + fs/btrfs/relocation.c | 77 +- fs/btrfs/send.c | 23 +- fs/cachefiles/namei.c | 7 +- fs/ceph/addr.c | 6 +- fs/ceph/mds_client.c | 12 + fs/dax.c | 6 +- fs/exec.c | 3 +- fs/exfat/balloc.c | 10 +- fs/ext4/dir.c | 14 +- fs/ext4/extents.c | 55 +- fs/ext4/fast_commit.c | 49 +- fs/ext4/file.c | 8 +- fs/ext4/inode.c | 11 +- fs/ext4/migrate.c | 2 +- fs/ext4/move_extent.c | 1 - fs/ext4/namei.c | 14 +- fs/ext4/resize.c | 18 +- fs/ext4/super.c | 14 +- fs/ext4/xattr.c | 3 +- fs/f2fs/f2fs.h | 31 +- fs/f2fs/gc.c | 85 +- fs/f2fs/gc.h | 23 + fs/f2fs/segment.c | 31 +- fs/f2fs/super.c | 8 + fs/f2fs/sysfs.c | 18 + fs/file.c | 93 +- fs/inode.c | 10 +- fs/iomap/buffered-io.c | 16 +- fs/jbd2/checkpoint.c | 21 +- fs/jbd2/journal.c | 4 +- fs/jfs/jfs_discard.c | 11 +- fs/jfs/jfs_dmap.c | 7 +- fs/jfs/xattr.c | 2 + fs/netfs/write_issue.c | 6 +- fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +- fs/nfsd/nfs4state.c | 6 +- fs/nfsd/nfs4xdr.c | 10 +- fs/nfsd/nfsctl.c | 2 +- fs/nfsd/nfssvc.c | 2 +- fs/nfsd/vfs.c | 1 + fs/nfsd/xdr4.h | 1 + fs/ocfs2/aops.c | 5 +- fs/ocfs2/buffer_head_io.c | 4 +- fs/ocfs2/journal.c | 7 +- fs/ocfs2/localalloc.c | 19 + fs/ocfs2/quota_local.c | 8 +- fs/ocfs2/refcounttree.c | 26 +- fs/ocfs2/xattr.c | 11 +- fs/overlayfs/copy_up.c | 43 +- fs/overlayfs/params.c | 38 +- fs/proc/base.c | 61 +- fs/proc/proc_sysctl.c | 11 +- fs/smb/client/cifsfs.c | 13 +- fs/smb/client/cifsglob.h | 2 +- fs/smb/client/inode.c | 19 +- fs/smb/client/reparse.c | 16 +- fs/smb/client/smb1ops.c | 2 +- fs/smb/client/smb2inode.c | 24 +- fs/smb/client/smb2ops.c | 19 +- fs/smb/server/connection.c | 4 +- fs/smb/server/connection.h | 1 + fs/smb/server/oplock.c | 55 +- fs/smb/server/vfs_cache.c | 3 + include/crypto/internal/simd.h | 12 +- include/drm/drm_print.h | 54 +- include/drm/gpu_scheduler.h | 2 +- include/dt-bindings/clock/exynos7885.h | 2 +- include/dt-bindings/clock/qcom,gcc-sc8180x.h | 1 + include/linux/cpufreq.h | 6 +- include/linux/fdtable.h | 8 +- include/linux/i2c.h | 3 + include/linux/netdevice.h | 22 +- include/linux/nvme-keyring.h | 6 +- include/linux/perf_event.h | 8 +- include/linux/sched.h | 2 + include/linux/sunrpc/svc.h | 4 +- include/linux/uprobes.h | 2 + include/linux/virtio_net.h | 4 +- include/net/mana/gdma.h | 10 +- include/net/mana/mana.h | 3 +- include/trace/events/netfs.h | 1 + include/uapi/linux/cec.h | 6 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- io_uring/io_uring.c | 5 +- io_uring/net.c | 4 +- kernel/bpf/verifier.c | 119 +- kernel/cgroup/cgroup-v1.c | 12 +- kernel/events/core.c | 33 +- kernel/events/uprobes.c | 4 +- kernel/fork.c | 32 +- kernel/jump_label.c | 52 +- kernel/rcu/rcuscale.c | 4 +- kernel/rcu/tasks.h | 82 +- kernel/resource.c | 58 +- kernel/sched/core.c | 23 +- kernel/sched/psi.c | 26 +- kernel/static_call_inline.c | 13 +- kernel/trace/trace_hwlat.c | 2 + kernel/trace/trace_osnoise.c | 22 +- lib/buildid.c | 88 +- mm/Kconfig | 25 +- mm/slab_common.c | 7 + mm/slub.c | 100 +- net/bluetooth/hci_core.c | 2 + net/bluetooth/hci_event.c | 15 +- net/bluetooth/l2cap_core.c | 8 - net/bluetooth/mgmt.c | 23 +- net/bridge/br_mdb.c | 2 +- net/core/dev.c | 14 +- net/core/gro.c | 9 +- net/core/net-sysfs.c | 6 +- net/core/netdev-genl.c | 8 +- net/core/netpoll.c | 15 +- net/dsa/dsa.c | 7 + net/ipv4/devinet.c | 6 +- net/ipv4/fib_frontend.c | 2 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/netfilter/nf_dup_ipv4.c | 7 +- net/ipv4/tcp_ipv4.c | 3 + net/ipv4/tcp_offload.c | 10 +- net/ipv4/udp_offload.c | 22 +- net/ipv6/netfilter/nf_dup_ipv6.c | 7 +- net/ipv6/tcpv6_offload.c | 10 +- net/mac80211/chan.c | 4 +- net/mac80211/mlme.c | 2 +- net/mac80211/scan.c | 2 +- net/mac80211/util.c | 4 +- net/mac802154/scan.c | 4 +- net/ncsi/ncsi-manage.c | 2 + net/rxrpc/ar-internal.h | 2 +- net/rxrpc/io_thread.c | 10 +- net/rxrpc/local_object.c | 2 +- net/sched/sch_taprio.c | 4 +- net/sctp/socket.c | 4 +- net/sunrpc/svc.c | 31 +- net/tipc/bearer.c | 8 +- net/wireless/nl80211.c | 15 +- rust/kernel/sync/locked_by.rs | 18 +- scripts/gdb/linux/proc.py | 4 +- scripts/gdb/linux/rbtree.py | 12 + scripts/gdb/linux/timerlist.py | 31 +- scripts/kconfig/qconf.cc | 2 +- security/Kconfig | 32 + security/tomoyo/domain.c | 9 +- sound/core/control.c | 55 +- sound/core/control_compat.c | 45 +- sound/core/init.c | 14 +- sound/core/oss/mixer_oss.c | 4 +- sound/isa/gus/gus_pcm.c | 4 +- sound/pci/asihpi/hpimsgx.c | 2 +- sound/pci/hda/hda_controller.h | 2 +- sound/pci/hda/hda_generic.c | 4 +- sound/pci/hda/hda_intel.c | 10 +- sound/pci/hda/patch_conexant.c | 24 +- sound/pci/hda/patch_realtek.c | 5 + sound/pci/rme9652/hdsp.c | 6 +- sound/pci/rme9652/hdspm.c | 6 +- sound/soc/atmel/mchp-pdmc.c | 3 + sound/soc/codecs/wsa883x.c | 16 +- sound/soc/fsl/imx-card.c | 1 + sound/soc/intel/boards/bytcht_cx2072x.c | 4 + sound/soc/intel/boards/bytcht_da7213.c | 4 + sound/soc/intel/boards/bytcht_es8316.c | 2 +- sound/soc/intel/boards/bytcr_rt5640.c | 2 +- sound/soc/intel/boards/bytcr_rt5651.c | 2 +- sound/soc/intel/boards/cht_bsw_rt5645.c | 4 + sound/soc/intel/boards/cht_bsw_rt5672.c | 4 + sound/soc/intel/boards/sof_es8336.c | 2 +- sound/soc/intel/boards/sof_wm8804.c | 4 + sound/usb/card.c | 8 + sound/usb/clock.c | 62 +- sound/usb/format.c | 6 +- sound/usb/helper.c | 34 + sound/usb/helper.h | 10 +- sound/usb/line6/podhd.c | 2 +- sound/usb/mixer.c | 37 +- sound/usb/mixer.h | 1 + sound/usb/mixer_quirks.c | 430 +++- sound/usb/mixer_scarlett.c | 4 +- sound/usb/power.c | 3 +- sound/usb/power.h | 1 + sound/usb/quirks-table.h | 2455 +++++++------------- sound/usb/quirks.c | 62 + sound/usb/stream.c | 21 +- sound/usb/usbaudio.h | 12 + tools/arch/x86/kcpuid/kcpuid.c | 12 +- tools/bpf/bpftool/net.c | 11 +- tools/hv/hv_fcopy_uio_daemon.c | 7 + tools/include/nolibc/arch-powerpc.h | 2 +- tools/perf/util/hist.c | 7 +- tools/perf/util/machine.c | 17 +- tools/perf/util/setup.py | 2 + tools/perf/util/thread.c | 4 + tools/perf/util/thread.h | 1 + .../breakpoints/step_after_suspend_test.c | 5 +- .../selftests/devices/test_discoverable_devices.py | 4 +- tools/testing/selftests/hid/Makefile | 2 + .../selftests/mm/charge_reserved_hugetlb.sh | 2 +- tools/testing/selftests/mm/mseal_test.c | 57 +- tools/testing/selftests/mm/write_to_hugetlbfs.c | 23 +- .../selftests/net/netfilter/conntrack_dump_flush.c | 1 + tools/testing/selftests/net/netfilter/nft_audit.sh | 57 +- tools/testing/selftests/nolibc/nolibc-test.c | 4 +- tools/testing/selftests/vDSO/parse_vdso.c | 17 +- tools/testing/selftests/vDSO/vdso_config.h | 10 +- .../testing/selftests/vDSO/vdso_test_correctness.c | 6 + tools/tracing/rtla/Makefile.rtla | 2 +- tools/tracing/rtla/src/osnoise_top.c | 2 +- tools/tracing/rtla/src/timerlat_top.c | 4 +- 512 files changed, 6151 insertions(+), 4351 deletions(-)

6 months, 3 weeks

17
502
0 0

[PATCH] drm/xe/ufence: ufence can be signaled right after wait_woken

by Nirmoy Das

do_comapre() can return success after wait_woken() which is treated as -ETIME here. Fixes: e670f0b4ef24 ("drm/xe/uapi: Return correct error code for xe_wait_user_fence_ioctl") Cc: <stable(a)vger.kernel.org> # v6.8+ Cc: Bommu Krishnaiah <krishnaiah.bommu(a)intel.com> Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1630 Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Signed-off-by: Nirmoy Das <nirmoy.das(a)intel.com> --- drivers/gpu/drm/xe/xe_wait_user_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_wait_user_fence.c b/drivers/gpu/drm/xe/xe_wait_user_fence.c index d46fa8374980..d532283d4aa3 100644 --- a/drivers/gpu/drm/xe/xe_wait_user_fence.c +++ b/drivers/gpu/drm/xe/xe_wait_user_fence.c @@ -169,7 +169,7 @@ int xe_wait_user_fence_ioctl(struct drm_device *dev, void *data, args->timeout = 0; } - if (!timeout && !(err < 0)) + if (!timeout && err < 0) err = -ETIME; if (q) -- 2.46.0

6 months, 3 weeks

2
3
0 0

[PATCH] ASoC: qcom: sdm845: add missing soundwire runtime stream alloc

by Alexey Klimov

During the migration of Soundwire runtime stream allocation from the Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845 soundcard was forgotten. At this point any playback attempt or audio daemon startup, for instance on sdm845-db845c (Qualcomm RB3 board), will result in stream pointer NULL dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000 [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: ... CPU: 5 UID: 0 PID: 1198 Comm: aplay Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18 Hardware name: Thundercomm Dragonboard 845c (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus] lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus] sp : ffff80008a2035c0 x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000 x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800 x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003 x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000 x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003 x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8 Call trace: sdw_stream_add_slave+0x44/0x380 [soundwire_bus] wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x] snd_soc_dai_hw_params+0x3c/0xa4 __soc_pcm_hw_params+0x230/0x660 dpcm_be_dai_hw_params+0x1d0/0x3f8 dpcm_fe_dai_hw_params+0x98/0x268 snd_pcm_hw_params+0x124/0x460 snd_pcm_common_ioctl+0x998/0x16e8 snd_pcm_ioctl+0x34/0x58 __arm64_sys_ioctl+0xac/0xf8 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xe0 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 Code: aa0403fb f9418400 9100e000 9400102f (f8420f22) ---[ end trace 0000000000000000 ]--- 0000000000006108 <sdw_stream_add_slave>: 6108: d503233f paciasp 610c: a9b97bfd stp x29, x30, [sp, #-112]! 6110: 910003fd mov x29, sp 6114: a90153f3 stp x19, x20, [sp, #16] 6118: a9025bf5 stp x21, x22, [sp, #32] 611c: aa0103f6 mov x22, x1 6120: 2a0303f5 mov w21, w3 6124: a90363f7 stp x23, x24, [sp, #48] 6128: aa0003f8 mov x24, x0 612c: aa0203f7 mov x23, x2 6130: a9046bf9 stp x25, x26, [sp, #64] 6134: aa0403f9 mov x25, x4 <-- x4 copied to x25 6138: a90573fb stp x27, x28, [sp, #80] 613c: aa0403fb mov x27, x4 6140: f9418400 ldr x0, [x0, #776] 6144: 9100e000 add x0, x0, #0x38 6148: 94000000 bl 0 <mutex_lock> 614c: f8420f22 ldr x2, [x25, #32]! <-- offset 0x44 ^^^ This is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave() where data abort happens. wsa881x_hw_params() is called with stream = NULL and passes it further in register x4 (5th argument) to sdw_stream_add_slave() without any checks. Value from x4 is copied to x25 and finally it aborts on trying to load a value from address in x25 plus offset 32 (in dec) which corresponds to master_list member in struct sdw_stream_runtime: struct sdw_stream_runtime { const char * name; /* 0 8 */ struct sdw_stream_params params; /* 8 12 */ enum sdw_stream_state state; /* 20 4 */ enum sdw_stream_type type; /* 24 4 */ /* XXX 4 bytes hole, try to pack */ here-> struct list_head master_list; /* 32 16 */ int m_rt_count; /* 48 4 */ /* size: 56, cachelines: 1, members: 6 */ /* sum members: 48, holes: 1, sum holes: 4 */ /* padding: 4 */ /* last cacheline: 56 bytes */ Fix this by adding required calls to qcom_snd_sdw_startup() and sdw_release_stream() to startup and shutdown routines which restores the previous correct behaviour when ->set_stream() method is called to set a valid stream runtime pointer on playback startup. Reproduced and then fix was tested on db845c RB3 board. Reported-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Cc: stable(a)vger.kernel.org Fixes: 15c7fab0e047 ("ASoC: qcom: Move Soundwire runtime stream alloc to soundcards") Cc: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Cc: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Cc: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Cc: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Signed-off-by: Alexey Klimov <alexey.klimov(a)linaro.org> --- sound/soc/qcom/sdm845.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sound/soc/qcom/sdm845.c b/sound/soc/qcom/sdm845.c index 75701546b6ea..a479d7e5b7fb 100644 --- a/sound/soc/qcom/sdm845.c +++ b/sound/soc/qcom/sdm845.c @@ -15,6 +15,7 @@ #include <uapi/linux/input-event-codes.h> #include "common.h" #include "qdsp6/q6afe.h" +#include "sdw.h" #include "../codecs/rt5663.h" #define DRIVER_NAME "sdm845" @@ -416,7 +417,7 @@ static int sdm845_snd_startup(struct snd_pcm_substream *substream) pr_err("%s: invalid dai id 0x%x\n", __func__, cpu_dai->id); break; } - return 0; + return qcom_snd_sdw_startup(substream); } static void sdm845_snd_shutdown(struct snd_pcm_substream *substream) @@ -425,6 +426,7 @@ static void sdm845_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_card *card = rtd->card; struct sdm845_snd_data *data = snd_soc_card_get_drvdata(card); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); + struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; switch (cpu_dai->id) { case PRIMARY_MI2S_RX: @@ -463,6 +465,9 @@ static void sdm845_snd_shutdown(struct snd_pcm_substream *substream) pr_err("%s: invalid dai id 0x%x\n", __func__, cpu_dai->id); break; } + + data->sruntime[cpu_dai->id] = NULL; + sdw_release_stream(sruntime); } static int sdm845_snd_prepare(struct snd_pcm_substream *substream) -- 2.45.2

6 months, 3 weeks

5
6
0 0

[PATCH V2] x86/apic: Stop the TSC Deadline timer during lapic timer shutdown

by Zhang Rui

This 12-year-old bug prevents some modern processors from achieving maximum power savings during suspend. For example, Lunar Lake systems gets 0% package C-states during suspend to idle and this causes energy star compliance tests to fail. According to Intel SDM, for the local APIC timer, 1. "The initial-count register is a read-write register. A write of 0 to the initial-count register effectively stops the local APIC timer, in both one-shot and periodic mode." 2. "In TSC deadline mode, writes to the initial-count register are ignored; and current-count register always reads 0. Instead, timer behavior is controlled using the IA32_TSC_DEADLINE MSR." "In TSC-deadline mode, writing 0 to the IA32_TSC_DEADLINE MSR disarms the local-APIC timer." Stop the TSC Deadline timer in lapic_timer_shutdown() by writing 0 to MSR_IA32_TSC_DEADLINE. Cc: stable(a)vger.kernel.org Fixes: 279f1461432c ("x86: apic: Use tsc deadline for oneshot when available") Signed-off-by: Zhang Rui <rui.zhang(a)intel.com> --- Changes since V1 - improve changelog --- arch/x86/kernel/apic/apic.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c index 6513c53c9459..d1006531729a 100644 --- a/arch/x86/kernel/apic/apic.c +++ b/arch/x86/kernel/apic/apic.c @@ -441,6 +441,10 @@ static int lapic_timer_shutdown(struct clock_event_device *evt) v |= (APIC_LVT_MASKED | LOCAL_TIMER_VECTOR); apic_write(APIC_LVTT, v); apic_write(APIC_TMICT, 0); + + if (boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER)) + wrmsrl(MSR_IA32_TSC_DEADLINE, 0); + return 0; } -- 2.34.1

6 months, 3 weeks

6
13
0 0

[PATCH 4.19] wifi: mac80211: sdata can be NULL during AMPDU start

by hsimeliere.opensource＠witekio.com

From: Alexander Wetzel <alexander(a)wetzel-home.de> commit 69403bad97aa0162e3d7911b27e25abe774093df upstream. ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a deauthentication is ongoing. Here a trace triggering the race with the hostapd test multi_ap_fronthaul_on_ap: (gdb) list *drv_ampdu_action+0x46 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 might_sleep(); 394 395 sdata = get_bss_sdata(sdata); 396 if (!check_sdata_in_driver(sdata)) 397 return -EIO; 398 399 trace_drv_ampdu_action(local, sdata, params); 400 wlan0: moving STA 02:00:00:00:03:00 to state 3 wlan0: associated wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING) wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0 wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port) wlan0: moving STA 02:00:00:00:03:00 to state 2 wlan0: moving STA 02:00:00:00:03:00 to state 1 wlan0: Removed STA 02:00:00:00:03:00 wlan0: Destroyed STA 02:00:00:00:03:00 BUG: unable to handle page fault for address: fffffffffffffb48 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 Workqueue: phy3 ieee80211_ba_session_work [mac80211] RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211] Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85 RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287 RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240 RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40 RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0 R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8 FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0 Call Trace: <TASK> ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211] ieee80211_ba_session_work+0xff/0x2e0 [mac80211] process_one_work+0x29f/0x620 worker_thread+0x4d/0x3d0 ? process_one_work+0x620/0x620 kthread+0xfb/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> Signed-off-by: Alexander Wetzel <alexander(a)wetzel-home.de> Link: https://lore.kernel.org/r/20221230121850.218810-2-alexander@wetzel-home.de Cc: stable(a)vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Bruno VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- net/mac80211/agg-tx.c | 6 +++++- net/mac80211/driver-ops.c | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index 79138225e880..43e8c6b0618a 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -455,7 +455,7 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) { struct tid_ampdu_tx *tid_tx; struct ieee80211_local *local = sta->local; - struct ieee80211_sub_if_data *sdata = sta->sdata; + struct ieee80211_sub_if_data *sdata; struct ieee80211_ampdu_params params = { .sta = &sta->sta, .action = IEEE80211_AMPDU_TX_START, @@ -486,9 +486,13 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) */ synchronize_net(); + sdata = sta->sdata; params.ssn = sta->tid_seq[tid] >> 4; ret = drv_ampdu_action(local, sdata, &params); if (ret) { + if (!sdata) + return; + ht_dbg(sdata, "BA request denied - HW unavailable for %pM tid %d\n", sta->sta.addr, tid); diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c index 9f0f437a09b9..208ee342eb27 100644 --- a/net/mac80211/driver-ops.c +++ b/net/mac80211/driver-ops.c @@ -313,6 +313,9 @@ int drv_ampdu_action(struct ieee80211_local *local, might_sleep(); + if (!sdata) + return -EIO; + sdata = get_bss_sdata(sdata); if (!check_sdata_in_driver(sdata)) return -EIO; -- 2.43.0

6 months, 3 weeks

1
0
0 0

[PATCH 5.4] wifi: mac80211: sdata can be NULL during AMPDU start

by hsimeliere.opensource＠witekio.com

From: Alexander Wetzel <alexander(a)wetzel-home.de> commit 69403bad97aa0162e3d7911b27e25abe774093df upstream. ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a deauthentication is ongoing. Here a trace triggering the race with the hostapd test multi_ap_fronthaul_on_ap: (gdb) list *drv_ampdu_action+0x46 0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396). 391 int ret = -EOPNOTSUPP; 392 393 might_sleep(); 394 395 sdata = get_bss_sdata(sdata); 396 if (!check_sdata_in_driver(sdata)) 397 return -EIO; 398 399 trace_drv_ampdu_action(local, sdata, params); 400 wlan0: moving STA 02:00:00:00:03:00 to state 3 wlan0: associated wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING) wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0 wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port) wlan0: moving STA 02:00:00:00:03:00 to state 2 wlan0: moving STA 02:00:00:00:03:00 to state 1 wlan0: Removed STA 02:00:00:00:03:00 wlan0: Destroyed STA 02:00:00:00:03:00 BUG: unable to handle page fault for address: fffffffffffffb48 PGD 11814067 P4D 11814067 PUD 11816067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 Workqueue: phy3 ieee80211_ba_session_work [mac80211] RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211] Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85 RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287 RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240 RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40 RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0 R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8 FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0 Call Trace: <TASK> ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211] ieee80211_ba_session_work+0xff/0x2e0 [mac80211] process_one_work+0x29f/0x620 worker_thread+0x4d/0x3d0 ? process_one_work+0x620/0x620 kthread+0xfb/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> Signed-off-by: Alexander Wetzel <alexander(a)wetzel-home.de> Link: https://lore.kernel.org/r/20221230121850.218810-2-alexander@wetzel-home.de Cc: stable(a)vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Bruno VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- net/mac80211/agg-tx.c | 6 +++++- net/mac80211/driver-ops.c | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index f30cdd7f3a73..52712a47463e 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -489,7 +489,7 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) { struct tid_ampdu_tx *tid_tx; struct ieee80211_local *local = sta->local; - struct ieee80211_sub_if_data *sdata = sta->sdata; + struct ieee80211_sub_if_data *sdata; struct ieee80211_ampdu_params params = { .sta = &sta->sta, .action = IEEE80211_AMPDU_TX_START, @@ -519,10 +519,14 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) */ synchronize_net(); + sdata = sta->sdata; params.ssn = sta->tid_seq[tid] >> 4; ret = drv_ampdu_action(local, sdata, &params); tid_tx->ssn = params.ssn; if (ret) { + if (!sdata) + return; + ht_dbg(sdata, "BA request denied - HW unavailable for %pM tid %d\n", sta->sta.addr, tid); diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c index 48322e45e7dd..120bd9cdf7df 100644 --- a/net/mac80211/driver-ops.c +++ b/net/mac80211/driver-ops.c @@ -331,6 +331,9 @@ int drv_ampdu_action(struct ieee80211_local *local, might_sleep(); + if (!sdata) + return -EIO; + sdata = get_bss_sdata(sdata); if (!check_sdata_in_driver(sdata)) return -EIO; -- 2.43.0

6 months, 3 weeks

1
0
0 0

[PATCH v3 3/8] media: qcom: camss: Fix potential crash if domain attach fails

by Vikram Sharma

Fix a potential crash in camss by ensuring detach is skipped if attach is unsuccessful. Fixes: d89751c61279 ("media: qcom: camss: Add support for named power-domains") CC: stable(a)vger.kernel.org Signed-off-by: Vikram Sharma <quic_vikramsa(a)quicinc.com> --- drivers/media/platform/qcom/camss/camss.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c index d64985ca6e88..b6658df37709 100644 --- a/drivers/media/platform/qcom/camss/camss.c +++ b/drivers/media/platform/qcom/camss/camss.c @@ -2131,8 +2131,7 @@ static int camss_configure_pd(struct camss *camss) camss->genpd = dev_pm_domain_attach_by_name(camss->dev, camss->res->pd_name); if (IS_ERR(camss->genpd)) { - ret = PTR_ERR(camss->genpd); - goto fail_pm; + return PTR_ERR(camss->genpd); } } @@ -2149,7 +2148,7 @@ static int camss_configure_pd(struct camss *camss) ret = -ENODEV; else ret = PTR_ERR(camss->genpd); - goto fail_pm; + return ret; } camss->genpd_link = device_link_add(camss->dev, camss->genpd, DL_FLAG_STATELESS | DL_FLAG_PM_RUNTIME | -- 2.25.1

6 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 6.6 001/139] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()

by Sasha Levin

From: Dmitry Kandybka <d.kandybka(a)gmail.com> [ Upstream commit 3f66f26703093886db81f0610b97a6794511917c ] In 'ath9k_get_et_stats()', promote TX stats counters to 'u64' to avoid possible integer overflow. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Dmitry Kandybka <d.kandybka(a)gmail.com> Acked-by: Toke Høiland-Jørgensen <toke(a)toke.dk> Signed-off-by: Kalle Valo <quic_kvalo(a)quicinc.com> Link: https://patch.msgid.link/20240725111743.14422-1-d.kandybka@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/ath/ath9k/debug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c index a0376a6787b8d..aaad285042864 100644 --- a/drivers/net/wireless/ath/ath9k/debug.c +++ b/drivers/net/wireless/ath/ath9k/debug.c @@ -1325,11 +1325,11 @@ void ath9k_get_et_stats(struct ieee80211_hw *hw, struct ath_softc *sc = hw->priv; int i = 0; - data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all + + data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_pkts_all + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_pkts_all + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_pkts_all); - data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all + + data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_bytes_all + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_bytes_all + sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_bytes_all); -- 2.43.0

6 months, 3 weeks

7
147
0 0

[PATCH AUTOSEL 6.11 01/76] bpf: Call the missed btf_record_free() when map creation fails

by Sasha Levin

From: Hou Tao <houtao1(a)huawei.com> [ Upstream commit 87e9675a0dfd0bf4a36550e4a0e673038ec67aee ] When security_bpf_map_create() in map_create() fails, map_create() will call btf_put() and ->map_free() callback to free the map. It doesn't free the btf_record of map value, so add the missed btf_record_free() when map creation fails. However btf_record_free() needs to be called after ->map_free() just like bpf_map_free_deferred() did, because ->map_free() may use the btf_record to free the special fields in preallocated map value. So factor out bpf_map_free() helper to free the map, btf_record, and btf orderly and use the helper in both map_create() and bpf_map_free_deferred(). Signed-off-by: Hou Tao <houtao1(a)huawei.com> Acked-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lore.kernel.org/r/20240912012845.3458483-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/bpf/syscall.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index bf6c5f685ea22..931ae9ad78149 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -733,15 +733,11 @@ void bpf_obj_free_fields(const struct btf_record *rec, void *obj) } } -/* called from workqueue */ -static void bpf_map_free_deferred(struct work_struct *work) +static void bpf_map_free(struct bpf_map *map) { - struct bpf_map *map = container_of(work, struct bpf_map, work); struct btf_record *rec = map->record; struct btf *btf = map->btf; - security_bpf_map_free(map); - bpf_map_release_memcg(map); /* implementation dependent freeing */ map->ops->map_free(map); /* Delay freeing of btf_record for maps, as map_free @@ -760,6 +756,16 @@ static void bpf_map_free_deferred(struct work_struct *work) btf_put(btf); } +/* called from workqueue */ +static void bpf_map_free_deferred(struct work_struct *work) +{ + struct bpf_map *map = container_of(work, struct bpf_map, work); + + security_bpf_map_free(map); + bpf_map_release_memcg(map); + bpf_map_free(map); +} + static void bpf_map_put_uref(struct bpf_map *map) { if (atomic64_dec_and_test(&map->usercnt)) { @@ -1411,8 +1417,7 @@ static int map_create(union bpf_attr *attr) free_map_sec: security_bpf_map_free(map); free_map: - btf_put(map->btf); - map->ops->map_free(map); + bpf_map_free(map); put_token: bpf_token_put(token); return err; -- 2.43.0

6 months, 3 weeks

4
80
0 0

[PATCH AUTOSEL 6.10 01/70] bpf: Call the missed btf_record_free() when map creation fails

by Sasha Levin

From: Hou Tao <houtao1(a)huawei.com> [ Upstream commit 87e9675a0dfd0bf4a36550e4a0e673038ec67aee ] When security_bpf_map_create() in map_create() fails, map_create() will call btf_put() and ->map_free() callback to free the map. It doesn't free the btf_record of map value, so add the missed btf_record_free() when map creation fails. However btf_record_free() needs to be called after ->map_free() just like bpf_map_free_deferred() did, because ->map_free() may use the btf_record to free the special fields in preallocated map value. So factor out bpf_map_free() helper to free the map, btf_record, and btf orderly and use the helper in both map_create() and bpf_map_free_deferred(). Signed-off-by: Hou Tao <houtao1(a)huawei.com> Acked-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lore.kernel.org/r/20240912012845.3458483-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/bpf/syscall.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index f45ed6adc092a..92590ddb2042d 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -733,15 +733,11 @@ void bpf_obj_free_fields(const struct btf_record *rec, void *obj) } } -/* called from workqueue */ -static void bpf_map_free_deferred(struct work_struct *work) +static void bpf_map_free(struct bpf_map *map) { - struct bpf_map *map = container_of(work, struct bpf_map, work); struct btf_record *rec = map->record; struct btf *btf = map->btf; - security_bpf_map_free(map); - bpf_map_release_memcg(map); /* implementation dependent freeing */ map->ops->map_free(map); /* Delay freeing of btf_record for maps, as map_free @@ -760,6 +756,16 @@ static void bpf_map_free_deferred(struct work_struct *work) btf_put(btf); } +/* called from workqueue */ +static void bpf_map_free_deferred(struct work_struct *work) +{ + struct bpf_map *map = container_of(work, struct bpf_map, work); + + security_bpf_map_free(map); + bpf_map_release_memcg(map); + bpf_map_free(map); +} + static void bpf_map_put_uref(struct bpf_map *map) { if (atomic64_dec_and_test(&map->usercnt)) { @@ -1411,8 +1417,7 @@ static int map_create(union bpf_attr *attr) free_map_sec: security_bpf_map_free(map); free_map: - btf_put(map->btf); - map->ops->map_free(map); + bpf_map_free(map); put_token: bpf_token_put(token); return err; -- 2.43.0

6 months, 3 weeks

2
71
0 0

[PATCH v5.4-v4.19] CDC-NCM: avoid overflow in sanity checking

by hsimeliere.opensource＠witekio.com

From: Oliver Neukum <oneukum(a)suse.com> commit 8d2b1a1ec9f559d30b724877da4ce592edc41fdc upstream. A broken device may give an extreme offset like 0xFFF0 and a reasonable length for a fragment. In the sanity check as formulated now, this will create an integer overflow, defeating the sanity check. Both offset and offset + len need to be checked in such a manner that no overflow can occur. And those quantities should be unsigned. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Reviewed-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Bruno VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- drivers/net/usb/cdc_ncm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c index 65dac36d8d4f..64d83f7905d0 100644 --- a/drivers/net/usb/cdc_ncm.c +++ b/drivers/net/usb/cdc_ncm.c @@ -1708,10 +1708,10 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in) { struct sk_buff *skb; struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0]; - int len; + unsigned int len; int nframes; int x; - int offset; + unsigned int offset; union { struct usb_cdc_ncm_ndp16 *ndp16; struct usb_cdc_ncm_ndp32 *ndp32; @@ -1783,8 +1783,8 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in) break; } - /* sanity checking */ - if (((offset + len) > skb_in->len) || + /* sanity checking - watch out for integer wrap*/ + if ((offset > skb_in->len) || (len > skb_in->len - offset) || (len > ctx->rx_max) || (len < ETH_HLEN)) { netif_dbg(dev, rx_err, dev->net, "invalid frame detected (ignored) offset[%u]=%u, length=%u, skb=%p\n", -- 2.43.0

6 months, 3 weeks

1
0
0 0

[RFC PATCH v2] sched/fair: Fix integer underflow

by Pierre Gondois

(struct sg_lb_stats).idle_cpus is of type 'unsigned int'. (local->idle_cpus - busiest->idle_cpus) can underflow to UINT_MAX for instance, and max_t(long, 0, UINT_MAX) will output UINT_MAX. Use lsub_positive() instead of max_t(). Fixes: 16b0a7a1a0af ("sched/fair: Ensure tasks spreading in LLC during LB") cc: stable(a)vger.kernel.org Signed-off-by: Pierre Gondois <pierre.gondois(a)arm.com> Reviewed-by: Vincent Guittot <vincent.guittot(a)linaro.org> --- kernel/sched/fair.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 9057584ec06d..6d9124499f52 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -10775,8 +10775,8 @@ static inline void calculate_imbalance(struct lb_env *env, struct sd_lb_stats *s * idle CPUs. */ env->migration_type = migrate_task; - env->imbalance = max_t(long, 0, - (local->idle_cpus - busiest->idle_cpus)); + env->imbalance = local->idle_cpus; + lsub_positive(&env->imbalance, busiest->idle_cpus); } #ifdef CONFIG_NUMA -- 2.25.1

6 months, 3 weeks

1
1
0 0

[PATCH 4.19] net: ipv6: ensure we call ipv6_mc_down() at most once

by hsimeliere.opensource＠witekio.com

From: "j.nixdorf(a)avm.de" <j.nixdorf(a)avm.de> commit 9995b408f17ff8c7f11bc725c8aa225ba3a63b1c upstream. There are two reasons for addrconf_notify() to be called with NETDEV_DOWN: either the network device is actually going down, or IPv6 was disabled on the interface. If either of them stays down while the other is toggled, we repeatedly call the code for NETDEV_DOWN, including ipv6_mc_down(), while never calling the corresponding ipv6_mc_up() in between. This will cause a new entry in idev->mc_tomb to be allocated for each multicast group the interface is subscribed to, which in turn leaks one struct ifmcaddr6 per nontrivial multicast group the interface is subscribed to. The following reproducer will leak at least $n objects: ip addr add ff2e::4242/32 dev eth0 autojoin sysctl -w net.ipv6.conf.eth0.disable_ipv6=1 for i in $(seq 1 $n); do ip link set up eth0; ip link set down eth0 done Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2) can also be used to create a nontrivial idev->mc_list, which will the leak objects with the right up-down-sequence. Based on both sources for NETDEV_DOWN events the interface IPv6 state should be considered: - not ready if the network interface is not ready OR IPv6 is disabled for it - ready if the network interface is ready AND IPv6 is enabled for it The functions ipv6_mc_up() and ipv6_down() should only be run when this state changes. Implement this by remembering when the IPv6 state is ready, and only run ipv6_mc_down() if it actually changed from ready to not ready. The other direction (not ready -> ready) already works correctly, as: - the interface notification triggered codepath for NETDEV_UP / NETDEV_CHANGE returns early if ipv6 is disabled, and - the disable_ipv6=0 triggered codepath skips fully initializing the interface as long as addrconf_link_ready(dev) returns false - calling ipv6_mc_up() repeatedly does not leak anything Fixes: 3ce62a84d53c ("ipv6: exit early in addrconf_notify() if IPv6 is disabled") Signed-off-by: Johannes Nixdorf <j.nixdorf(a)avm.de> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Bruno VERNAY <bruno.vernay(a)se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- net/ipv6/addrconf.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 9058d59acd0a..7763b7f672fa 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3679,6 +3679,7 @@ static int addrconf_ifdown(struct net_device *dev, int how) struct inet6_ifaddr *ifa; LIST_HEAD(tmp_addr_list); bool keep_addr = false; + bool was_ready; int state, i; ASSERT_RTNL(); @@ -3744,7 +3745,10 @@ static int addrconf_ifdown(struct net_device *dev, int how) addrconf_del_rs_timer(idev); - /* Step 2: clear flags for stateless addrconf */ + /* Step 2: clear flags for stateless addrconf, repeated down + * detection + */ + was_ready = idev->if_flags & IF_READY; if (!how) idev->if_flags &= ~(IF_RS_SENT|IF_RA_RCVD|IF_READY); @@ -3824,7 +3828,7 @@ static int addrconf_ifdown(struct net_device *dev, int how) if (how) { ipv6_ac_destroy_dev(idev); ipv6_mc_destroy_dev(idev); - } else { + } else if (was_ready) { ipv6_mc_down(idev); } -- 2.43.0

6 months, 3 weeks

1
0
0 0

[PATCH 0/3] drm: logicvc: add of_node_put() and switch to a more secure approach

by Javier Carrasco

This driver has faced several issues due to the wrong or missing usage of of_node_put() to release device nodes after they are no longer required. The first implementation was missing the of_node_put() for 'layers_node', and it put 'layer_node' twice. Then commit 'd3a453416270 ("drm: fix device_node_continue.cocci warnings")' removed the extra of_node_put(layer_node), which would have been ok if it had stayed only in the error path. Later, commit 'e9fcc60ddd29 ("drm/logicvc: add missing of_node_put() in logicvc_layers_init()")' added the missing of_node_put(layers_node), but not the one for the child node. It should be clear how easy someone can mess up with this pattern, especially with variables that have similar names. To fix the bug for stable kernels, and provide a more robust solution that accounts for new error paths, this series provides a first patch with the classical approach of adding the missing of_node_put(), and two more patches to use the cleanup attribute and avoid issues with device nodes again. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (3): drm: logicvc: fix missing of_node_put() in for_each_child_of_node() drm: logicvc: switch to for_each_child_of_node_scoped() drm: logicvc: use automatic cleanup facility for layers_node drivers/gpu/drm/logicvc/logicvc_layer.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) --- base-commit: 0cca97bf23640ff68a6e8a74e9b6659fdc27f48c change-id: 20241010-logicvc_layer_of_node_put-bc4cb207280b Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] zram: free secondary algorithms names" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 684826f8271ad97580b138b9ffd462005e470b99 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100723-syndrome-yeast-a812@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: 684826f8271a ("zram: free secondary algorithms names") f2bac7ad187d ("zram: introduce zcomp_params structure") 1d3100cf148d ("zram: add 842 compression backend support") 84112e314f69 ("zram: add zlib compression backend support") dbf2763cec21 ("zram: pass estimated src size hint to zstd") 73e7d81abbc8 ("zram: add zstd compression backend support") c60a4ef54446 ("zram: add lz4hc compression backend support") 22d651c3b339 ("zram: add lz4 compression backend support") 2152247c55b6 ("zram: add lzo and lzorle compression backends support") 917a59e81c34 ("zram: introduce custom comp backends API") 04cb7502a5d7 ("zsmalloc: use all available 24 bits of page_type") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 684826f8271ad97580b138b9ffd462005e470b99 Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 11 Sep 2024 11:54:56 +0900 Subject: [PATCH] zram: free secondary algorithms names We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. [senozhatsky(a)chromium.org: kfree(NULL) is legal] Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 1f1bf175a6c3..0207a7fc0a97 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,11 @@ static void zram_destroy_comps(struct zram *zram) zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); }

6 months, 3 weeks

3
3
0 0

[PATCH 5.10.y 0/4] Backport fix commit for kprobe_non_uniq_symbol.tc test failure

by Sherry Yang

5.10.y backported the commit 09bcf9254838 ("selftests/ftrace: Add new test case which checks non unique symbol") which added a new test case to check non-unique symbol. However, 5.10.y didn't backport the kernel commit b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols")to support the functionality from kernel side. Backport it in this patch series. The first two patches are presiquisites. The 4th commit is a fix commit for the 3rd one. Build and test case passed. [73] Test failure of registering kprobe on non unique symbol [PASS] Andrii Nakryiko (1): tracing/kprobes: Fix symbol counting logic by looking at modules as well Francis Laniel (1): tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Jiri Olsa (2): kallsyms: Make kallsyms_on_each_symbol generally available kallsyms: Make module_kallsyms_on_each_symbol generally available include/linux/kallsyms.h | 7 +++- include/linux/module.h | 9 +++++ kernel/kallsyms.c | 2 - kernel/module.c | 2 - kernel/trace/trace_kprobe.c | 76 +++++++++++++++++++++++++++++++++++++ kernel/trace/trace_probe.h | 1 + 6 files changed, 92 insertions(+), 5 deletions(-) -- 2.46.0

6 months, 3 weeks

5
10
0 0

[PATCH 6.1 0/3] Fix block integrity violation of kobject rules

by Thadeu Lima de Souza Cascardo

integrity_kobj did not have a release function and with CONFIG_DEBUG_KOBJECT_RELEASE, a use-after-free would be triggered as its holding struct gendisk would be freed without relying on its refcount. Thomas Weißschuh (3): blk-integrity: use sysfs_emit blk-integrity: convert to struct device_attribute blk-integrity: register sysfs attributes on struct device block/blk-integrity.c | 175 ++++++++++++++--------------------------- block/blk.h | 10 +-- block/genhd.c | 12 +-- include/linux/blkdev.h | 3 - 4 files changed, 66 insertions(+), 134 deletions(-) -- 2.34.1

6 months, 3 weeks

2
4
0 0

[PATCH v6 5/8] clk: qcom: gcc-x1e80100: Fix halt_check for pipediv2 clocks

by Qiang Yu

The pipediv2_clk's source from the same mux as pipe clock. So they have same limitation, which is that the PHY sequence requires to enable these local CBCs before the PHY is actually outputting a clock to them. This means the clock won't actually turn on when we vote them. Hence, let's skip the halt bit check of the pipediv2_clk, otherwise pipediv2_clk may stuck at off state during bootup. Cc: stable(a)vger.kernel.org Fixes: 161b7c401f4b ("clk: qcom: Add Global Clock controller (GCC) driver for X1E80100") Suggested-by: Mike Tipton <quic_mdtipton(a)quicinc.com> Signed-off-by: Qiang Yu <quic_qianyu(a)quicinc.com> Reviewed-by: Konrad Dybcio <konradybcio(a)kernel.org> Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/clk/qcom/gcc-x1e80100.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/clk/qcom/gcc-x1e80100.c b/drivers/clk/qcom/gcc-x1e80100.c index 0f578771071f..81ba5ceab342 100644 --- a/drivers/clk/qcom/gcc-x1e80100.c +++ b/drivers/clk/qcom/gcc-x1e80100.c @@ -3123,7 +3123,7 @@ static struct clk_branch gcc_pcie_3_pipe_clk = { static struct clk_branch gcc_pcie_3_pipediv2_clk = { .halt_reg = 0x58060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52020, .enable_mask = BIT(5), @@ -3248,7 +3248,7 @@ static struct clk_branch gcc_pcie_4_pipe_clk = { static struct clk_branch gcc_pcie_4_pipediv2_clk = { .halt_reg = 0x6b054, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52010, .enable_mask = BIT(27), @@ -3373,7 +3373,7 @@ static struct clk_branch gcc_pcie_5_pipe_clk = { static struct clk_branch gcc_pcie_5_pipediv2_clk = { .halt_reg = 0x2f054, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52018, .enable_mask = BIT(19), @@ -3511,7 +3511,7 @@ static struct clk_branch gcc_pcie_6a_pipe_clk = { static struct clk_branch gcc_pcie_6a_pipediv2_clk = { .halt_reg = 0x31060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52018, .enable_mask = BIT(28), @@ -3649,7 +3649,7 @@ static struct clk_branch gcc_pcie_6b_pipe_clk = { static struct clk_branch gcc_pcie_6b_pipediv2_clk = { .halt_reg = 0x8d060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52010, .enable_mask = BIT(28), -- 2.34.1

6 months, 3 weeks

1
0
0 0

[PATCH 5.15.y] RDMA/hns: Fix UAF for cq async event

by haixiao.yan.cn＠windriver.com

From: Chengchang Tang <tangchengchang(a)huawei.com> [ Upstream commit a942ec2745ca864cd8512142100e4027dc306a42 ] The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Signed-off-by: Chengchang Tang <tangchengchang(a)huawei.com> Signed-off-by: Junxian Huang <huangjunxian6(a)hisilicon.com> Link: https://lore.kernel.org/r/20240412091616.370789-6-huangjunxian6@hisilicon.c… Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Haixiao Yan <haixiao.yan.cn(a)windriver.com> --- This commit is backporting a942ec2745ca to the branch linux-5.15.y to solve the CVE-2024-38545. Please merge this commit to linux-5.15.y. drivers/infiniband/hw/hns/hns_roce_cq.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c index d763f097599f..5ecd4075de93 100644 --- a/drivers/infiniband/hw/hns/hns_roce_cq.c +++ b/drivers/infiniband/hw/hns/hns_roce_cq.c @@ -125,7 +125,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) goto err_out; } - ret = xa_err(xa_store(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); + ret = xa_err(xa_store_irq(&cq_table->array, hr_cq->cqn, hr_cq, GFP_KERNEL)); if (ret) { ibdev_err(ibdev, "failed to xa_store CQ, ret = %d.\n", ret); goto err_put; @@ -160,8 +160,7 @@ static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) return 0; err_xa: - xa_erase(&cq_table->array, hr_cq->cqn); - + xa_erase_irq(&cq_table->array, hr_cq->cqn); err_put: hns_roce_table_put(hr_dev, &cq_table->table, hr_cq->cqn); @@ -182,7 +181,7 @@ static void free_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) dev_err(dev, "DESTROY_CQ failed (%d) for CQN %06lx\n", ret, hr_cq->cqn); - xa_erase(&cq_table->array, hr_cq->cqn); + xa_erase_irq(&cq_table->array, hr_cq->cqn); /* Waiting interrupt process procedure carried out */ synchronize_irq(hr_dev->eq_table.eq[hr_cq->vector].irq); @@ -478,13 +477,6 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) struct ib_event event; struct ib_cq *ibcq; - hr_cq = xa_load(&hr_dev->cq_table.array, - cqn & (hr_dev->caps.num_cqs - 1)); - if (!hr_cq) { - dev_warn(dev, "Async event for bogus CQ 0x%06x\n", cqn); - return; - } - if (event_type != HNS_ROCE_EVENT_TYPE_CQ_ID_INVALID && event_type != HNS_ROCE_EVENT_TYPE_CQ_ACCESS_ERROR && event_type != HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW) { @@ -493,7 +485,16 @@ void hns_roce_cq_event(struct hns_roce_dev *hr_dev, u32 cqn, int event_type) return; } - refcount_inc(&hr_cq->refcount); + xa_lock(&hr_dev->cq_table.array); + hr_cq = xa_load(&hr_dev->cq_table.array, + cqn & (hr_dev->caps.num_cqs - 1)); + if (hr_cq) + refcount_inc(&hr_cq->refcount); + xa_unlock(&hr_dev->cq_table.array); + if (!hr_cq) { + dev_warn(dev, "async event for bogus CQ 0x%06x\n", cqn); + return; + } ibcq = &hr_cq->ib_cq; if (ibcq->event_handler) { -- 2.34.1

6 months, 3 weeks

1
0
0 0

[v2] xhci: tegra: fix checked USB2 port number

by Henry Lin

USB2 root hub in VF may contain less port number than supported USB2 phy number. Checking all USB2 phy number here would cause invalid memory access. [ 116.923438] Unable to handle kernel paging request at virtual address 006c622f7665642f ... [ 117.213640] Call trace: [ 117.216783] tegra_xusb_enter_elpg+0x23c/0x658 [ 117.222021] tegra_xusb_runtime_suspend+0x40/0x68 [ 117.227260] pm_generic_runtime_suspend+0x30/0x50 [ 117.232847] __rpm_callback+0x84/0x3c0 [ 117.237038] rpm_suspend+0x2dc/0x740 [ 117.241229] pm_runtime_work+0xa0/0xb8 [ 117.245769] process_scheduled_works+0x24c/0x478 [ 117.251007] worker_thread+0x23c/0x328 [ 117.255547] kthread+0x104/0x1b0 [ 117.259389] ret_from_fork+0x10/0x20 [ 117.263582] Code: 54000222 f9461ae8 f8747908 b4ffff48 (f9400100) Cc: <stable(a)vger.kernel.org> # 6.3+ Fixes: a30951d31b25 ("xhci: tegra: USB2 pad power controls") Signed-off-by: Henry Lin <henryl(a)nvidia.com> --- v2: - Added Fixes tag and the cc stable line drivers/usb/host/xhci-tegra.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c index 6246d5ad1468..76f228e7443c 100644 --- a/drivers/usb/host/xhci-tegra.c +++ b/drivers/usb/host/xhci-tegra.c @@ -2183,7 +2183,7 @@ static int tegra_xusb_enter_elpg(struct tegra_xusb *tegra, bool runtime) goto out; } - for (i = 0; i < tegra->num_usb_phys; i++) { + for (i = 0; i < xhci->usb2_rhub.num_ports; i++) { if (!xhci->usb2_rhub.ports[i]) continue; portsc = readl(xhci->usb2_rhub.ports[i]->addr); -- 2.25.1

6 months, 3 weeks

1
0
0 0

[PATCH v2] ALSA: scarlett2: Add error check after retrieving PEQ filter values

by Zhu Jun

Add error check after retrieving PEQ filter values in scarlett2_update_filter_values that ensure function returns error if PEQ filter value retrieval fails. Signed-off-by: Zhu Jun <zhujun2(a)cmss.chinamobile.com> Cc: <stable(a)vger.kernel.org> --- V1 -> V2: - commit wit a dot - add tag "Cc" - delete a blank before the return value check sound/usb/mixer_scarlett2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c index 1150cf104985..4cddf84db631 100644 --- a/sound/usb/mixer_scarlett2.c +++ b/sound/usb/mixer_scarlett2.c @@ -5613,6 +5613,8 @@ static int scarlett2_update_filter_values(struct usb_mixer_interface *mixer) info->peq_flt_total_count * SCARLETT2_BIQUAD_COEFFS, peq_flt_values); + if (err < 0) + return err; for (i = 0, dst_idx = 0; i < info->dsp_input_count; i++) { src_idx = i * -- 2.17.1

6 months, 3 weeks

2
1
0 0

[PATCH] HID: wacom: Hardcode (non-inverted) AES pens as BTN_TOOL_PEN

by Gerecke, Jason

From: Jason Gerecke <jason.gerecke(a)wacom.com> Unlike EMR tools which encode type information in their tool ID, tools for AES sensors are all "generic pens". It is inappropriate to make use of the wacom_intuos_get_tool_type function when dealing with these kinds of devices. Instead, we should only ever report BTN_TOOL_PEN or BTN_TOOL_RUBBER, as depending on the state of the Eraser and Invert bits. Fixes: 9c2913b962da ("HID: wacom: more appropriate tool type categorization") Signed-off-by: Jason Gerecke <jason.gerecke(a)wacom.com> Cc: stable(a)vger.kernel.org --- drivers/hid/wacom_wac.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 59a13ad9371cd..413606bdf476d 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -2567,6 +2567,8 @@ static void wacom_wac_pen_report(struct hid_device *hdev, /* Going into range select tool */ if (wacom_wac->hid_data.invert_state) wacom_wac->tool[0] = BTN_TOOL_RUBBER; + else if (wacom_wac->features.quirks & WACOM_QUIRK_AESPEN) + wacom_wac->tool[0] = BTN_TOOL_PEN; else if (wacom_wac->id[0]) wacom_wac->tool[0] = wacom_intuos_get_tool_type(wacom_wac->id[0]); else -- 2.46.2

6 months, 3 weeks

3
3
0 0

[PATCH v3 3/9] serial: qcom-geni: fix shutdown race

by Johan Hovold

A commit adding back the stopping of tx on port shutdown failed to add back the locking which had also been removed by commit e83766334f96 ("tty: serial: qcom_geni_serial: No need to stop tx/rx on UART shutdown"). Holding the port lock is needed to serialise against the console code, which may update the interrupt enable register and access the port state. Fixes: d8aca2f96813 ("tty: serial: qcom-geni-serial: stop operations in progress at shutdown") Fixes: 947cc4ecc06c ("serial: qcom-geni: fix soft lockup on sw flow control and suspend") Cc: stable(a)vger.kernel.org # 6.3 Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 2e4a5361f137..87cd974b76bf 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1114,10 +1114,12 @@ static void qcom_geni_serial_shutdown(struct uart_port *uport) { disable_irq(uport->irq); + uart_port_lock_irq(uport); qcom_geni_serial_stop_tx(uport); qcom_geni_serial_stop_rx(uport); qcom_geni_serial_cancel_tx_cmd(uport); + uart_port_unlock_irq(uport); } static void qcom_geni_serial_flush_buffer(struct uart_port *uport) -- 2.45.2

6 months, 3 weeks

3
2
0 0

FAILED: patch "[PATCH] x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2848ff28d180bd63a95da8e5dcbcdd76c1beeb7b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024090809-plaything-sash-1d57@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 2848ff28d180 ("x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported") c33f0a81a2cf ("x86/fpu: Add fpu_state_config::legacy_features") d72c87018d00 ("x86/fpu/xstate: Move remaining xfeature helpers to core") eda32f4f93b4 ("x86/fpu: Rework restore_regs_from_fpstate()") daddee247319 ("x86/fpu: Mop up xfeatures_mask_uabi()") 1c253ff2287f ("x86/fpu: Move xstate feature masks to fpu_*_cfg") 2bd264bce238 ("x86/fpu: Move xstate size to fpu_*_cfg") cd9ae7617449 ("x86/fpu/xstate: Cleanup size calculations") 617473acdfe4 ("x86/fpu: Cleanup fpu__init_system_xstate_size_legacy()") 578971f4e228 ("x86/fpu: Provide struct fpu_config") 5509cc78080d ("x86/fpu/signal: Use fpstate for size and features") ad6ede407aae ("x86/fpu: Use fpstate in fpu_copy_kvm_uabi_to_fpstate()") be31dfdfd75b ("x86/fpu: Use fpstate::size") 248452ce21ae ("x86/fpu: Add size and mask information to fpstate") 2dd8eedc80b1 ("x86/process: Move arch_thread_struct_whitelist() out of line") c20942ce5128 ("x86/fpu/core: Convert to fpstate") 7e049e8b7459 ("x86/fpu/signal: Convert to fpstate") 087df48c298c ("x86/fpu: Replace KVMs xstate component clearing") 18b3fa1ad15f ("x86/fpu: Convert restore_fpregs_from_fpstate() to struct fpstate") f83ac56acdad ("x86/fpu: Convert fpstate_init() to struct fpstate") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2848ff28d180bd63a95da8e5dcbcdd76c1beeb7b Mon Sep 17 00:00:00 2001 From: Mitchell Levy <levymitchell0(a)gmail.com> Date: Mon, 12 Aug 2024 13:44:12 -0700 Subject: [PATCH] x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported There are two distinct CPU features related to the use of XSAVES and LBR: whether LBR is itself supported and whether XSAVES supports LBR. The LBR subsystem correctly checks both in intel_pmu_arch_lbr_init(), but the XSTATE subsystem does not. The LBR bit is only removed from xfeatures_mask_independent when LBR is not supported by the CPU, but there is no validation of XSTATE support. If XSAVES does not support LBR the write to IA32_XSS causes a #GP fault, leaving the state of IA32_XSS unchanged, i.e. zero. The fault is handled with a warning and the boot continues. Consequently the next XRSTORS which tries to restore supervisor state fails with #GP because the RFBM has zero for all supervisor features, which does not match the XCOMP_BV field. As XFEATURE_MASK_FPSTATE includes supervisor features setting up the FPU causes a #GP, which ends up in fpu_reset_from_exception_fixup(). That fails due to the same problem resulting in recursive #GPs until the kernel runs out of stack space and double faults. Prevent this by storing the supported independent features in fpu_kernel_cfg during XSTATE initialization and use that cached value for retrieving the independent feature bits to be written into IA32_XSS. [ tglx: Massaged change log ] Fixes: f0dccc9da4c0 ("x86/fpu/xstate: Support dynamic supervisor feature for LBR") Suggested-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Mitchell Levy <levymitchell0(a)gmail.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20240812-xsave-lbr-fix-v3-1-95bac1bf62f4@gmail.… diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h index eb17f31b06d2..de16862bf230 100644 --- a/arch/x86/include/asm/fpu/types.h +++ b/arch/x86/include/asm/fpu/types.h @@ -591,6 +591,13 @@ struct fpu_state_config { * even without XSAVE support, i.e. legacy features FP + SSE */ u64 legacy_features; + /* + * @independent_features: + * + * Features that are supported by XSAVES, but not managed as part of + * the FPU core, such as LBR + */ + u64 independent_features; }; /* FPU state configuration information */ diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index c5a026fee5e0..1339f8328db5 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -788,6 +788,9 @@ void __init fpu__init_system_xstate(unsigned int legacy_size) goto out_disable; } + fpu_kernel_cfg.independent_features = fpu_kernel_cfg.max_features & + XFEATURE_MASK_INDEPENDENT; + /* * Clear XSAVE features that are disabled in the normal CPUID. */ diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h index 2ee0b9c53dcc..afb404cd2059 100644 --- a/arch/x86/kernel/fpu/xstate.h +++ b/arch/x86/kernel/fpu/xstate.h @@ -62,9 +62,9 @@ static inline u64 xfeatures_mask_supervisor(void) static inline u64 xfeatures_mask_independent(void) { if (!cpu_feature_enabled(X86_FEATURE_ARCH_LBR)) - return XFEATURE_MASK_INDEPENDENT & ~XFEATURE_MASK_LBR; + return fpu_kernel_cfg.independent_features & ~XFEATURE_MASK_LBR; - return XFEATURE_MASK_INDEPENDENT; + return fpu_kernel_cfg.independent_features; } /* XSAVE/XRSTOR wrapper functions */

6 months, 3 weeks

3
2
0 0

[PATCH 6.6 000/386] 6.6.55-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.55 release. There are 386 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.55-rc1 Zhihao Cheng <chengzhihao1(a)huawei.com> Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path" Damien Le Moal <dlemoal(a)kernel.org> null_blk: Fix return value of nullb_device_power_store() Alex Hung <alex.hung(a)amd.com> drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it Namhyung Kim <namhyung(a)kernel.org> perf report: Fix segfault when 'sym' sort key is not used Gabe Teeger <Gabe.Teeger(a)amd.com> drm/amd/display: Revert Avoid overflow assignment Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx* - Select CRYPTO_AUTHENC Haoran Zhang <wh1sper(a)zju.edu.cn> vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() David Howells <dhowells(a)redhat.com> rxrpc: Fix a race between socket set up and I/O thread creation Xiaolei Wang <xiaolei.wang(a)windriver.com> net: stmmac: move the EST lock to struct stmmac_priv Yu Kuai <yukuai3(a)huawei.com> null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> null_blk: Remove usage of the deprecated ida_simple_xx() API Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: think-lmi: Fix password opcode ordering for workstations Chen Yu <yu.c.chen(a)intel.com> efi/unaccepted: touch soft lockup during memory accept Mads Bligaard Nielsen <bli(a)bang-olufsen.dk> drm/bridge: adv7511: fix crash on irq during probe Nicolin Chen <nicolinc(a)nvidia.com> iommufd: Fix protection fault in iommufd_test_syz_conv_iova Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: restore set elements when delete set fails Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: fix memleak in map from abort path Zhihao Cheng <chengzhihao1(a)huawei.com> ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Jonathan Gray <jsg(a)jsg.id.au> Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Val Packett <val(a)packett.cool> drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Josef Bacik <josef(a)toxicpanda.com> btrfs: drop the backref cache during relocation if we commit David Sterba <dsterba(a)suse.com> btrfs: relocation: constify parameters where possible David Sterba <dsterba(a)suse.com> btrfs: relocation: return bool from btrfs_should_ignore_reloc_root Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Fix possible crash when unregistering a battery hook Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Simplify battery hook locking Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Add GPLL9 support Heiner Kallweit <hkallweit1(a)gmail.com> r8169: add tally counter fields added with RTL8125 Colin Ian King <colin.i.king(a)gmail.com> r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Fix regmap for BMP280 device Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Use BME prefix for BME280 specifics Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Improve indentation and line wrapping Angel Iglesias <ang.iglesiasg(a)gmail.com> iio: pressure: bmp280: Allow multiple chips id per family of devices Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Manivannan Sadhasivam <mani(a)kernel.org> dt-bindings: clock: qcom: Add missing UFS QREF clocks Udit Kumar <u-kumar1(a)ti.com> remoteproc: k3-r5: Delay notification of wakeup event Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Acquire mailbox handle during probe routine Umang Jain <umang.jain(a)ideasonboard.com> media: imx335: Fix reset-gpio handling Kieran Bingham <kieran.bingham(a)ideasonboard.com> media: i2c: imx335: Enable regulator supplies Long Li <longli(a)microsoft.com> RDMA/mana_ib: use the correct page table index based on hardware page size Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Add support for page sizes other than 4KB on ARM64 Haiyang Zhang <haiyangz(a)microsoft.com> net: mana: Enable MANA driver on ARM64 with 4K page size Johannes Weiner <hannes(a)cmpxchg.org> sched: psi: fix bogus pressure spikes from aggregation race Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: harden build ID parsing logic Alexey Dobriyan <adobriyan(a)gmail.com> build-id: require program headers to be right after ELF header Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Yosry Ahmed <yosryahmed(a)google.com> mm: z3fold: deprecate CONFIG_Z3FOLD Oleg Nesterov <oleg(a)redhat.com> uprobes: fix kernel info leak via "[uprobes]" vma Jens Axboe <axboe(a)kernel.dk> io_uring/net: harden multishot termination case for recv Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround once more Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-N3 definitions Ard Biesheuvel <ardb(a)kernel.org> i2c: synquacer: Deal with optional PCLK correctly Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: synquacer: Remove a clk reference from struct synquacer_i2c Heiner Kallweit <hkallweit1(a)gmail.com> i2c: core: Lock address during client device instantiation Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: create debugfs entry per adapter Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Create a platform_device from module_init() Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix buffer overflow in debug links Uwe Kleine-König <ukleinek(a)debian.org> cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix system hang while resume with TBT monitor Alex Hung <alex.hung(a)amd.com> drm/amd/display: Add HDR workaround for specific eDP Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Add locking to drm_sched_entity_modify_sched Jani Nikula <jani.nikula(a)intel.com> drm/i915/gem: fix bitwise and logical AND mixup Al Viro <viro(a)zeniv.linux.org.uk> close_range(): fix the logics in descriptor table trimming Eder Zulian <ezulian(a)redhat.com> rtla: Fix the help text in osnoise and timerlat top tools Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix a race during cpuhp processing Wei Li <liwei391(a)huawei.com> tracing/timerlat: Drop interface_lock in stop_kthread() Wei Li <liwei391(a)huawei.com> tracing/hwlat: Fix a race during cpuhp processing Patrick Donnelly <pdonnell(a)redhat.com> ceph: fix cap ref leak via netfs init_request Jiawei Ye <jiawei.ye(a)foxmail.com> mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Jiawen Wu <jiawenwu(a)trustnetic.com> net: pcs: xpcs: fix the wrong register that was written back Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: davinci: fix lazy disable Miquel Sabaté Solà <mikisabate(a)gmail.com> cpufreq: Avoid a bad reference count on CPU node Filipe Manana <fdmanana(a)suse.com> btrfs: wait for fixup workers before stopping cleaner kthread during umount Filipe Manana <fdmanana(a)suse.com> btrfs: send: fix invalid clone operation for file that got its size decreased Qu Wenruo <wqu(a)suse.com> btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Baokun Li <libaokun1(a)huawei.com> cachefiles: fix dentry leak in cachefiles_open_file() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix adp5589_gpio_get_value() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix NULL pointer dereference Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> rtc: at91sam9: fix OF node leak in probe() error path KhaiWenTan <khai.wen.tan(a)linux.intel.com> net: stmmac: Fix zero-division error when disabling tc cbs Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fallback to realpath if symlink's pathname does not exist Willem de Bruijn <willemb(a)google.com> gso: fix udp gso fraglist segmentation after pull from frag_list Willem de Bruijn <willemb(a)google.com> vrf: revert "vrf: Remove unnecessary RCU-bh critical section" Barnabás Czémán <barnabas.czeman(a)mainlining.org> iio: magnetometer: ak8975: Fix reading for ak099xx sensors Steve French <stfrench(a)microsoft.com> smb3: fix incorrect mode displayed for read-only files wangrong <wangrong(a)uniontech.com> smb: client: use actual path when queryfs Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: qcom: camss: Fix ordering of pm_runtime_enable Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: qcom: camss: Remove use_count guard in stop_streaming Manivannan Sadhasivam <mani(a)kernel.org> clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Zheng Wang <zyytlz.wz(a)163.com> media: venus: fix use after free bug in venus_remove due to race condition Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src David Virag <virag.david003(a)gmail.com> clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Mike Tipton <quic_mdtipton(a)quicinc.com> clk: qcom: clk-rpmh: Fix overflow in BCM vote Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Manivannan Sadhasivam <mani(a)kernel.org> clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: sun4i_csi: Implement link validate for sun4i_csi subdev Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Jan Kiszka <jan.kiszka(a)siemens.com> remoteproc: k3-r5: Fix error handling when power-up failed Sebastian Reichel <sebastian.reichel(a)collabora.com> clk: rockchip: fix error for unknown clocks Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: ov5675: Fix power on/off delay timings Chun-Yi Lee <joeyli.kernel(a)gmail.com> aoe: fix the potential use-after-free problem in more places Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix kernel stack size when KASAN is enabled Long Li <longli(a)microsoft.com> RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page Kaixin Wang <kxwang23(a)m.fudan.edu.cn> i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv4's PUTPUBFH operation Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: map the EBADMSG to nfserr_io to avoid warning NeilBrown <neilb(a)suse.de> nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Matt Fleming <matt(a)readmodwrite.com> perf hist: Update hist symbol when updating maps Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Disable -Wno-cast-function-type-mismatch if present on clang Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix memory leak in exfat_load_bitmap() Jisheng Zhang <jszhang(a)kernel.org> riscv: define ILLEGAL_POINTER_VALUE for 64bit Easwar Hariharan <eahariha(a)linux.microsoft.com> arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Mark Rutland <mark.rutland(a)arm.com> arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Julian Sun <sunjunchao2870(a)gmail.com> ocfs2: fix null-ptr-deref when journal load failed. Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: remove unreasonable unlock in ocfs2_read_blocks Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: cancel dqi_sync_work before freeing oinfo Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> ocfs2: reserve space for inline xattr before attaching reflink tree Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix uninit-value in ocfs2_get_block() Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the la space leak when unmounting an ocfs2 volume Danilo Krummrich <dakr(a)kernel.org> mm: krealloc: consider spare memory for __GFP_ZERO Kemeng Shi <shikemeng(a)huaweicloud.com> jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Baokun Li <libaokun1(a)huawei.com> jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Huang Ying <ying.huang(a)intel.com> resource: fix region_intersects() vs add_memory_driver_managed() Ma Ke <make24(a)iscas.ac.cn> drm: omapdrm: Add missing check for alloc_ordered_workqueue Andrew Jones <ajones(a)ventanamicro.com> of/irq: Support #msi-cells=<0> in of_msi_get_domain Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> of: address: Report error on resource bounds overflow Val Packett <val(a)packett.cool> drm/rockchip: vop: clear DMA stop bit on RK3066 Helge Deller <deller(a)gmx.de> parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Helge Deller <deller(a)kernel.org> parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards Helge Deller <deller(a)kernel.org> parisc: Fix 64-bit userspace syscall path Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: use handle to mark fc as ineligible in __track_dentry_update() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix fast commit inode enqueueing during a full journal commit Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Baokun Li <libaokun1(a)huawei.com> ext4: update orig_path in ext4_find_extent() Xiaxi Shen <shenxiaxi26(a)gmail.com> ext4: fix timer use-after-free on failed mount Baokun Li <libaokun1(a)huawei.com> ext4: fix double brelse() the buffer of the extents path Baokun Li <libaokun1(a)huawei.com> ext4: aovid use-after-free in ext4_ext_insert_extent() Baokun Li <libaokun1(a)huawei.com> ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Zhihao Cheng <chengzhihao1(a)huawei.com> ext4: dax: fix overflowing extents beyond inode size when partially writing Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() Baokun Li <libaokun1(a)huawei.com> ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() yao.ly <yao.ly(a)linux.alibaba.com> ext4: correct encrypted dentry name hash when not casefolded Edward Adam Davis <eadavis(a)qq.com> ext4: no need to continue when the number of entries is 1 Abhishek Tamboli <abhishektamboli9(a)gmail.com> ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Ai Chao <aichao(a)kylinos.cn> ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Hans P. Moller <hmoller(a)uc.cl> ALSA: line6: add hw monitor volume control to POD HD500X Jan Lalinsky <lalinsky(a)c4.cz> ALSA: usb-audio: Add native DSD support for Luxman D-08u Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Jaroslav Kysela <perex(a)perex.cz> ALSA: core: add isascii() check to card ID generator Baojun Xu <baojun.xu(a)ti.com> ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Thomas Zimmermann <tzimmermann(a)suse.de> drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Javier Carrasco <javier.carrasco.cruz(a)gmail.com> drm/mediatek: ovl_adaptor: Add missing of_node_put() Helge Deller <deller(a)gmx.de> parisc: Fix itlb miss handler for 64-bit programs Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix small negative period being ignored Hans de Goede <hdegoede(a)redhat.com> power: supply: hwmon: Fix missing temp1_max_alarm attribute Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix module autoloading David Virag <virag.david003(a)gmail.com> dt-bindings: clock: exynos7885: Fix duplicated binding Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> memory: tegra186-emc: drop unused to_tegra186_emc() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Mike Baynton <mike(a)mbaynton.com> ovl: fail if trusted xattrs are needed but caller lacks permission Alice Ryhl <aliceryhl(a)google.com> rust: sync: require `T: Sync` for `LockedBy::access` Kimriver Liu <kimriver.liu(a)siengine.com> i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Alexander Shiyan <eagle.alexander923(a)gmail.com> media: i2c: ar0521: Use cansleep version of gpiod_set_value() Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Wait for TX empty to avoid missed TX NAKs Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Marek Vasut <marex(a)denx.de> i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Zach Wade <zachwade.k(a)gmail.com> platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Takashi Iwai <tiwai(a)suse.de> Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Heiko Carstens <hca(a)linux.ibm.com> selftests: vDSO: fix vdso_config for s390 Jens Remus <jremus(a)linux.ibm.com> selftests: vDSO: fix ELF hash table entry size for s390x Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Fix VDSO data access when running in a non-root time namespace David Hildenbrand <david(a)redhat.com> selftests/mm: fix charge_reserved_hugetlb.sh test Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO symbols lookup for powerpc64 Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vdso_config for powerpc Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO name for powerpc Namhyung Kim <namhyung(a)kernel.org> perf: Really fix event_function_call() locking Ian Rogers <irogers(a)google.com> perf callchain: Fix stitch LBR memory leaks Biju Das <biju.das.jz(a)bp.renesas.com> spi: rpc-if: Add missing MODULE_DEVICE_TABLE Alexander F. Lent <lx(a)xanderlent.com> accel/ivpu: Add missing MODULE_FIRMWARE metadata Yifei Liu <yifei.l.liu(a)oracle.com> selftests: breakpoints: use remaining time to check if suspend succeed Ben Dooks <ben.dooks(a)codethink.co.uk> spi: s3c64xx: fix timeout counters in flush_fifo Yun Lu <luyun(a)kylinos.cn> selftest: hid: add missing run-hid-tools-tests.sh Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-cadence: Fix missing spi_controller_is_target() check Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled Li Zetao <lizetao1(a)huawei.com> spi: spi-cadence: Use helper function devm_clk_get_enabled() Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Kuan-Wei Chiu <visitorckw(a)gmail.com> bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Christoph Hellwig <hch(a)lst.de> iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Kuan-Wei Chiu <visitorckw(a)gmail.com> bpftool: Fix undefined behavior caused by shifting into the sign bit Artem Sadovnikov <ancowi69(a)gmail.com> ext4: fix i_data_sem unlock order in ext4_ind_migrate() Baokun Li <libaokun1(a)huawei.com> ext4: avoid use-after-free in ext4_ext_show_leaf() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: ext4_search_dir should return a proper error Juntong Deng <juntong.deng(a)outlook.com> bpf: Make the pointer returned by iter next method valid Jan Kara <jack(a)suse.cz> ext4: don't set SB_RDONLY after filesystem errors Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: add refcnt to ksmbd_conn struct Gergo Koteles <soyer(a)irl.hu> platform/x86: lenovo-ymc: Ignore the 0x0 state Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: use rlc safe mode for soft recovery Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx11: use rlc safe mode for soft recovery Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Geert Uytterhoeven <geert+renesas(a)glider.be> of/irq: Refer to actual buffer size in of_irq_parse_one() Tim Huang <tim.huang(a)amd.com> drm/amd/pm: ensure the fw_info is not null before using it Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: use rlc safe mode for soft recovery Victor Skvortsov <victor.skvortsov(a)amd.com> drm/amdgpu: Block MMR_READ IOCTL in reset Geert Uytterhoeven <geert+renesas(a)glider.be> drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Peter Zijlstra <peterz(a)infradead.org> perf: Fix event_function_call() locking Tim Huang <tim.huang(a)amd.com> drm/amdgpu: fix unchecked return value warning for amdgpu_gfx Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Update PRLO handling in direct attached topology Kees Cook <kees(a)kernel.org> scsi: aacraid: Rearrange order of struct aac_srb_unit Andrii Nakryiko <andrii(a)kernel.org> perf,x86: avoid missing caller address in stack traces captured in uprobe Matthew Brost <matthew.brost(a)intel.com> drm/printer: Allow NULL data in devcoredump printer Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize get_bytes_per_element's default to 1 Alex Hung <alex.hung(a)amd.com> drm/amd/display: Avoid overflow assignment in link_dp_cts Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 color transformation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in degamma hardware format translation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check link_res->hpo_dp_link_enc before using it Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream before comparing them Yannick Fertre <yannick.fertre(a)foss.st.com> drm/stm: ltdc: reset plane transparency after plane disable Ckath <ckath(a)yandex.ru> platform/x86: touchscreen_dmi: add nanote-next quirk Vishnu Sankar <vishnuocv(a)gmail.com> HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Jesse Zhang <jesse.zhang(a)amd.com> drm/amdkfd: Fix resource leak in criu restore queue Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: enable gfxoff quirk on HP 705G4 Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: add raven1 gfxoff quirk Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> jfs: Fix uninit-value access of new_ea in ea_buffer Konrad Dybcio <konrad.dybcio(a)linaro.org> drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs Mahesh Rajashekhara <mahesh.rajashekhara(a)microchip.com> scsi: smartpqi: correct stream detection Edward Adam Davis <eadavis(a)qq.com> jfs: check if leafidx greater than num leaves per dmap tree Edward Adam Davis <eadavis(a)qq.com> jfs: Fix uaf in dbFreeBits Remington Brasga <rbrasga(a)uci.edu> jfs: UBSAN: shift-out-of-bounds in dbFindBits Tim Huang <tim.huang(a)amd.com> drm/amd/display: fix double free issue during amdgpu module unload Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before using dc->clk_mgr Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' Hans de Goede <hdegoede(a)redhat.com> HID: Ignore battery for all ELAN I2C-HID devices Damien Le Moal <dlemoal(a)kernel.org> ata: sata_sil: Rename sil_blacklist to sil_quirks Damien Le Moal <dlemoal(a)kernel.org> ata: pata_serverworks: Do not use the term blacklist Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com> drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Katya Orlova <e.orlova(a)ispras.ru> drm/stm: Avoid use-after-free issues with crtc and plane Michal Koutný <mkoutny(a)suse.com> cgroup: Disallow mounting v1 hierarchies without controller implementation Sanjay K Kumar <sanjay.k.kumar(a)intel.com> iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Always reserve a domain ID for identity setup Andrew Davis <afd(a)ti.com> power: reset: brcmstb: Do not go into infinite loop if reset fails Paul E. McKenney <paulmck(a)kernel.org> rcuscale: Provide clear error when async specified without primitives Kaixin Wang <kxwang23(a)m.fudan.edu.cn> fbdev: pxafb: Fix possible use after free in pxafb_task() Thomas Weißschuh <linux(a)weissschuh.net> fbdev: efifb: Register sysfs groups through driver core Denis Pauk <pauk.denis(a)gmail.com> hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Kees Cook <kees(a)kernel.org> x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Thomas Weißschuh <linux(a)weissschuh.net> selftests/nolibc: avoid passing NULL to printf("%s") Thomas Weißschuh <linux(a)weissschuh.net> tools/nolibc: powerpc: limit stack-protector workaround to GCC Takashi Iwai <tiwai(a)suse.de> ALSA: hdsp: Break infinite MIDI input flush loop Takashi Iwai <tiwai(a)suse.de> ALSA: asihpi: Fix potential OOB array access Tao Liu <ltao(a)redhat.com> x86/kexec: Add EFI config table identity mapping for kexec kernel Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> x86/pkeys: Restore altstack access in sigreturn() Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> x86/pkeys: Add PKRU as a parameter in signal handling functions Ahmed S. Darwish <darwi(a)linutronix.de> tools/x86/kcpuid: Protect against faulty "max subleaf" values Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wsa883x: Handle reading version failure Joshua Pius <joshuapius(a)chromium.org> ALSA: usb-audio: Add logitech Audio profile quirk Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Replace complex quirk lines with macros Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Define macros for quirk table entries Karol Kosik <k.kosik(a)outlook.com> ALSA: usb-audio: Support multiple control interfaces Thomas Gleixner <tglx(a)linutronix.de> x86/ioapic: Handle allocation failures gracefully Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add input value sanity checks for standard types Jinjie Ruan <ruanjinjie(a)huawei.com> nfp: Use IRQF_NO_AUTOEN flag in request_irq() Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Benjamin Lin <benjamin-jw.lin(a)mediatek.com> wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Stefan Mätje <stefan.maetje(a)esd.eu> can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode James Clark <james.clark(a)linaro.org> drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Adrian Ratiu <adrian.ratiu(a)collabora.com> proc: add config & param to block forcing mem writes Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> ACPICA: iasl: handle empty connection_node Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix RCU list iterations Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mvm: avoid NULL pointer dereference Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: use correct key iteration Jason Xing <kernelxing(a)tencent.com> tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Breno Leitao <leitao(a)debian.org> netpoll: Ensure clean state on setup failures Herbert Xu <herbert(a)gondor.apana.org.au> crypto: simd - Do not call crypto_alloc_tfm during registration Simon Horman <horms(a)kernel.org> net: atlantic: Avoid warning about potential string truncation Ido Schimmel <idosch(a)nvidia.com> ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: correct base HT rate mask for firmware Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Simon Horman <horms(a)kernel.org> bnxt_en: Extend maximum length of version string by 1 byte Simon Horman <horms(a)kernel.org> net: mvpp2: Increase size of queue_name buffer Simon Horman <horms(a)kernel.org> tipc: guard against string buffer overrun Pei Xiao <xiaopei01(a)kylinos.cn> ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Do not release locks during operation region accesses Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw88: select WANT_DEV_COREDUMP Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath11k: fix array out-of-bound access in SoC stats Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath12k: fix array out-of-bound access in SoC stats Konstantin Ovsepian <ovs(a)ovs.to> blk_iocost: fix more out of bound shifts Mario Limonciello <mario.limonciello(a)amd.com> ACPI: CPPC: Add support for setting EPP register in FFH Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 Hilda Wu <hildawu(a)realtek.com> Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Hilda Wu <hildawu(a)realtek.com> Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: consistently use rcu_replace_pointer() in taprio_change() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: avoid failing the system during pm_suspend Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_mdio: fix OF node leak in probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hip04: fix OF node leak in probe() Jeongjun Park <aha310510(a)gmail.com> net/xen-netback: prevent UAF in xenvif_flush_hash() Issam Hamdi <ih(a)simonwunderlich.de> wifi: cfg80211: Set correct chandef when starting CAC Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: drop wrong STA selection in TX Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: mvm: Fix a race in scan abort flow Aleksandr Mishin <amishin(a)t-argos.ru> ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx2 - Fix authenc setkey Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx - Fix authenc setkey Fangrui Song <maskray(a)google.com> crypto: x86/sha256 - Add parentheses around macros' single arguments Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw89: avoid to add interface to list twice when SER Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: gus: Fix some error handling paths related to get_bpos() usage Pali Rohár <pali(a)kernel.org> cifs: Do not convert delimiter when parsing NFS-style symlinks Pali Rohár <pali(a)kernel.org> cifs: Fix buffer overflow when parsing NFS reparse points Hui Wang <hui.wang(a)canonical.com> ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Takashi Iwai <tiwai(a)suse.de> ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Pali Rohár <pali(a)kernel.org> cifs: Remove intermediate object of failed create reparse call Oder Chiou <oder_chiou(a)realtek.com> ALSA: hda/realtek: Fix the push button function for the ALC257 Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: mixer_oss: Remove some incorrect kfree_const() usages Andrei Simion <andrei.simion(a)microchip.com> ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix not validating setsockopt user input Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix not validating setsockopt user input Benjamin Gaignard <benjamin.gaignard(a)collabora.com> media: usbtv: Remove useless locks in usbtv_video_free() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sock: Fix not validating setsockopt user input Christoph Hellwig <hch(a)lst.de> loop: don't set QUEUE_FLAG_NOMERGES Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Try re-initialization on bus busy timeout Marc Ferland <marc.ferland(a)sonatest.com> i2c: xiic: improve error message when transfer fails to start Xin Long <lucien.xin(a)gmail.com> sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Ravikanth Tuniki <ravikanth.tuniki(a)amd.com> dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Darrick J. Wong <djwong(a)kernel.org> iomap: constrain the file range passed to iomap_file_unshare Eric Dumazet <edumazet(a)google.com> ppp: do not assume bh is held in ppp_channel_bridge_input() Eric Dumazet <edumazet(a)google.com> net: test for not too small csum_start in virtio_net_hdr_to_skb() Anton Danilov <littlesmilingcloud(a)gmail.com> ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Shenwei Wang <shenwei.wang(a)nxp.com> net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Eric Dumazet <edumazet(a)google.com> net: add more sanity checks to qdisc_pkt_len_init() Eric Dumazet <edumazet(a)google.com> net: avoid potential underflow in qdisc_pkt_len_init() with UFO Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Reload PTP registers after link-state change Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Restart PPS after link state change Aleksander Jan Bajkowski <olek2(a)wp.pl> net: ethernet: lantiq_etop: fix memory disclosure Daniel Borkmann <daniel(a)iogearbox.net> net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Daniel Borkmann <daniel(a)iogearbox.net> net: Add netif_get_gro_max_size helper for GRO Jinjie Ruan <ruanjinjie(a)huawei.com> Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix uaf in l2cap_connect Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Eric Dumazet <edumazet(a)google.com> netfilter: nf_tables: prevent nf_skb_duplicated corruption Phil Sutter <phil(a)nwl.cc> selftests: netfilter: Fix nft_audit.sh for newer nft binaries Jinjie Ruan <ruanjinjie(a)huawei.com> net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Phil Sutter <phil(a)nwl.cc> netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Elena Salomatkina <esalomatkina(a)ispras.ru> net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Mohamed Khalfella <mkhalfella(a)purestorage.com> net/mlx5: Added cond_resched() to crdump collection Gerd Bayer <gbayer(a)linux.ibm.com> net/mlx5: Fix error path in multi-packet WQE transmit Aakash Menon <aakash.r.menon(a)gmail.com> net: sparx5: Fix invalid timestamps Jinjie Ruan <ruanjinjie(a)huawei.com> ieee802154: Fix build error Xiubo Li <xiubli(a)redhat.com> ceph: remove the incorrect Fw reference check when dirtying pages Stefan Wahren <wahrenst(a)gmx.net> mailbox: bcm2835: Fix timeout during suspend mode Liao Chen <liaochen4(a)huawei.com> mailbox: rockchip: fix a typo in module autoloading Asad Kamal <asad.kamal(a)amd.com> drm/amdgpu: Fix get each xcp macro Daniel Wagner <dwagner(a)suse.de> scsi: pm8001: Do not overwrite PCI queue mapping Rafael Rocha <rrochavi(a)fnal.gov> scsi: st: Fix input/output error on empty drive reset Peter Zijlstra <peterz(a)infradead.org> jump_label: Fix static_key_slow_dec() yet again Thomas Gleixner <tglx(a)linutronix.de> jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() Thomas Gleixner <tglx(a)linutronix.de> static_call: Replace pointless WARN_ON() in static_call_module_notify() Thomas Gleixner <tglx(a)linutronix.de> static_call: Handle module init failure correctly in static_call_del_module() ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 10 + Documentation/arch/arm64/silicon-errata.rst | 6 + .../devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 +- Makefile | 4 +- arch/arm/crypto/aes-ce-glue.c | 2 +- arch/arm/crypto/aes-neonbs-glue.c | 2 +- arch/arm64/Kconfig | 7 +- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/kernel/cpu_errata.c | 3 + arch/loongarch/configs/loongson3_defconfig | 1 - arch/parisc/include/asm/mman.h | 14 + arch/parisc/kernel/entry.S | 6 +- arch/parisc/kernel/syscall.S | 14 +- arch/powerpc/configs/ppc64_defconfig | 1 - arch/powerpc/include/asm/vdso_datapage.h | 15 + arch/powerpc/kernel/asm-offsets.c | 2 + arch/powerpc/kernel/vdso/cacheflush.S | 2 +- arch/powerpc/kernel/vdso/datapage.S | 4 +- arch/powerpc/platforms/pseries/dlpar.c | 17 - arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +- arch/powerpc/platforms/pseries/hotplug-memory.c | 16 +- arch/powerpc/platforms/pseries/pmem.c | 2 +- arch/riscv/Kconfig | 8 +- arch/riscv/include/asm/thread_info.h | 7 +- arch/x86/crypto/sha256-avx2-asm.S | 16 +- arch/x86/events/core.c | 63 + arch/x86/include/asm/fpu/signal.h | 2 +- arch/x86/include/asm/syscall.h | 7 +- arch/x86/kernel/apic/io_apic.c | 46 +- arch/x86/kernel/fpu/signal.c | 6 +- arch/x86/kernel/machine_kexec_64.c | 27 + arch/x86/kernel/signal.c | 3 +- arch/x86/kernel/signal_64.c | 6 +- block/blk-iocost.c | 8 +- crypto/simd.c | 76 +- drivers/accel/ivpu/ivpu_fw.c | 4 + drivers/acpi/acpi_pad.c | 6 +- drivers/acpi/acpica/dbconvert.c | 2 + drivers/acpi/acpica/exprep.c | 3 + drivers/acpi/acpica/psargs.c | 47 + drivers/acpi/battery.c | 28 +- drivers/acpi/cppc_acpi.c | 10 +- drivers/acpi/ec.c | 55 +- drivers/acpi/resource.c | 14 + drivers/acpi/video_detect.c | 8 + drivers/ata/pata_serverworks.c | 16 +- drivers/ata/sata_sil.c | 12 +- drivers/block/aoe/aoecmd.c | 13 +- drivers/block/loop.c | 15 +- drivers/block/null_blk/main.c | 45 +- drivers/bluetooth/btmrvl_sdio.c | 3 +- drivers/bluetooth/btrtl.c | 1 + drivers/bluetooth/btusb.c | 2 + drivers/clk/qcom/clk-alpha-pll.c | 2 +- drivers/clk/qcom/clk-rpmh.c | 2 + drivers/clk/qcom/dispcc-sm8250.c | 3 + drivers/clk/qcom/gcc-sc8180x.c | 88 +- drivers/clk/qcom/gcc-sm8250.c | 6 +- drivers/clk/qcom/gcc-sm8450.c | 4 +- drivers/clk/rockchip/clk.c | 3 +- drivers/clk/samsung/clk-exynos7885.c | 2 +- drivers/cpufreq/intel_pstate.c | 20 +- drivers/crypto/marvell/Kconfig | 2 + drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 265 +-- drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 256 +-- drivers/firmware/efi/unaccepted_memory.c | 4 + drivers/firmware/tegra/bpmp.c | 6 - drivers/gpio/gpio-davinci.c | 8 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 +- drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 45 +- drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 6 + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 +- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 5 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 19 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 - .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 +- drivers/gpu/drm/amd/display/dc/dc_types.h | 1 + .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 + .../gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 + .../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- .../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- .../amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 12 + drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 +- .../drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 +- drivers/gpu/drm/drm_atomic_uapi.c | 2 +- drivers/gpu/drm/drm_print.c | 13 +- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +- drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 + drivers/gpu/drm/msm/msm_gpu.c | 1 - drivers/gpu/drm/omapdrm/omap_drv.c | 5 + drivers/gpu/drm/radeon/r100.c | 70 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 + drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 2 + drivers/gpu/drm/scheduler/sched_entity.c | 2 + drivers/gpu/drm/stm/drv.c | 3 +- drivers/gpu/drm/stm/ltdc.c | 76 +- drivers/hid/hid-ids.h | 17 +- drivers/hid/hid-input.c | 37 +- drivers/hid/hid-multitouch.c | 6 + drivers/hwmon/nct6775-platform.c | 1 + drivers/i2c/busses/i2c-designware-common.c | 14 + drivers/i2c/busses/i2c-designware-core.h | 1 + drivers/i2c/busses/i2c-designware-master.c | 38 + drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-stm32f7.c | 6 +- drivers/i2c/busses/i2c-synquacer.c | 12 +- drivers/i2c/busses/i2c-xiic.c | 69 +- drivers/i2c/i2c-core-base.c | 39 + drivers/i3c/master/svc-i3c-master.c | 1 + drivers/iio/magnetometer/ak8975.c | 32 +- drivers/iio/pressure/bmp280-core.c | 185 +- drivers/iio/pressure/bmp280-regmap.c | 47 +- drivers/iio/pressure/bmp280-spi.c | 4 +- drivers/iio/pressure/bmp280.h | 49 +- drivers/infiniband/hw/mana/main.c | 8 +- drivers/input/keyboard/adp5589-keys.c | 22 +- drivers/iommu/intel/dmar.c | 16 +- drivers/iommu/intel/iommu.c | 6 +- drivers/iommu/iommufd/selftest.c | 27 +- drivers/mailbox/bcm2835-mailbox.c | 3 +- drivers/mailbox/rockchip-mailbox.c | 2 +- drivers/media/i2c/ar0521.c | 5 +- drivers/media/i2c/imx335.c | 43 +- drivers/media/i2c/ov5675.c | 12 +- drivers/media/platform/qcom/camss/camss-video.c | 6 - drivers/media/platform/qcom/camss/camss.c | 5 +- drivers/media/platform/qcom/venus/core.c | 1 + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 + drivers/media/usb/usbtv/usbtv-video.c | 7 - drivers/memory/tegra/tegra186-emc.c | 5 - drivers/net/can/dev/netlink.c | 102 +- .../net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- drivers/net/ethernet/freescale/fec.h | 9 + drivers/net/ethernet/freescale/fec_main.c | 11 +- drivers/net/ethernet/freescale/fec_ptp.c | 50 + drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + drivers/net/ethernet/intel/e1000e/netdev.c | 19 +- drivers/net/ethernet/intel/ice/ice_sched.c | 6 +- drivers/net/ethernet/lantiq_etop.c | 4 +- drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 + .../net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +- drivers/net/ethernet/microsoft/Kconfig | 3 +- drivers/net/ethernet/microsoft/mana/gdma_main.c | 10 +- drivers/net/ethernet/microsoft/mana/hw_channel.c | 14 +- drivers/net/ethernet/microsoft/mana/mana_en.c | 8 +- drivers/net/ethernet/microsoft/mana/shm_channel.c | 13 +- .../net/ethernet/netronome/nfp/nfp_net_common.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 31 +- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +- drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 8 +- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 19 +- drivers/net/ieee802154/Kconfig | 1 + drivers/net/ieee802154/mcr20a.c | 5 +- drivers/net/pcs/pcs-xpcs-wx.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/vrf.c | 2 + drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath9k/debug.c | 4 +- drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +- drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 +- drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 +- drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/scan.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +- drivers/net/wireless/realtek/rtw88/Kconfig | 1 + drivers/net/wireless/realtek/rtw89/mac80211.c | 4 +- drivers/net/wireless/realtek/rtw89/phy.c | 4 +- drivers/net/wireless/realtek/rtw89/util.h | 18 + drivers/net/wwan/qcom_bam_dmux.c | 11 +- drivers/net/xen-netback/hash.c | 5 +- drivers/of/address.c | 5 + drivers/of/irq.c | 38 +- drivers/perf/arm_spe_pmu.c | 9 +- .../x86/intel/speed_select_if/isst_if_common.c | 4 +- drivers/platform/x86/lenovo-ymc.c | 2 + drivers/platform/x86/think-lmi.c | 16 +- drivers/platform/x86/touchscreen_dmi.c | 26 + drivers/platform/x86/x86-android-tablets/core.c | 57 +- drivers/power/reset/brcmstb-reboot.c | 3 - drivers/power/supply/power_supply_hwmon.c | 3 +- drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 +- drivers/rtc/rtc-at91sam9.c | 1 + drivers/scsi/NCR5380.c | 4 + drivers/scsi/aacraid/aacraid.h | 2 +- drivers/scsi/lpfc/lpfc_els.c | 27 +- drivers/scsi/lpfc/lpfc_nportdisc.c | 22 +- drivers/scsi/pm8001/pm8001_init.c | 6 +- drivers/scsi/smartpqi/smartpqi_init.c | 2 +- drivers/scsi/st.c | 5 +- drivers/spi/spi-bcm63xx.c | 9 +- drivers/spi/spi-cadence.c | 31 +- drivers/spi/spi-imx.c | 2 +- drivers/spi/spi-rpc-if.c | 7 + drivers/spi/spi-s3c64xx.c | 4 +- drivers/vhost/scsi.c | 25 +- drivers/video/fbdev/efifb.c | 11 +- drivers/video/fbdev/pxafb.c | 1 + fs/btrfs/backref.c | 12 +- fs/btrfs/disk-io.c | 11 + fs/btrfs/relocation.c | 150 +- fs/btrfs/relocation.h | 9 +- fs/btrfs/send.c | 23 +- fs/cachefiles/namei.c | 7 +- fs/ceph/addr.c | 6 +- fs/dax.c | 6 +- fs/exec.c | 3 +- fs/exfat/balloc.c | 10 +- fs/ext4/dir.c | 14 +- fs/ext4/extents.c | 55 +- fs/ext4/fast_commit.c | 49 +- fs/ext4/file.c | 8 +- fs/ext4/inode.c | 11 +- fs/ext4/migrate.c | 2 +- fs/ext4/move_extent.c | 1 - fs/ext4/namei.c | 14 +- fs/ext4/super.c | 11 +- fs/ext4/xattr.c | 3 +- fs/file.c | 93 +- fs/iomap/buffered-io.c | 16 +- fs/jbd2/checkpoint.c | 21 +- fs/jbd2/journal.c | 4 +- fs/jfs/jfs_discard.c | 11 +- fs/jfs/jfs_dmap.c | 7 +- fs/jfs/xattr.c | 2 + fs/nfsd/nfs4state.c | 5 +- fs/nfsd/nfs4xdr.c | 10 +- fs/nfsd/vfs.c | 1 + fs/ocfs2/aops.c | 5 +- fs/ocfs2/buffer_head_io.c | 4 +- fs/ocfs2/journal.c | 7 +- fs/ocfs2/localalloc.c | 19 + fs/ocfs2/quota_local.c | 8 +- fs/ocfs2/refcounttree.c | 26 +- fs/ocfs2/xattr.c | 11 +- fs/overlayfs/params.c | 38 +- fs/proc/base.c | 61 +- fs/smb/client/cifsfs.c | 13 +- fs/smb/client/cifsglob.h | 2 +- fs/smb/client/inode.c | 19 +- fs/smb/client/reparse.c | 16 +- fs/smb/client/smb1ops.c | 2 +- fs/smb/client/smb2inode.c | 24 +- fs/smb/client/smb2ops.c | 19 +- fs/smb/server/connection.c | 4 +- fs/smb/server/connection.h | 1 + fs/smb/server/oplock.c | 55 +- fs/smb/server/vfs_cache.c | 3 + include/crypto/internal/simd.h | 12 +- include/drm/drm_print.h | 54 +- include/dt-bindings/clock/exynos7885.h | 2 +- include/dt-bindings/clock/qcom,gcc-sc8180x.h | 3 + include/linux/cpufreq.h | 6 +- include/linux/fdtable.h | 8 +- include/linux/i2c.h | 5 + include/linux/netdevice.h | 18 + include/linux/perf_event.h | 8 +- include/linux/stmmac.h | 1 - include/linux/uprobes.h | 2 + include/linux/virtio_net.h | 4 +- include/net/mana/gdma.h | 10 +- include/net/mana/mana.h | 3 +- include/uapi/linux/cec.h | 6 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- io_uring/net.c | 4 +- kernel/bpf/verifier.c | 26 +- kernel/cgroup/cgroup-v1.c | 12 +- kernel/events/core.c | 33 +- kernel/events/uprobes.c | 4 +- kernel/fork.c | 32 +- kernel/jump_label.c | 52 +- kernel/rcu/rcuscale.c | 4 +- kernel/resource.c | 58 +- kernel/sched/psi.c | 26 +- kernel/static_call_inline.c | 13 +- kernel/trace/trace_hwlat.c | 2 + kernel/trace/trace_osnoise.c | 22 +- lib/buildid.c | 88 +- mm/Kconfig | 25 +- mm/slab_common.c | 7 + net/bluetooth/hci_core.c | 2 + net/bluetooth/hci_event.c | 15 +- net/bluetooth/hci_sock.c | 21 +- net/bluetooth/iso.c | 36 +- net/bluetooth/l2cap_core.c | 8 - net/bluetooth/l2cap_sock.c | 52 +- net/bluetooth/mgmt.c | 23 +- net/core/dev.c | 14 +- net/core/gro.c | 9 +- net/core/netpoll.c | 15 +- net/dsa/slave.c | 7 +- net/ipv4/devinet.c | 6 +- net/ipv4/fib_frontend.c | 2 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/netfilter/nf_dup_ipv4.c | 7 +- net/ipv4/tcp_ipv4.c | 3 + net/ipv4/udp_offload.c | 22 +- net/ipv6/netfilter/nf_dup_ipv6.c | 7 +- net/mac80211/chan.c | 4 +- net/mac80211/mlme.c | 2 +- net/mac80211/scan.c | 2 +- net/mac80211/util.c | 4 +- net/mac802154/scan.c | 4 +- net/netfilter/nf_tables_api.c | 57 +- net/netfilter/nft_set_bitmap.c | 4 +- net/netfilter/nft_set_hash.c | 8 +- net/netfilter/nft_set_pipapo.c | 5 +- net/netfilter/nft_set_rbtree.c | 4 +- net/rxrpc/ar-internal.h | 2 +- net/rxrpc/io_thread.c | 10 +- net/rxrpc/local_object.c | 2 +- net/sched/sch_taprio.c | 4 +- net/sctp/socket.c | 4 +- net/tipc/bearer.c | 8 +- net/wireless/nl80211.c | 15 +- rust/kernel/sync/locked_by.rs | 18 +- scripts/kconfig/qconf.cc | 2 +- security/Kconfig | 32 + security/tomoyo/domain.c | 9 +- sound/core/init.c | 14 +- sound/core/oss/mixer_oss.c | 4 +- sound/isa/gus/gus_pcm.c | 4 +- sound/pci/asihpi/hpimsgx.c | 2 +- sound/pci/hda/hda_controller.h | 2 +- sound/pci/hda/hda_generic.c | 4 +- sound/pci/hda/hda_intel.c | 10 +- sound/pci/hda/patch_conexant.c | 24 +- sound/pci/hda/patch_realtek.c | 4 + sound/pci/rme9652/hdsp.c | 6 +- sound/pci/rme9652/hdspm.c | 6 +- sound/soc/atmel/mchp-pdmc.c | 3 + sound/soc/codecs/wsa883x.c | 16 +- sound/soc/fsl/imx-card.c | 1 + sound/usb/card.c | 8 + sound/usb/clock.c | 62 +- sound/usb/format.c | 6 +- sound/usb/helper.c | 34 + sound/usb/helper.h | 10 +- sound/usb/line6/podhd.c | 2 +- sound/usb/mixer.c | 37 +- sound/usb/mixer.h | 1 + sound/usb/mixer_quirks.c | 17 +- sound/usb/mixer_scarlett.c | 4 +- sound/usb/power.c | 3 +- sound/usb/power.h | 1 + sound/usb/quirks-table.h | 2283 ++++++-------------- sound/usb/quirks.c | 4 + sound/usb/stream.c | 21 +- sound/usb/usbaudio.h | 12 + tools/arch/x86/kcpuid/kcpuid.c | 12 +- tools/bpf/bpftool/net.c | 11 +- tools/include/nolibc/arch-powerpc.h | 2 +- tools/perf/util/hist.c | 7 +- tools/perf/util/machine.c | 17 +- tools/perf/util/setup.py | 2 + tools/perf/util/thread.c | 4 + tools/perf/util/thread.h | 1 + .../breakpoints/step_after_suspend_test.c | 5 +- tools/testing/selftests/hid/Makefile | 2 + .../selftests/mm/charge_reserved_hugetlb.sh | 2 +- tools/testing/selftests/mm/write_to_hugetlbfs.c | 23 +- tools/testing/selftests/netfilter/nft_audit.sh | 57 +- tools/testing/selftests/nolibc/nolibc-test.c | 4 +- tools/testing/selftests/vDSO/parse_vdso.c | 17 +- tools/testing/selftests/vDSO/vdso_config.h | 10 +- .../testing/selftests/vDSO/vdso_test_correctness.c | 6 + tools/tracing/rtla/src/osnoise_top.c | 2 +- tools/tracing/rtla/src/timerlat_top.c | 4 +- 398 files changed, 4268 insertions(+), 3904 deletions(-)

6 months, 3 weeks

16
407
0 0

[PATCH] platform/chrome: cross_ec_type: fix missing fwnode reference decrement

by Javier Carrasco

The device_for_each_child_node() macro requires explicit calls to fwnode_handle_put() upon early exits (return, break, goto) to decrement the fwnode's refcount, and avoid levaing a node reference behind. Add the missing fwnode_handle_put() after the common label for all error paths. Cc: stable(a)vger.kernel.org Fixes: fdc6b21e2444 ("platform/chrome: Add Type C connector class driver") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- I usually switch to the scoped variant of the macro to fix such issues, but given that the fix is relevant for stable kernels, I have provided the "classical" approach by adding the missing fwnode_handle_put(). If switching to the scoped variant is desired, please let me know. This driver and cross_typec_switch could be easily converted. By the way, I wonder why all error paths are redirected to the same label to unregister ports, even before registering them (which seems to be harmless because unregistered ports are ignored, but still). With this fix, that jump to the label is definitely required, but if the scoped variant is used, maybe some simple returns would be enough. --- drivers/platform/chrome/cros_ec_typec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c index c7781aea0b88..f1324466efac 100644 --- a/drivers/platform/chrome/cros_ec_typec.c +++ b/drivers/platform/chrome/cros_ec_typec.c @@ -409,6 +409,7 @@ static int cros_typec_init_ports(struct cros_typec_data *typec) return 0; unregister_ports: + fwnode_handle_put(fwnode); cros_unregister_ports(typec); return ret; } --- base-commit: b6270c3bca987530eafc6a15f9d54ecd0033e0e3 change-id: 20241009-cross_ec_typec_fwnode_handle_put-9f13b4bd467f Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 3 weeks

2
2
0 0

[PATCHSET v5.0 3/9] xfs: metadata inode directory trees

by Darrick J. Wong

Hi all, This series delivers a new feature -- metadata inode directories. This is a separate directory tree (rooted in the superblock) that contains only inodes that contain filesystem metadata. Different metadata objects can be looked up with regular paths. Start by creating xfs_imeta{dir,file}* functions to mediate access to the metadata directory tree. By the end of this mega series, all existing metadata inodes (rt+quota) will use this directory tree instead of the superblock. Next, define the metadir on-disk format, which consists of marking inodes with a new iflag that says they're metadata. This prevents bulkstat and friends from ever getting their hands on fs metadata files. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. This has been running on the djcloud for months with no problems. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=me… xfsprogs git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfsprogs-dev.git/log/?h… --- Commits in this patchset: * xfs: constify the xfs_sb predicates * xfs: constify the xfs_inode predicates * xfs: define the on-disk format for the metadir feature * xfs: undefine the sb_bad_features2 when metadir is enabled * xfs: iget for metadata inodes * xfs: load metadata directory root at mount time * xfs: enforce metadata inode flag * xfs: read and write metadata inode directory tree * xfs: disable the agi rotor for metadata inodes * xfs: hide metadata inodes from everyone because they are special * xfs: advertise metadata directory feature * xfs: allow bulkstat to return metadata directories * xfs: don't count metadata directory files to quota * xfs: mark quota inodes as metadata files * xfs: adjust xfs_bmap_add_attrfork for metadir * xfs: record health problems with the metadata directory * xfs: refactor directory tree root predicates * xfs: do not count metadata directory files when doing online quotacheck * xfs: don't fail repairs on metadata files with no attr fork * xfs: metadata files can have xattrs if metadir is enabled * xfs: adjust parent pointer scrubber for sb-rooted metadata files * xfs: fix di_metatype field of inodes that won't load * xfs: scrub metadata directories * xfs: check the metadata directory inumber in superblocks * xfs: move repair temporary files to the metadata directory tree * xfs: check metadata directory file path connectivity * xfs: confirm dotdot target before replacing it during a repair * xfs: repair metadata directory file path connectivity --- fs/xfs/Makefile | 5 fs/xfs/libxfs/xfs_attr.c | 5 fs/xfs/libxfs/xfs_bmap.c | 5 fs/xfs/libxfs/xfs_format.h | 176 ++++++++++--- fs/xfs/libxfs/xfs_fs.h | 25 ++ fs/xfs/libxfs/xfs_health.h | 6 fs/xfs/libxfs/xfs_ialloc.c | 58 +++- fs/xfs/libxfs/xfs_inode_buf.c | 83 ++++++ fs/xfs/libxfs/xfs_inode_buf.h | 3 fs/xfs/libxfs/xfs_inode_util.c | 2 fs/xfs/libxfs/xfs_log_format.h | 2 fs/xfs/libxfs/xfs_metadir.c | 481 ++++++++++++++++++++++++++++++++++++ fs/xfs/libxfs/xfs_metadir.h | 47 ++++ fs/xfs/libxfs/xfs_metafile.c | 52 ++++ fs/xfs/libxfs/xfs_metafile.h | 31 ++ fs/xfs/libxfs/xfs_ondisk.h | 2 fs/xfs/libxfs/xfs_sb.c | 33 ++ fs/xfs/scrub/agheader.c | 14 + fs/xfs/scrub/common.c | 65 ++++- fs/xfs/scrub/common.h | 5 fs/xfs/scrub/dir.c | 10 + fs/xfs/scrub/dir_repair.c | 20 + fs/xfs/scrub/dirtree.c | 32 ++ fs/xfs/scrub/dirtree.h | 12 - fs/xfs/scrub/findparent.c | 28 ++ fs/xfs/scrub/health.c | 1 fs/xfs/scrub/inode.c | 35 ++- fs/xfs/scrub/inode_repair.c | 34 ++- fs/xfs/scrub/metapath.c | 521 +++++++++++++++++++++++++++++++++++++++ fs/xfs/scrub/nlinks.c | 4 fs/xfs/scrub/nlinks_repair.c | 4 fs/xfs/scrub/orphanage.c | 4 fs/xfs/scrub/parent.c | 39 ++- fs/xfs/scrub/parent_repair.c | 37 ++- fs/xfs/scrub/quotacheck.c | 7 - fs/xfs/scrub/repair.c | 22 +- fs/xfs/scrub/repair.h | 3 fs/xfs/scrub/scrub.c | 9 + fs/xfs/scrub/scrub.h | 2 fs/xfs/scrub/stats.c | 1 fs/xfs/scrub/tempfile.c | 105 ++++++++ fs/xfs/scrub/tempfile.h | 3 fs/xfs/scrub/trace.c | 1 fs/xfs/scrub/trace.h | 42 +++ fs/xfs/xfs_dquot.c | 1 fs/xfs/xfs_health.c | 2 fs/xfs/xfs_icache.c | 73 +++++ fs/xfs/xfs_inode.c | 15 + fs/xfs/xfs_inode.h | 34 ++- fs/xfs/xfs_inode_item.c | 7 - fs/xfs/xfs_inode_item_recover.c | 5 fs/xfs/xfs_ioctl.c | 7 + fs/xfs/xfs_iops.c | 15 + fs/xfs/xfs_itable.c | 33 ++ fs/xfs/xfs_itable.h | 3 fs/xfs/xfs_mount.c | 31 ++ fs/xfs/xfs_mount.h | 3 fs/xfs/xfs_qm.c | 36 +++ fs/xfs/xfs_quota.h | 5 fs/xfs/xfs_rtalloc.c | 38 ++- fs/xfs/xfs_super.c | 4 fs/xfs/xfs_trace.c | 2 fs/xfs/xfs_trace.h | 102 ++++++++ fs/xfs/xfs_trans_dquot.c | 6 64 files changed, 2302 insertions(+), 196 deletions(-) create mode 100644 fs/xfs/libxfs/xfs_metadir.c create mode 100644 fs/xfs/libxfs/xfs_metadir.h create mode 100644 fs/xfs/libxfs/xfs_metafile.c create mode 100644 fs/xfs/libxfs/xfs_metafile.h create mode 100644 fs/xfs/scrub/metapath.c

6 months, 3 weeks

1
1
0 0

[PATCH v2] usb: dwc3: core: Fix system suspend on TI AM62 platforms

by Roger Quadros

Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), system suspend is broken on AM62 TI platforms. Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY bits (hence forth called 2 SUSPHY bits) were being set during core initialization and even during core re-initialization after a system suspend/resume. These bits are required to be set for system suspend/resume to work correctly on AM62 platforms. Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget driver is not loaded and started. For Host mode, the 2 SUSPHY bits are set before the first system suspend but get cleared at system resume during core re-init and are never set again. This patch resovles these two issues by ensuring the 2 SUSPHY bits are set before system suspend and restored to the original state during system resume. Cc: stable(a)vger.kernel.org # v6.9+ Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ Signed-off-by: Roger Quadros <rogerq(a)kernel.org> --- Changes in v2: - Fix comment style - Use both USB3 and USB2 SUSPHY bits to determine susphy_state during system suspend/resume. - Restore SUSPHY bits at system resume regardless if it was set or cleared before system suspend. - Link to v1: https://lore.kernel.org/r/20241001-am62-lpm-usb-v1-1-9916b71165f7@kernel.org --- drivers/usb/dwc3/core.c | 21 +++++++++++++++++++++ drivers/usb/dwc3/core.h | 2 ++ 2 files changed, 23 insertions(+) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 9eb085f359ce..20209de2b295 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2336,6 +2336,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) u32 reg; int i; + dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & + DWC3_GUSB2PHYCFG_SUSPHY) || + (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) & + DWC3_GUSB3PIPECTL_SUSPHY); + switch (dwc->current_dr_role) { case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) @@ -2387,6 +2392,15 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* + * TI AM62 platform requires SUSPHY to be + * enabled for system suspend to work. + */ + if (!dwc->susphy_state) + dwc3_enable_susphy(dwc, true); + } + return 0; } @@ -2454,6 +2468,13 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* + * restore SUSPHY state to that before system suspend. + */ + dwc3_enable_susphy(dwc, dwc->susphy_state); + } + return 0; } diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index c71240e8f7c7..b2ed5aba4c72 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -1150,6 +1150,7 @@ struct dwc3_scratchpad_array { * @sys_wakeup: set if the device may do system wakeup. * @wakeup_configured: set if the device is configured for remote wakeup. * @suspended: set to track suspend event due to U3/L2. + * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY before PM suspend. * @imod_interval: set the interrupt moderation interval in 250ns * increments or 0 to disable. * @max_cfg_eps: current max number of IN eps used across all USB configs. @@ -1382,6 +1383,7 @@ struct dwc3 { unsigned sys_wakeup:1; unsigned wakeup_configured:1; unsigned suspended:1; + unsigned susphy_state:1; u16 imod_interval; --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20240923-am62-lpm-usb-f420917bd707 Best regards, -- Roger Quadros <rogerq(a)kernel.org>

6 months, 3 weeks

2
1
0 0

[PATCH v3 5/9] serial: qcom-geni: fix receiver enable

by Johan Hovold

The receiver is supposed to be enabled in the startup() callback and not in set_termios() which is called also during console setup. This specifically avoids accepting input before the port has been opened (and interrupts enabled), something which can also break the GENI firmware (cancel fails and after abort, the "stale" counter handling appears to be broken so that later input is not processed until twelve chars have been received). There also does not appear to be any need to keep the receiver disabled while updating the port settings. Since commit 6f3c3cafb115 ("serial: qcom-geni: disable interrupts during console writes") the calls to manipulate the secondary interrupts, which were done without holding the port lock, can also lead to the receiver being left disabled when set_termios() races with the console code (e.g. when init opens the tty during boot). This can manifest itself as a serial getty not accepting input. The calls to stop and start rx in set_termios() can similarly race with DMA completion and, for example, cause the DMA buffer to be unmapped twice or the mapping to be leaked. Fix this by only enabling the receiver during startup and while holding the port lock to avoid racing with the console code. Fixes: 6f3c3cafb115 ("serial: qcom-geni: disable interrupts during console writes") Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA") Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Cc: stable(a)vger.kernel.org # 6.3 Cc: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index aaf24bd037a7..6c4349ea5720 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1197,6 +1197,11 @@ static int qcom_geni_serial_startup(struct uart_port *uport) if (ret) return ret; } + + uart_port_lock_irq(uport); + qcom_geni_serial_start_rx(uport); + uart_port_unlock_irq(uport); + enable_irq(uport->irq); return 0; @@ -1282,7 +1287,6 @@ static void qcom_geni_serial_set_termios(struct uart_port *uport, unsigned int avg_bw_core; unsigned long timeout; - qcom_geni_serial_stop_rx(uport); /* baud rate */ baud = uart_get_baud_rate(uport, termios, old, 300, 4000000); @@ -1298,7 +1302,7 @@ static void qcom_geni_serial_set_termios(struct uart_port *uport, dev_err(port->se.dev, "Couldn't find suitable clock rate for %u\n", baud * sampling_rate); - goto out_restart_rx; + return; } dev_dbg(port->se.dev, "desired_rate = %u, clk_rate = %lu, clk_div = %u\n", @@ -1389,8 +1393,6 @@ static void qcom_geni_serial_set_termios(struct uart_port *uport, writel(stop_bit_len, uport->membase + SE_UART_TX_STOP_BIT_LEN); writel(ser_clk_cfg, uport->membase + GENI_SER_M_CLK_CFG); writel(ser_clk_cfg, uport->membase + GENI_SER_S_CLK_CFG); -out_restart_rx: - qcom_geni_serial_start_rx(uport); } #ifdef CONFIG_SERIAL_QCOM_GENI_CONSOLE -- 2.45.2

6 months, 3 weeks

2
1
0 0

[PATCH v3 1/9] serial: qcom-geni: fix polled console initialisation

by Johan Hovold

The polled console (KGDB/KDB) implementation must not call port setup unconditionally as the port may already be in use by the console or a getty. Only make sure that the receiver is enabled, but do not enable any device interrupts. Fixes: d8851a96ba25 ("tty: serial: qcom-geni-serial: Add a poll_init() function") Cc: stable(a)vger.kernel.org # 6.4 Cc: Douglas Anderson <dianders(a)chromium.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 6f0db310cf69..c237c9d107cd 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -147,6 +147,7 @@ static struct uart_driver qcom_geni_uart_driver; static void __qcom_geni_serial_cancel_tx_cmd(struct uart_port *uport); static void qcom_geni_serial_cancel_tx_cmd(struct uart_port *uport); +static int qcom_geni_serial_port_setup(struct uart_port *uport); static inline struct qcom_geni_serial_port *to_dev_port(struct uart_port *uport) { @@ -395,6 +396,23 @@ static void qcom_geni_serial_poll_put_char(struct uart_port *uport, writel(c, uport->membase + SE_GENI_TX_FIFOn); qcom_geni_serial_poll_tx_done(uport); } + +static int qcom_geni_serial_poll_init(struct uart_port *uport) +{ + struct qcom_geni_serial_port *port = to_dev_port(uport); + int ret; + + if (!port->setup) { + ret = qcom_geni_serial_port_setup(uport); + if (ret) + return ret; + } + + if (!qcom_geni_serial_secondary_active(uport)) + geni_se_setup_s_cmd(&port->se, UART_START_READ, 0); + + return 0; +} #endif #ifdef CONFIG_SERIAL_QCOM_GENI_CONSOLE @@ -1582,7 +1600,7 @@ static const struct uart_ops qcom_geni_console_pops = { #ifdef CONFIG_CONSOLE_POLL .poll_get_char = qcom_geni_serial_get_char, .poll_put_char = qcom_geni_serial_poll_put_char, - .poll_init = qcom_geni_serial_port_setup, + .poll_init = qcom_geni_serial_poll_init, #endif .pm = qcom_geni_serial_pm, }; -- 2.45.2

6 months, 3 weeks

2
1
0 0

[PATCH] clk: actions: prevent overflow in owl_pll_recalc_rate

by Anastasia Belova

In case of OWL S900 SoC clock driver there are cases where bfreq = 24000000, shift = 0. If value read from CMU_COREPLL or CMU_DDRPLL to val is big enough, an overflow may occur. Add explicit casting to prevent it. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 2792c37e94c8 ("clk: actions: Add pll clock support") Cc: <stable(a)vger.kernel.org> Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> --- drivers/clk/actions/owl-pll.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/actions/owl-pll.c b/drivers/clk/actions/owl-pll.c index 155f313986b4..fa17567665ec 100644 --- a/drivers/clk/actions/owl-pll.c +++ b/drivers/clk/actions/owl-pll.c @@ -104,7 +104,7 @@ static unsigned long owl_pll_recalc_rate(struct clk_hw *hw, val = val >> pll_hw->shift; val &= mul_mask(pll_hw); - return pll_hw->bfreq * val; + return (unsigned long)pll_hw->bfreq * val; } static int owl_pll_is_enabled(struct clk_hw *hw) -- 2.30.2

6 months, 3 weeks

3
2
0 0

[to-be-updated] mm-enforce-a-minimal-stack-gap-even-against-inaccessible-vmas.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: enforce a minimal stack gap even against inaccessible VMAs has been removed from the -mm tree. Its filename was mm-enforce-a-minimal-stack-gap-even-against-inaccessible-vmas.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Jann Horn <jannh(a)google.com> Subject: mm: enforce a minimal stack gap even against inaccessible VMAs Date: Tue, 08 Oct 2024 00:55:39 +0200 As explained in the comment block this change adds, we can't tell what userspace's intent is when the stack grows towards an inaccessible VMA. I have a (highly contrived) C testcase for 32-bit x86 userspace with glibc that mixes malloc(), pthread creation, and recursion in just the right way such that the main stack overflows into malloc() arena memory. I don't know of any specific scenario where this is actually exploitable, but it seems like it could be a security problem for sufficiently unlucky userspace. I believe we should ensure that, as long as code is compiled with something like -fstack-check, a stack overflow in it can never cause the main stack to overflow into adjacent heap memory. My fix effectively reverts the behavior for !vma_is_accessible() VMAs to the behavior before commit 1be7107fbe18 ("mm: larger stack guard gap, between vmas"), so I think it should be a fairly safe change even in case A. [akpm(a)linux-foundation.org: s/prev/next/ in !CONFIG_STACK_GROWSUP section, per Lorenzo] Closes: https://lore.kernel.org/oe-kbuild-all/202410090632.brLG8w0b-lkp@intel.com/ Link: https://lkml.kernel.org/r/20241008-stack-gap-inaccessible-v1-1-848d4d891f21… Fixes: 561b5e0709e4 ("mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack") Signed-off-by: Jann Horn <jannh(a)google.com> Cc: Ben Hutchings <ben(a)decadent.org.uk> Cc: Helge Deller <deller(a)gmx.de> Cc: Hugh Dickins <hughd(a)google.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Rik van Riel <riel(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Willy Tarreau <w(a)1wt.eu> Cc: <stable(a)vger.kernel.org> Cc: kernel test robot <lkp(a)intel.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mmap.c | 53 +++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 7 deletions(-) --- a/mm/mmap.c~mm-enforce-a-minimal-stack-gap-even-against-inaccessible-vmas +++ a/mm/mmap.c @@ -1064,10 +1064,12 @@ static int expand_upwards(struct vm_area gap_addr = TASK_SIZE; next = find_vma_intersection(mm, vma->vm_end, gap_addr); - if (next && vma_is_accessible(next)) { - if (!(next->vm_flags & VM_GROWSUP)) + if (next && !(next->vm_flags & VM_GROWSUP)) { + /* see comments in expand_downwards() */ + if (vma_is_accessible(next)) + return -ENOMEM; + if (address == next->vm_start) return -ENOMEM; - /* Check that both stack segments have the same anon_vma? */ } if (next) @@ -1155,10 +1157,47 @@ int expand_downwards(struct vm_area_stru /* Enforce stack_guard_gap */ prev = vma_prev(&vmi); /* Check that both stack segments have the same anon_vma? */ - if (prev) { - if (!(prev->vm_flags & VM_GROWSDOWN) && - vma_is_accessible(prev) && - (address - prev->vm_end < stack_guard_gap)) + if (prev && !(prev->vm_flags & VM_GROWSDOWN) && + (address - prev->vm_end < stack_guard_gap)) { + /* + * If the previous VMA is accessible, this is the normal case + * where the main stack is growing down towards some unrelated + * VMA. Enforce the full stack guard gap. + */ + if (vma_is_accessible(prev)) + return -ENOMEM; + + /* + * If the previous VMA is not accessible, we have a problem: + * We can't tell what userspace's intent is. + * + * Case A: + * Maybe userspace wants to use the previous VMA as a + * "guard region" at the bottom of the main stack, in which case + * userspace wants us to grow the stack until it is adjacent to + * the guard region. Apparently some Java runtime environments + * and Rust do that? + * That is kind of ugly, and in that case userspace really ought + * to ensure that the stack is fully expanded immediately, but + * we have to handle this case. + * + * Case B: + * But maybe the previous VMA is entirely unrelated to the stack + * and is only *temporarily* PROT_NONE. For example, glibc + * malloc arenas create a big PROT_NONE region and then + * progressively mark parts of it as writable. + * In that case, we must not let the stack become adjacent to + * the previous VMA. Otherwise, after the region later becomes + * writable, a stack overflow will cause the stack to grow into + * the previous VMA, and we won't have any stack gap to protect + * against this. + * + * As an ugly tradeoff, enforce a single-page gap. + * A single page will hopefully be small enough to not be + * noticed in case A, while providing the same level of + * protection in case B that normal userspace threads get. + */ + if (address == prev->vm_end) return -ENOMEM; } _ Patches currently in -mm which might be from jannh(a)google.com are mm-mremap-fix-move_normal_pmd-retract_page_tables-race.patch

6 months, 3 weeks

1
0
0 0

+ mm-damon-fix-memory-leak-in-damon_sysfs_test_add_targets.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-fix-memory-leak-in-damon_sysfs_test_add_targets.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jinjie Ruan <ruanjinjie(a)huawei.com> Subject: mm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets() Date: Thu, 10 Oct 2024 20:53:23 +0800 The sysfs_target->regions allocated in damon_sysfs_regions_alloc() is not freed in damon_sysfs_test_add_targets(), which cause the following memory leak, free it to fix it. unreferenced object 0xffffff80c2a8db80 (size 96): comm "kunit_try_catch", pid 187, jiffies 4294894363 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 [<000000008e6835c1>] __kmalloc_cache_noprof+0x26c/0x2f4 [<000000001286d9f8>] damon_sysfs_test_add_targets+0x1cc/0x738 [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec [<00000000adf936cf>] kthread+0x2e8/0x374 [<0000000041bb1628>] ret_from_fork+0x10/0x20 Link: https://lkml.kernel.org/r/20241010125323.3127187-1-ruanjinjie@huawei.com Fixes: b8ee5575f763 ("mm/damon/sysfs-test: add a unit test for damon_sysfs_set_targets()") Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/tests/sysfs-kunit.h | 1 + 1 file changed, 1 insertion(+) --- a/mm/damon/tests/sysfs-kunit.h~mm-damon-fix-memory-leak-in-damon_sysfs_test_add_targets +++ a/mm/damon/tests/sysfs-kunit.h @@ -67,6 +67,7 @@ static void damon_sysfs_test_add_targets damon_destroy_ctx(ctx); kfree(sysfs_targets->targets_arr); kfree(sysfs_targets); + kfree(sysfs_target->regions); kfree(sysfs_target); } _ Patches currently in -mm which might be from ruanjinjie(a)huawei.com are mm-damon-fix-memory-leak-in-damon_sysfs_test_add_targets.patch

6 months, 3 weeks

1
0
0 0

[PATCH 6.1] ASoC: Intel: sof_realtek_common: set ret = 0 as initial value

by Vitaliy Shevtsov

From: Bard Liao <yung-chuan.liao(a)linux.intel.com> commit 47d2b66fec133cb27da3a551334686e465d19469 upstream. 'ret' will not be initialized if dai_fmt is not DSP_A or DSP_B. Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Signed-off-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Link: https://lore.kernel.org/r/20221206212507.359993-4-pierre-louis.bossart@linu… Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> --- sound/soc/intel/boards/sof_realtek_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/intel/boards/sof_realtek_common.c b/sound/soc/intel/boards/sof_realtek_common.c index ff2851fc8930..6c12ca92f371 100644 --- a/sound/soc/intel/boards/sof_realtek_common.c +++ b/sound/soc/intel/boards/sof_realtek_common.c @@ -267,7 +267,8 @@ static int rt1015_hw_params(struct snd_pcm_substream *substream, struct snd_soc_pcm_runtime *rtd = asoc_substream_to_rtd(substream); struct snd_soc_dai_link *dai_link = rtd->dai_link; struct snd_soc_dai *codec_dai; - int i, clk_freq, ret; + int i, clk_freq; + int ret = 0; clk_freq = sof_dai_get_bclk(rtd); -- 2.46.2

6 months, 3 weeks

1
0
0 0

[PATCH] drm/vmwgfx: Handle surface check failure correctly

by Nikolay Kuratov

Currently if condition (!bo and !vmw_kms_srf_ok()) was met we go to err_out with ret == 0. err_out dereferences vfb if ret == 0, but in our case vfb is still NULL. Fix this by assigning sensible error to ret. Found by Linux Verification Center (linuxtesting.org) with SVACE Signed-off-by: Nikolay Kuratov <kniv(a)yandex-team.ru> Cc: stable(a)vger.kernel.org Fixes: 810b3e1683d0 ("drm/vmwgfx: Support topology greater than texture size") --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 288ed0bb75cb..752510a11e1b 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1539,6 +1539,7 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, DRM_ERROR("Surface size cannot exceed %dx%d\n", dev_priv->texture_max_width, dev_priv->texture_max_height); + ret = -EINVAL; goto err_out; } -- 2.34.1

6 months, 3 weeks

2
1
0 0

[PATCH V2 1/3] perf/x86/intel: Fix ARCH_PERFMON_NUM_COUNTER_LEAF

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> The EAX of the CPUID Leaf 023H enumerates the mask of valid sub-leaves. To tell the availability of the sub-leaf 1 (enumerate the counter mask), perf should check the bit 1 (0x2) of EAS, rather than bit 0 (0x1). The error is not user-visible on bare metal. Because the sub-leaf 0 and the sub-leaf 1 are always available. However, it may bring issues in a virtualization environment when a VMM only enumerates the sub-leaf 0. Fixes: eb467aaac21e ("perf/x86/intel: Support Architectural PerfMon Extension leaf") Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/events/intel/core.c | 4 ++-- arch/x86/include/asm/perf_event.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 7ca40002a19b..2f3bf3bbbd77 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -4886,8 +4886,8 @@ static void update_pmu_cap(struct x86_hybrid_pmu *pmu) if (ebx & ARCH_PERFMON_EXT_EQ) pmu->config_mask |= ARCH_PERFMON_EVENTSEL_EQ; - if (sub_bitmaps & ARCH_PERFMON_NUM_COUNTER_LEAF_BIT) { - cpuid_count(ARCH_PERFMON_EXT_LEAF, ARCH_PERFMON_NUM_COUNTER_LEAF, + if (sub_bitmaps & ARCH_PERFMON_NUM_COUNTER_LEAF) { + cpuid_count(ARCH_PERFMON_EXT_LEAF, ARCH_PERFMON_NUM_COUNTER_LEAF_BIT, &eax, &ebx, &ecx, &edx); pmu->cntr_mask64 = eax; pmu->fixed_cntr_mask64 = ebx; diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h index 91b73571412f..41ace8431e01 100644 --- a/arch/x86/include/asm/perf_event.h +++ b/arch/x86/include/asm/perf_event.h @@ -190,7 +190,7 @@ union cpuid10_edx { #define ARCH_PERFMON_EXT_UMASK2 0x1 #define ARCH_PERFMON_EXT_EQ 0x2 #define ARCH_PERFMON_NUM_COUNTER_LEAF_BIT 0x1 -#define ARCH_PERFMON_NUM_COUNTER_LEAF 0x1 +#define ARCH_PERFMON_NUM_COUNTER_LEAF BIT(ARCH_PERFMON_NUM_COUNTER_LEAF_BIT) /* * Intel Architectural LBR CPUID detection/enumeration details: -- 2.38.1

6 months, 3 weeks

1
0
0 0

[PATCH] vt: prevent kernel-infoleak in con_font_get()

by Jeongjun Park

font.data may not initialize all memory spaces depending on the implementation of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it is safest to modify it to initialize the allocated memory space to 0, and it generally does not affect the overall performance of the system. Cc: stable(a)vger.kernel.org Reported-by: syzbot+955da2d57931604ee691(a)syzkaller.appspotmail.com Fixes: 05e2600cb0a4 ("VT: Bump font size limitation to 64x128 pixels") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- drivers/tty/vt/vt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index cd87e3d1291e..96842ce817af 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4726,7 +4726,7 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op) return -EINVAL; if (op->data) { - font.data = kvmalloc(max_font_size, GFP_KERNEL); + font.data = kvzalloc(max_font_size, GFP_KERNEL); if (!font.data) return -ENOMEM; } else --

6 months, 3 weeks

1
0
0 0

[PATCH] mm: Enforce a minimal stack gap even against inaccessible VMAs

by Jann Horn

As explained in the comment block this change adds, we can't tell what userspace's intent is when the stack grows towards an inaccessible VMA. I have a (highly contrived) C testcase for 32-bit x86 userspace with glibc that mixes malloc(), pthread creation, and recursion in just the right way such that the main stack overflows into malloc() arena memory. (Let me know if you want me to share that.) I don't know of any specific scenario where this is actually exploitable, but it seems like it could be a security problem for sufficiently unlucky userspace. I believe we should ensure that, as long as code is compiled with something like -fstack-check, a stack overflow in it can never cause the main stack to overflow into adjacent heap memory. My fix effectively reverts the behavior for !vma_is_accessible() VMAs to the behavior before commit 1be7107fbe18 ("mm: larger stack guard gap, between vmas"), so I think it should be a fairly safe change even in case A. Fixes: 561b5e0709e4 ("mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack") Cc: stable(a)vger.kernel.org Signed-off-by: Jann Horn <jannh(a)google.com> --- I have tested that Libreoffice still launches after this change, though I don't know if that means anything. Note that I haven't tested the growsup code. --- mm/mmap.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 7 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index dd4b35a25aeb..971bfd6c1cea 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1064,10 +1064,12 @@ static int expand_upwards(struct vm_area_struct *vma, unsigned long address) gap_addr = TASK_SIZE; next = find_vma_intersection(mm, vma->vm_end, gap_addr); - if (next && vma_is_accessible(next)) { - if (!(next->vm_flags & VM_GROWSUP)) + if (next && !(next->vm_flags & VM_GROWSUP)) { + /* see comments in expand_downwards() */ + if (vma_is_accessible(prev)) + return -ENOMEM; + if (address == next->vm_start) return -ENOMEM; - /* Check that both stack segments have the same anon_vma? */ } if (next) @@ -1155,10 +1157,47 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) /* Enforce stack_guard_gap */ prev = vma_prev(&vmi); /* Check that both stack segments have the same anon_vma? */ - if (prev) { - if (!(prev->vm_flags & VM_GROWSDOWN) && - vma_is_accessible(prev) && - (address - prev->vm_end < stack_guard_gap)) + if (prev && !(prev->vm_flags & VM_GROWSDOWN) && + (address - prev->vm_end < stack_guard_gap)) { + /* + * If the previous VMA is accessible, this is the normal case + * where the main stack is growing down towards some unrelated + * VMA. Enforce the full stack guard gap. + */ + if (vma_is_accessible(prev)) + return -ENOMEM; + + /* + * If the previous VMA is not accessible, we have a problem: + * We can't tell what userspace's intent is. + * + * Case A: + * Maybe userspace wants to use the previous VMA as a + * "guard region" at the bottom of the main stack, in which case + * userspace wants us to grow the stack until it is adjacent to + * the guard region. Apparently some Java runtime environments + * and Rust do that? + * That is kind of ugly, and in that case userspace really ought + * to ensure that the stack is fully expanded immediately, but + * we have to handle this case. + * + * Case B: + * But maybe the previous VMA is entirely unrelated to the stack + * and is only *temporarily* PROT_NONE. For example, glibc + * malloc arenas create a big PROT_NONE region and then + * progressively mark parts of it as writable. + * In that case, we must not let the stack become adjacent to + * the previous VMA. Otherwise, after the region later becomes + * writable, a stack overflow will cause the stack to grow into + * the previous VMA, and we won't have any stack gap to protect + * against this. + * + * As an ugly tradeoff, enforce a single-page gap. + * A single page will hopefully be small enough to not be + * noticed in case A, while providing the same level of + * protection in case B that normal userspace threads get. + */ + if (address == prev->vm_end) return -ENOMEM; } --- base-commit: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b change-id: 20241008-stack-gap-inaccessible-c7319f7d4b1b -- Jann Horn <jannh(a)google.com>

6 months, 3 weeks

4
8
0 0

[PATCH v2 0/3] Fix bugs in qla2xxx driver

by Anastasia Kovaleva

This series of patches contains 3 separate changes that fix some bugs in the qla2xxx driver. --- v2: - Change a spinlock wrap to a WRITE_ONCE() in patch 1 - Add Reviewed-by tags on patches 2 and 3 --- Anastasia Kovaleva (3): scsi: qla2xxx: Drop starvation counter on success scsi: qla2xxx: Make target send correct LOGO scsi: qla2xxx: Remove incorrect trap drivers/scsi/qla2xxx/qla_iocb.c | 11 +++++++++++ drivers/scsi/qla2xxx/qla_isr.c | 4 ++++ drivers/scsi/qla2xxx/qla_target.c | 16 +++++++--------- 3 files changed, 22 insertions(+), 9 deletions(-) -- 2.40.1

6 months, 3 weeks

3
7
0 0

[PATCH v2] spi: stm32: fix missing device mode capability in stm32mp25

by Alain Volmat

The STM32MP25 SOC has capability to behave in device mode however missing .has_device_mode within its stm32mp25_spi_cfg structure leads to not being able to enable the device mode. Fixes: f6cd66231aa5 ("spi: stm32: add st,stm32mp25-spi compatible supporting STM32MP25 soc") Cc: stable(a)vger.kernel.org Signed-off-by: Alain Volmat <alain.volmat(a)foss.st.com> --- Changes in v2: - correct Fixes commit sha1 - Link to v1: https://lore.kernel.org/r/20241009-spi-mp25-device-fix-v1-1-8e5ca7db7838@fo… --- drivers/spi/spi-stm32.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c index f2dd8ab12df831d54758d21ec1a68ffc40e2f0a6..da3517d7102dce5f830cdf0dbdee3e19184f69c5 100644 --- a/drivers/spi/spi-stm32.c +++ b/drivers/spi/spi-stm32.c @@ -2044,6 +2044,7 @@ static const struct stm32_spi_cfg stm32mp25_spi_cfg = { .baud_rate_div_max = STM32H7_SPI_MBR_DIV_MAX, .has_fifo = true, .prevent_dma_burst = true, + .has_device_mode = true, }; static const struct of_device_id stm32_spi_of_match[] = { --- base-commit: c2a59c892f20379a3e48124a83491a12374cd7e0 change-id: 20241009-spi-mp25-device-fix-e03406280c02 Best regards, -- Alain Volmat <alain.volmat(a)foss.st.com>

6 months, 3 weeks

2
1
0 0

[PATCH] spi: stm32: fix missing device mode capability in stm32mp25

by Alain Volmat

The STM32MP25 SOC has capability to behave in device mode however missing .has_device_mode within its stm32mp25_spi_cfg structure leads to not being able to enable the device mode. Fixes: a4e7908abf0c ("spi: stm32: add st,stm32mp25-spi compatible supporting STM32MP25 soc") Cc: stable(a)vger.kernel.org Signed-off-by: Alain Volmat <alain.volmat(a)foss.st.com> --- drivers/spi/spi-stm32.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c index f2dd8ab12df831d54758d21ec1a68ffc40e2f0a6..da3517d7102dce5f830cdf0dbdee3e19184f69c5 100644 --- a/drivers/spi/spi-stm32.c +++ b/drivers/spi/spi-stm32.c @@ -2044,6 +2044,7 @@ static const struct stm32_spi_cfg stm32mp25_spi_cfg = { .baud_rate_div_max = STM32H7_SPI_MBR_DIV_MAX, .has_fifo = true, .prevent_dma_burst = true, + .has_device_mode = true, }; static const struct of_device_id stm32_spi_of_match[] = { --- base-commit: c2a59c892f20379a3e48124a83491a12374cd7e0 change-id: 20241009-spi-mp25-device-fix-e03406280c02 Best regards, -- Alain Volmat <alain.volmat(a)foss.st.com>

6 months, 3 weeks

2
3
0 0

[PATCH] drm/vblank: Require a driver register vblank support for 0 or all CRTCs

by Lyude Paul

Currently, there's nothing actually stopping a driver from only registering vblank support for some of it's CRTCs and not for others. As far as I can tell, this isn't really defined behavior on the C side of things - as the documentation explicitly mentions to not use drm_vblank_init() if you don't have vblank support - since DRM then steps in and adds its own vblank emulation implementation. So, let's fix this edge case and check to make sure it's all or none. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Fixes: 3ed4351a83ca ("drm: Extract drm_vblank.[hc]") Cc: Stefan Agner <stefan(a)agner.ch> Cc: Daniel Vetter <daniel.vetter(a)intel.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: Simona Vetter <simona(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v4.13+ --- drivers/gpu/drm/drm_vblank.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/gpu/drm/drm_vblank.c b/drivers/gpu/drm/drm_vblank.c index 94e45ed6869d0..4d00937e8ca2e 100644 --- a/drivers/gpu/drm/drm_vblank.c +++ b/drivers/gpu/drm/drm_vblank.c @@ -525,9 +525,19 @@ static void drm_vblank_init_release(struct drm_device *dev, void *ptr) */ int drm_vblank_init(struct drm_device *dev, unsigned int num_crtcs) { + struct drm_crtc *crtc; int ret; unsigned int i; + // Confirm that the required vblank functions have been filled out for all CRTCS + drm_for_each_crtc(crtc, dev) { + if (!crtc->funcs->enable_vblank || !crtc->funcs->disable_vblank) { + drm_err(dev, "CRTC vblank functions not initialized for %s, abort\n", + crtc->name); + return -EINVAL; + } + } + spin_lock_init(&dev->vbl_lock); spin_lock_init(&dev->vblank_time_lock); base-commit: 22512c3ee0f47faab5def71c4453638923c62522 -- 2.46.1

6 months, 3 weeks

3
2
0 0

[PATCH] PM: domains: Fix return value of API dev_pm_get_subsys_data()

by Zijun Hu

From: Zijun Hu <quic_zijuhu(a)quicinc.com> dev_pm_get_subsys_data() has below 2 issues under condition (@dev->power.subsys_data != NULL): - it will do unnecessary kzalloc() and kfree(). - it will return -ENOMEM if the kzalloc() fails, that is wrong since the kzalloc() is not needed. Fixed by not doing kzalloc() and returning 0 for the condition. Fixes: ef27bed1870d ("PM: Reference counting of power.subsys_data") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- drivers/base/power/common.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/base/power/common.c b/drivers/base/power/common.c index 8c34ae1cd8d5..13cb1f2a06e7 100644 --- a/drivers/base/power/common.c +++ b/drivers/base/power/common.c @@ -26,6 +26,14 @@ int dev_pm_get_subsys_data(struct device *dev) { struct pm_subsys_data *psd; + spin_lock_irq(&dev->power.lock); + if (dev->power.subsys_data) { + dev->power.subsys_data->refcount++; + spin_unlock_irq(&dev->power.lock); + return 0; + } + spin_unlock_irq(&dev->power.lock); + psd = kzalloc(sizeof(*psd), GFP_KERNEL); if (!psd) return -ENOMEM; --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241010-fix_dev_pm_get_subsys_data-2478bb200fde Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

6 months, 3 weeks

1
0
0 0

[PATCH stable 6.1] devlink: Fix RCU stall when unregistering a devlink instance

by Ido Schimmel

When a devlink instance is unregistered the following happens (among other things): t0 - The instance is marked with 'DEVLINK_UNREGISTERING'. t1 - Blocking until an RCU grace period passes. t2 - The 'DEVLINK_UNREGISTERING' mark is cleared from the instance. When iterating over devlink instances (f.e., when requesting a dump of available instances) and encountering an instance that is currently being unregistered, the current code will loop around until the 'DEVLINK_UNREGISTERING' mark is cleared. The iteration over devlink instances happens in an RCU critical section, so if the instance that is currently being unregistered was encountered between t0 and t1, the system will deadlock and RCU stalls will be reported [1]. The task unregistering the instance will forever wait for an RCU grace period to pass and the task iterating over the instances will forever wait for the mark to be cleared. The issue can be reliably reproduced by increasing the time window between t0 and t1 (used a 60 seconds sleep) and running the following reproducer [2]. Fix by skipping over instances that are currently being unregistered. [1] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-7): P344 (detected by 4, t=26002 jiffies, g=5773, q=12 ncpus=8) task:devlink state:R running task stack:25568 pid:344 ppid:260 flags:0x00004002 [...] Call Trace: xa_get_mark+0x184/0x3e0 devlinks_xa_find_get.constprop.0+0xc6/0x2e0 devlink_nl_cmd_get_dumpit+0x105/0x3f0 netlink_dump+0x568/0xff0 __netlink_dump_start+0x651/0x900 genl_family_rcv_msg_dumpit+0x201/0x340 genl_rcv_msg+0x573/0x780 netlink_rcv_skb+0x15f/0x430 genl_rcv+0x29/0x40 netlink_unicast+0x546/0x800 netlink_sendmsg+0x958/0xe60 __sys_sendto+0x3a2/0x480 __x64_sys_sendto+0xe1/0x1b0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x68/0xd2 [2] # echo 10 > /sys/bus/netdevsim/new_device # echo 10 > /sys/bus/netdevsim/del_device & # devlink dev Fixes: c2368b19807a ("net: devlink: introduce "unregistering" mark and use it during devlinks iteration") Reported-by: Vivek Reddy Karri <vkarri(a)nvidia.com> Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> --- I read the stable rules and I am not providing an "upstream commit ID" since the code in upstream has been reworked, making this fix irrelevant. The only affected stable kernel is 6.1.y. --- net/devlink/leftover.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/devlink/leftover.c b/net/devlink/leftover.c index 032c7af065cd..c6f781a08d06 100644 --- a/net/devlink/leftover.c +++ b/net/devlink/leftover.c @@ -301,6 +301,9 @@ devlinks_xa_find_get(struct net *net, unsigned long *indexp, xa_mark_t filter, if (!devlink) goto unlock; + /* For a possible retry, the xa_find_after() should be always used */ + xa_find_fn = xa_find_after; + /* In case devlink_unregister() was already called and "unregistering" * mark was set, do not allow to get a devlink reference here. * This prevents live-lock of devlink_unregister() wait for completion. @@ -308,8 +311,6 @@ devlinks_xa_find_get(struct net *net, unsigned long *indexp, xa_mark_t filter, if (xa_get_mark(&devlinks, *indexp, DEVLINK_UNREGISTERING)) goto retry; - /* For a possible retry, the xa_find_after() should be always used */ - xa_find_fn = xa_find_after; if (!devlink_try_get(devlink)) goto retry; if (!net_eq(devlink_net(devlink), net)) { -- 2.46.1

6 months, 3 weeks

5
8
0 0

[PATCH 6.1/6.6] ASoC: SOF: Fix runtime pm usage counter balance after fw exception

by Vitaliy Shevtsov

From: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> commit b30289e7fa927f921bfb4d0d04727461706ae822 upstream. If the retain context is enabled we will unconditionally increment the device's pm use count on each exception and when the drivers are unloaded we do not correct this (as we don't know how many times we 'prevented d3 entry'). Introduce a flag to make sure that we do not increment the use count more than once and on module unload decrement the use count if needed to balance it. Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Link: https://msgid.link/r/20240213114729.7055-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> --- sound/soc/sof/core.c | 10 ++++++++++ sound/soc/sof/debug.c | 8 +++++--- sound/soc/sof/sof-priv.h | 1 + 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/sound/soc/sof/core.c b/sound/soc/sof/core.c index 0938b259f703..cba0af5b86aa 100644 --- a/sound/soc/sof/core.c +++ b/sound/soc/sof/core.c @@ -477,6 +477,16 @@ int snd_sof_device_remove(struct device *dev) */ snd_sof_machine_unregister(sdev, pdata); + /* + * Balance the runtime pm usage count in case we are faced with an + * exception and we forcably prevented D3 power state to preserve + * context + */ + if (sdev->d3_prevented) { + sdev->d3_prevented = false; + pm_runtime_put_noidle(sdev->dev); + } + if (sdev->fw_state > SOF_FW_BOOT_NOT_STARTED) { sof_fw_trace_free(sdev); ret = snd_sof_dsp_power_down_notify(sdev); diff --git a/sound/soc/sof/debug.c b/sound/soc/sof/debug.c index d547318e0d32..7c8aafca8fde 100644 --- a/sound/soc/sof/debug.c +++ b/sound/soc/sof/debug.c @@ -433,13 +433,15 @@ static void snd_sof_ipc_dump(struct snd_sof_dev *sdev) void snd_sof_handle_fw_exception(struct snd_sof_dev *sdev, const char *msg) { - if (IS_ENABLED(CONFIG_SND_SOC_SOF_DEBUG_RETAIN_DSP_CONTEXT) || - sof_debug_check_flag(SOF_DBG_RETAIN_CTX)) { + if ((IS_ENABLED(CONFIG_SND_SOC_SOF_DEBUG_RETAIN_DSP_CONTEXT) || + sof_debug_check_flag(SOF_DBG_RETAIN_CTX)) && !sdev->d3_prevented) { /* should we prevent DSP entering D3 ? */ if (!sdev->ipc_dump_printed) dev_info(sdev->dev, "Attempting to prevent DSP from entering D3 state to preserve context\n"); - pm_runtime_get_if_in_use(sdev->dev); + + if (pm_runtime_get_if_in_use(sdev->dev) == 1) + sdev->d3_prevented = true; } /* dump vital information to the logs */ diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h index d4f6702e93dc..b27a5f9e1bc8 100644 --- a/sound/soc/sof/sof-priv.h +++ b/sound/soc/sof/sof-priv.h @@ -593,6 +593,7 @@ struct snd_sof_dev { struct list_head dfsentry_list; bool dbg_dump_printed; bool ipc_dump_printed; + bool d3_prevented; /* runtime pm use count incremented to prevent context lost */ /* firmware loader */ struct sof_ipc_fw_ready fw_ready; -- 2.46.2

6 months, 3 weeks

1
0
0 0

[PATCH net] udp: Compute L4 checksum as usual when not segmenting the skb

by Jakub Sitnicki

If: 1) the user requested USO, but 2) there is not enough payload for GSO to kick in, and 3) the egress device doesn't offer checksum offload, then we want to compute the L4 checksum in software early on. In the case when we taking the GSO path, but it has been requested, the software checksum fallback in skb_segment doesn't get a chance to compute the full checksum, if the egress device can't do it. As a result we end up sending UDP datagrams with only a partial checksum filled in, which the peer will discard. Fixes: 10154dbded6d ("udp: Allow GSO transmit from devices with no checksum offload") Reported-by: Ivan Babrou <ivan(a)cloudflare.com> Signed-off-by: Jakub Sitnicki <jakub(a)cloudflare.com> Cc: stable(a)vger.kernel.org --- This shouldn't have fallen through the cracks. I clearly need to extend the net/udpgso selftests further to cover the whole TX path for software USO+csum case. I will follow up with that but I wanted to get the fix out in the meantime. Apologies for the oversight. --- net/ipv4/udp.c | 4 +++- net/ipv6/udp.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 8accbf4cb295..2849b273b131 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -951,8 +951,10 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4, skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(datalen, cork->gso_size); + + /* Don't checksum the payload, skb will get segmented */ + goto csum_partial; } - goto csum_partial; } if (is_udplite) /* UDP-Lite */ diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 52dfbb2ff1a8..0cef8ae5d1ea 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -1266,8 +1266,10 @@ static int udp_v6_send_skb(struct sk_buff *skb, struct flowi6 *fl6, skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(datalen, cork->gso_size); + + /* Don't checksum the payload, skb will get segmented */ + goto csum_partial; } - goto csum_partial; } if (is_udplite)

6 months, 3 weeks

2
2
0 0

[PATCH v6 0/4] ov08x40: Enable use of ov08x40 on Qualcomm X1E80100 CRD

by Bryan O'Donoghue

Changes in v6: - As I was applying a suggested fix from V5 of this series to other yaml schema in media/i2c it seemed to me that there were a number of properties that would be affected by converting properites: endpoint: additionalProperties: false to unevaluatedProperites: false I pinged Laurent, Sakari, Rob and Krsysztof about that leading to: link-frequencies: true is considered a valid hardware description. We don't want everything in /schemas/media/video-interfaces.yaml to be valid for each of the port{} descriptions for sensors so: a) use additionalProperties: false listing valid properties directly. b) Fixup various schema to list the valid properties in line with above. - Convert unevaluatedProperites: false to additionalProperties: false Laurent - This isn't exactly what Krsysztof gave his RB for so, I've omitted that - Add remote-endpoint: true to port{} - required as result of additionalProperties: false - I'll still follow up this series with a more general fix in-line with the above as TBH I just copy/pasted from some upstream yaml so it looks like a more general remediation is warranted, saving someone else from repeating my mistake. - Add remote-endpoint: true to port{} - required as result of additionalProperties: false - Use schemas/media/video-interface-devices.yaml# with unevaluatedProperites: false So that rotation and orientation are valid - bod - Link to v5: https://lore.kernel.org/r/20241005-b4-master-24-11-25-ov08x40-v5-0-5f1eb2e1… Changes in v5: - Fixes smatch CI splat - Link to v4: https://lore.kernel.org/r/20241003-b4-master-24-11-25-ov08x40-v4-0-7ee2c45f… Changes in v4: - Drops link-frequencies from properties: as discussed here: https://lore.kernel.org/r/Zv6STSKeNNlT83ux@kekkonen.localdomain - Link to v3: https://lore.kernel.org/r/20241002-b4-master-24-11-25-ov08x40-v3-0-483bcdcf… Changes in v3: - Drops assigned-clock-* from description retains in example - Sakari, Krzysztof - Updates example fake clock names to ov08x40_* instead of copy/paste ov9282_clk -> ov08x40_clk, ov9282_clk_parent -> ov08x40_clk_parent - bod - Link to v2: https://lore.kernel.org/r/20241001-b4-master-24-11-25-ov08x40-v2-0-e478976b… Changes in v2: - Drops "-" in ovti,ov08x40.yaml after description: - Rob - Adds ":" after first line of description text - Rob - dts -> DT in commit log - Rob - Removes dependency on 'xvclk' as a name in yaml and driver - Sakari - Uses assigned-clock, assigned-clock-parents and assigned-clock-rates - Sakari - Drops clock-frequency - Sakarai, Krzysztof - Drops dovdd-supply, avdd-supply, dvdd-supply and reset-gpios as required, its perfectly possible not to have the reset GPIO or the power rails under control of the SoC. - bod - Link to v1: https://lore.kernel.org/r/20240926-b4-master-24-11-25-ov08x40-v1-0-e4d5fbd3… V1: This series brings fixes and updates to ov08x40 which allows for use of this sensor on the Qualcomm x1e80100 CRD but also on any other dts based system. Firstly there's a fix for the pseudo burst mode code that was added in 8f667d202384 ("media: ov08x40: Reduce start streaming time"). Not every I2C controller can handle an arbitrary sized write, this is the case on Qualcomm CAMSS/CCI I2C sensor interfaces which limit the transaction size and communicate this limit via I2C quirks. A simple fix to optionally break up the large submitted burst into chunks not exceeding adapter->quirk size fixes. Secondly then is addition of a yaml description for the ov08x40 and extension of the driver to support OF probe and powering on of the power rails from the driver instead of from ACPI. Once done the sensor works without further modification on the Qualcomm x1e80100 CRD. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> --- Bryan O'Donoghue (4): media: ov08x40: Fix burst write sequence media: dt-bindings: Add OmniVision OV08X40 media: ov08x40: Rename ext_clk to xvclk media: ov08x40: Add OF probe support .../bindings/media/i2c/ovti,ov08x40.yaml | 120 ++++++++++++++ drivers/media/i2c/ov08x40.c | 181 ++++++++++++++++++--- 2 files changed, 277 insertions(+), 24 deletions(-) --- base-commit: 2b7275670032a98cba266bd1b8905f755b3e650f change-id: 20240926-b4-master-24-11-25-ov08x40-c6f477aaa6a4 Best regards, -- Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>

6 months, 3 weeks

1
1
0 0

[PATCH 6.11 000/558] 6.11.3-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.3 release. There are 558 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.3-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.3-rc1 Geert Uytterhoeven <geert+renesas(a)glider.be> pmdomain: core: Reduce debug summary table width Namhyung Kim <namhyung(a)kernel.org> perf report: Fix segfault when 'sym' sort key is not used Gabe Teeger <Gabe.Teeger(a)amd.com> drm/amd/display: Revert Avoid overflow assignment Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx* - Select CRYPTO_AUTHENC Takashi Iwai <tiwai(a)suse.de> ALSA: control: Fix leftover snd_power_unref() Haoran Zhang <wh1sper(a)zju.edu.cn> vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() David Howells <dhowells(a)redhat.com> rxrpc: Fix a race between socket set up and I/O thread creation Christian König <christian.koenig(a)amd.com> drm/sched: revert "Always increment correct scheduler score" Jonathan Gray <jsg(a)jsg.id.au> Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Matthew Auld <matthew.auld(a)intel.com> drm/xe/vram: fix ccs offset calculation Val Packett <val(a)packett.cool> drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Matthew Auld <matthew.auld(a)intel.com> drm/xe/vm: move xa_alloc to prevent UAF Matthew Brost <matthew.brost(a)intel.com> drm/xe: Clean up VM / exec queue file lock usage. Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Fix possible crash when unregistering a battery hook Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Simplify battery hook locking Heiner Kallweit <hkallweit1(a)gmail.com> r8169: add tally counter fields added with RTL8125 Colin Ian King <colin.i.king(a)gmail.com> r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Udit Kumar <u-kumar1(a)ti.com> remoteproc: k3-r5: Delay notification of wakeup event Beleswar Padhi <b-padhi(a)ti.com> remoteproc: k3-r5: Acquire mailbox handle during probe routine Chuck Lever <chuck.lever(a)oracle.com> NFSD: Limit the number of concurrent async COPY operations Chuck Lever <chuck.lever(a)oracle.com> NFSD: Async COPY result needs to return a write verifier NeilBrown <neilb(a)suse.de> sunrpc: change sp_nrthreads from atomic_t to unsigned int. Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Yosry Ahmed <yosryahmed(a)google.com> mm: z3fold: deprecate CONFIG_Z3FOLD Oleg Nesterov <oleg(a)redhat.com> uprobes: fix kernel info leak via "[uprobes]" vma Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround once more Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-N3 definitions Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix buffer overflow in debug links Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: move conf_read() before drawing tree pain Masahiro Yamada <masahiroy(a)kernel.org> kconfig: fix infinite loop in sym_calc_choice() Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix system hang while resume with TBT monitor Yihan Zhu <Yihan.Zhu(a)amd.com> drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35 Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Enable idle workqueue for more IPS modes Alex Hung <alex.hung(a)amd.com> drm/amd/display: Add HDR workaround for specific eDP Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Restore Optimized pbn Value if Failed to Disable DSC Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Always increment correct scheduler score Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Always wake up correct scheduler in drm_sched_entity_push_job Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Add locking to drm_sched_entity_modify_sched Rob Clark <robdclark(a)chromium.org> drm/sched: Fix dynamic job-flow control race Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Don't declare a queue blocked if deferred operations are pending Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Fix access to uninitialized variable in tick_ctx_cleanup() Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Don't add write fences to the shared BOs Jani Nikula <jani.nikula(a)intel.com> drm/i915/gem: fix bitwise and logical AND mixup Al Viro <viro(a)zeniv.linux.org.uk> close_range(): fix the logics in descriptor table trimming Thomas Zimmermann <tzimmermann(a)suse.de> firmware/sysfb: Disable sysfb for firmware buffers with unknown parent Eder Zulian <ezulian(a)redhat.com> rtla: Fix the help text in osnoise and timerlat top tools Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Wei Li <liwei391(a)huawei.com> tracing/timerlat: Fix a race during cpuhp processing Wei Li <liwei391(a)huawei.com> tracing/timerlat: Drop interface_lock in stop_kthread() Wei Li <liwei391(a)huawei.com> tracing/hwlat: Fix a race during cpuhp processing Patrick Donnelly <pdonnell(a)redhat.com> ceph: fix cap ref leak via netfs init_request Jens Axboe <axboe(a)kernel.dk> io_uring/net: harden multishot termination case for recv Jiawei Ye <jiawei.ye(a)foxmail.com> mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Jiawen Wu <jiawenwu(a)trustnetic.com> net: pcs: xpcs: fix the wrong register that was written back Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: davinci: fix lazy disable Uwe Kleine-König <ukleinek(a)debian.org> cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Miquel Sabaté Solà <mikisabate(a)gmail.com> cpufreq: Avoid a bad reference count on CPU node Filipe Manana <fdmanana(a)suse.com> btrfs: wait for fixup workers before stopping cleaner kthread during umount Filipe Manana <fdmanana(a)suse.com> btrfs: send: fix invalid clone operation for file that got its size decreased Josef Bacik <josef(a)toxicpanda.com> btrfs: drop the backref cache during relocation if we commit Qu Wenruo <wqu(a)suse.com> btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Filipe Manana <fdmanana(a)suse.com> btrfs: send: fix buffer overflow detection when copying path to cache entry Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Loosen the Asus E1404GAB DMI match to also cover the E1404GA Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Remove duplicate Asus E1504GAB IRQ override Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add backlight=native quirk for Dell OptiPlex 5480 AIO Christian Brauner <brauner(a)kernel.org> pidfs: check for valid pid namespace Baokun Li <libaokun1(a)huawei.com> cachefiles: fix dentry leak in cachefiles_open_file() Benjamin Tissoires <bentiss(a)kernel.org> HID: bpf: fix cfi stubs for hid_bpf_ops Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix adp5589_gpio_get_value() Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix NULL pointer dereference Steve Sistare <steven.sistare(a)oracle.com> mm/hugetlb: simplify refs in memfd_alloc_folio Steve Sistare <steven.sistare(a)oracle.com> mm/gup: fix memfd_pin_folios alloc race panic Steve Sistare <steven.sistare(a)oracle.com> mm/gup: fix memfd_pin_folios hugetlb page allocation Steve Sistare <steven.sistare(a)oracle.com> mm/hugetlb: fix memfd_pin_folios resv_huge_pages leak Steve Sistare <steven.sistare(a)oracle.com> mm/hugetlb: fix memfd_pin_folios free_huge_pages leak Steve Sistare <steven.sistare(a)oracle.com> mm/filemap: fix filemap_get_folios_contig THP panic Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> rtc: at91sam9: fix OF node leak in probe() error path KhaiWenTan <khai.wen.tan(a)linux.intel.com> net: stmmac: Fix zero-division error when disabling tc cbs Muhammad Usama Anjum <usama.anjum(a)collabora.com> kselftests: mm: fix wrong __NR_userfaultfd value Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fallback to realpath if symlink's pathname does not exist Willem de Bruijn <willemb(a)google.com> gso: fix udp gso fraglist segmentation after pull from frag_list Felix Fietkau <nbd(a)nbd.name> net: gso: fix tcp fraglist segmentation after pull from frag_list Willem de Bruijn <willemb(a)google.com> vrf: revert "vrf: Remove unnecessary RCU-bh critical section" Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Vasileios Amoiridis <vassilisamir(a)gmail.com> iio: pressure: bmp280: Fix regmap for BMP280 device Barnabás Czémán <barnabas.czeman(a)mainlining.org> iio: magnetometer: ak8975: Fix reading for ak099xx sensors Steve French <stfrench(a)microsoft.com> smb3: fix incorrect mode displayed for read-only files wangrong <wangrong(a)uniontech.com> smb: client: use actual path when queryfs Charlene Liu <Charlene.Liu(a)amd.com> drm/amd/display: avoid set dispclk to 0 Ajit Pandey <quic_ajipan(a)quicinc.com> clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: qcom: camss: Fix ordering of pm_runtime_enable Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Add GPLL9 support Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: qcom: camss: Remove use_count guard in stop_streaming Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Zheng Wang <zyytlz.wz(a)163.com> media: venus: fix use after free bug in venus_remove due to race condition Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src David Virag <virag.david003(a)gmail.com> clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Mike Tipton <quic_mdtipton(a)quicinc.com> clk: qcom: clk-rpmh: Fix overflow in BCM vote Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> clk: qcom: gcc-sc8180x: Register QUPv3 RCGs for DFS on sc8180x Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: sun4i_csi: Implement link validate for sun4i_csi subdev Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: videobuf2: Drop minimum allocation requirement of 2 buffers Julian Sun <sunjunchao2870(a)gmail.com> gfs2: fix double destroy_workqueue error Jan Kiszka <jan.kiszka(a)siemens.com> remoteproc: k3-r5: Fix error handling when power-up failed Bastien Curutchet <bastien.curutchet(a)bootlin.com> leds: pca9532: Remove irrelevant blink configuration error message Sebastian Reichel <sebastian.reichel(a)collabora.com> clk: rockchip: fix error for unknown clocks Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> media: ov5675: Fix power on/off delay timings Umang Jain <umang.jain(a)ideasonboard.com> media: imx335: Fix reset-gpio handling Chun-Yi Lee <joeyli.kernel(a)gmail.com> aoe: fix the potential use-after-free problem in more places Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix kernel stack size when KASAN is enabled Pu Lehui <pulehui(a)huawei.com> drivers/perf: riscv: Align errno for unsupported perf event Long Li <longli(a)microsoft.com> RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page Long Li <longli(a)microsoft.com> RDMA/mana_ib: use the correct page table index based on hardware page size Thomas Weißschuh <linux(a)weissschuh.net> sysctl: avoid spurious permanent empty tables Kaixin Wang <kxwang23(a)m.fudan.edu.cn> i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv4's PUTPUBFH operation Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: map the EBADMSG to nfserr_io to avoid warning NeilBrown <neilb(a)suse.de> nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Matt Fleming <matt(a)readmodwrite.com> perf hist: Update hist symbol when updating maps Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Disable -Wno-cast-function-type-mismatch if present on clang Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix memory leak in exfat_load_bitmap() Jisheng Zhang <jszhang(a)kernel.org> riscv: define ILLEGAL_POINTER_VALUE for 64bit Johannes Weiner <hannes(a)cmpxchg.org> sched: psi: fix bogus pressure spikes from aggregation race Youssef Esmat <youssefesmat(a)google.com> sched/core: Clear prev->dl_server in CFS pick fast path Joel Fernandes (Google) <joel(a)joelfernandes.org> sched/core: Add clearing of ->dl_server in put_prev_task_balance() Daniel Bristot de Oliveira <bristot(a)kernel.org> sched/deadline: Comment sched_dl_entity::dl_server variable José Roberto de Souza <jose.souza(a)intel.com> drm/xe/oa: Don't reset OAC_CONTEXT_ENABLE on OA stream close Matthew Auld <matthew.auld(a)intel.com> drm/xe: fix UAF around queue destruction Easwar Hariharan <eahariha(a)linux.microsoft.com> arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Mark Rutland <mark.rutland(a)arm.com> arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS Kuan-Ying Lee <kuan-ying.lee(a)canonical.com> scripts/gdb: fix lx-mounts command error Kuan-Ying Lee <kuan-ying.lee(a)canonical.com> scripts/gdb: add iteration function for rbtree Kuan-Ying Lee <kuan-ying.lee(a)canonical.com> scripts/gdb: fix timerlist parsing issue Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Julian Sun <sunjunchao2870(a)gmail.com> ocfs2: fix null-ptr-deref when journal load failed. Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: remove unreasonable unlock in ocfs2_read_blocks Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: cancel dqi_sync_work before freeing oinfo Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> ocfs2: reserve space for inline xattr before attaching reflink tree Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix uninit-value in ocfs2_get_block() Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the la space leak when unmounting an ocfs2 volume Danilo Krummrich <dakr(a)kernel.org> mm: krealloc: consider spare memory for __GFP_ZERO Kemeng Shi <shikemeng(a)huaweicloud.com> jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Baokun Li <libaokun1(a)huawei.com> jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: harden build ID parsing logic Huang Ying <ying.huang(a)intel.com> resource: fix region_intersects() vs add_memory_driver_managed() Ma Ke <make24(a)iscas.ac.cn> drm: omapdrm: Add missing check for alloc_ordered_workqueue Andrew Jones <ajones(a)ventanamicro.com> of/irq: Support #msi-cells=<0> in of_msi_get_domain Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> of: address: Report error on resource bounds overflow Val Packett <val(a)packett.cool> drm/rockchip: vop: clear DMA stop bit on RK3066 Helge Deller <deller(a)gmx.de> parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Helge Deller <deller(a)kernel.org> parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards Helge Deller <deller(a)kernel.org> parisc: Fix 64-bit userspace syscall path Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Generate oob before compiling anything Baokun Li <libaokun1(a)huawei.com> ext4: fix off by one issue in alloc_flex_gd() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: use handle to mark fc as ineligible in __track_dentry_update() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix fast commit inode enqueueing during a full journal commit Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Baokun Li <libaokun1(a)huawei.com> ext4: update orig_path in ext4_find_extent() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix access to uninitialised lock in fc replay path Xiaxi Shen <shenxiaxi26(a)gmail.com> ext4: fix timer use-after-free on failed mount Baokun Li <libaokun1(a)huawei.com> ext4: fix double brelse() the buffer of the extents path Baokun Li <libaokun1(a)huawei.com> ext4: aovid use-after-free in ext4_ext_insert_extent() Baokun Li <libaokun1(a)huawei.com> ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Zhihao Cheng <chengzhihao1(a)huawei.com> ext4: dax: fix overflowing extents beyond inode size when partially writing Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() Baokun Li <libaokun1(a)huawei.com> ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() yao.ly <yao.ly(a)linux.alibaba.com> ext4: correct encrypted dentry name hash when not casefolded Edward Adam Davis <eadavis(a)qq.com> ext4: no need to continue when the number of entries is 1 Abhishek Tamboli <abhishektamboli9(a)gmail.com> ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Ai Chao <aichao(a)kylinos.cn> ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> ALSA: hda/realtek: fix mute/micmute LED for HP mt645 G8 Hans P. Moller <hmoller(a)uc.cl> ALSA: line6: add hw monitor volume control to POD HD500X Jan Lalinsky <lalinsky(a)c4.cz> ALSA: usb-audio: Add native DSD support for Luxman D-08u Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Jaroslav Kysela <perex(a)perex.cz> ALSA: core: add isascii() check to card ID generator Baojun Xu <baojun.xu(a)ti.com> ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Thomas Zimmermann <tzimmermann(a)suse.de> drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Javier Carrasco <javier.carrasco.cruz(a)gmail.com> drm/mediatek: ovl_adaptor: Add missing of_node_put() Helge Deller <deller(a)gmx.de> parisc: Fix itlb miss handler for 64-bit programs Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/v3d: Prevent out of bounds access in performance query extensions Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix small negative period being ignored Hans de Goede <hdegoede(a)redhat.com> power: supply: Drop use_cnt check from power_supply_property_is_writeable() Peng Fan <peng.fan(a)nxp.com> mm, slub: avoid zeroing kmalloc redzone Hans de Goede <hdegoede(a)redhat.com> power: supply: hwmon: Fix missing temp1_max_alarm attribute Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix module autoloading David Virag <virag.david003(a)gmail.com> dt-bindings: clock: exynos7885: Fix duplicated binding Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> memory: tegra186-emc: drop unused to_tegra186_emc() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Mike Baynton <mike(a)mbaynton.com> ovl: fail if trusted xattrs are needed but caller lacks permission Alice Ryhl <aliceryhl(a)google.com> rust: sync: require `T: Sync` for `LockedBy::access` Ard Biesheuvel <ardb(a)kernel.org> i2c: synquacer: Deal with optional PCLK correctly Kimriver Liu <kimriver.liu(a)siengine.com> i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Heiner Kallweit <hkallweit1(a)gmail.com> i2c: core: Lock address during client device instantiation Alexander Shiyan <eagle.alexander923(a)gmail.com> media: i2c: ar0521: Use cansleep version of gpiod_set_value() Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Wait for TX empty to avoid missed TX NAKs Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Marek Vasut <marex(a)denx.de> i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Marc Zyngier <maz(a)kernel.org> KVM: arm64: Fix kvm_has_feat*() handling of negative features Zach Wade <zachwade.k(a)gmail.com> platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors Takashi Iwai <tiwai(a)suse.de> Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Daeho Jeong <daehojeong(a)google.com> f2fs: forcibly migrate to secure space for zoned device file pinning Daeho Jeong <daehojeong(a)google.com> f2fs: do FG_GC when GC boosting is required for zoned devices Daeho Jeong <daehojeong(a)google.com> f2fs: increase BG GC migration window granularity when boosted for zoned devices Daeho Jeong <daehojeong(a)google.com> f2fs: introduce migration_window_granularity Daeho Jeong <daehojeong(a)google.com> f2fs: make BG GC more aggressive for zoned devices Heiko Carstens <hca(a)linux.ibm.com> selftests: vDSO: fix vdso_config for s390 Jens Remus <jremus(a)linux.ibm.com> selftests: vDSO: fix ELF hash table entry size for s390x Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Chao Yu <chao(a)kernel.org> f2fs: fix to don't panic system for no free segment fault injection Liao Yuanhong <liaoyuanhong(a)vivo.com> f2fs: add write priority option based on zone UFS Arnd Bergmann <arnd(a)arndb.de> nvme-tcp: fix link failure for TCP auth David Hildenbrand <david(a)redhat.com> selftests/mm: fix charge_reserved_hugetlb.sh test Gabriel Krisman Bertazi <krisman(a)suse.de> ext4: fix error message when rejecting the default hash Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO symbols lookup for powerpc64 Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vdso_config for powerpc Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO name for powerpc Nirmoy Das <nirmoy.das(a)intel.com> drm/xe: Fix memory leak on xe_alloc_pf_queue failure Matthew Auld <matthew.auld(a)intel.com> drm/xe: fixup xe_alloc_pf_queue Namhyung Kim <namhyung(a)kernel.org> perf: Really fix event_function_call() locking Ian Rogers <irogers(a)google.com> perf callchain: Fix stitch LBR memory leaks Takashi Iwai <tiwai(a)suse.de> ALSA: control: Fix power_ref lock order for compat code, too Biju Das <biju.das.jz(a)bp.renesas.com> spi: rpc-if: Add missing MODULE_DEVICE_TABLE Alexander F. Lent <lx(a)xanderlent.com> accel/ivpu: Add missing MODULE_FIRMWARE metadata Yifei Liu <yifei.l.liu(a)oracle.com> selftests: breakpoints: use remaining time to check if suspend succeed Alessandro Zanni <alessandro.zanni87(a)gmail.com> kselftest/devices/probe: Fix SyntaxWarning in regex strings for Python3 Ben Dooks <ben.dooks(a)codethink.co.uk> spi: s3c64xx: fix timeout counters in flush_fifo Yun Lu <luyun(a)kylinos.cn> selftest: hid: add missing run-hid-tools-tests.sh Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-cadence: Fix missing spi_controller_is_target() check Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled Jinjie Ruan <ruanjinjie(a)huawei.com> spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Ben Cheatham <Benjamin.Cheatham(a)amd.com> EINJ, CXL: Fix CXL device SBDF calculation Yonghong Song <yonghong.song(a)linux.dev> bpf: Fix a sdiv overflow issue Kuan-Wei Chiu <visitorckw(a)gmail.com> bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Christoph Hellwig <hch(a)lst.de> iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Kuan-Wei Chiu <visitorckw(a)gmail.com> bpftool: Fix undefined behavior caused by shifting into the sign bit Artem Sadovnikov <ancowi69(a)gmail.com> ext4: fix i_data_sem unlock order in ext4_ind_migrate() Baokun Li <libaokun1(a)huawei.com> ext4: avoid use-after-free in ext4_ext_show_leaf() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: ext4_search_dir should return a proper error Juntong Deng <juntong.deng(a)outlook.com> bpf: Make the pointer returned by iter next method valid Jan Kara <jack(a)suse.cz> ext4: don't set SB_RDONLY after filesystem errors Lizhi Xu <lizhi.xu(a)windriver.com> ext4: filesystems without casefold feature cannot be mounted with siphash Hans de Goede <hdegoede(a)redhat.com> platform/x86: x86-android-tablets: Adjust Xiaomi Pad 2 bottom bezel touch buttons LED Luiz Capitulino <luizcap(a)redhat.com> platform/mellanox: mlxbf-pmc: fix lockdep warning Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: add refcnt to ksmbd_conn struct Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: i2c-hid: ensure various commands do not interfere with each other Zhu Jun <zhujun2(a)cmss.chinamobile.com> tools/hv: Add memory allocation check in hv_fcopy_start Gergo Koteles <soyer(a)irl.hu> platform/x86: lenovo-ymc: Ignore the 0x0 state Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: use rlc safe mode for soft recovery Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx11: use rlc safe mode for soft recovery Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx12: use rlc safe mode for soft recovery Amir Goldstein <amir73il(a)gmail.com> ovl: fsync after metadata copy-up Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Ahmed, Muhammad <Ahmed.Ahmed(a)amd.com> drm/amd/display: guard write a 0 post_divider value to HW Geert Uytterhoeven <geert+renesas(a)glider.be> of/irq: Refer to actual buffer size in of_irq_parse_one() Matthew Brost <matthew.brost(a)intel.com> drm/xe: Drop warn on xe_guc_pc_gucrc_disable in guc pc fini Hawking Zhang <Hawking.Zhang(a)amd.com> drm/amdkfd: Check int source id for utcl2 poison event Tim Huang <tim.huang(a)amd.com> drm/amd/pm: ensure the fw_info is not null before using it Stuart Summers <stuart.summers(a)intel.com> drm/xe: Use topology to determine page fault queue size Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx11: enter safe mode before touching CP_INT_CNTL Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: use rlc safe mode for soft recovery Victor Skvortsov <victor.skvortsov(a)amd.com> drm/amdgpu: Block MMR_READ IOCTL in reset Sunil Khatri <sunil.khatri(a)amd.com> drm/amdgpu: fix ptr check warning in gfx11 ip_dump Sunil Khatri <sunil.khatri(a)amd.com> drm/amdgpu: fix ptr check warning in gfx10 ip_dump Sunil Khatri <sunil.khatri(a)amd.com> drm/amdgpu: fix ptr check warning in gfx9 ip_dump Austin Zheng <Austin.Zheng(a)amd.com> drm/amd/display: Unlock Pipes Based On DET Allocation Geert Uytterhoeven <geert+renesas(a)glider.be> drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Finn Thain <fthain(a)linux-m68k.org> scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Peter Zijlstra <peterz(a)infradead.org> perf: Fix event_function_call() locking Tim Huang <tim.huang(a)amd.com> drm/amdgpu: fix unchecked return value warning for amdgpu_atombios Tim Huang <tim.huang(a)amd.com> drm/amdgpu: fix unchecked return value warning for amdgpu_gfx Dillon Varone <dillon.varone(a)amd.com> drm/amd/display: Force enable 3DLUT DMA check for dcn401 in DML Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Update PRLO handling in direct attached topology Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths Kees Cook <kees(a)kernel.org> scsi: aacraid: Rearrange order of struct aac_srb_unit Andrii Nakryiko <andrii(a)kernel.org> perf,x86: avoid missing caller address in stack traces captured in uprobe Matthew Brost <matthew.brost(a)intel.com> drm/printer: Allow NULL data in devcoredump printer Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize get_bytes_per_element's default to 1 Alex Hung <alex.hung(a)amd.com> drm/amd/display: Avoid overflow assignment in link_dp_cts Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream_status before it is used Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix possible overflow in integer multiplication Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: properly handle error ints on all pipes Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx12: properly handle error ints on all pipes Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 color transformation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Implement bounds check for stream encoder creation in DCN401 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in degamma hardware format translation Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Alex Hung <alex.hung(a)amd.com> drm/amd/display: Increase array size of dummy_boolean Chris Park <chris.park(a)amd.com> drm/amd/display: Deallocate DML memory if allocation fails Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream before comparing them Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check phantom_stream before it is used Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null-initialized variables Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize denominators' default to 1 Yannick Fertre <yannick.fertre(a)foss.st.com> drm/stm: ltdc: reset plane transparency after plane disable Uma Shankar <uma.shankar(a)intel.com> drm/xe/fbdev: Limit the usage of stolen for LNL+ Matthew Brost <matthew.brost(a)intel.com> drm/xe: Add timeout to preempt fences aln8 <aln8un(a)gmail.com> platform/x86/amd: pmf: Add quirk for TUF Gaming A14 Ckath <ckath(a)yandex.ru> platform/x86: touchscreen_dmi: add nanote-next quirk Vishnu Sankar <vishnuocv(a)gmail.com> HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Jesse Zhang <jesse.zhang(a)amd.com> drm/amdkfd: Fix resource leak in criu restore queue Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: enable gfxoff quirk on HP 705G4 Peng Liu <liupeng01(a)kylinos.cn> drm/amdgpu: add raven1 gfxoff quirk Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> jfs: Fix uninit-value access of new_ea in ea_buffer Konrad Dybcio <konradybcio(a)kernel.org> drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs David Strahan <David.Strahan(a)microchip.com> scsi: smartpqi: add new controller PCI IDs Mahesh Rajashekhara <mahesh.rajashekhara(a)microchip.com> scsi: smartpqi: correct stream detection Edward Adam Davis <eadavis(a)qq.com> jfs: check if leafidx greater than num leaves per dmap tree Edward Adam Davis <eadavis(a)qq.com> jfs: Fix uaf in dbFreeBits Remington Brasga <rbrasga(a)uci.edu> jfs: UBSAN: shift-out-of-bounds in dbFindBits Yang Wang <kevinyang.wang(a)amd.com> drm/amdgpu: add list empty check to avoid null pointer issue Tim Huang <tim.huang(a)amd.com> drm/amd/display: fix double free issue during amdgpu module unload Matt Roper <matthew.d.roper(a)intel.com> drm/xe: Name and document Wa_14019789679 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Check null pointer before try to access it Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before using dc->clk_mgr Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2) Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: fix a UBSAN warning in DML2.1 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for function pointer in dcn401_set_output_transfer_func Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' Daniel Sa <Daniel.Sa(a)amd.com> drm/amd/display: Underflow Seen on DCN401 eGPU Hans de Goede <hdegoede(a)redhat.com> HID: Ignore battery for all ELAN I2C-HID devices David Strahan <David.Strahan(a)microchip.com> scsi: smartpqi: Add new controller PCI IDs Jiri Olsa <olsajiri(a)gmail.com> selftests/bpf: fix uprobe.path leak in bpf_testmod Damien Le Moal <dlemoal(a)kernel.org> ata: sata_sil: Rename sil_blacklist to sil_quirks Damien Le Moal <dlemoal(a)kernel.org> ata: pata_serverworks: Do not use the term blacklist Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> drm/amd/display: Use gpuvm_min_page_size_kbytes for DML2 surfaces Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe Suraj Kandpal <suraj.kandpal(a)intel.com> drm/xe/hdcp: Check GSC structure validity Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com> drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before multiple uses Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before used Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check null pointers before using them Alex Hung <alex.hung(a)amd.com> drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags Katya Orlova <e.orlova(a)ispras.ru> drm/stm: Avoid use-after-free issues with crtc and plane Michal Koutný <mkoutny(a)suse.com> cgroup: Disallow mounting v1 hierarchies without controller implementation Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Do not use devm for the cd table allocations Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Unconditionally flush device TLB for pasid table updates Sanjay K Kumar <sanjay.k.kumar(a)intel.com> iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Always reserve a domain ID for identity setup Mostafa Saleh <smostafa(a)google.com> iommu/arm-smmu-v3: Match Stall behaviour for S2 Andrew Davis <afd(a)ti.com> power: reset: brcmstb: Do not go into infinite loop if reset fails Paul E. McKenney <paulmck(a)kernel.org> rcuscale: Provide clear error when async specified without primitives Ulf Hansson <ulf.hansson(a)linaro.org> pmdomain: core: Use dev_name() instead of kobject_get_path() in debugfs Ulf Hansson <ulf.hansson(a)linaro.org> pmdomain: core: Don't hold the genpd-lock when calling dev_pm_domain_set() Kaixin Wang <kxwang23(a)m.fudan.edu.cn> fbdev: pxafb: Fix possible use after free in pxafb_task() Thomas Weißschuh <linux(a)weissschuh.net> fbdev: efifb: Register sysfs groups through driver core Denis Pauk <pauk.denis(a)gmail.com> hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Zqiang <qiang.zhang1211(a)gmail.com> rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() Pierre-Louis Bossart <pierre-louis.bossart(a)linux.dev> ASoC: Intel: boards: always check the result of acpi_dev_get_first_match_dev() Kees Cook <kees(a)kernel.org> x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Thomas Weißschuh <linux(a)weissschuh.net> selftests/nolibc: avoid passing NULL to printf("%s") Thomas Weißschuh <linux(a)weissschuh.net> tools/nolibc: powerpc: limit stack-protector workaround to GCC Takashi Iwai <tiwai(a)suse.de> ALSA: hdsp: Break infinite MIDI input flush loop Takashi Iwai <tiwai(a)suse.de> ALSA: asihpi: Fix potential OOB array access Steve Wahl <steve.wahl(a)hpe.com> x86/mm/ident_map: Use gbpages only where full GB page should be mapped. Tao Liu <ltao(a)redhat.com> x86/kexec: Add EFI config table identity mapping for kexec kernel Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> x86/pkeys: Restore altstack access in sigreturn() Aruna Ramakrishna <aruna.ramakrishna(a)oracle.com> x86/pkeys: Add PKRU as a parameter in signal handling functions Ahmed S. Darwish <darwi(a)linutronix.de> tools/x86/kcpuid: Protect against faulty "max subleaf" values Takashi Iwai <tiwai(a)suse.de> ALSA: control: Take power_ref lock primarily Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wsa883x: Handle reading version failure Joshua Pius <joshuapius(a)chromium.org> ALSA: usb-audio: Add logitech Audio profile quirk Joshua Grisham <josh(a)joshuagrisham.com> ALSA: hda/realtek: Refactor and simplify Samsung Galaxy Book init Asahi Lina <lina(a)asahilina.net> ALSA: usb-audio: Add mixer quirk for RME Digiface USB Cyan Nyan <cyan.vtb(a)gmail.com> ALSA: usb-audio: Add quirk for RME Digiface USB Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Replace complex quirk lines with macros Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Define macros for quirk table entries Karol Kosik <k.kosik(a)outlook.com> ALSA: usb-audio: Support multiple control interfaces Thomas Gleixner <tglx(a)linutronix.de> x86/apic: Remove logical destination mode for 64-bit Thomas Gleixner <tglx(a)linutronix.de> x86/ioapic: Handle allocation failures gracefully Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add input value sanity checks for standard types Jinjie Ruan <ruanjinjie(a)huawei.com> nfp: Use IRQF_NO_AUTOEN flag in request_irq() David Howells <dhowells(a)redhat.com> netfs: Cancel dirty folios that have no storage destination Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Benjamin Lin <benjamin-jw.lin(a)mediatek.com> wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Yang Shen <shenyang39(a)huawei.com> crypto: hisilicon - fix missed error branch Joe Damato <jdamato(a)fastly.com> net: napi: Prevent overflow of napi_defer_hard_irqs David Kaplan <david.kaplan(a)amd.com> x86/bugs: Fix handling when SRSO mitigation is disabled Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bugs: Add missing NO_SSB flag Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: phy: Check for read errors in SIOCGMIIREG Fares Mehanna <faresx(a)amazon.de> arm64: trans_pgd: mark PTEs entries as valid to avoid dead kexec() Huacai Chen <chenhuacai(a)kernel.org> cpufreq: loongson3: Use raw_smp_processor_id() in do_service_request() Anastasia Belova <abelova(a)astralinux.ru> cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value Alexey Dobriyan <adobriyan(a)gmail.com> block: fix integer overflow in BLKSECDISCARD Marek Vasut <marex(a)denx.de> wifi: wilc1000: Do not operate uninitialized hardware during suspend/resume Joe Damato <jdamato(a)fastly.com> netdev-genl: Set extack and fix error on napi-get Stefan Mätje <stefan.maetje(a)esd.eu> can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode Puranjay Mohan <pjy(a)amazon.com> nvme: fix metadata handling in nvme-passthrough James Clark <james.clark(a)linaro.org> drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Mateusz Guzik <mjguzik(a)gmail.com> vfs: use RCU in ilookup Adrian Ratiu <adrian.ratiu(a)collabora.com> proc: add config & param to block forcing mem writes Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> ACPICA: iasl: handle empty connection_node Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix RCU list iterations Nikunj A Dadhania <nikunj(a)amd.com> virt: sev-guest: Ensure the SNP guest messages do not exceed a page Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mvm: avoid NULL pointer dereference Anjaneyulu <pagadala.yesu.anjaneyulu(a)intel.com> wifi: iwlwifi: allow only CN mcc from WRDD Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: use correct key iteration Jason Xing <kernelxing(a)tencent.com> tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Breno Leitao <leitao(a)debian.org> netpoll: Ensure clean state on setup failures Herbert Xu <herbert(a)gondor.apana.org.au> crypto: simd - Do not call crypto_alloc_tfm during registration Simon Horman <horms(a)kernel.org> net: atlantic: Avoid warning about potential string truncation Hannes Reinecke <hare(a)kernel.org> nvme-tcp: check for invalidated or revoked key Hannes Reinecke <hare(a)kernel.org> nvme-tcp: sanitize TLS key handling Hannes Reinecke <hare(a)kernel.org> nvme-keyring: restrict match length for version '1' identifiers Ido Schimmel <idosch(a)nvidia.com> ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: do not remove elements if set backend implements .abort Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: correct base HT rate mask for firmware Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Simon Horman <horms(a)kernel.org> bnxt_en: Extend maximum length of version string by 1 byte Simon Horman <horms(a)kernel.org> net: mvpp2: Increase size of queue_name buffer Jakub Kicinski <kuba(a)kernel.org> net: skbuff: sprinkle more __GFP_NOWARN on ingress allocs Simon Horman <horms(a)kernel.org> tipc: guard against string buffer overrun Pei Xiao <xiaopei01(a)kylinos.cn> ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Do not release locks during operation region accesses Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure James Chapman <jchapman(a)katalix.com> l2tp: use rcu list add/del when updating lists James Chapman <jchapman(a)katalix.com> l2tp: free sessions using rcu Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw88: select WANT_DEV_COREDUMP Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath11k: fix array out-of-bound access in SoC stats Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> wifi: ath12k: fix array out-of-bound access in SoC stats Johannes Thumshirn <jthumshirn(a)wdc.com> btrfs: don't readahead the relocation inode on RST Konstantin Ovsepian <ovs(a)ovs.to> blk_iocost: fix more out of bound shifts Mario Limonciello <mario.limonciello(a)amd.com> ACPI: CPPC: Add support for setting EPP register in FFH Hans de Goede <hdegoede(a)redhat.com> ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 Hilda Wu <hildawu(a)realtek.com> Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Hilda Wu <hildawu(a)realtek.com> Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: consistently use rcu_replace_pointer() in taprio_change() Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Tamim Khan <tamim(a)fusetak.com> ACPI: resource: Skip IRQ override on Asus Vivobook Go E1404GAB Li Zhijian <lizhijian(a)fujitsu.com> fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name Mateusz Guzik <mjguzik(a)gmail.com> exec: don't WARN for racy path_noexec check Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Seiji Nishikawa <snishika(a)redhat.com> ACPI: PAD: fix crash in exit_round_robin() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_mdio: fix OF node leak in probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hip04: fix OF node leak in probe() Jeongjun Park <aha310510(a)gmail.com> net/xen-netback: prevent UAF in xenvif_flush_hash() Issam Hamdi <ih(a)simonwunderlich.de> wifi: cfg80211: Set correct chandef when starting CAC Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: drop wrong STA selection in TX Ilan Peer <ilan.peer(a)intel.com> wifi: iwlwifi: mvm: Fix a race in scan abort flow Aleksandr Mishin <amishin(a)t-argos.ru> ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx2 - Fix authenc setkey Herbert Xu <herbert(a)gondor.apana.org.au> crypto: octeontx - Fix authenc setkey Fangrui Song <maskray(a)google.com> crypto: x86/sha256 - Add parentheses around macros' single arguments Kai-Heng Feng <kai.heng.feng(a)canonical.com> intel_idle: Disable promotion to C1E on Jasper Lake and Elkhart Lake Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw89: avoid to add interface to list twice when SER Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() James Chapman <jchapman(a)katalix.com> l2tp: prevent possible tunnel refcount underflow Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: avoid failing the system during pm_suspend Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Re-enable panel replay feature Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix VRR cannot enable Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Disable replay if VRR capability is false Takashi Iwai <tiwai(a)suse.de> ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: gus: Fix some error handling paths related to get_bpos() usage Ben Hutchings <benh(a)debian.org> tools/rtla: Fix installation from out-of-tree build Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> gpiolib: Fix potential NULL pointer dereference in gpiod_get_label() Pali Rohár <pali(a)kernel.org> cifs: Do not convert delimiter when parsing NFS-style symlinks Pali Rohár <pali(a)kernel.org> cifs: Fix buffer overflow when parsing NFS reparse points Zhanjun Dong <zhanjun.dong(a)intel.com> drm/xe: Prevent null pointer access in xe_migrate_copy Matthew Brost <matthew.brost(a)intel.com> drm/xe: Resume TDR after GT reset Matthew Auld <matthew.auld(a)intel.com> drm/xe/guc_submit: add missing locking in wedged_fini Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/xe: Restore pci state upon resume Hui Wang <hui.wang(a)canonical.com> ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Takashi Iwai <tiwai(a)suse.de> ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Lock the VM resv before calling drm_gpuvm_bo_obtain_prealloc() Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item Pali Rohár <pali(a)kernel.org> cifs: Remove intermediate object of failed create reparse call Oder Chiou <oder_chiou(a)realtek.com> ALSA: hda/realtek: Fix the push button function for the ALC257 Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ALSA: mixer_oss: Remove some incorrect kfree_const() usages Dirk Behme <dirk.behme(a)de.bosch.com> rust: mutex: fix __mutex_init() usage in case of PREEMPT_RT Gary Guo <gary(a)garyguo.net> rust: kbuild: auto generate helper exports Andreas Hindborg <a.hindborg(a)kernel.org> rust: kbuild: split up helpers.c Guixin Liu <kanie(a)linux.alibaba.com> io_uring: fix memory leak when cache init fail Derek Foreman <derek.foreman(a)collabora.com> drm/connector: hdmi: Fix writing Dynamic Range Mastering infoframes Andrei Simion <andrei.simion(a)microchip.com> ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Steven Price <steven.price(a)arm.com> drm/panthor: Fix race when converting group handle to group object Tang Bin <tangbin(a)cmss.chinamobile.com> ASoC: topology: Fix incorrect addressing assignments Xin Long <lucien.xin(a)gmail.com> sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Ravikanth Tuniki <ravikanth.tuniki(a)amd.com> dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Darrick J. Wong <djwong(a)kernel.org> iomap: constrain the file range passed to iomap_file_unshare Eddie James <eajames(a)linux.ibm.com> net/ncsi: Disable the ncsi work before freeing the associated structure Ido Schimmel <idosch(a)nvidia.com> bridge: mcast: Fail MDB get request on empty entry Hui Wang <hui.wang(a)canonical.com> net: phy: realtek: Check the index value in led_hw_control_get Eric Dumazet <edumazet(a)google.com> ppp: do not assume bh is held in ppp_channel_bridge_input() Eric Dumazet <edumazet(a)google.com> net: test for not too small csum_start in virtio_net_hdr_to_skb() David Howells <dhowells(a)redhat.com> netfs: Fix missing wakeup after issuing writes Anton Danilov <littlesmilingcloud(a)gmail.com> ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Shenwei Wang <shenwei.wang(a)nxp.com> net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Eric Dumazet <edumazet(a)google.com> net: add more sanity checks to qdisc_pkt_len_init() Eric Dumazet <edumazet(a)google.com> net: avoid potential underflow in qdisc_pkt_len_init() with UFO Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Reload PTP registers after link-state change Csókás, Bence <csokas.bence(a)prolan.hu> net: fec: Restart PPS after link state change Aleksander Jan Bajkowski <olek2(a)wp.pl> net: ethernet: lantiq_etop: fix memory disclosure Daniel Borkmann <daniel(a)iogearbox.net> net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Daniel Borkmann <daniel(a)iogearbox.net> net: Add netif_get_gro_max_size helper for GRO Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: improve shutdown sequence David Howells <dhowells(a)redhat.com> afs: Fix the setting of the server responding flag David Howells <dhowells(a)redhat.com> afs: Fix missing wire-up of afs_retry_request() Jinjie Ruan <ruanjinjie(a)huawei.com> Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix uaf in l2cap_connect Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix possible crash on mgmt_index_removed zhang jiao <zhangjiao2(a)cmss.chinamobile.com> selftests: netfilter: Add missing return value Eric Dumazet <edumazet(a)google.com> netfilter: nf_tables: prevent nf_skb_duplicated corruption Phil Sutter <phil(a)nwl.cc> selftests: netfilter: Fix nft_audit.sh for newer nft binaries Jinjie Ruan <ruanjinjie(a)huawei.com> net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Jinjie Ruan <ruanjinjie(a)huawei.com> net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Phil Sutter <phil(a)nwl.cc> netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: SHAMPO, Fix overflow of hd_per_wq Elena Salomatkina <esalomatkina(a)ispras.ru> net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Mohamed Khalfella <mkhalfella(a)purestorage.com> net/mlx5: Added cond_resched() to crdump collection Gerd Bayer <gbayer(a)linux.ibm.com> net/mlx5: Fix error path in multi-packet WQE transmit Aakash Menon <aakash.r.menon(a)gmail.com> net: sparx5: Fix invalid timestamps Jinjie Ruan <ruanjinjie(a)huawei.com> ieee802154: Fix build error Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/dp: Fix colorimetry detection Xiubo Li <xiubli(a)redhat.com> ceph: remove the incorrect Fw reference check when dirtying pages Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ceph: fix a memory leak on cap_auths in MDS client Stefan Wahren <wahrenst(a)gmx.net> mailbox: bcm2835: Fix timeout during suspend mode Liao Chen <liaochen4(a)huawei.com> mailbox: rockchip: fix a typo in module autoloading Geert Uytterhoeven <geert+renesas(a)glider.be> mailbox: ARM_MHU_V3 should depend on ARM64 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix warning: comparison of distinct pointer types lacks a cast Tobias Jakobi <tjakobi(a)math.uni-bielefeld.de> drm/amd/display: handle nulled pipe context in DCE110's set_drr() Asad Kamal <asad.kamal(a)amd.com> drm/amdgpu: Fix get each xcp macro Imre Deak <imre.deak(a)intel.com> drm/i915/dp: Fix AUX IO power enabling for eDP PSR Arun R Murthy <arun.r.murthy(a)intel.com> drm/i915/display: BMG supports UHBR13.5 Jouni Högander <jouni.hogander(a)intel.com> drm/i915/psr: Do not wait for PSR being idle on on Panel Replay Daniel Wagner <dwagner(a)suse.de> scsi: pm8001: Do not overwrite PCI queue mapping Rafael Rocha <rrochavi(a)fnal.gov> scsi: st: Fix input/output error on empty drive reset Peter Zijlstra <peterz(a)infradead.org> jump_label: Fix static_key_slow_dec() yet again Thomas Gleixner <tglx(a)linutronix.de> static_call: Replace pointless WARN_ON() in static_call_module_notify() Thomas Gleixner <tglx(a)linutronix.de> static_call: Handle module init failure correctly in static_call_del_module() ------------- Diffstat: Documentation/ABI/testing/sysfs-fs-f2fs | 22 + Documentation/admin-guide/kernel-parameters.txt | 10 + Documentation/arch/arm64/silicon-errata.rst | 6 + .../devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 +- .../networking/net_cachelines/net_device.rst | 2 +- Documentation/rust/general-information.rst | 4 +- Makefile | 4 +- arch/arm/crypto/aes-ce-glue.c | 2 +- arch/arm/crypto/aes-neonbs-glue.c | 2 +- arch/arm64/Kconfig | 7 +- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/kvm_host.h | 25 +- arch/arm64/kernel/cpu_errata.c | 3 + arch/arm64/mm/trans_pgd.c | 6 +- arch/loongarch/configs/loongson3_defconfig | 1 - arch/parisc/include/asm/mman.h | 14 + arch/parisc/kernel/entry.S | 6 +- arch/parisc/kernel/syscall.S | 14 +- arch/powerpc/configs/ppc64_defconfig | 1 - arch/powerpc/include/asm/vdso_datapage.h | 15 + arch/powerpc/kernel/asm-offsets.c | 2 + arch/powerpc/kernel/vdso/cacheflush.S | 2 +- arch/powerpc/kernel/vdso/datapage.S | 4 +- arch/powerpc/platforms/pseries/dlpar.c | 17 - arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +- arch/powerpc/platforms/pseries/hotplug-memory.c | 16 +- arch/powerpc/platforms/pseries/pmem.c | 2 +- arch/riscv/Kconfig | 8 +- arch/riscv/include/asm/thread_info.h | 7 +- arch/x86/crypto/sha256-avx2-asm.S | 16 +- arch/x86/events/core.c | 63 + arch/x86/include/asm/apic.h | 8 - arch/x86/include/asm/fpu/signal.h | 2 +- arch/x86/include/asm/sev.h | 2 +- arch/x86/include/asm/syscall.h | 7 +- arch/x86/kernel/apic/apic_flat_64.c | 119 +- arch/x86/kernel/apic/io_apic.c | 46 +- arch/x86/kernel/cpu/bugs.c | 14 +- arch/x86/kernel/cpu/common.c | 4 +- arch/x86/kernel/fpu/signal.c | 6 +- arch/x86/kernel/machine_kexec_64.c | 27 + arch/x86/kernel/signal.c | 3 +- arch/x86/kernel/signal_64.c | 6 +- arch/x86/mm/ident_map.c | 23 +- block/blk-iocost.c | 8 +- block/ioctl.c | 9 +- crypto/simd.c | 76 +- drivers/accel/ivpu/ivpu_fw.c | 4 + drivers/acpi/acpi_pad.c | 6 +- drivers/acpi/acpica/dbconvert.c | 2 + drivers/acpi/acpica/exprep.c | 3 + drivers/acpi/acpica/psargs.c | 47 + drivers/acpi/apei/einj-cxl.c | 2 +- drivers/acpi/battery.c | 28 +- drivers/acpi/cppc_acpi.c | 10 +- drivers/acpi/ec.c | 55 +- drivers/acpi/resource.c | 22 +- drivers/acpi/video_detect.c | 17 + drivers/ata/pata_serverworks.c | 16 +- drivers/ata/sata_sil.c | 12 +- drivers/block/aoe/aoecmd.c | 13 +- drivers/bluetooth/btmrvl_sdio.c | 3 +- drivers/bluetooth/btrtl.c | 1 + drivers/bluetooth/btusb.c | 2 + drivers/clk/qcom/clk-alpha-pll.c | 2 +- drivers/clk/qcom/clk-rpmh.c | 2 + drivers/clk/qcom/dispcc-sm8250.c | 3 + drivers/clk/qcom/gcc-sc8180x.c | 438 ++-- drivers/clk/qcom/gcc-sm8250.c | 6 +- drivers/clk/qcom/gcc-sm8450.c | 4 +- drivers/clk/rockchip/clk.c | 3 +- drivers/clk/samsung/clk-exynos7885.c | 2 +- drivers/cpufreq/amd-pstate.c | 14 +- drivers/cpufreq/intel_pstate.c | 16 +- drivers/cpufreq/loongson3_cpufreq.c | 2 +- drivers/crypto/hisilicon/sgl.c | 14 +- drivers/crypto/marvell/Kconfig | 2 + drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 265 +-- drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 256 +- drivers/firmware/sysfb.c | 4 +- drivers/firmware/tegra/bpmp.c | 6 - drivers/gpio/gpio-davinci.c | 8 +- drivers/gpio/gpiolib.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 10 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 35 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 +- drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 45 +- drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 8 +- drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 132 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 54 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 50 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 +- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_int_process_v9.c | 18 +- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 5 +- drivers/gpu/drm/amd/amdkfd/soc15_int.h | 1 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 86 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 + .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 20 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 +- .../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 8 +- .../gpu/drm/amd/display/dc/core/dc_hw_sequencer.c | 96 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 34 +- drivers/gpu/drm/amd/display/dc/core/dc_state.c | 10 +- drivers/gpu/drm/amd/display/dc/dc_types.h | 1 + .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 3 +- .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 + .../gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 + .../display/dc/dml/dcn20/display_rq_dlg_calc_20.c | 2 +- .../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- .../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- .../gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 7 +- .../amd/display/dc/dml/dml1_display_rq_dlg_calc.c | 2 +- .../dc/dml2/dml21/dml21_translation_helper.c | 6 +- .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 89 +- .../dc/dml2/dml21/src/dml2_core/dml2_core_shared.c | 4 +- .../dml21/src/dml2_core/dml2_core_shared_types.h | 2 +- drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 - .../amd/display/dc/dml2/dml2_translation_helper.c | 20 +- drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.h | 1 + .../amd/display/dc/hubbub/dcn401/dcn401_hubbub.c | 23 + .../gpu/drm/amd/display/dc/hubp/dcn10/dcn10_hubp.c | 3 +- .../gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c | 3 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 24 +- .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 4 +- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 48 +- .../drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c | 7 +- .../drm/amd/display/dc/hwss/dcn31/dcn31_hwseq.c | 4 +- .../drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c | 11 +- .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 8 +- .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 111 +- .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.h | 2 + .../drm/amd/display/dc/hwss/dcn401/dcn401_init.c | 2 +- drivers/gpu/drm/amd/display/dc/inc/hw/dchubbub.h | 1 + drivers/gpu/drm/amd/display/dc/inc/resource.h | 5 + .../amd/display/dc/link/accessories/link_dp_cts.c | 5 +- .../drm/amd/display/dc/link/hwss/link_hwss_dio.c | 5 +- drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 +- .../display/dc/link/protocols/link_dp_capability.c | 2 +- .../display/dc/resource/dce112/dce112_resource.c | 5 +- .../amd/display/dc/resource/dcn20/dcn20_resource.c | 3 +- .../display/dc/resource/dcn201/dcn201_resource.c | 4 +- .../amd/display/dc/resource/dcn21/dcn21_resource.c | 3 +- .../amd/display/dc/resource/dcn32/dcn32_resource.c | 10 +- .../dc/resource/dcn32/dcn32_resource_helpers.c | 14 +- .../display/dc/resource/dcn351/dcn351_resource.c | 1 + .../display/dc/resource/dcn401/dcn401_resource.c | 3 +- .../drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 + drivers/gpu/drm/display/drm_hdmi_state_helper.c | 4 +- drivers/gpu/drm/drm_atomic_uapi.c | 2 +- drivers/gpu/drm/drm_debugfs.c | 4 +- drivers/gpu/drm/drm_print.c | 13 +- drivers/gpu/drm/i915/display/intel_ddi.c | 2 +- drivers/gpu/drm/i915/display/intel_dp.c | 22 +- drivers/gpu/drm/i915/display/intel_psr.c | 32 +- drivers/gpu/drm/i915/display/intel_psr.h | 2 + drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +- drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 + drivers/gpu/drm/msm/msm_gpu.c | 1 - drivers/gpu/drm/omapdrm/omap_drv.c | 5 + drivers/gpu/drm/panthor/panthor_mmu.c | 8 + drivers/gpu/drm/panthor/panthor_sched.c | 36 +- drivers/gpu/drm/radeon/r100.c | 70 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 + drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 + drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 2 + drivers/gpu/drm/scheduler/sched_entity.c | 14 +- drivers/gpu/drm/scheduler/sched_main.c | 7 +- drivers/gpu/drm/stm/drv.c | 3 +- drivers/gpu/drm/stm/ltdc.c | 76 +- drivers/gpu/drm/v3d/v3d_submit.c | 6 + drivers/gpu/drm/xe/Makefile | 24 +- drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 6 +- drivers/gpu/drm/xe/display/xe_hdcp_gsc.c | 8 +- drivers/gpu/drm/xe/display/xe_plane_initial.c | 6 + drivers/gpu/drm/xe/xe_bo.c | 4 +- drivers/gpu/drm/xe/xe_device.c | 8 +- drivers/gpu/drm/xe/xe_device_types.h | 17 +- drivers/gpu/drm/xe/xe_drm_client.c | 9 +- drivers/gpu/drm/xe/xe_exec_queue.c | 2 - drivers/gpu/drm/xe/xe_exec_queue_types.h | 6 +- drivers/gpu/drm/xe/xe_execlist.c | 3 +- drivers/gpu/drm/xe/xe_gpu_scheduler.c | 5 + drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 + drivers/gpu/drm/xe/xe_gt_pagefault.c | 55 +- drivers/gpu/drm/xe/xe_gt_types.h | 9 +- drivers/gpu/drm/xe/xe_guc_pc.c | 2 +- drivers/gpu/drm/xe/xe_guc_submit.c | 76 +- drivers/gpu/drm/xe/xe_guc_types.h | 2 + drivers/gpu/drm/xe/xe_lrc.c | 35 +- drivers/gpu/drm/xe/xe_oa.c | 9 +- drivers/gpu/drm/xe/xe_pci.c | 2 + drivers/gpu/drm/xe/xe_preempt_fence.c | 12 +- drivers/gpu/drm/xe/xe_vm.c | 32 +- drivers/gpu/drm/xe/xe_vram.c | 1 + drivers/gpu/drm/xe/xe_wa_oob.rules | 3 + drivers/hid/bpf/hid_bpf_struct_ops.c | 14 + drivers/hid/hid-ids.h | 17 +- drivers/hid/hid-input.c | 37 +- drivers/hid/hid-multitouch.c | 6 + drivers/hid/i2c-hid/i2c-hid-core.c | 42 +- drivers/hwmon/nct6775-platform.c | 1 + drivers/i2c/busses/i2c-designware-common.c | 14 + drivers/i2c/busses/i2c-designware-core.h | 1 + drivers/i2c/busses/i2c-designware-master.c | 38 + drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-stm32f7.c | 6 +- drivers/i2c/busses/i2c-synquacer.c | 5 +- drivers/i2c/busses/i2c-xiic.c | 21 +- drivers/i2c/i2c-core-base.c | 28 + drivers/i3c/master/svc-i3c-master.c | 1 + drivers/idle/intel_idle.c | 14 +- drivers/iio/magnetometer/ak8975.c | 32 +- drivers/iio/pressure/bmp280-core.c | 9 +- drivers/iio/pressure/bmp280-regmap.c | 45 +- drivers/iio/pressure/bmp280.h | 1 + drivers/infiniband/hw/mana/main.c | 8 +- drivers/input/keyboard/adp5589-keys.c | 22 +- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 37 +- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h | 1 + drivers/iommu/intel/dmar.c | 16 +- drivers/iommu/intel/iommu.c | 6 +- drivers/iommu/intel/pasid.c | 12 +- drivers/leds/leds-pca9532.c | 5 +- drivers/mailbox/Kconfig | 1 + drivers/mailbox/bcm2835-mailbox.c | 3 +- drivers/mailbox/rockchip-mailbox.c | 2 +- drivers/media/common/videobuf2/videobuf2-core.c | 7 - drivers/media/i2c/ar0521.c | 5 +- drivers/media/i2c/imx335.c | 9 +- drivers/media/i2c/ov5675.c | 12 +- drivers/media/platform/qcom/camss/camss-video.c | 6 - drivers/media/platform/qcom/camss/camss.c | 5 +- drivers/media/platform/qcom/venus/core.c | 1 + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 + drivers/memory/tegra/tegra186-emc.c | 5 - drivers/net/can/dev/netlink.c | 102 +- .../net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +- drivers/net/ethernet/freescale/fec.h | 9 + drivers/net/ethernet/freescale/fec_main.c | 11 +- drivers/net/ethernet/freescale/fec_ptp.c | 50 + drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + drivers/net/ethernet/intel/e1000e/netdev.c | 19 +- drivers/net/ethernet/intel/ice/ice_sched.c | 6 +- drivers/net/ethernet/lantiq_etop.c | 4 +- drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 - .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 + .../net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +- .../net/ethernet/netronome/nfp/nfp_net_common.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 31 +- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +- drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 + drivers/net/ieee802154/Kconfig | 1 + drivers/net/ieee802154/mcr20a.c | 5 +- drivers/net/pcs/pcs-xpcs-wx.c | 2 +- drivers/net/phy/phy.c | 17 +- drivers/net/phy/realtek.c | 3 + drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/vrf.c | 2 + drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +- drivers/net/wireless/ath/ath9k/debug.c | 4 +- drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +- drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 5 + drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 + drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 2 + drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 +- drivers/net/wireless/intel/iwlwifi/fw/uefi.h | 2 - drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 +- drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 +- drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/scan.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +- drivers/net/wireless/microchip/wilc1000/sdio.c | 7 + drivers/net/wireless/realtek/rtw88/Kconfig | 1 + drivers/net/wireless/realtek/rtw89/core.h | 18 +- drivers/net/wireless/realtek/rtw89/mac.c | 2 +- drivers/net/wireless/realtek/rtw89/mac80211.c | 4 +- drivers/net/wireless/realtek/rtw89/phy.c | 4 +- drivers/net/wireless/realtek/rtw89/util.h | 18 + drivers/net/wwan/qcom_bam_dmux.c | 11 +- drivers/net/xen-netback/hash.c | 5 +- drivers/nvme/common/keyring.c | 58 +- drivers/nvme/host/Kconfig | 3 +- drivers/nvme/host/core.c | 1 - drivers/nvme/host/fabrics.c | 2 +- drivers/nvme/host/ioctl.c | 22 +- drivers/nvme/host/nvme.h | 2 +- drivers/nvme/host/sysfs.c | 4 +- drivers/nvme/host/tcp.c | 55 +- drivers/of/address.c | 5 + drivers/of/irq.c | 38 +- drivers/perf/arm_spe_pmu.c | 9 +- drivers/perf/riscv_pmu_legacy.c | 4 +- drivers/perf/riscv_pmu_sbi.c | 4 +- drivers/platform/mellanox/mlxbf-pmc.c | 5 + drivers/platform/x86/amd/pmf/pmf-quirks.c | 8 + .../x86/intel/speed_select_if/isst_if_common.c | 4 +- drivers/platform/x86/lenovo-ymc.c | 2 + drivers/platform/x86/touchscreen_dmi.c | 26 + drivers/platform/x86/x86-android-tablets/core.c | 6 +- drivers/platform/x86/x86-android-tablets/other.c | 10 +- drivers/pmdomain/core.c | 40 +- drivers/power/reset/brcmstb-reboot.c | 3 - drivers/power/supply/power_supply_core.c | 6 +- drivers/power/supply/power_supply_hwmon.c | 3 +- drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 +- drivers/rtc/rtc-at91sam9.c | 1 + drivers/scsi/NCR5380.c | 4 + drivers/scsi/aacraid/aacraid.h | 2 +- drivers/scsi/lpfc/lpfc.h | 12 +- drivers/scsi/lpfc/lpfc_els.c | 73 +- drivers/scsi/lpfc/lpfc_hbadisc.c | 14 +- drivers/scsi/lpfc/lpfc_nportdisc.c | 22 +- drivers/scsi/lpfc/lpfc_scsi.c | 13 +- drivers/scsi/lpfc/lpfc_sli.c | 11 + drivers/scsi/pm8001/pm8001_init.c | 6 +- drivers/scsi/smartpqi/smartpqi_init.c | 130 +- drivers/scsi/st.c | 5 +- drivers/spi/spi-bcm63xx.c | 9 +- drivers/spi/spi-cadence.c | 8 +- drivers/spi/spi-imx.c | 2 +- drivers/spi/spi-rpc-if.c | 7 + drivers/spi/spi-s3c64xx.c | 4 +- drivers/vhost/scsi.c | 25 +- drivers/video/fbdev/efifb.c | 11 +- drivers/video/fbdev/pxafb.c | 1 + drivers/virt/coco/sev-guest/sev-guest.c | 2 + fs/afs/file.c | 1 + fs/afs/fs_operation.c | 2 +- fs/btrfs/backref.c | 12 +- fs/btrfs/disk-io.c | 11 + fs/btrfs/relocation.c | 99 +- fs/btrfs/send.c | 31 +- fs/cachefiles/namei.c | 7 +- fs/ceph/addr.c | 6 +- fs/ceph/mds_client.c | 12 + fs/dax.c | 6 +- fs/exec.c | 34 +- fs/exfat/balloc.c | 10 +- fs/ext4/dir.c | 14 +- fs/ext4/ext4.h | 1 + fs/ext4/extents.c | 55 +- fs/ext4/fast_commit.c | 49 +- fs/ext4/file.c | 8 +- fs/ext4/inode.c | 11 +- fs/ext4/migrate.c | 2 +- fs/ext4/move_extent.c | 1 - fs/ext4/namei.c | 14 +- fs/ext4/resize.c | 18 +- fs/ext4/super.c | 34 +- fs/ext4/xattr.c | 3 +- fs/f2fs/f2fs.h | 31 +- fs/f2fs/gc.c | 85 +- fs/f2fs/gc.h | 23 + fs/f2fs/segment.c | 31 +- fs/f2fs/super.c | 8 + fs/f2fs/sysfs.c | 18 + fs/file.c | 93 +- fs/gfs2/glock.c | 1 + fs/gfs2/ops_fstype.c | 3 +- fs/inode.c | 14 +- fs/iomap/buffered-io.c | 16 +- fs/jbd2/checkpoint.c | 21 +- fs/jbd2/journal.c | 4 +- fs/jfs/jfs_discard.c | 11 +- fs/jfs/jfs_dmap.c | 7 +- fs/jfs/xattr.c | 2 + fs/netfs/write_issue.c | 48 +- fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +- fs/nfsd/nfs4state.c | 6 +- fs/nfsd/nfs4xdr.c | 10 +- fs/nfsd/nfsctl.c | 2 +- fs/nfsd/nfssvc.c | 2 +- fs/nfsd/vfs.c | 1 + fs/nfsd/xdr4.h | 1 + fs/ocfs2/aops.c | 5 +- fs/ocfs2/buffer_head_io.c | 4 +- fs/ocfs2/journal.c | 7 +- fs/ocfs2/localalloc.c | 19 + fs/ocfs2/quota_local.c | 8 +- fs/ocfs2/refcounttree.c | 26 +- fs/ocfs2/xattr.c | 11 +- fs/overlayfs/copy_up.c | 43 +- fs/overlayfs/params.c | 38 +- fs/pidfs.c | 5 +- fs/proc/base.c | 61 +- fs/proc/proc_sysctl.c | 11 +- fs/smb/client/cifsfs.c | 13 +- fs/smb/client/cifsglob.h | 2 +- fs/smb/client/inode.c | 19 +- fs/smb/client/reparse.c | 16 +- fs/smb/client/smb1ops.c | 2 +- fs/smb/client/smb2inode.c | 24 +- fs/smb/client/smb2ops.c | 19 +- fs/smb/server/connection.c | 4 +- fs/smb/server/connection.h | 1 + fs/smb/server/oplock.c | 55 +- fs/smb/server/smb2pdu.c | 5 +- fs/smb/server/vfs_cache.c | 3 + fs/smb/server/vfs_cache.h | 4 +- include/crypto/internal/simd.h | 12 +- include/drm/drm_print.h | 54 +- include/drm/gpu_scheduler.h | 2 +- include/dt-bindings/clock/exynos7885.h | 2 +- include/dt-bindings/clock/qcom,gcc-sc8180x.h | 1 + include/linux/cpufreq.h | 6 +- include/linux/fdtable.h | 8 +- include/linux/hdmi.h | 9 + include/linux/hugetlb.h | 10 + include/linux/i2c.h | 3 + include/linux/netdevice.h | 22 +- include/linux/nvme-keyring.h | 6 +- include/linux/perf_event.h | 8 +- include/linux/sched.h | 2 + include/linux/sunrpc/svc.h | 4 +- include/linux/uprobes.h | 2 + include/linux/virtio_net.h | 4 +- include/trace/events/netfs.h | 1 + include/uapi/linux/cec.h | 6 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- io_uring/io_uring.c | 5 +- io_uring/net.c | 4 +- kernel/bpf/verifier.c | 119 +- kernel/cgroup/cgroup-v1.c | 12 +- kernel/events/core.c | 33 +- kernel/events/uprobes.c | 4 +- kernel/fork.c | 32 +- kernel/jump_label.c | 34 +- kernel/rcu/rcuscale.c | 4 +- kernel/rcu/tasks.h | 82 +- kernel/resource.c | 58 +- kernel/sched/core.c | 23 +- kernel/sched/psi.c | 26 +- kernel/static_call_inline.c | 13 +- kernel/trace/trace_hwlat.c | 2 + kernel/trace/trace_osnoise.c | 22 +- lib/buildid.c | 74 +- mm/Kconfig | 25 +- mm/filemap.c | 4 + mm/gup.c | 1 + mm/hugetlb.c | 17 + mm/memfd.c | 20 +- mm/slab_common.c | 7 + mm/slub.c | 100 +- net/bluetooth/hci_core.c | 2 + net/bluetooth/hci_event.c | 15 +- net/bluetooth/l2cap_core.c | 8 - net/bluetooth/mgmt.c | 23 +- net/bridge/br_mdb.c | 2 +- net/core/dev.c | 14 +- net/core/gro.c | 9 +- net/core/net-sysfs.c | 6 +- net/core/netdev-genl.c | 8 +- net/core/netpoll.c | 15 +- net/core/skbuff.c | 15 +- net/dsa/dsa.c | 7 + net/ipv4/devinet.c | 6 +- net/ipv4/fib_frontend.c | 2 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/netfilter/nf_dup_ipv4.c | 7 +- net/ipv4/tcp_ipv4.c | 3 + net/ipv4/tcp_offload.c | 10 +- net/ipv4/udp_offload.c | 22 +- net/ipv6/netfilter/nf_dup_ipv6.c | 7 +- net/ipv6/tcpv6_offload.c | 10 +- net/l2tp/l2tp_core.c | 40 +- net/l2tp/l2tp_core.h | 4 +- net/l2tp/l2tp_netlink.c | 4 +- net/l2tp/l2tp_ppp.c | 3 +- net/mac80211/chan.c | 4 +- net/mac80211/mlme.c | 2 +- net/mac80211/scan.c | 2 +- net/mac80211/util.c | 4 +- net/mac802154/scan.c | 4 +- net/ncsi/ncsi-manage.c | 2 + net/netfilter/nf_tables_api.c | 5 +- net/rxrpc/ar-internal.h | 2 +- net/rxrpc/io_thread.c | 10 +- net/rxrpc/local_object.c | 2 +- net/sched/sch_taprio.c | 4 +- net/sctp/socket.c | 4 +- net/sunrpc/svc.c | 31 +- net/tipc/bearer.c | 8 +- net/wireless/nl80211.c | 15 +- rust/Makefile | 22 +- rust/exports.c | 1 + rust/helpers.c | 239 -- rust/helpers/blk.c | 14 + rust/helpers/bug.c | 8 + rust/helpers/build_assert.c | 25 + rust/helpers/build_bug.c | 9 + rust/helpers/err.c | 19 + rust/helpers/helpers.c | 25 + rust/helpers/kunit.c | 9 + rust/helpers/mutex.c | 15 + rust/helpers/page.c | 19 + rust/helpers/refcount.c | 19 + rust/helpers/signal.c | 9 + rust/helpers/slab.c | 9 + rust/helpers/spinlock.c | 24 + rust/helpers/task.c | 19 + rust/helpers/uaccess.c | 15 + rust/helpers/wait.c | 9 + rust/helpers/workqueue.c | 15 + rust/kernel/sync/locked_by.rs | 18 +- scripts/gdb/linux/proc.py | 4 +- scripts/gdb/linux/rbtree.py | 12 + scripts/gdb/linux/timerlist.py | 31 +- scripts/kconfig/parser.y | 10 +- scripts/kconfig/qconf.cc | 6 +- security/Kconfig | 32 + security/tomoyo/domain.c | 9 +- sound/core/control.c | 55 +- sound/core/control_compat.c | 45 +- sound/core/init.c | 14 +- sound/core/oss/mixer_oss.c | 4 +- sound/isa/gus/gus_pcm.c | 4 +- sound/pci/asihpi/hpimsgx.c | 2 +- sound/pci/hda/hda_controller.h | 2 +- sound/pci/hda/hda_generic.c | 4 +- sound/pci/hda/hda_intel.c | 10 +- sound/pci/hda/patch_conexant.c | 24 +- sound/pci/hda/patch_realtek.c | 156 +- sound/pci/hda/samsung_helper.c | 310 --- sound/pci/rme9652/hdsp.c | 6 +- sound/pci/rme9652/hdspm.c | 6 +- sound/soc/atmel/mchp-pdmc.c | 3 + sound/soc/codecs/wsa883x.c | 16 +- sound/soc/fsl/imx-card.c | 1 + sound/soc/intel/boards/bytcht_cx2072x.c | 4 + sound/soc/intel/boards/bytcht_da7213.c | 4 + sound/soc/intel/boards/bytcht_es8316.c | 2 +- sound/soc/intel/boards/bytcr_rt5640.c | 2 +- sound/soc/intel/boards/bytcr_rt5651.c | 2 +- sound/soc/intel/boards/cht_bsw_rt5645.c | 4 + sound/soc/intel/boards/cht_bsw_rt5672.c | 4 + sound/soc/intel/boards/sof_es8336.c | 2 +- sound/soc/intel/boards/sof_wm8804.c | 4 + sound/soc/intel/common/soc-acpi-intel-rpl-match.c | 1 + sound/soc/soc-topology.c | 4 +- sound/usb/card.c | 8 + sound/usb/clock.c | 62 +- sound/usb/format.c | 6 +- sound/usb/helper.c | 34 + sound/usb/helper.h | 10 +- sound/usb/line6/podhd.c | 2 +- sound/usb/mixer.c | 37 +- sound/usb/mixer.h | 1 + sound/usb/mixer_quirks.c | 430 +++- sound/usb/mixer_scarlett.c | 4 +- sound/usb/power.c | 3 +- sound/usb/power.h | 1 + sound/usb/quirks-table.h | 2455 +++++++------------- sound/usb/quirks.c | 62 + sound/usb/stream.c | 21 +- sound/usb/usbaudio.h | 12 + tools/arch/x86/kcpuid/kcpuid.c | 12 +- tools/bpf/bpftool/net.c | 11 +- tools/hv/hv_fcopy_uio_daemon.c | 7 + tools/include/nolibc/arch-powerpc.h | 2 +- tools/perf/util/hist.c | 7 +- tools/perf/util/machine.c | 17 +- tools/perf/util/setup.py | 2 + tools/perf/util/thread.c | 4 + tools/perf/util/thread.h | 1 + .../selftests/bpf/bpf_testmod/bpf_testmod.c | 1 + .../breakpoints/step_after_suspend_test.c | 5 +- .../devices/probe/test_discoverable_devices.py | 4 +- tools/testing/selftests/hid/Makefile | 2 + .../selftests/mm/charge_reserved_hugetlb.sh | 2 +- tools/testing/selftests/mm/pagemap_ioctl.c | 2 +- tools/testing/selftests/mm/write_to_hugetlbfs.c | 23 +- .../selftests/net/netfilter/conntrack_dump_flush.c | 1 + tools/testing/selftests/net/netfilter/nft_audit.sh | 57 +- tools/testing/selftests/nolibc/nolibc-test.c | 4 +- tools/testing/selftests/vDSO/parse_vdso.c | 17 +- tools/testing/selftests/vDSO/vdso_config.h | 10 +- .../testing/selftests/vDSO/vdso_test_correctness.c | 6 + tools/tracing/rtla/Makefile.rtla | 2 +- tools/tracing/rtla/src/osnoise_top.c | 2 +- tools/tracing/rtla/src/timerlat_top.c | 4 +- 605 files changed, 7495 insertions(+), 5321 deletions(-)

6 months, 3 weeks

20
583
0 0

[PATCH v2] ASoC: dapm: avoid container_of() to get component

by Benjamin Bara

From: Benjamin Bara <benjamin.bara(a)skidata.com> The current implementation does not work for widgets of DAPMs without component, as snd_soc_dapm_to_component() requires it. If the widget is directly owned by the card, e.g. as it is the case for the tegra implementation, the call leads to UB. Therefore directly access the component of the widget's DAPM to be able to check if a component is available. Fixes: f82eb06a40c8 ("ASoC: tegra: machine: Handle component name prefix") Cc: stable(a)vger.kernel.org # v6.7+ Signed-off-by: Benjamin Bara <benjamin.bara(a)skidata.com> --- Hi! I handled the new patch as V2 of the initial one, although it has a different summary. Hope this is fine. --- Changes in v2: - fix snd_soc_dapm_widget_name_cmp() instead of reverting commit - don't pick up R-b of Krzysztof, as different implementation - Link to v1: https://lore.kernel.org/r/20241007-tegra-dapm-v1-1-bede7983fa76@skidata.com --- sound/soc/soc-dapm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 9330f1a3f7589dc467c04238830f2009a619a998..c34934c31ffec3970b34b24dcaa0826dfb7d8e86 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -2785,10 +2785,10 @@ EXPORT_SYMBOL_GPL(snd_soc_dapm_update_dai); int snd_soc_dapm_widget_name_cmp(struct snd_soc_dapm_widget *widget, const char *s) { - struct snd_soc_component *component = snd_soc_dapm_to_component(widget->dapm); + struct snd_soc_component *component = widget->dapm->component; const char *wname = widget->name; - if (component->name_prefix) + if (component && component->name_prefix) wname += strlen(component->name_prefix) + 1; /* plus space */ return strcmp(wname, s); --- base-commit: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b change-id: 20241007-tegra-dapm-ef969b8f762a Best regards, -- Benjamin Bara <benjamin.bara(a)skidata.com>

6 months, 3 weeks

2
1
0 0

Linux 6.6.56

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.56 kernel. This fixes a build error in perf that I should have caught before 6.6.55 was released (my fault, it was correctly reported...). If you do not use the perf tool in the 6.6.y tree, there is no need to upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 4 ++-- tools/perf/util/machine.c | 17 ++--------------- tools/perf/util/thread.c | 4 ---- tools/perf/util/thread.h | 1 - 4 files changed, 4 insertions(+), 22 deletions(-) Greg Kroah-Hartman (2): Revert "perf callchain: Fix stitch LBR memory leaks" Linux 6.6.56

6 months, 3 weeks

1
1
0 0

Linux 6.6.55

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.55 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/kernel-parameters.txt | 10 Documentation/arch/arm64/silicon-errata.rst | 6 Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 Makefile | 2 arch/arm/crypto/aes-ce-glue.c | 2 arch/arm/crypto/aes-neonbs-glue.c | 2 arch/arm64/Kconfig | 7 arch/arm64/include/asm/cputype.h | 2 arch/arm64/kernel/cpu_errata.c | 3 arch/loongarch/configs/loongson3_defconfig | 1 arch/parisc/include/asm/mman.h | 14 arch/parisc/kernel/entry.S | 6 arch/parisc/kernel/syscall.S | 14 arch/powerpc/configs/ppc64_defconfig | 1 arch/powerpc/include/asm/vdso_datapage.h | 15 arch/powerpc/kernel/asm-offsets.c | 2 arch/powerpc/kernel/vdso/cacheflush.S | 2 arch/powerpc/kernel/vdso/datapage.S | 4 arch/powerpc/platforms/pseries/dlpar.c | 17 arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 arch/powerpc/platforms/pseries/hotplug-memory.c | 16 arch/powerpc/platforms/pseries/pmem.c | 2 arch/riscv/Kconfig | 8 arch/riscv/include/asm/thread_info.h | 7 arch/x86/crypto/sha256-avx2-asm.S | 16 arch/x86/events/core.c | 63 arch/x86/include/asm/fpu/signal.h | 2 arch/x86/include/asm/syscall.h | 7 arch/x86/kernel/apic/io_apic.c | 46 arch/x86/kernel/fpu/signal.c | 6 arch/x86/kernel/machine_kexec_64.c | 27 arch/x86/kernel/signal.c | 3 arch/x86/kernel/signal_64.c | 6 block/blk-iocost.c | 8 crypto/simd.c | 76 drivers/accel/ivpu/ivpu_fw.c | 4 drivers/acpi/acpi_pad.c | 6 drivers/acpi/acpica/dbconvert.c | 2 drivers/acpi/acpica/exprep.c | 3 drivers/acpi/acpica/psargs.c | 47 drivers/acpi/battery.c | 28 drivers/acpi/cppc_acpi.c | 10 drivers/acpi/ec.c | 55 drivers/acpi/resource.c | 14 drivers/acpi/video_detect.c | 8 drivers/ata/pata_serverworks.c | 16 drivers/ata/sata_sil.c | 12 drivers/block/aoe/aoecmd.c | 13 drivers/block/loop.c | 15 drivers/block/null_blk/main.c | 45 drivers/bluetooth/btmrvl_sdio.c | 3 drivers/bluetooth/btrtl.c | 1 drivers/bluetooth/btusb.c | 2 drivers/clk/qcom/clk-alpha-pll.c | 2 drivers/clk/qcom/clk-rpmh.c | 2 drivers/clk/qcom/dispcc-sm8250.c | 3 drivers/clk/qcom/gcc-sc8180x.c | 88 drivers/clk/qcom/gcc-sm8250.c | 6 drivers/clk/qcom/gcc-sm8450.c | 4 drivers/clk/rockchip/clk.c | 3 drivers/clk/samsung/clk-exynos7885.c | 2 drivers/cpufreq/intel_pstate.c | 20 drivers/crypto/marvell/Kconfig | 2 drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 261 - drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 254 - drivers/firmware/efi/unaccepted_memory.c | 4 drivers/firmware/tegra/bpmp.c | 6 drivers/gpio/gpio-davinci.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 43 drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 6 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 5 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 19 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 drivers/gpu/drm/amd/display/dc/core/dc.c | 6 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 drivers/gpu/drm/amd/display/dc/dc_types.h | 1 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 12 drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 drivers/gpu/drm/drm_atomic_uapi.c | 2 drivers/gpu/drm/drm_print.c | 13 drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 drivers/gpu/drm/msm/msm_gpu.c | 1 drivers/gpu/drm/omapdrm/omap_drv.c | 5 drivers/gpu/drm/radeon/r100.c | 70 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 2 drivers/gpu/drm/scheduler/sched_entity.c | 2 drivers/gpu/drm/stm/drv.c | 3 drivers/gpu/drm/stm/ltdc.c | 76 drivers/hid/hid-ids.h | 17 drivers/hid/hid-input.c | 37 drivers/hid/hid-multitouch.c | 6 drivers/hwmon/nct6775-platform.c | 1 drivers/i2c/busses/i2c-designware-common.c | 14 drivers/i2c/busses/i2c-designware-core.h | 1 drivers/i2c/busses/i2c-designware-master.c | 38 drivers/i2c/busses/i2c-qcom-geni.c | 4 drivers/i2c/busses/i2c-stm32f7.c | 6 drivers/i2c/busses/i2c-synquacer.c | 12 drivers/i2c/busses/i2c-xiic.c | 69 drivers/i2c/i2c-core-base.c | 39 drivers/i3c/master/svc-i3c-master.c | 1 drivers/iio/magnetometer/ak8975.c | 32 drivers/iio/pressure/bmp280-core.c | 185 drivers/iio/pressure/bmp280-regmap.c | 47 drivers/iio/pressure/bmp280-spi.c | 4 drivers/iio/pressure/bmp280.h | 49 drivers/infiniband/hw/mana/main.c | 8 drivers/input/keyboard/adp5589-keys.c | 22 drivers/iommu/intel/dmar.c | 16 drivers/iommu/intel/iommu.c | 6 drivers/iommu/iommufd/selftest.c | 27 drivers/mailbox/bcm2835-mailbox.c | 3 drivers/mailbox/rockchip-mailbox.c | 2 drivers/media/i2c/ar0521.c | 5 drivers/media/i2c/imx335.c | 43 drivers/media/i2c/ov5675.c | 12 drivers/media/platform/qcom/camss/camss-video.c | 6 drivers/media/platform/qcom/camss/camss.c | 5 drivers/media/platform/qcom/venus/core.c | 1 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 drivers/media/usb/usbtv/usbtv-video.c | 7 drivers/memory/tegra/tegra186-emc.c | 5 drivers/net/can/dev/netlink.c | 102 drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 drivers/net/ethernet/freescale/fec.h | 9 drivers/net/ethernet/freescale/fec_main.c | 11 drivers/net/ethernet/freescale/fec_ptp.c | 50 drivers/net/ethernet/hisilicon/hip04_eth.c | 1 drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 drivers/net/ethernet/hisilicon/hns_mdio.c | 1 drivers/net/ethernet/intel/e1000e/netdev.c | 19 drivers/net/ethernet/intel/ice/ice_sched.c | 6 drivers/net/ethernet/lantiq_etop.c | 4 drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 6 drivers/net/ethernet/microsoft/Kconfig | 3 drivers/net/ethernet/microsoft/mana/gdma_main.c | 10 drivers/net/ethernet/microsoft/mana/hw_channel.c | 14 drivers/net/ethernet/microsoft/mana/mana_en.c | 8 drivers/net/ethernet/microsoft/mana/shm_channel.c | 13 drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 5 drivers/net/ethernet/realtek/r8169_main.c | 31 drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 8 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 19 drivers/net/ieee802154/Kconfig | 1 drivers/net/ieee802154/mcr20a.c | 5 drivers/net/pcs/pcs-xpcs-wx.c | 2 drivers/net/ppp/ppp_generic.c | 4 drivers/net/vrf.c | 2 drivers/net/wireless/ath/ath11k/dp_rx.c | 2 drivers/net/wireless/ath/ath12k/dp_rx.c | 2 drivers/net/wireless/ath/ath9k/debug.c | 4 drivers/net/wireless/ath/ath9k/hif_usb.c | 6 drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 drivers/net/wireless/marvell/mwifiex/fw.h | 2 drivers/net/wireless/marvell/mwifiex/scan.c | 3 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 drivers/net/wireless/realtek/rtw88/Kconfig | 1 drivers/net/wireless/realtek/rtw89/mac80211.c | 4 drivers/net/wireless/realtek/rtw89/phy.c | 4 drivers/net/wireless/realtek/rtw89/util.h | 18 drivers/net/wwan/qcom_bam_dmux.c | 11 drivers/net/xen-netback/hash.c | 5 drivers/of/address.c | 5 drivers/of/irq.c | 38 drivers/perf/arm_spe_pmu.c | 9 drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 drivers/platform/x86/lenovo-ymc.c | 2 drivers/platform/x86/think-lmi.c | 16 drivers/platform/x86/touchscreen_dmi.c | 26 drivers/platform/x86/x86-android-tablets/core.c | 57 drivers/power/reset/brcmstb-reboot.c | 3 drivers/power/supply/power_supply_hwmon.c | 3 drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 drivers/rtc/rtc-at91sam9.c | 1 drivers/scsi/NCR5380.c | 4 drivers/scsi/aacraid/aacraid.h | 2 drivers/scsi/lpfc/lpfc_els.c | 27 drivers/scsi/lpfc/lpfc_nportdisc.c | 22 drivers/scsi/pm8001/pm8001_init.c | 6 drivers/scsi/smartpqi/smartpqi_init.c | 2 drivers/scsi/st.c | 5 drivers/spi/spi-bcm63xx.c | 9 drivers/spi/spi-cadence.c | 31 drivers/spi/spi-imx.c | 2 drivers/spi/spi-rpc-if.c | 7 drivers/spi/spi-s3c64xx.c | 4 drivers/vhost/scsi.c | 27 drivers/video/fbdev/efifb.c | 11 drivers/video/fbdev/pxafb.c | 1 fs/btrfs/backref.c | 12 fs/btrfs/disk-io.c | 11 fs/btrfs/relocation.c | 150 fs/btrfs/relocation.h | 9 fs/btrfs/send.c | 23 fs/cachefiles/namei.c | 7 fs/ceph/addr.c | 6 fs/dax.c | 6 fs/exec.c | 3 fs/exfat/balloc.c | 10 fs/ext4/dir.c | 14 fs/ext4/extents.c | 55 fs/ext4/fast_commit.c | 49 fs/ext4/file.c | 8 fs/ext4/inode.c | 11 fs/ext4/migrate.c | 2 fs/ext4/move_extent.c | 1 fs/ext4/namei.c | 14 fs/ext4/super.c | 2 fs/ext4/xattr.c | 3 fs/file.c | 95 fs/iomap/buffered-io.c | 16 fs/jbd2/checkpoint.c | 21 fs/jbd2/journal.c | 4 fs/jfs/jfs_discard.c | 11 fs/jfs/jfs_dmap.c | 7 fs/jfs/xattr.c | 2 fs/nfsd/nfs4state.c | 5 fs/nfsd/nfs4xdr.c | 10 fs/nfsd/vfs.c | 1 fs/ocfs2/aops.c | 5 fs/ocfs2/buffer_head_io.c | 4 fs/ocfs2/journal.c | 7 fs/ocfs2/localalloc.c | 19 fs/ocfs2/quota_local.c | 8 fs/ocfs2/refcounttree.c | 26 fs/ocfs2/xattr.c | 11 fs/overlayfs/params.c | 38 fs/proc/base.c | 61 fs/smb/client/cifsfs.c | 13 fs/smb/client/cifsglob.h | 2 fs/smb/client/inode.c | 19 fs/smb/client/reparse.c | 16 fs/smb/client/smb1ops.c | 2 fs/smb/client/smb2inode.c | 24 fs/smb/client/smb2ops.c | 19 fs/smb/server/connection.c | 4 fs/smb/server/connection.h | 1 fs/smb/server/oplock.c | 55 fs/smb/server/vfs_cache.c | 3 include/crypto/internal/simd.h | 12 include/drm/drm_print.h | 54 include/dt-bindings/clock/exynos7885.h | 2 include/dt-bindings/clock/qcom,gcc-sc8180x.h | 3 include/linux/cpufreq.h | 6 include/linux/fdtable.h | 8 include/linux/i2c.h | 5 include/linux/netdevice.h | 18 include/linux/perf_event.h | 8 include/linux/stmmac.h | 1 include/linux/uprobes.h | 2 include/linux/virtio_net.h | 4 include/net/mana/gdma.h | 10 include/net/mana/mana.h | 3 include/uapi/linux/cec.h | 6 include/uapi/linux/netfilter/nf_tables.h | 2 io_uring/net.c | 4 kernel/bpf/verifier.c | 26 kernel/events/core.c | 33 kernel/events/uprobes.c | 4 kernel/fork.c | 32 kernel/jump_label.c | 52 kernel/rcu/rcuscale.c | 4 kernel/resource.c | 58 kernel/sched/psi.c | 26 kernel/static_call_inline.c | 13 kernel/trace/trace_hwlat.c | 2 kernel/trace/trace_osnoise.c | 22 lib/buildid.c | 90 mm/Kconfig | 25 mm/slab_common.c | 7 net/bluetooth/hci_core.c | 2 net/bluetooth/hci_event.c | 15 net/bluetooth/hci_sock.c | 21 net/bluetooth/iso.c | 36 net/bluetooth/l2cap_core.c | 8 net/bluetooth/l2cap_sock.c | 52 net/bluetooth/mgmt.c | 23 net/core/dev.c | 14 net/core/gro.c | 9 net/core/netpoll.c | 15 net/dsa/slave.c | 7 net/ipv4/devinet.c | 6 net/ipv4/fib_frontend.c | 2 net/ipv4/ip_gre.c | 6 net/ipv4/netfilter/nf_dup_ipv4.c | 7 net/ipv4/tcp_ipv4.c | 3 net/ipv4/udp_offload.c | 22 net/ipv6/netfilter/nf_dup_ipv6.c | 7 net/mac80211/chan.c | 4 net/mac80211/mlme.c | 2 net/mac80211/scan.c | 2 net/mac80211/util.c | 4 net/mac802154/scan.c | 4 net/netfilter/nf_tables_api.c | 57 net/netfilter/nft_set_bitmap.c | 4 net/netfilter/nft_set_hash.c | 8 net/netfilter/nft_set_pipapo.c | 5 net/netfilter/nft_set_rbtree.c | 4 net/rxrpc/ar-internal.h | 2 net/rxrpc/io_thread.c | 10 net/rxrpc/local_object.c | 2 net/sched/sch_taprio.c | 4 net/sctp/socket.c | 4 net/tipc/bearer.c | 8 net/wireless/nl80211.c | 15 rust/kernel/sync/locked_by.rs | 18 scripts/kconfig/qconf.cc | 2 security/Kconfig | 32 security/tomoyo/domain.c | 9 sound/core/init.c | 14 sound/core/oss/mixer_oss.c | 4 sound/isa/gus/gus_pcm.c | 4 sound/pci/asihpi/hpimsgx.c | 2 sound/pci/hda/hda_controller.h | 2 sound/pci/hda/hda_generic.c | 4 sound/pci/hda/hda_intel.c | 10 sound/pci/hda/patch_conexant.c | 24 sound/pci/hda/patch_realtek.c | 4 sound/pci/rme9652/hdsp.c | 6 sound/pci/rme9652/hdspm.c | 6 sound/soc/atmel/mchp-pdmc.c | 3 sound/soc/codecs/wsa883x.c | 16 sound/soc/fsl/imx-card.c | 1 sound/usb/card.c | 6 sound/usb/line6/podhd.c | 2 sound/usb/mixer.c | 35 sound/usb/mixer.h | 1 sound/usb/quirks-table.h | 2287 ++-------- sound/usb/quirks.c | 4 tools/arch/x86/kcpuid/kcpuid.c | 12 tools/bpf/bpftool/net.c | 11 tools/include/nolibc/arch-powerpc.h | 2 tools/perf/util/hist.c | 7 tools/perf/util/machine.c | 17 tools/perf/util/setup.py | 4 tools/perf/util/thread.c | 4 tools/perf/util/thread.h | 1 tools/testing/selftests/breakpoints/step_after_suspend_test.c | 5 tools/testing/selftests/hid/Makefile | 2 tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 2 tools/testing/selftests/mm/write_to_hugetlbfs.c | 21 tools/testing/selftests/netfilter/nft_audit.sh | 57 tools/testing/selftests/nolibc/nolibc-test.c | 4 tools/testing/selftests/vDSO/parse_vdso.c | 17 tools/testing/selftests/vDSO/vdso_config.h | 10 tools/testing/selftests/vDSO/vdso_test_correctness.c | 6 tools/tracing/rtla/src/osnoise_top.c | 2 tools/tracing/rtla/src/timerlat_top.c | 4 387 files changed, 4126 insertions(+), 3851 deletions(-) Aakash Menon (1): net: sparx5: Fix invalid timestamps Abhishek Tamboli (1): ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Adrian Ratiu (1): proc: add config & param to block forcing mem writes Ahmed S. Darwish (1): tools/x86/kcpuid: Protect against faulty "max subleaf" values Ai Chao (1): ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Ajit Pandey (1): clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Al Viro (1): close_range(): fix the logics in descriptor table trimming Aleksander Jan Bajkowski (1): net: ethernet: lantiq_etop: fix memory disclosure Aleksandr Mishin (1): ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Aleksandrs Vinarskis (1): ACPICA: iasl: handle empty connection_node Alex Deucher (3): drm/amdgpu/gfx9: use rlc safe mode for soft recovery drm/amdgpu/gfx11: use rlc safe mode for soft recovery drm/amdgpu/gfx10: use rlc safe mode for soft recovery Alex Hung (7): drm/amd/display: Check null pointers before using dc->clk_mgr drm/amd/display: Check stream before comparing them drm/amd/display: Check link_res->hpo_dp_link_enc before using it drm/amd/display: Avoid overflow assignment in link_dp_cts drm/amd/display: Initialize get_bytes_per_element's default to 1 drm/amd/display: Add HDR workaround for specific eDP drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it Alexander F. Lent (1): accel/ivpu: Add missing MODULE_FIRMWARE metadata Alexander Shiyan (1): media: i2c: ar0521: Use cansleep version of gpiod_set_value() Alexandre Ghiti (1): riscv: Fix kernel stack size when KASAN is enabled Alexey Dobriyan (1): build-id: require program headers to be right after ELF header Alice Ryhl (1): rust: sync: require `T: Sync` for `LockedBy::access` Andrei Simion (1): ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Andrew Davis (1): power: reset: brcmstb: Do not go into infinite loop if reset fails Andrew Jones (1): of/irq: Support #msi-cells=<0> in of_msi_get_domain Andrii Nakryiko (2): perf,x86: avoid missing caller address in stack traces captured in uprobe lib/buildid: harden build ID parsing logic Angel Iglesias (1): iio: pressure: bmp280: Allow multiple chips id per family of devices Anton Danilov (1): ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Ard Biesheuvel (1): i2c: synquacer: Deal with optional PCLK correctly Armin Wolf (4): ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook Arnaldo Carvalho de Melo (2): perf python: Disable -Wno-cast-function-type-mismatch if present on clang perf python: Allow checking for the existence of warning options in clang Artem Sadovnikov (1): ext4: fix i_data_sem unlock order in ext4_ind_migrate() Aruna Ramakrishna (2): x86/pkeys: Add PKRU as a parameter in signal handling functions x86/pkeys: Restore altstack access in sigreturn() Asad Kamal (1): drm/amdgpu: Fix get each xcp macro Baojun Xu (1): ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Baokun Li (9): ext4: avoid use-after-free in ext4_ext_show_leaf() ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path ext4: update orig_path in ext4_find_extent() jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error cachefiles: fix dentry leak in cachefiles_open_file() Barnabás Czémán (1): iio: magnetometer: ak8975: Fix reading for ak099xx sensors Beleswar Padhi (1): remoteproc: k3-r5: Acquire mailbox handle during probe routine Ben Dooks (1): spi: s3c64xx: fix timeout counters in flush_fifo Benjamin Gaignard (1): media: usbtv: Remove useless locks in usbtv_video_free() Benjamin Lin (1): wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Biju Das (1): spi: rpc-if: Add missing MODULE_DEVICE_TABLE Breno Leitao (1): netpoll: Ensure clean state on setup failures Bryan O'Donoghue (3): media: ov5675: Fix power on/off delay timings media: qcom: camss: Remove use_count guard in stop_streaming media: qcom: camss: Fix ordering of pm_runtime_enable Chen Yu (1): efi/unaccepted: touch soft lockup during memory accept Chih-Kang Chang (1): wifi: rtw89: avoid to add interface to list twice when SER Christoph Hellwig (2): loop: don't set QUEUE_FLAG_NOMERGES iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Christophe JAILLET (4): ALSA: mixer_oss: Remove some incorrect kfree_const() usages ALSA: gus: Fix some error handling paths related to get_bpos() usage i2c: synquacer: Remove a clk reference from struct synquacer_i2c null_blk: Remove usage of the deprecated ida_simple_xx() API Christophe Leroy (4): selftests: vDSO: fix vDSO name for powerpc selftests: vDSO: fix vdso_config for powerpc selftests: vDSO: fix vDSO symbols lookup for powerpc64 powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Chuck Lever (1): NFSD: Fix NFSv4's PUTPUBFH operation Chun-Yi Lee (1): aoe: fix the potential use-after-free problem in more places Ckath (1): platform/x86: touchscreen_dmi: add nanote-next quirk Colin Ian King (1): r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Csókás, Bence (2): net: fec: Restart PPS after link state change net: fec: Reload PTP registers after link-state change Damien Le Moal (3): ata: pata_serverworks: Do not use the term blacklist ata: sata_sil: Rename sil_blacklist to sil_quirks null_blk: Fix return value of nullb_device_power_store() Daniel Borkmann (2): net: Add netif_get_gro_max_size helper for GRO net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Daniel Wagner (1): scsi: pm8001: Do not overwrite PCI queue mapping Danilo Krummrich (1): mm: krealloc: consider spare memory for __GFP_ZERO Darrick J. Wong (1): iomap: constrain the file range passed to iomap_file_unshare David Hildenbrand (1): selftests/mm: fix charge_reserved_hugetlb.sh test David Howells (1): rxrpc: Fix a race between socket set up and I/O thread creation David Sterba (2): btrfs: relocation: return bool from btrfs_should_ignore_reloc_root btrfs: relocation: constify parameters where possible David Virag (2): dt-bindings: clock: exynos7885: Fix duplicated binding clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Denis Pauk (1): hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Dmitry Antipov (1): net: sched: consistently use rcu_replace_pointer() in taprio_change() Dmitry Baryshkov (1): clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Dmitry Kandybka (1): wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Easwar Hariharan (1): arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Eder Zulian (1): rtla: Fix the help text in osnoise and timerlat top tools Edward Adam Davis (3): jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree ext4: no need to continue when the number of entries is 1 Elena Salomatkina (1): net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Emanuele Ghidoli (1): gpio: davinci: fix lazy disable Eric Dumazet (5): netfilter: nf_tables: prevent nf_skb_duplicated corruption net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() net: test for not too small csum_start in virtio_net_hdr_to_skb() ppp: do not assume bh is held in ppp_channel_bridge_input() Fangrui Song (1): crypto: x86/sha256 - Add parentheses around macros' single arguments Felix Fietkau (2): wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Filipe Manana (2): btrfs: send: fix invalid clone operation for file that got its size decreased btrfs: wait for fixup workers before stopping cleaner kthread during umount Finn Thain (1): scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Gabe Teeger (1): drm/amd/display: Revert Avoid overflow assignment Gautham Ananthakrishna (1): ocfs2: reserve space for inline xattr before attaching reflink tree Geert Uytterhoeven (2): drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() of/irq: Refer to actual buffer size in of_irq_parse_one() Gerd Bayer (1): net/mlx5: Fix error path in multi-packet WQE transmit Gergo Koteles (1): platform/x86: lenovo-ymc: Ignore the 0x0 state Greg Kroah-Hartman (1): Linux 6.6.55 Gustavo A. R. Silva (1): wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Haiyang Zhang (2): net: mana: Enable MANA driver on ARM64 with 4K page size net: mana: Add support for page sizes other than 4KB on ARM64 Hans P. Moller (1): ALSA: line6: add hw monitor volume control to POD HD500X Hans Verkuil (1): media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Hans de Goede (7): ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 HID: Ignore battery for all ELAN I2C-HID devices power: supply: hwmon: Fix missing temp1_max_alarm attribute ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] platform/x86: x86-android-tablets: Create a platform_device from module_init() platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors Haoran Zhang (1): vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Haren Myneni (1): powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Heiko Carstens (1): selftests: vDSO: fix vdso_config for s390 Heiner Kallweit (2): i2c: core: Lock address during client device instantiation r8169: add tally counter fields added with RTL8125 Helge Deller (4): parisc: Fix itlb miss handler for 64-bit programs parisc: Fix 64-bit userspace syscall path parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Heming Zhao (1): ocfs2: fix the la space leak when unmounting an ocfs2 volume Herbert Xu (4): crypto: octeontx - Fix authenc setkey crypto: octeontx2 - Fix authenc setkey crypto: simd - Do not call crypto_alloc_tfm during registration crypto: octeontx* - Select CRYPTO_AUTHENC Hilda Wu (2): Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Huang Ying (1): resource: fix region_intersects() vs add_memory_driver_managed() Hui Wang (1): ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Ian Rogers (1): perf callchain: Fix stitch LBR memory leaks Ido Schimmel (1): ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Ilan Peer (1): wifi: iwlwifi: mvm: Fix a race in scan abort flow Issam Hamdi (1): wifi: cfg80211: Set correct chandef when starting CAC James Clark (1): drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Jan Kiszka (1): remoteproc: k3-r5: Fix error handling when power-up failed Jan Lalinsky (1): ALSA: usb-audio: Add native DSD support for Luxman D-08u Jani Nikula (1): drm/i915/gem: fix bitwise and logical AND mixup Jaroslav Kysela (1): ALSA: core: add isascii() check to card ID generator Jason Xing (1): tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Javier Carrasco (1): drm/mediatek: ovl_adaptor: Add missing of_node_put() Jens Axboe (1): io_uring/net: harden multishot termination case for recv Jens Remus (1): selftests: vDSO: fix ELF hash table entry size for s390x Jeongjun Park (1): net/xen-netback: prevent UAF in xenvif_flush_hash() Jesse Zhang (1): drm/amdkfd: Fix resource leak in criu restore queue Jianbo Liu (1): net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Jiawei Ye (1): mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Jiawen Wu (1): net: pcs: xpcs: fix the wrong register that was written back Jinjie Ruan (12): ieee802154: Fix build error net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() nfp: Use IRQF_NO_AUTOEN flag in request_irq() spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled spi: spi-cadence: Fix missing spi_controller_is_target() check i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled spi: bcm63xx: Fix module autoloading spi: bcm63xx: Fix missing pm_runtime_disable() Jisheng Zhang (1): riscv: define ILLEGAL_POINTER_VALUE for 64bit Johannes Berg (3): wifi: iwlwifi: mvm: drop wrong STA selection in TX wifi: iwlwifi: mvm: use correct key iteration wifi: mac80211: fix RCU list iterations Johannes Weiner (1): sched: psi: fix bogus pressure spikes from aggregation race Jonathan Gray (1): Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Josef Bacik (1): btrfs: drop the backref cache during relocation if we commit Joseph Qi (2): ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: cancel dqi_sync_work before freeing oinfo Joshua Pius (1): ALSA: usb-audio: Add logitech Audio profile quirk Julian Sun (1): ocfs2: fix null-ptr-deref when journal load failed. Juntong Deng (1): bpf: Make the pointer returned by iter next method valid Justin Tee (1): scsi: lpfc: Update PRLO handling in direct attached topology Kaixin Wang (2): fbdev: pxafb: Fix possible use after free in pxafb_task() i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Karthikeyan Periyasamy (2): wifi: ath12k: fix array out-of-bound access in SoC stats wifi: ath11k: fix array out-of-bound access in SoC stats Katya Orlova (1): drm/stm: Avoid use-after-free issues with crtc and plane Kees Cook (2): x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() scsi: aacraid: Rearrange order of struct aac_srb_unit Kemeng Shi (1): jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit KhaiWenTan (1): net: stmmac: Fix zero-division error when disabling tc cbs Kieran Bingham (1): media: i2c: imx335: Enable regulator supplies Kimriver Liu (1): i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Konrad Dybcio (1): drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs Konstantin Ovsepian (1): blk_iocost: fix more out of bound shifts Krzysztof Kozlowski (7): net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() ASoC: codecs: wsa883x: Handle reading version failure firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() memory: tegra186-emc: drop unused to_tegra186_emc() rtc: at91sam9: fix OF node leak in probe() error path Kuan-Wei Chiu (2): bpftool: Fix undefined behavior caused by shifting into the sign bit bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Kuniyuki Iwashima (1): ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Laurent Pinchart (1): media: sun4i_csi: Implement link validate for sun4i_csi subdev Li Lingfeng (1): nfsd: map the EBADMSG to nfserr_io to avoid warning Li Zetao (1): spi: spi-cadence: Use helper function devm_clk_get_enabled() Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Liao Chen (1): mailbox: rockchip: fix a typo in module autoloading Lizhi Xu (2): ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Long Li (2): RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page RDMA/mana_ib: use the correct page table index based on hardware page size Lu Baolu (1): iommu/vt-d: Always reserve a domain ID for identity setup Luis Henriques (SUSE) (7): ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() ext4: fix fast commit inode enqueueing during a full journal commit ext4: use handle to mark fc as ineligible in __track_dentry_update() ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luiz Augusto von Dentz (6): Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Bluetooth: L2CAP: Fix uaf in l2cap_connect Bluetooth: hci_sock: Fix not validating setsockopt user input Bluetooth: ISO: Fix not validating setsockopt user input Bluetooth: L2CAP: Fix not validating setsockopt user input Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Luo Gengkun (1): perf/core: Fix small negative period being ignored Ma Ke (1): drm: omapdrm: Add missing check for alloc_ordered_workqueue Mads Bligaard Nielsen (1): drm/bridge: adv7511: fix crash on irq during probe Mahesh Rajashekhara (1): scsi: smartpqi: correct stream detection Manivannan Sadhasivam (3): clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() dt-bindings: clock: qcom: Add missing UFS QREF clocks Marc Ferland (1): i2c: xiic: improve error message when transfer fails to start Marek Vasut (1): i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Mario Limonciello (2): ACPI: CPPC: Add support for setting EPP register in FFH drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Mark Pearson (1): platform/x86: think-lmi: Fix password opcode ordering for workstations Mark Rutland (3): arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more Masahiro Yamada (1): kconfig: qconf: fix buffer overflow in debug links Matt Fleming (1): perf hist: Update hist symbol when updating maps Matthew Brost (1): drm/printer: Allow NULL data in devcoredump printer Mike Baynton (1): ovl: fail if trusted xattrs are needed but caller lacks permission Mike Tipton (1): clk: qcom: clk-rpmh: Fix overflow in BCM vote Miquel Sabaté Solà (1): cpufreq: Avoid a bad reference count on CPU node Miri Korenblit (1): wifi: iwlwifi: mvm: avoid NULL pointer dereference Mohamed Khalfella (1): net/mlx5: Added cond_resched() to crdump collection Namhyung Kim (2): perf: Really fix event_function_call() locking perf report: Fix segfault when 'sym' sort key is not used Namjae Jeon (1): ksmbd: add refcnt to ksmbd_conn struct NeilBrown (1): nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Nicolin Chen (1): iommufd: Fix protection fault in iommufd_test_syz_conv_iova Nuno Sa (2): Input: adp5589-keys - fix NULL pointer dereference Input: adp5589-keys - fix adp5589_gpio_get_value() Oder Chiou (1): ALSA: hda/realtek: Fix the push button function for the ALC257 Oleg Nesterov (1): uprobes: fix kernel info leak via "[uprobes]" vma Pablo Neira Ayuso (2): netfilter: nf_tables: fix memleak in map from abort path netfilter: nf_tables: restore set elements when delete set fails Pali Rohár (3): cifs: Remove intermediate object of failed create reparse call cifs: Fix buffer overflow when parsing NFS reparse points cifs: Do not convert delimiter when parsing NFS-style symlinks Patrick Donnelly (1): ceph: fix cap ref leak via netfs init_request Paul E. McKenney (1): rcuscale: Provide clear error when async specified without primitives Pei Xiao (1): ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Peng Liu (2): drm/amdgpu: add raven1 gfxoff quirk drm/amdgpu: enable gfxoff quirk on HP 705G4 Peter Zijlstra (2): jump_label: Fix static_key_slow_dec() yet again perf: Fix event_function_call() locking Phil Sutter (2): netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED selftests: netfilter: Fix nft_audit.sh for newer nft binaries Philip Yang (1): drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pierre-Eric Pelloux-Prayer (1): drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Ping-Ke Shih (1): wifi: rtw89: correct base HT rate mask for firmware Qu Wenruo (1): btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Rafael J. Wysocki (1): ACPI: EC: Do not release locks during operation region accesses Rafael Rocha (1): scsi: st: Fix input/output error on empty drive reset Ravikanth Tuniki (1): dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Remington Brasga (1): jfs: UBSAN: shift-out-of-bounds in dbFindBits Robert Hancock (2): i2c: xiic: Try re-initialization on bus busy timeout i2c: xiic: Wait for TX empty to avoid missed TX NAKs Sanjay K Kumar (1): iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Satya Priya Kakitapalli (4): clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x clk: qcom: gcc-sc8180x: Add GPLL9 support Sebastian Reichel (1): clk: rockchip: fix error for unknown clocks Seiji Nishikawa (1): ACPI: PAD: fix crash in exit_round_robin() Shenwei Wang (1): net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Simon Horman (4): tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer bnxt_en: Extend maximum length of version string by 1 byte net: atlantic: Avoid warning about potential string truncation Srinivasan Shanmugam (6): drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation drm/amd/display: Fix index out of bounds in degamma hardware format translation drm/amd/display: Fix index out of bounds in DCN30 color transformation Stefan Mätje (1): can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode Stefan Wahren (1): mailbox: bcm2835: Fix timeout during suspend mode Steve French (1): smb3: fix incorrect mode displayed for read-only files Takashi Iwai (8): ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin ALSA: usb-audio: Add input value sanity checks for standard types ALSA: usb-audio: Define macros for quirk table entries ALSA: usb-audio: Replace complex quirk lines with macros ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Tao Liu (1): x86/kexec: Add EFI config table identity mapping for kexec kernel Tetsuo Handa (1): tomoyo: fallback to realpath if symlink's pathname does not exist Thadeu Lima de Souza Cascardo (1): ext4: ext4_search_dir should return a proper error Thomas Gleixner (4): static_call: Handle module init failure correctly in static_call_del_module() static_call: Replace pointless WARN_ON() in static_call_module_notify() jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() x86/ioapic: Handle allocation failures gracefully Thomas Weißschuh (4): tools/nolibc: powerpc: limit stack-protector workaround to GCC selftests/nolibc: avoid passing NULL to printf("%s") fbdev: efifb: Register sysfs groups through driver core of: address: Report error on resource bounds overflow Thomas Zimmermann (1): drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Tim Huang (3): drm/amd/display: fix double free issue during amdgpu module unload drm/amdgpu: fix unchecked return value warning for amdgpu_gfx drm/amd/pm: ensure the fw_info is not null before using it Toke Høiland-Jørgensen (1): wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Tom Chung (1): drm/amd/display: Fix system hang while resume with TBT monitor Tvrtko Ursulin (1): drm/sched: Add locking to drm_sched_entity_modify_sched Udit Kumar (1): remoteproc: k3-r5: Delay notification of wakeup event Umang Jain (1): media: imx335: Fix reset-gpio handling Uwe Kleine-König (1): cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Val Packett (2): drm/rockchip: vop: clear DMA stop bit on RK3066 drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Vasileios Amoiridis (4): iio: pressure: bmp280: Improve indentation and line wrapping iio: pressure: bmp280: Use BME prefix for BME280 specifics iio: pressure: bmp280: Fix regmap for BMP280 device iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Victor Skvortsov (1): drm/amdgpu: Block MMR_READ IOCTL in reset Vishnu Sankar (1): HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Vitaly Lifshits (1): e1000e: avoid failing the system during pm_suspend Vladimir Oltean (1): net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Wei Li (4): tracing/hwlat: Fix a race during cpuhp processing tracing/timerlat: Drop interface_lock in stop_kthread() tracing/timerlat: Fix a race during cpuhp processing tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Willem de Bruijn (2): vrf: revert "vrf: Remove unnecessary RCU-bh critical section" gso: fix udp gso fraglist segmentation after pull from frag_list Wolfram Sang (1): i2c: create debugfs entry per adapter Xiaolei Wang (1): net: stmmac: move the EST lock to struct stmmac_priv Xiaxi Shen (1): ext4: fix timer use-after-free on failed mount Xin Long (1): sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Xiubo Li (1): ceph: remove the incorrect Fw reference check when dirtying pages Yannick Fertre (1): drm/stm: ltdc: reset plane transparency after plane disable Yifei Liu (1): selftests: breakpoints: use remaining time to check if suspend succeed Yosry Ahmed (1): mm: z3fold: deprecate CONFIG_Z3FOLD Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Yuezhang Mo (1): exfat: fix memory leak in exfat_load_bitmap() Yun Lu (1): selftest: hid: add missing run-hid-tools-tests.sh Zach Wade (1): platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Zhao Mengmeng (1): jfs: Fix uninit-value access of new_ea in ea_buffer Zheng Wang (1): media: venus: fix use after free bug in venus_remove due to race condition Zhihao Cheng (3): ext4: dax: fix overflowing extents beyond inode size when partially writing ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path" Zong-Zhe Yang (1): wifi: rtw88: select WANT_DEV_COREDUMP wangrong (1): smb: client: use actual path when queryfs yao.ly (1): ext4: correct encrypted dentry name hash when not casefolded

6 months, 3 weeks

1
1
0 0

Linux 6.11.3

by Greg Kroah-Hartman

I'm announcing the release of the 6.11.3 kernel. All users of the 6.11 kernel series must upgrade. The updated 6.11.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.11.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-fs-f2fs | 22 Documentation/admin-guide/kernel-parameters.txt | 10 Documentation/arch/arm64/silicon-errata.rst | 6 Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 Documentation/networking/net_cachelines/net_device.rst | 2 Documentation/rust/general-information.rst | 4 Makefile | 2 arch/arm/crypto/aes-ce-glue.c | 2 arch/arm/crypto/aes-neonbs-glue.c | 2 arch/arm64/Kconfig | 7 arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/kvm_host.h | 25 arch/arm64/kernel/cpu_errata.c | 3 arch/arm64/mm/trans_pgd.c | 6 arch/loongarch/configs/loongson3_defconfig | 1 arch/parisc/include/asm/mman.h | 14 arch/parisc/kernel/entry.S | 6 arch/parisc/kernel/syscall.S | 14 arch/powerpc/configs/ppc64_defconfig | 1 arch/powerpc/include/asm/vdso_datapage.h | 15 arch/powerpc/kernel/asm-offsets.c | 2 arch/powerpc/kernel/vdso/cacheflush.S | 2 arch/powerpc/kernel/vdso/datapage.S | 4 arch/powerpc/platforms/pseries/dlpar.c | 17 arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 arch/powerpc/platforms/pseries/hotplug-memory.c | 16 arch/powerpc/platforms/pseries/pmem.c | 2 arch/riscv/Kconfig | 8 arch/riscv/include/asm/thread_info.h | 7 arch/x86/crypto/sha256-avx2-asm.S | 16 arch/x86/events/core.c | 63 arch/x86/include/asm/apic.h | 8 arch/x86/include/asm/fpu/signal.h | 2 arch/x86/include/asm/sev.h | 2 arch/x86/include/asm/syscall.h | 7 arch/x86/kernel/apic/apic_flat_64.c | 119 arch/x86/kernel/apic/io_apic.c | 46 arch/x86/kernel/cpu/bugs.c | 14 arch/x86/kernel/cpu/common.c | 4 arch/x86/kernel/fpu/signal.c | 6 arch/x86/kernel/machine_kexec_64.c | 27 arch/x86/kernel/signal.c | 3 arch/x86/kernel/signal_64.c | 6 arch/x86/mm/ident_map.c | 23 block/blk-iocost.c | 8 block/ioctl.c | 9 crypto/simd.c | 76 drivers/accel/ivpu/ivpu_fw.c | 4 drivers/acpi/acpi_pad.c | 6 drivers/acpi/acpica/dbconvert.c | 2 drivers/acpi/acpica/exprep.c | 3 drivers/acpi/acpica/psargs.c | 47 drivers/acpi/apei/einj-cxl.c | 2 drivers/acpi/battery.c | 28 drivers/acpi/cppc_acpi.c | 10 drivers/acpi/ec.c | 55 drivers/acpi/resource.c | 22 drivers/acpi/video_detect.c | 17 drivers/ata/pata_serverworks.c | 16 drivers/ata/sata_sil.c | 12 drivers/block/aoe/aoecmd.c | 13 drivers/bluetooth/btmrvl_sdio.c | 3 drivers/bluetooth/btrtl.c | 1 drivers/bluetooth/btusb.c | 2 drivers/clk/qcom/clk-alpha-pll.c | 2 drivers/clk/qcom/clk-rpmh.c | 2 drivers/clk/qcom/dispcc-sm8250.c | 3 drivers/clk/qcom/gcc-sc8180x.c | 438 - drivers/clk/qcom/gcc-sm8250.c | 6 drivers/clk/qcom/gcc-sm8450.c | 4 drivers/clk/rockchip/clk.c | 3 drivers/clk/samsung/clk-exynos7885.c | 2 drivers/cpufreq/amd-pstate.c | 14 drivers/cpufreq/intel_pstate.c | 16 drivers/cpufreq/loongson3_cpufreq.c | 2 drivers/crypto/hisilicon/sgl.c | 14 drivers/crypto/marvell/Kconfig | 2 drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 261 - drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 254 - drivers/firmware/sysfb.c | 4 drivers/firmware/tegra/bpmp.c | 6 drivers/gpio/gpio-davinci.c | 8 drivers/gpio/gpiolib.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 35 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 43 drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 8 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 12 drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 132 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 54 drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 50 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_int_process_v9.c | 18 drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 5 drivers/gpu/drm/amd/amdkfd/soc15_int.h | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 86 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 20 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 drivers/gpu/drm/amd/display/dc/core/dc.c | 8 drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c | 96 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 34 drivers/gpu/drm/amd/display/dc/core/dc_state.c | 10 drivers/gpu/drm/amd/display/dc/dc_types.h | 1 drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 3 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 7 drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c | 2 drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c | 6 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 93 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_shared.c | 4 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_shared_types.h | 2 drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 20 drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.h | 1 drivers/gpu/drm/amd/display/dc/hubbub/dcn401/dcn401_hubbub.c | 23 drivers/gpu/drm/amd/display/dc/hubp/dcn10/dcn10_hubp.c | 3 drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 26 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 4 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 48 drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c | 7 drivers/gpu/drm/amd/display/dc/hwss/dcn31/dcn31_hwseq.c | 4 drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c | 11 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 8 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 111 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.h | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_init.c | 2 drivers/gpu/drm/amd/display/dc/inc/hw/dchubbub.h | 1 drivers/gpu/drm/amd/display/dc/inc/resource.h | 5 drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c | 5 drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_dio.c | 5 drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c | 2 drivers/gpu/drm/amd/display/dc/resource/dce112/dce112_resource.c | 5 drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn201/dcn201_resource.c | 4 drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 10 drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource_helpers.c | 14 drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 1 drivers/gpu/drm/amd/display/dc/resource/dcn401/dcn401_resource.c | 3 drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 drivers/gpu/drm/display/drm_hdmi_state_helper.c | 4 drivers/gpu/drm/drm_atomic_uapi.c | 2 drivers/gpu/drm/drm_debugfs.c | 4 drivers/gpu/drm/drm_print.c | 13 drivers/gpu/drm/i915/display/intel_ddi.c | 2 drivers/gpu/drm/i915/display/intel_dp.c | 22 drivers/gpu/drm/i915/display/intel_psr.c | 32 drivers/gpu/drm/i915/display/intel_psr.h | 2 drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 drivers/gpu/drm/msm/msm_gpu.c | 1 drivers/gpu/drm/omapdrm/omap_drv.c | 5 drivers/gpu/drm/panthor/panthor_mmu.c | 8 drivers/gpu/drm/panthor/panthor_sched.c | 36 drivers/gpu/drm/radeon/r100.c | 70 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 2 drivers/gpu/drm/scheduler/sched_entity.c | 14 drivers/gpu/drm/scheduler/sched_main.c | 7 drivers/gpu/drm/stm/drv.c | 3 drivers/gpu/drm/stm/ltdc.c | 76 drivers/gpu/drm/v3d/v3d_submit.c | 6 drivers/gpu/drm/xe/Makefile | 24 drivers/gpu/drm/xe/display/intel_fbdev_fb.c | 6 drivers/gpu/drm/xe/display/xe_hdcp_gsc.c | 8 drivers/gpu/drm/xe/display/xe_plane_initial.c | 6 drivers/gpu/drm/xe/xe_bo.c | 4 drivers/gpu/drm/xe/xe_device.c | 8 drivers/gpu/drm/xe/xe_device_types.h | 17 drivers/gpu/drm/xe/xe_drm_client.c | 9 drivers/gpu/drm/xe/xe_exec_queue.c | 2 drivers/gpu/drm/xe/xe_exec_queue_types.h | 6 drivers/gpu/drm/xe/xe_execlist.c | 3 drivers/gpu/drm/xe/xe_gpu_scheduler.c | 5 drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 drivers/gpu/drm/xe/xe_gt_pagefault.c | 55 drivers/gpu/drm/xe/xe_gt_types.h | 9 drivers/gpu/drm/xe/xe_guc_pc.c | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 76 drivers/gpu/drm/xe/xe_guc_types.h | 2 drivers/gpu/drm/xe/xe_lrc.c | 35 drivers/gpu/drm/xe/xe_oa.c | 9 drivers/gpu/drm/xe/xe_pci.c | 2 drivers/gpu/drm/xe/xe_preempt_fence.c | 12 drivers/gpu/drm/xe/xe_vm.c | 32 drivers/gpu/drm/xe/xe_vram.c | 1 drivers/gpu/drm/xe/xe_wa_oob.rules | 3 drivers/hid/bpf/hid_bpf_struct_ops.c | 14 drivers/hid/hid-ids.h | 17 drivers/hid/hid-input.c | 37 drivers/hid/hid-multitouch.c | 6 drivers/hid/i2c-hid/i2c-hid-core.c | 42 drivers/hwmon/nct6775-platform.c | 1 drivers/i2c/busses/i2c-designware-common.c | 14 drivers/i2c/busses/i2c-designware-core.h | 1 drivers/i2c/busses/i2c-designware-master.c | 38 drivers/i2c/busses/i2c-qcom-geni.c | 4 drivers/i2c/busses/i2c-stm32f7.c | 6 drivers/i2c/busses/i2c-synquacer.c | 5 drivers/i2c/busses/i2c-xiic.c | 21 drivers/i2c/i2c-core-base.c | 28 drivers/i3c/master/svc-i3c-master.c | 1 drivers/idle/intel_idle.c | 14 drivers/iio/magnetometer/ak8975.c | 32 drivers/iio/pressure/bmp280-core.c | 9 drivers/iio/pressure/bmp280-regmap.c | 45 drivers/iio/pressure/bmp280.h | 1 drivers/infiniband/hw/mana/main.c | 8 drivers/input/keyboard/adp5589-keys.c | 22 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 37 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h | 1 drivers/iommu/intel/dmar.c | 16 drivers/iommu/intel/iommu.c | 6 drivers/iommu/intel/pasid.c | 12 drivers/leds/leds-pca9532.c | 5 drivers/mailbox/Kconfig | 1 drivers/mailbox/bcm2835-mailbox.c | 3 drivers/mailbox/rockchip-mailbox.c | 2 drivers/media/common/videobuf2/videobuf2-core.c | 7 drivers/media/i2c/ar0521.c | 5 drivers/media/i2c/imx335.c | 9 drivers/media/i2c/ov5675.c | 12 drivers/media/platform/qcom/camss/camss-video.c | 6 drivers/media/platform/qcom/camss/camss.c | 5 drivers/media/platform/qcom/venus/core.c | 1 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 drivers/memory/tegra/tegra186-emc.c | 5 drivers/net/can/dev/netlink.c | 102 drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 drivers/net/ethernet/freescale/fec.h | 9 drivers/net/ethernet/freescale/fec_main.c | 11 drivers/net/ethernet/freescale/fec_ptp.c | 50 drivers/net/ethernet/hisilicon/hip04_eth.c | 1 drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 drivers/net/ethernet/hisilicon/hns_mdio.c | 1 drivers/net/ethernet/intel/e1000e/netdev.c | 19 drivers/net/ethernet/intel/ice/ice_sched.c | 6 drivers/net/ethernet/lantiq_etop.c | 4 drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 6 drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 5 drivers/net/ethernet/realtek/r8169_main.c | 31 drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 drivers/net/ieee802154/Kconfig | 1 drivers/net/ieee802154/mcr20a.c | 5 drivers/net/pcs/pcs-xpcs-wx.c | 2 drivers/net/phy/phy.c | 17 drivers/net/phy/realtek.c | 3 drivers/net/ppp/ppp_generic.c | 4 drivers/net/vrf.c | 2 drivers/net/wireless/ath/ath11k/dp_rx.c | 2 drivers/net/wireless/ath/ath12k/dp_rx.c | 2 drivers/net/wireless/ath/ath9k/debug.c | 4 drivers/net/wireless/ath/ath9k/hif_usb.c | 6 drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 5 drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 2 drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 drivers/net/wireless/intel/iwlwifi/fw/uefi.h | 2 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 drivers/net/wireless/marvell/mwifiex/fw.h | 2 drivers/net/wireless/marvell/mwifiex/scan.c | 3 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 drivers/net/wireless/microchip/wilc1000/sdio.c | 7 drivers/net/wireless/realtek/rtw88/Kconfig | 1 drivers/net/wireless/realtek/rtw89/core.h | 18 drivers/net/wireless/realtek/rtw89/mac.c | 2 drivers/net/wireless/realtek/rtw89/mac80211.c | 4 drivers/net/wireless/realtek/rtw89/phy.c | 4 drivers/net/wireless/realtek/rtw89/util.h | 18 drivers/net/wwan/qcom_bam_dmux.c | 11 drivers/net/xen-netback/hash.c | 5 drivers/nvme/common/keyring.c | 58 drivers/nvme/host/Kconfig | 3 drivers/nvme/host/core.c | 1 drivers/nvme/host/fabrics.c | 2 drivers/nvme/host/ioctl.c | 22 drivers/nvme/host/nvme.h | 2 drivers/nvme/host/sysfs.c | 4 drivers/nvme/host/tcp.c | 55 drivers/of/address.c | 5 drivers/of/irq.c | 38 drivers/perf/arm_spe_pmu.c | 9 drivers/perf/riscv_pmu_legacy.c | 4 drivers/perf/riscv_pmu_sbi.c | 4 drivers/platform/mellanox/mlxbf-pmc.c | 5 drivers/platform/x86/amd/pmf/pmf-quirks.c | 8 drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 drivers/platform/x86/lenovo-ymc.c | 2 drivers/platform/x86/touchscreen_dmi.c | 26 drivers/platform/x86/x86-android-tablets/core.c | 6 drivers/platform/x86/x86-android-tablets/other.c | 10 drivers/pmdomain/core.c | 40 drivers/power/reset/brcmstb-reboot.c | 3 drivers/power/supply/power_supply_core.c | 6 drivers/power/supply/power_supply_hwmon.c | 3 drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 drivers/rtc/rtc-at91sam9.c | 1 drivers/scsi/NCR5380.c | 4 drivers/scsi/aacraid/aacraid.h | 2 drivers/scsi/lpfc/lpfc.h | 12 drivers/scsi/lpfc/lpfc_els.c | 73 drivers/scsi/lpfc/lpfc_hbadisc.c | 14 drivers/scsi/lpfc/lpfc_nportdisc.c | 22 drivers/scsi/lpfc/lpfc_scsi.c | 13 drivers/scsi/lpfc/lpfc_sli.c | 11 drivers/scsi/pm8001/pm8001_init.c | 6 drivers/scsi/smartpqi/smartpqi_init.c | 130 drivers/scsi/st.c | 5 drivers/spi/spi-bcm63xx.c | 9 drivers/spi/spi-cadence.c | 8 drivers/spi/spi-imx.c | 2 drivers/spi/spi-rpc-if.c | 7 drivers/spi/spi-s3c64xx.c | 4 drivers/vhost/scsi.c | 27 drivers/video/fbdev/efifb.c | 11 drivers/video/fbdev/pxafb.c | 1 drivers/virt/coco/sev-guest/sev-guest.c | 2 fs/afs/file.c | 1 fs/afs/fs_operation.c | 2 fs/btrfs/backref.c | 12 fs/btrfs/disk-io.c | 11 fs/btrfs/relocation.c | 99 fs/btrfs/send.c | 31 fs/cachefiles/namei.c | 7 fs/ceph/addr.c | 6 fs/ceph/mds_client.c | 12 fs/dax.c | 6 fs/exec.c | 34 fs/exfat/balloc.c | 10 fs/ext4/dir.c | 14 fs/ext4/ext4.h | 1 fs/ext4/extents.c | 55 fs/ext4/fast_commit.c | 49 fs/ext4/file.c | 8 fs/ext4/inode.c | 11 fs/ext4/migrate.c | 2 fs/ext4/move_extent.c | 1 fs/ext4/namei.c | 14 fs/ext4/resize.c | 18 fs/ext4/super.c | 25 fs/ext4/xattr.c | 3 fs/f2fs/f2fs.h | 31 fs/f2fs/gc.c | 85 fs/f2fs/gc.h | 23 fs/f2fs/segment.c | 31 fs/f2fs/super.c | 8 fs/f2fs/sysfs.c | 18 fs/file.c | 95 fs/gfs2/glock.c | 1 fs/gfs2/ops_fstype.c | 3 fs/inode.c | 14 fs/iomap/buffered-io.c | 16 fs/jbd2/checkpoint.c | 21 fs/jbd2/journal.c | 4 fs/jfs/jfs_discard.c | 11 fs/jfs/jfs_dmap.c | 7 fs/jfs/xattr.c | 2 fs/netfs/write_issue.c | 48 fs/nfsd/netns.h | 1 fs/nfsd/nfs4proc.c | 34 fs/nfsd/nfs4state.c | 6 fs/nfsd/nfs4xdr.c | 10 fs/nfsd/nfsctl.c | 2 fs/nfsd/nfssvc.c | 2 fs/nfsd/vfs.c | 1 fs/nfsd/xdr4.h | 1 fs/ocfs2/aops.c | 5 fs/ocfs2/buffer_head_io.c | 4 fs/ocfs2/journal.c | 7 fs/ocfs2/localalloc.c | 19 fs/ocfs2/quota_local.c | 8 fs/ocfs2/refcounttree.c | 26 fs/ocfs2/xattr.c | 11 fs/overlayfs/copy_up.c | 43 fs/overlayfs/params.c | 38 fs/pidfs.c | 5 fs/proc/base.c | 61 fs/proc/proc_sysctl.c | 11 fs/smb/client/cifsfs.c | 13 fs/smb/client/cifsglob.h | 2 fs/smb/client/inode.c | 19 fs/smb/client/reparse.c | 16 fs/smb/client/smb1ops.c | 2 fs/smb/client/smb2inode.c | 24 fs/smb/client/smb2ops.c | 19 fs/smb/server/connection.c | 4 fs/smb/server/connection.h | 1 fs/smb/server/oplock.c | 55 fs/smb/server/smb2pdu.c | 5 fs/smb/server/vfs_cache.c | 3 fs/smb/server/vfs_cache.h | 4 include/crypto/internal/simd.h | 12 include/drm/drm_print.h | 54 include/drm/gpu_scheduler.h | 2 include/dt-bindings/clock/exynos7885.h | 2 include/dt-bindings/clock/qcom,gcc-sc8180x.h | 1 include/linux/cpufreq.h | 6 include/linux/fdtable.h | 8 include/linux/hdmi.h | 9 include/linux/hugetlb.h | 10 include/linux/i2c.h | 3 include/linux/netdevice.h | 22 include/linux/nvme-keyring.h | 6 include/linux/perf_event.h | 8 include/linux/sched.h | 2 include/linux/sunrpc/svc.h | 4 include/linux/uprobes.h | 2 include/linux/virtio_net.h | 4 include/trace/events/netfs.h | 1 include/uapi/linux/cec.h | 6 include/uapi/linux/netfilter/nf_tables.h | 2 io_uring/io_uring.c | 5 io_uring/net.c | 4 kernel/bpf/verifier.c | 119 kernel/events/core.c | 33 kernel/events/uprobes.c | 4 kernel/fork.c | 32 kernel/jump_label.c | 34 kernel/rcu/rcuscale.c | 4 kernel/rcu/tasks.h | 82 kernel/resource.c | 58 kernel/sched/core.c | 23 kernel/sched/psi.c | 26 kernel/static_call_inline.c | 13 kernel/trace/trace_hwlat.c | 2 kernel/trace/trace_osnoise.c | 22 lib/buildid.c | 76 mm/Kconfig | 25 mm/filemap.c | 4 mm/gup.c | 1 mm/hugetlb.c | 17 mm/memfd.c | 18 mm/slab_common.c | 7 mm/slub.c | 100 net/bluetooth/hci_core.c | 2 net/bluetooth/hci_event.c | 15 net/bluetooth/l2cap_core.c | 8 net/bluetooth/mgmt.c | 23 net/bridge/br_mdb.c | 2 net/core/dev.c | 14 net/core/gro.c | 9 net/core/net-sysfs.c | 6 net/core/netdev-genl.c | 8 net/core/netpoll.c | 15 net/core/skbuff.c | 15 net/dsa/dsa.c | 7 net/ipv4/devinet.c | 6 net/ipv4/fib_frontend.c | 2 net/ipv4/ip_gre.c | 6 net/ipv4/netfilter/nf_dup_ipv4.c | 7 net/ipv4/tcp_ipv4.c | 3 net/ipv4/tcp_offload.c | 10 net/ipv4/udp_offload.c | 22 net/ipv6/netfilter/nf_dup_ipv6.c | 7 net/ipv6/tcpv6_offload.c | 10 net/l2tp/l2tp_core.c | 40 net/l2tp/l2tp_core.h | 4 net/l2tp/l2tp_netlink.c | 4 net/l2tp/l2tp_ppp.c | 3 net/mac80211/chan.c | 4 net/mac80211/mlme.c | 2 net/mac80211/scan.c | 2 net/mac80211/util.c | 4 net/mac802154/scan.c | 4 net/ncsi/ncsi-manage.c | 2 net/netfilter/nf_tables_api.c | 5 net/rxrpc/ar-internal.h | 2 net/rxrpc/io_thread.c | 10 net/rxrpc/local_object.c | 2 net/sched/sch_taprio.c | 4 net/sctp/socket.c | 4 net/sunrpc/svc.c | 31 net/tipc/bearer.c | 8 net/wireless/nl80211.c | 15 rust/Makefile | 22 rust/exports.c | 1 rust/helpers.c | 239 rust/helpers/blk.c | 14 rust/helpers/bug.c | 8 rust/helpers/build_assert.c | 25 rust/helpers/build_bug.c | 9 rust/helpers/err.c | 19 rust/helpers/helpers.c | 25 rust/helpers/kunit.c | 9 rust/helpers/mutex.c | 15 rust/helpers/page.c | 19 rust/helpers/refcount.c | 19 rust/helpers/signal.c | 9 rust/helpers/slab.c | 9 rust/helpers/spinlock.c | 24 rust/helpers/task.c | 19 rust/helpers/uaccess.c | 15 rust/helpers/wait.c | 9 rust/helpers/workqueue.c | 15 rust/kernel/sync/locked_by.rs | 18 scripts/gdb/linux/proc.py | 4 scripts/gdb/linux/rbtree.py | 12 scripts/gdb/linux/timerlist.py | 31 scripts/kconfig/parser.y | 10 scripts/kconfig/qconf.cc | 6 security/Kconfig | 32 security/tomoyo/domain.c | 9 sound/core/control.c | 55 sound/core/control_compat.c | 45 sound/core/init.c | 14 sound/core/oss/mixer_oss.c | 4 sound/isa/gus/gus_pcm.c | 4 sound/pci/asihpi/hpimsgx.c | 2 sound/pci/hda/hda_controller.h | 2 sound/pci/hda/hda_generic.c | 4 sound/pci/hda/hda_intel.c | 10 sound/pci/hda/patch_conexant.c | 24 sound/pci/hda/patch_realtek.c | 156 sound/pci/hda/samsung_helper.c | 310 - sound/pci/rme9652/hdsp.c | 6 sound/pci/rme9652/hdspm.c | 6 sound/soc/atmel/mchp-pdmc.c | 3 sound/soc/codecs/wsa883x.c | 16 sound/soc/fsl/imx-card.c | 1 sound/soc/intel/boards/bytcht_cx2072x.c | 4 sound/soc/intel/boards/bytcht_da7213.c | 4 sound/soc/intel/boards/bytcht_es8316.c | 2 sound/soc/intel/boards/bytcr_rt5640.c | 2 sound/soc/intel/boards/bytcr_rt5651.c | 2 sound/soc/intel/boards/cht_bsw_rt5645.c | 4 sound/soc/intel/boards/cht_bsw_rt5672.c | 4 sound/soc/intel/boards/sof_es8336.c | 2 sound/soc/intel/boards/sof_wm8804.c | 4 sound/soc/intel/common/soc-acpi-intel-rpl-match.c | 1 sound/soc/soc-topology.c | 4 sound/usb/card.c | 6 sound/usb/line6/podhd.c | 2 sound/usb/mixer.c | 35 sound/usb/mixer.h | 1 sound/usb/mixer_quirks.c | 413 + sound/usb/quirks-table.h | 2457 +++------- sound/usb/quirks.c | 62 tools/arch/x86/kcpuid/kcpuid.c | 12 tools/bpf/bpftool/net.c | 11 tools/hv/hv_fcopy_uio_daemon.c | 7 tools/include/nolibc/arch-powerpc.h | 2 tools/perf/util/hist.c | 7 tools/perf/util/machine.c | 17 tools/perf/util/setup.py | 4 tools/perf/util/thread.c | 4 tools/perf/util/thread.h | 1 tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c | 1 tools/testing/selftests/breakpoints/step_after_suspend_test.c | 5 tools/testing/selftests/devices/probe/test_discoverable_devices.py | 4 tools/testing/selftests/hid/Makefile | 2 tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 2 tools/testing/selftests/mm/pagemap_ioctl.c | 2 tools/testing/selftests/mm/write_to_hugetlbfs.c | 21 tools/testing/selftests/net/netfilter/conntrack_dump_flush.c | 1 tools/testing/selftests/net/netfilter/nft_audit.sh | 57 tools/testing/selftests/nolibc/nolibc-test.c | 4 tools/testing/selftests/vDSO/parse_vdso.c | 17 tools/testing/selftests/vDSO/vdso_config.h | 10 tools/testing/selftests/vDSO/vdso_test_correctness.c | 6 tools/tracing/rtla/Makefile.rtla | 2 tools/tracing/rtla/src/osnoise_top.c | 2 tools/tracing/rtla/src/timerlat_top.c | 4 595 files changed, 7353 insertions(+), 5268 deletions(-) Aakash Menon (1): net: sparx5: Fix invalid timestamps Abhishek Tamboli (1): ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Adrian Ratiu (1): proc: add config & param to block forcing mem writes Ahmed S. Darwish (1): tools/x86/kcpuid: Protect against faulty "max subleaf" values Ahmed, Muhammad (1): drm/amd/display: guard write a 0 post_divider value to HW Ai Chao (1): ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Ajit Pandey (1): clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Al Viro (1): close_range(): fix the logics in descriptor table trimming Aleksander Jan Bajkowski (1): net: ethernet: lantiq_etop: fix memory disclosure Aleksandr Mishin (1): ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Aleksandrs Vinarskis (1): ACPICA: iasl: handle empty connection_node Alessandro Zanni (1): kselftest/devices/probe: Fix SyntaxWarning in regex strings for Python3 Alex Deucher (7): drm/amdgpu/gfx12: properly handle error ints on all pipes drm/amdgpu/gfx9: properly handle error ints on all pipes drm/amdgpu/gfx9: use rlc safe mode for soft recovery drm/amdgpu/gfx11: enter safe mode before touching CP_INT_CNTL drm/amdgpu/gfx12: use rlc safe mode for soft recovery drm/amdgpu/gfx11: use rlc safe mode for soft recovery drm/amdgpu/gfx10: use rlc safe mode for soft recovery Alex Hung (15): drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags drm/amd/display: Check null pointers before using them drm/amd/display: Check null pointers before used drm/amd/display: Check null pointers before multiple uses drm/amd/display: Check null pointers before using dc->clk_mgr drm/amd/display: Initialize denominators' default to 1 drm/amd/display: Check null-initialized variables drm/amd/display: Check phantom_stream before it is used drm/amd/display: Check stream before comparing them drm/amd/display: Increase array size of dummy_boolean drm/amd/display: Fix possible overflow in integer multiplication drm/amd/display: Check stream_status before it is used drm/amd/display: Avoid overflow assignment in link_dp_cts drm/amd/display: Initialize get_bytes_per_element's default to 1 drm/amd/display: Add HDR workaround for specific eDP Alexander F. Lent (1): accel/ivpu: Add missing MODULE_FIRMWARE metadata Alexander Shiyan (1): media: i2c: ar0521: Use cansleep version of gpiod_set_value() Alexandre Ghiti (1): riscv: Fix kernel stack size when KASAN is enabled Alexey Dobriyan (1): block: fix integer overflow in BLKSECDISCARD Alice Ryhl (1): rust: sync: require `T: Sync` for `LockedBy::access` Amir Goldstein (1): ovl: fsync after metadata copy-up Anastasia Belova (1): cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value Andreas Hindborg (1): rust: kbuild: split up helpers.c Andrei Simion (1): ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Andrew Davis (1): power: reset: brcmstb: Do not go into infinite loop if reset fails Andrew Jones (1): of/irq: Support #msi-cells=<0> in of_msi_get_domain Andrii Nakryiko (2): perf,x86: avoid missing caller address in stack traces captured in uprobe lib/buildid: harden build ID parsing logic Anjaneyulu (1): wifi: iwlwifi: allow only CN mcc from WRDD Anton Danilov (1): ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Ard Biesheuvel (1): i2c: synquacer: Deal with optional PCLK correctly Armin Wolf (4): ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook Arnaldo Carvalho de Melo (2): perf python: Disable -Wno-cast-function-type-mismatch if present on clang perf python: Allow checking for the existence of warning options in clang Arnd Bergmann (1): nvme-tcp: fix link failure for TCP auth Artem Sadovnikov (1): ext4: fix i_data_sem unlock order in ext4_ind_migrate() Arun R Murthy (1): drm/i915/display: BMG supports UHBR13.5 Aruna Ramakrishna (2): x86/pkeys: Add PKRU as a parameter in signal handling functions x86/pkeys: Restore altstack access in sigreturn() Asad Kamal (1): drm/amdgpu: Fix get each xcp macro Asahi Lina (1): ALSA: usb-audio: Add mixer quirk for RME Digiface USB Aurabindo Pillai (1): drm/amd/display: fix a UBSAN warning in DML2.1 Austin Zheng (1): drm/amd/display: Unlock Pipes Based On DET Allocation Baojun Xu (1): ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Baokun Li (10): ext4: avoid use-after-free in ext4_ext_show_leaf() ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path ext4: update orig_path in ext4_find_extent() ext4: fix off by one issue in alloc_flex_gd() jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error cachefiles: fix dentry leak in cachefiles_open_file() Bard Liao (1): ASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item Barnabás Czémán (1): iio: magnetometer: ak8975: Fix reading for ak099xx sensors Bastien Curutchet (1): leds: pca9532: Remove irrelevant blink configuration error message Beleswar Padhi (1): remoteproc: k3-r5: Acquire mailbox handle during probe routine Ben Cheatham (1): EINJ, CXL: Fix CXL device SBDF calculation Ben Dooks (1): spi: s3c64xx: fix timeout counters in flush_fifo Ben Hutchings (1): tools/rtla: Fix installation from out-of-tree build Benjamin Lin (1): wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Benjamin Tissoires (1): HID: bpf: fix cfi stubs for hid_bpf_ops Biju Das (1): spi: rpc-if: Add missing MODULE_DEVICE_TABLE Boris Brezillon (4): drm/panthor: Lock the VM resv before calling drm_gpuvm_bo_obtain_prealloc() drm/panthor: Don't add write fences to the shared BOs drm/panthor: Fix access to uninitialized variable in tick_ctx_cleanup() drm/panthor: Don't declare a queue blocked if deferred operations are pending Breno Leitao (1): netpoll: Ensure clean state on setup failures Bryan O'Donoghue (3): media: ov5675: Fix power on/off delay timings media: qcom: camss: Remove use_count guard in stop_streaming media: qcom: camss: Fix ordering of pm_runtime_enable Chao Yu (1): f2fs: fix to don't panic system for no free segment fault injection Charlene Liu (1): drm/amd/display: avoid set dispclk to 0 Chih-Kang Chang (1): wifi: rtw89: avoid to add interface to list twice when SER Chris Park (1): drm/amd/display: Deallocate DML memory if allocation fails Christian Brauner (1): pidfs: check for valid pid namespace Christian König (1): drm/sched: revert "Always increment correct scheduler score" Christoph Hellwig (1): iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Christophe JAILLET (2): ALSA: mixer_oss: Remove some incorrect kfree_const() usages ALSA: gus: Fix some error handling paths related to get_bpos() usage Christophe Leroy (4): selftests: vDSO: fix vDSO name for powerpc selftests: vDSO: fix vdso_config for powerpc selftests: vDSO: fix vDSO symbols lookup for powerpc64 powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Chuck Lever (3): NFSD: Fix NFSv4's PUTPUBFH operation NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations Chun-Yi Lee (1): aoe: fix the potential use-after-free problem in more places Ckath (1): platform/x86: touchscreen_dmi: add nanote-next quirk Colin Ian King (1): r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Csókás, Bence (2): net: fec: Restart PPS after link state change net: fec: Reload PTP registers after link-state change Cyan Nyan (1): ALSA: usb-audio: Add quirk for RME Digiface USB Daeho Jeong (5): f2fs: make BG GC more aggressive for zoned devices f2fs: introduce migration_window_granularity f2fs: increase BG GC migration window granularity when boosted for zoned devices f2fs: do FG_GC when GC boosting is required for zoned devices f2fs: forcibly migrate to secure space for zoned device file pinning Damien Le Moal (2): ata: pata_serverworks: Do not use the term blacklist ata: sata_sil: Rename sil_blacklist to sil_quirks Daniel Borkmann (2): net: Add netif_get_gro_max_size helper for GRO net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Daniel Bristot de Oliveira (1): sched/deadline: Comment sched_dl_entity::dl_server variable Daniel Sa (1): drm/amd/display: Underflow Seen on DCN401 eGPU Daniel Sneddon (1): x86/bugs: Add missing NO_SSB flag Daniel Wagner (1): scsi: pm8001: Do not overwrite PCI queue mapping Danilo Krummrich (1): mm: krealloc: consider spare memory for __GFP_ZERO Darrick J. Wong (1): iomap: constrain the file range passed to iomap_file_unshare David Hildenbrand (1): selftests/mm: fix charge_reserved_hugetlb.sh test David Howells (5): afs: Fix missing wire-up of afs_retry_request() afs: Fix the setting of the server responding flag netfs: Fix missing wakeup after issuing writes netfs: Cancel dirty folios that have no storage destination rxrpc: Fix a race between socket set up and I/O thread creation David Kaplan (1): x86/bugs: Fix handling when SRSO mitigation is disabled David Strahan (2): scsi: smartpqi: Add new controller PCI IDs scsi: smartpqi: add new controller PCI IDs David Virag (2): dt-bindings: clock: exynos7885: Fix duplicated binding clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Denis Pauk (1): hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Derek Foreman (1): drm/connector: hdmi: Fix writing Dynamic Range Mastering infoframes Dillon Varone (1): drm/amd/display: Force enable 3DLUT DMA check for dcn401 in DML Dirk Behme (1): rust: mutex: fix __mutex_init() usage in case of PREEMPT_RT Dmitry Antipov (1): net: sched: consistently use rcu_replace_pointer() in taprio_change() Dmitry Baryshkov (1): clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Dmitry Kandybka (1): wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Dmitry Torokhov (1): HID: i2c-hid: ensure various commands do not interfere with each other Dragos Tatulea (1): net/mlx5e: SHAMPO, Fix overflow of hd_per_wq Easwar Hariharan (1): arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Eddie James (1): net/ncsi: Disable the ncsi work before freeing the associated structure Eder Zulian (1): rtla: Fix the help text in osnoise and timerlat top tools Edward Adam Davis (3): jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree ext4: no need to continue when the number of entries is 1 Elena Salomatkina (1): net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Emanuele Ghidoli (1): gpio: davinci: fix lazy disable Eric Dumazet (5): netfilter: nf_tables: prevent nf_skb_duplicated corruption net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() net: test for not too small csum_start in virtio_net_hdr_to_skb() ppp: do not assume bh is held in ppp_channel_bridge_input() Fangrui Song (1): crypto: x86/sha256 - Add parentheses around macros' single arguments Fangzhi Zuo (1): drm/amd/display: Restore Optimized pbn Value if Failed to Disable DSC Fares Mehanna (1): arm64: trans_pgd: mark PTEs entries as valid to avoid dead kexec() Felix Fietkau (3): wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker net: gso: fix tcp fraglist segmentation after pull from frag_list Filipe Manana (3): btrfs: send: fix buffer overflow detection when copying path to cache entry btrfs: send: fix invalid clone operation for file that got its size decreased btrfs: wait for fixup workers before stopping cleaner kthread during umount Finn Thain (1): scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Gabe Teeger (1): drm/amd/display: Revert Avoid overflow assignment Gabriel Krisman Bertazi (1): ext4: fix error message when rejecting the default hash Gary Guo (1): rust: kbuild: auto generate helper exports Gautham Ananthakrishna (1): ocfs2: reserve space for inline xattr before attaching reflink tree Geert Uytterhoeven (4): mailbox: ARM_MHU_V3 should depend on ARM64 drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() of/irq: Refer to actual buffer size in of_irq_parse_one() pmdomain: core: Reduce debug summary table width Gerd Bayer (1): net/mlx5: Fix error path in multi-packet WQE transmit Gergo Koteles (1): platform/x86: lenovo-ymc: Ignore the 0x0 state Greg Kroah-Hartman (1): Linux 6.11.3 Guixin Liu (1): io_uring: fix memory leak when cache init fail Gustavo A. R. Silva (1): wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Hannes Reinecke (3): nvme-keyring: restrict match length for version '1' identifiers nvme-tcp: sanitize TLS key handling nvme-tcp: check for invalidated or revoked key Hans P. Moller (1): ALSA: line6: add hw monitor volume control to POD HD500X Hans Verkuil (1): media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Hans de Goede (11): ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 HID: Ignore battery for all ELAN I2C-HID devices platform/x86: x86-android-tablets: Adjust Xiaomi Pad 2 bottom bezel touch buttons LED platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors power: supply: hwmon: Fix missing temp1_max_alarm attribute power: supply: Drop use_cnt check from power_supply_property_is_writeable() ACPI: video: Add backlight=native quirk for Dell OptiPlex 5480 AIO ACPI: resource: Remove duplicate Asus E1504GAB IRQ override ACPI: resource: Loosen the Asus E1404GAB DMI match to also cover the E1404GA ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Haoran Zhang (1): vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Haren Myneni (1): powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Hawking Zhang (1): drm/amdkfd: Check int source id for utcl2 poison event Heiko Carstens (1): selftests: vDSO: fix vdso_config for s390 Heiner Kallweit (2): i2c: core: Lock address during client device instantiation r8169: add tally counter fields added with RTL8125 Helge Deller (4): parisc: Fix itlb miss handler for 64-bit programs parisc: Fix 64-bit userspace syscall path parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Heming Zhao (1): ocfs2: fix the la space leak when unmounting an ocfs2 volume Herbert Xu (4): crypto: octeontx - Fix authenc setkey crypto: octeontx2 - Fix authenc setkey crypto: simd - Do not call crypto_alloc_tfm during registration crypto: octeontx* - Select CRYPTO_AUTHENC Hilda Wu (2): Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Huacai Chen (1): cpufreq: loongson3: Use raw_smp_processor_id() in do_service_request() Huang Ying (1): resource: fix region_intersects() vs add_memory_driver_managed() Hui Wang (2): net: phy: realtek: Check the index value in led_hw_control_get ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Ian Rogers (1): perf callchain: Fix stitch LBR memory leaks Ido Schimmel (2): bridge: mcast: Fail MDB get request on empty entry ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Ilan Peer (1): wifi: iwlwifi: mvm: Fix a race in scan abort flow Imre Deak (1): drm/i915/dp: Fix AUX IO power enabling for eDP PSR Issam Hamdi (1): wifi: cfg80211: Set correct chandef when starting CAC Jakub Kicinski (1): net: skbuff: sprinkle more __GFP_NOWARN on ingress allocs James Chapman (3): l2tp: prevent possible tunnel refcount underflow l2tp: free sessions using rcu l2tp: use rcu list add/del when updating lists James Clark (1): drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Jan Kiszka (1): remoteproc: k3-r5: Fix error handling when power-up failed Jan Lalinsky (1): ALSA: usb-audio: Add native DSD support for Luxman D-08u Jani Nikula (1): drm/i915/gem: fix bitwise and logical AND mixup Jaroslav Kysela (1): ALSA: core: add isascii() check to card ID generator Jason Gunthorpe (1): iommu/arm-smmu-v3: Do not use devm for the cd table allocations Jason Xing (1): tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Javier Carrasco (1): drm/mediatek: ovl_adaptor: Add missing of_node_put() Jens Axboe (1): io_uring/net: harden multishot termination case for recv Jens Remus (1): selftests: vDSO: fix ELF hash table entry size for s390x Jeongjun Park (1): net/xen-netback: prevent UAF in xenvif_flush_hash() Jesse Zhang (1): drm/amdkfd: Fix resource leak in criu restore queue Jianbo Liu (1): net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Jiawei Ye (1): mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Jiawen Wu (1): net: pcs: xpcs: fix the wrong register that was written back Jinjie Ruan (12): ieee802154: Fix build error net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() nfp: Use IRQF_NO_AUTOEN flag in request_irq() spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled spi: spi-cadence: Fix missing spi_controller_is_target() check i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled spi: bcm63xx: Fix module autoloading spi: bcm63xx: Fix missing pm_runtime_disable() Jiri Olsa (1): selftests/bpf: fix uprobe.path leak in bpf_testmod Jisheng Zhang (1): riscv: define ILLEGAL_POINTER_VALUE for 64bit Joe Damato (2): netdev-genl: Set extack and fix error on napi-get net: napi: Prevent overflow of napi_defer_hard_irqs Joel Fernandes (Google) (1): sched/core: Add clearing of ->dl_server in put_prev_task_balance() Johannes Berg (3): wifi: iwlwifi: mvm: drop wrong STA selection in TX wifi: iwlwifi: mvm: use correct key iteration wifi: mac80211: fix RCU list iterations Johannes Thumshirn (1): btrfs: don't readahead the relocation inode on RST Johannes Weiner (1): sched: psi: fix bogus pressure spikes from aggregation race Jonathan Gray (1): Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Josef Bacik (1): btrfs: drop the backref cache during relocation if we commit Joseph Qi (2): ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: cancel dqi_sync_work before freeing oinfo Joshua Grisham (1): ALSA: hda/realtek: Refactor and simplify Samsung Galaxy Book init Joshua Pius (1): ALSA: usb-audio: Add logitech Audio profile quirk José Roberto de Souza (1): drm/xe/oa: Don't reset OAC_CONTEXT_ENABLE on OA stream close Jouni Högander (1): drm/i915/psr: Do not wait for PSR being idle on on Panel Replay Julian Sun (2): ocfs2: fix null-ptr-deref when journal load failed. gfs2: fix double destroy_workqueue error Juntong Deng (1): bpf: Make the pointer returned by iter next method valid Justin Tee (3): scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology scsi: lpfc: Update PRLO handling in direct attached topology Kai-Heng Feng (1): intel_idle: Disable promotion to C1E on Jasper Lake and Elkhart Lake Kaixin Wang (2): fbdev: pxafb: Fix possible use after free in pxafb_task() i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Karthikeyan Periyasamy (2): wifi: ath12k: fix array out-of-bound access in SoC stats wifi: ath11k: fix array out-of-bound access in SoC stats Katya Orlova (1): drm/stm: Avoid use-after-free issues with crtc and plane Kees Cook (2): x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() scsi: aacraid: Rearrange order of struct aac_srb_unit Kemeng Shi (1): jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit KhaiWenTan (1): net: stmmac: Fix zero-division error when disabling tc cbs Kimriver Liu (1): i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Konrad Dybcio (1): drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs Konstantin Ovsepian (1): blk_iocost: fix more out of bound shifts Krzysztof Kozlowski (7): net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() ASoC: codecs: wsa883x: Handle reading version failure firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() memory: tegra186-emc: drop unused to_tegra186_emc() rtc: at91sam9: fix OF node leak in probe() error path Kuan-Wei Chiu (2): bpftool: Fix undefined behavior caused by shifting into the sign bit bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Kuan-Ying Lee (3): scripts/gdb: fix timerlist parsing issue scripts/gdb: add iteration function for rbtree scripts/gdb: fix lx-mounts command error Kuniyuki Iwashima (1): ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Lad Prabhakar (1): gpiolib: Fix potential NULL pointer dereference in gpiod_get_label() Laurent Pinchart (2): media: videobuf2: Drop minimum allocation requirement of 2 buffers media: sun4i_csi: Implement link validate for sun4i_csi subdev Leo Li (1): drm/amd/display: Enable idle workqueue for more IPS modes Li Lingfeng (1): nfsd: map the EBADMSG to nfserr_io to avoid warning Li Zhijian (1): fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Liao Chen (1): mailbox: rockchip: fix a typo in module autoloading Liao Yuanhong (1): f2fs: add write priority option based on zone UFS Lizhi Xu (3): ext4: filesystems without casefold feature cannot be mounted with siphash ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Long Li (2): RDMA/mana_ib: use the correct page table index based on hardware page size RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page Lu Baolu (2): iommu/vt-d: Always reserve a domain ID for identity setup iommu/vt-d: Unconditionally flush device TLB for pasid table updates Lucas De Marchi (1): drm/xe: Generate oob before compiling anything Luis Henriques (SUSE) (9): ceph: fix a memory leak on cap_auths in MDS client ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: fix access to uninitialised lock in fc replay path ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() ext4: fix fast commit inode enqueueing during a full journal commit ext4: use handle to mark fc as ineligible in __track_dentry_update() ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luiz Augusto von Dentz (3): Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Bluetooth: L2CAP: Fix uaf in l2cap_connect Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Luiz Capitulino (1): platform/mellanox: mlxbf-pmc: fix lockdep warning Luo Gengkun (1): perf/core: Fix small negative period being ignored Ma Ke (1): drm: omapdrm: Add missing check for alloc_ordered_workqueue Mahesh Rajashekhara (1): scsi: smartpqi: correct stream detection Manivannan Sadhasivam (2): clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Marc Zyngier (1): KVM: arm64: Fix kvm_has_feat*() handling of negative features Marek Vasut (2): wifi: wilc1000: Do not operate uninitialized hardware during suspend/resume i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Mario Limonciello (2): ACPI: CPPC: Add support for setting EPP register in FFH drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Mark Rutland (3): arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more Masahiro Yamada (3): kconfig: fix infinite loop in sym_calc_choice() kconfig: qconf: move conf_read() before drawing tree pain kconfig: qconf: fix buffer overflow in debug links Mateusz Guzik (2): exec: don't WARN for racy path_noexec check vfs: use RCU in ilookup Matt Fleming (1): perf hist: Update hist symbol when updating maps Matt Roper (1): drm/xe: Name and document Wa_14019789679 Matthew Auld (5): drm/xe/guc_submit: add missing locking in wedged_fini drm/xe: fixup xe_alloc_pf_queue drm/xe: fix UAF around queue destruction drm/xe/vm: move xa_alloc to prevent UAF drm/xe/vram: fix ccs offset calculation Matthew Brost (5): drm/xe: Resume TDR after GT reset drm/xe: Add timeout to preempt fences drm/printer: Allow NULL data in devcoredump printer drm/xe: Drop warn on xe_guc_pc_gucrc_disable in guc pc fini drm/xe: Clean up VM / exec queue file lock usage. Mike Baynton (1): ovl: fail if trusted xattrs are needed but caller lacks permission Mike Tipton (1): clk: qcom: clk-rpmh: Fix overflow in BCM vote Miquel Sabaté Solà (1): cpufreq: Avoid a bad reference count on CPU node Miri Korenblit (1): wifi: iwlwifi: mvm: avoid NULL pointer dereference Mohamed Khalfella (1): net/mlx5: Added cond_resched() to crdump collection Mostafa Saleh (1): iommu/arm-smmu-v3: Match Stall behaviour for S2 Muhammad Usama Anjum (1): kselftests: mm: fix wrong __NR_userfaultfd value Namhyung Kim (2): perf: Really fix event_function_call() locking perf report: Fix segfault when 'sym' sort key is not used Namjae Jeon (2): ksmbd: fix warning: comparison of distinct pointer types lacks a cast ksmbd: add refcnt to ksmbd_conn struct NeilBrown (2): nfsd: fix delegation_blocked() to block correctly for at least 30 seconds sunrpc: change sp_nrthreads from atomic_t to unsigned int. Nicholas Kazlauskas (1): drm/amd/display: Use gpuvm_min_page_size_kbytes for DML2 surfaces Niklas Söderlund (1): net: phy: Check for read errors in SIOCGMIIREG Nikolai Afanasenkov (1): ALSA: hda/realtek: fix mute/micmute LED for HP mt645 G8 Nikunj A Dadhania (1): virt: sev-guest: Ensure the SNP guest messages do not exceed a page Nirmoy Das (1): drm/xe: Fix memory leak on xe_alloc_pf_queue failure Nuno Sa (2): Input: adp5589-keys - fix NULL pointer dereference Input: adp5589-keys - fix adp5589_gpio_get_value() Oder Chiou (1): ALSA: hda/realtek: Fix the push button function for the ALC257 Oleg Nesterov (1): uprobes: fix kernel info leak via "[uprobes]" vma Pablo Neira Ayuso (1): netfilter: nf_tables: do not remove elements if set backend implements .abort Pali Rohár (3): cifs: Remove intermediate object of failed create reparse call cifs: Fix buffer overflow when parsing NFS reparse points cifs: Do not convert delimiter when parsing NFS-style symlinks Patrick Donnelly (1): ceph: fix cap ref leak via netfs init_request Paul E. McKenney (1): rcuscale: Provide clear error when async specified without primitives Pei Xiao (1): ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Peng Fan (1): mm, slub: avoid zeroing kmalloc redzone Peng Liu (2): drm/amdgpu: add raven1 gfxoff quirk drm/amdgpu: enable gfxoff quirk on HP 705G4 Peter Zijlstra (2): jump_label: Fix static_key_slow_dec() yet again perf: Fix event_function_call() locking Phil Sutter (2): netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED selftests: netfilter: Fix nft_audit.sh for newer nft binaries Philip Yang (1): drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pierre-Eric Pelloux-Prayer (1): drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Pierre-Louis Bossart (1): ASoC: Intel: boards: always check the result of acpi_dev_get_first_match_dev() Ping-Ke Shih (2): wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure wifi: rtw89: correct base HT rate mask for firmware Pu Lehui (1): drivers/perf: riscv: Align errno for unsupported perf event Puranjay Mohan (1): nvme: fix metadata handling in nvme-passthrough Qu Wenruo (1): btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Rafael J. Wysocki (1): ACPI: EC: Do not release locks during operation region accesses Rafael Rocha (1): scsi: st: Fix input/output error on empty drive reset Ravikanth Tuniki (1): dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Remington Brasga (1): jfs: UBSAN: shift-out-of-bounds in dbFindBits Rob Clark (1): drm/sched: Fix dynamic job-flow control race Robert Hancock (1): i2c: xiic: Wait for TX empty to avoid missed TX NAKs Rodrigo Siqueira (1): drm/amd/display: Check null pointer before try to access it Rodrigo Vivi (1): drm/xe: Restore pci state upon resume Sanjay K Kumar (1): iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Satya Priya Kakitapalli (5): dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x clk: qcom: gcc-sc8180x: Register QUPv3 RCGs for DFS on sc8180x clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src clk: qcom: gcc-sc8180x: Add GPLL9 support clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Sebastian Reichel (1): clk: rockchip: fix error for unknown clocks Seiji Nishikawa (1): ACPI: PAD: fix crash in exit_round_robin() Shenwei Wang (1): net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Simon Horman (4): tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer bnxt_en: Extend maximum length of version string by 1 byte net: atlantic: Avoid warning about potential string truncation Srinivasan Shanmugam (17): drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func drm/amd/display: Add NULL check for function pointer in dcn401_set_output_transfer_func drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2) drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation drm/amd/display: Fix index out of bounds in degamma hardware format translation drm/amd/display: Implement bounds check for stream encoder creation in DCN401 drm/amd/display: Fix index out of bounds in DCN30 color transformation Stefan Mätje (1): can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode Stefan Wahren (1): mailbox: bcm2835: Fix timeout during suspend mode Steve French (1): smb3: fix incorrect mode displayed for read-only files Steve Sistare (6): mm/filemap: fix filemap_get_folios_contig THP panic mm/hugetlb: fix memfd_pin_folios free_huge_pages leak mm/hugetlb: fix memfd_pin_folios resv_huge_pages leak mm/gup: fix memfd_pin_folios hugetlb page allocation mm/gup: fix memfd_pin_folios alloc race panic mm/hugetlb: simplify refs in memfd_alloc_folio Steve Wahl (1): x86/mm/ident_map: Use gbpages only where full GB page should be mapped. Steven Price (1): drm/panthor: Fix race when converting group handle to group object Stuart Summers (1): drm/xe: Use topology to determine page fault queue size Sunil Khatri (3): drm/amdgpu: fix ptr check warning in gfx9 ip_dump drm/amdgpu: fix ptr check warning in gfx10 ip_dump drm/amdgpu: fix ptr check warning in gfx11 ip_dump Suraj Kandpal (1): drm/xe/hdcp: Check GSC structure validity Takashi Iwai (11): ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin ALSA: usb-audio: Add input value sanity checks for standard types ALSA: usb-audio: Define macros for quirk table entries ALSA: usb-audio: Replace complex quirk lines with macros ALSA: control: Take power_ref lock primarily ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop ALSA: control: Fix power_ref lock order for compat code, too Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" ALSA: control: Fix leftover snd_power_unref() Tamim Khan (1): ACPI: resource: Skip IRQ override on Asus Vivobook Go E1404GAB Tang Bin (1): ASoC: topology: Fix incorrect addressing assignments Tao Liu (1): x86/kexec: Add EFI config table identity mapping for kexec kernel Tetsuo Handa (1): tomoyo: fallback to realpath if symlink's pathname does not exist Thadeu Lima de Souza Cascardo (1): ext4: ext4_search_dir should return a proper error Thomas Gleixner (4): static_call: Handle module init failure correctly in static_call_del_module() static_call: Replace pointless WARN_ON() in static_call_module_notify() x86/ioapic: Handle allocation failures gracefully x86/apic: Remove logical destination mode for 64-bit Thomas Weißschuh (5): tools/nolibc: powerpc: limit stack-protector workaround to GCC selftests/nolibc: avoid passing NULL to printf("%s") fbdev: efifb: Register sysfs groups through driver core of: address: Report error on resource bounds overflow sysctl: avoid spurious permanent empty tables Thomas Zimmermann (2): drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS firmware/sysfb: Disable sysfb for firmware buffers with unknown parent Tim Huang (4): drm/amd/display: fix double free issue during amdgpu module unload drm/amdgpu: fix unchecked return value warning for amdgpu_gfx drm/amdgpu: fix unchecked return value warning for amdgpu_atombios drm/amd/pm: ensure the fw_info is not null before using it Tobias Jakobi (1): drm/amd/display: handle nulled pipe context in DCE110's set_drr() Toke Høiland-Jørgensen (1): wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Tom Chung (4): drm/amd/display: Disable replay if VRR capability is false drm/amd/display: Fix VRR cannot enable drm/amd/display: Re-enable panel replay feature drm/amd/display: Fix system hang while resume with TBT monitor Tvrtko Ursulin (4): drm/v3d: Prevent out of bounds access in performance query extensions drm/sched: Add locking to drm_sched_entity_modify_sched drm/sched: Always wake up correct scheduler in drm_sched_entity_push_job drm/sched: Always increment correct scheduler score Udit Kumar (1): remoteproc: k3-r5: Delay notification of wakeup event Ulf Hansson (2): pmdomain: core: Don't hold the genpd-lock when calling dev_pm_domain_set() pmdomain: core: Use dev_name() instead of kobject_get_path() in debugfs Uma Shankar (1): drm/xe/fbdev: Limit the usage of stolen for LNL+ Umang Jain (1): media: imx335: Fix reset-gpio handling Uwe Kleine-König (1): cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Val Packett (2): drm/rockchip: vop: clear DMA stop bit on RK3066 drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Vasileios Amoiridis (2): iio: pressure: bmp280: Fix regmap for BMP280 device iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Victor Skvortsov (1): drm/amdgpu: Block MMR_READ IOCTL in reset Ville Syrjälä (1): drm/i915/dp: Fix colorimetry detection Vishnu Sankar (1): HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Vitaly Lifshits (1): e1000e: avoid failing the system during pm_suspend Vladimir Oltean (1): net: dsa: improve shutdown sequence Wei Li (4): tracing/hwlat: Fix a race during cpuhp processing tracing/timerlat: Drop interface_lock in stop_kthread() tracing/timerlat: Fix a race during cpuhp processing tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Willem de Bruijn (2): vrf: revert "vrf: Remove unnecessary RCU-bh critical section" gso: fix udp gso fraglist segmentation after pull from frag_list Xiaxi Shen (1): ext4: fix timer use-after-free on failed mount Xin Long (1): sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Xiubo Li (1): ceph: remove the incorrect Fw reference check when dirtying pages Yang Shen (1): crypto: hisilicon - fix missed error branch Yang Wang (1): drm/amdgpu: add list empty check to avoid null pointer issue Yannick Fertre (1): drm/stm: ltdc: reset plane transparency after plane disable Yifei Liu (1): selftests: breakpoints: use remaining time to check if suspend succeed Yihan Zhu (1): drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35 Yonghong Song (1): bpf: Fix a sdiv overflow issue Yosry Ahmed (1): mm: z3fold: deprecate CONFIG_Z3FOLD Youssef Esmat (1): sched/core: Clear prev->dl_server in CFS pick fast path Yuezhang Mo (1): exfat: fix memory leak in exfat_load_bitmap() Yun Lu (1): selftest: hid: add missing run-hid-tools-tests.sh Zach Wade (1): platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Zhanjun Dong (1): drm/xe: Prevent null pointer access in xe_migrate_copy Zhao Mengmeng (1): jfs: Fix uninit-value access of new_ea in ea_buffer Zheng Wang (1): media: venus: fix use after free bug in venus_remove due to race condition Zhihao Cheng (1): ext4: dax: fix overflowing extents beyond inode size when partially writing Zhu Jun (1): tools/hv: Add memory allocation check in hv_fcopy_start Zong-Zhe Yang (2): wifi: rtw88: select WANT_DEV_COREDUMP wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Zqiang (1): rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() aln8 (1): platform/x86/amd: pmf: Add quirk for TUF Gaming A14 wangrong (1): smb: client: use actual path when queryfs yao.ly (1): ext4: correct encrypted dentry name hash when not casefolded zhang jiao (1): selftests: netfilter: Add missing return value

6 months, 3 weeks

1
1
0 0

Linux 6.10.14

by Greg Kroah-Hartman

---------------------------- Note, this is the LAST 6.10.y kernel to be released. There will not be any more 6.10.y releases and this branch is now end-of-life and you should move to the 6.11.y branch at this point in time. ---------------------------- I'm announcing the release of the 6.10.14 kernel. All users of the 6.10 kernel series must upgrade. The updated 6.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/testing/sysfs-fs-f2fs | 22 Documentation/admin-guide/kernel-parameters.txt | 10 Documentation/arch/arm64/silicon-errata.rst | 6 Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 Documentation/networking/net_cachelines/net_device.rst | 2 Makefile | 2 arch/arm/crypto/aes-ce-glue.c | 2 arch/arm/crypto/aes-neonbs-glue.c | 2 arch/arm64/Kconfig | 7 arch/arm64/include/asm/cputype.h | 2 arch/arm64/include/asm/kvm_host.h | 25 arch/arm64/kernel/cpu_errata.c | 3 arch/arm64/mm/trans_pgd.c | 6 arch/loongarch/configs/loongson3_defconfig | 1 arch/parisc/include/asm/mman.h | 14 arch/parisc/kernel/entry.S | 6 arch/parisc/kernel/syscall.S | 14 arch/powerpc/configs/ppc64_defconfig | 1 arch/powerpc/include/asm/vdso_datapage.h | 15 arch/powerpc/kernel/asm-offsets.c | 2 arch/powerpc/kernel/vdso/cacheflush.S | 2 arch/powerpc/kernel/vdso/datapage.S | 4 arch/powerpc/platforms/pseries/dlpar.c | 17 arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 arch/powerpc/platforms/pseries/hotplug-memory.c | 16 arch/powerpc/platforms/pseries/pmem.c | 2 arch/riscv/Kconfig | 8 arch/riscv/include/asm/thread_info.h | 7 arch/x86/crypto/sha256-avx2-asm.S | 16 arch/x86/events/core.c | 63 arch/x86/include/asm/apic.h | 8 arch/x86/include/asm/fpu/signal.h | 2 arch/x86/include/asm/syscall.h | 7 arch/x86/kernel/apic/apic_flat_64.c | 119 arch/x86/kernel/apic/io_apic.c | 46 arch/x86/kernel/cpu/bugs.c | 14 arch/x86/kernel/cpu/common.c | 4 arch/x86/kernel/fpu/signal.c | 6 arch/x86/kernel/machine_kexec_64.c | 27 arch/x86/kernel/signal.c | 3 arch/x86/kernel/signal_64.c | 6 arch/x86/mm/ident_map.c | 23 block/blk-iocost.c | 8 block/ioctl.c | 9 crypto/simd.c | 76 drivers/accel/ivpu/ivpu_fw.c | 4 drivers/acpi/acpi_pad.c | 6 drivers/acpi/acpica/dbconvert.c | 2 drivers/acpi/acpica/exprep.c | 3 drivers/acpi/acpica/psargs.c | 47 drivers/acpi/apei/einj-cxl.c | 2 drivers/acpi/battery.c | 28 drivers/acpi/cppc_acpi.c | 10 drivers/acpi/ec.c | 55 drivers/acpi/resource.c | 22 drivers/acpi/video_detect.c | 17 drivers/ata/pata_serverworks.c | 16 drivers/ata/sata_sil.c | 12 drivers/block/aoe/aoecmd.c | 13 drivers/block/loop.c | 15 drivers/bluetooth/btmrvl_sdio.c | 3 drivers/bluetooth/btrtl.c | 1 drivers/bluetooth/btusb.c | 2 drivers/clk/qcom/clk-alpha-pll.c | 2 drivers/clk/qcom/clk-rpmh.c | 2 drivers/clk/qcom/dispcc-sm8250.c | 3 drivers/clk/qcom/gcc-sc8180x.c | 88 drivers/clk/qcom/gcc-sm8250.c | 6 drivers/clk/qcom/gcc-sm8450.c | 4 drivers/clk/rockchip/clk.c | 3 drivers/clk/samsung/clk-exynos7885.c | 2 drivers/cpufreq/intel_pstate.c | 16 drivers/crypto/hisilicon/sgl.c | 14 drivers/crypto/marvell/Kconfig | 2 drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 261 - drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 254 - drivers/firmware/sysfb.c | 4 drivers/firmware/tegra/bpmp.c | 6 drivers/gpio/gpio-davinci.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 35 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 43 drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 6 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 50 drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 50 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_int_process_v9.c | 18 drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 5 drivers/gpu/drm/amd/amdkfd/soc15_int.h | 1 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 31 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 drivers/gpu/drm/amd/display/dc/core/dc.c | 6 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 drivers/gpu/drm/amd/display/dc/dc_types.h | 1 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 7 drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 20 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 21 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c | 7 drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c | 11 drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 12 drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn201/dcn201_resource.c | 4 drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 7 drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 drivers/gpu/drm/drm_atomic_uapi.c | 2 drivers/gpu/drm/drm_print.c | 13 drivers/gpu/drm/i915/display/intel_ddi.c | 2 drivers/gpu/drm/i915/display/intel_dp.c | 9 drivers/gpu/drm/i915/display/intel_psr.c | 19 drivers/gpu/drm/i915/display/intel_psr.h | 2 drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 drivers/gpu/drm/msm/msm_gpu.c | 1 drivers/gpu/drm/omapdrm/omap_drv.c | 5 drivers/gpu/drm/panthor/panthor_mmu.c | 8 drivers/gpu/drm/panthor/panthor_sched.c | 36 drivers/gpu/drm/radeon/r100.c | 70 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 2 drivers/gpu/drm/scheduler/sched_entity.c | 14 drivers/gpu/drm/scheduler/sched_main.c | 7 drivers/gpu/drm/stm/drv.c | 3 drivers/gpu/drm/stm/ltdc.c | 76 drivers/gpu/drm/v3d/v3d_submit.c | 6 drivers/gpu/drm/xe/display/xe_hdcp_gsc.c | 8 drivers/gpu/drm/xe/xe_bo.c | 4 drivers/gpu/drm/xe/xe_device.c | 6 drivers/gpu/drm/xe/xe_device_types.h | 3 drivers/gpu/drm/xe/xe_gpu_scheduler.c | 5 drivers/gpu/drm/xe/xe_gpu_scheduler.h | 2 drivers/gpu/drm/xe/xe_gt_pagefault.c | 55 drivers/gpu/drm/xe/xe_gt_types.h | 9 drivers/gpu/drm/xe/xe_guc_pc.c | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 29 drivers/gpu/drm/xe/xe_guc_types.h | 11 drivers/gpu/drm/xe/xe_pci.c | 2 drivers/hid/hid-ids.h | 17 drivers/hid/hid-input.c | 37 drivers/hid/hid-multitouch.c | 6 drivers/hid/i2c-hid/i2c-hid-core.c | 42 drivers/hwmon/nct6775-platform.c | 1 drivers/i2c/busses/i2c-designware-common.c | 14 drivers/i2c/busses/i2c-designware-core.h | 1 drivers/i2c/busses/i2c-designware-master.c | 38 drivers/i2c/busses/i2c-qcom-geni.c | 4 drivers/i2c/busses/i2c-stm32f7.c | 6 drivers/i2c/busses/i2c-synquacer.c | 5 drivers/i2c/busses/i2c-xiic.c | 69 drivers/i2c/i2c-core-base.c | 28 drivers/i3c/master/svc-i3c-master.c | 1 drivers/iio/magnetometer/ak8975.c | 32 drivers/iio/pressure/bmp280-core.c | 150 drivers/iio/pressure/bmp280-regmap.c | 47 drivers/iio/pressure/bmp280-spi.c | 4 drivers/iio/pressure/bmp280.h | 46 drivers/infiniband/hw/mana/main.c | 8 drivers/input/keyboard/adp5589-keys.c | 22 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 37 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h | 1 drivers/iommu/intel/dmar.c | 16 drivers/iommu/intel/iommu.c | 6 drivers/iommu/intel/pasid.c | 12 drivers/mailbox/Kconfig | 1 drivers/mailbox/bcm2835-mailbox.c | 3 drivers/mailbox/rockchip-mailbox.c | 2 drivers/media/common/videobuf2/videobuf2-core.c | 7 drivers/media/i2c/ar0521.c | 5 drivers/media/i2c/imx335.c | 9 drivers/media/i2c/ov5675.c | 12 drivers/media/platform/qcom/camss/camss-video.c | 6 drivers/media/platform/qcom/camss/camss.c | 5 drivers/media/platform/qcom/venus/core.c | 1 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 drivers/memory/tegra/tegra186-emc.c | 5 drivers/net/can/dev/netlink.c | 102 drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 drivers/net/ethernet/freescale/fec.h | 9 drivers/net/ethernet/freescale/fec_main.c | 11 drivers/net/ethernet/freescale/fec_ptp.c | 50 drivers/net/ethernet/hisilicon/hip04_eth.c | 1 drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 drivers/net/ethernet/hisilicon/hns_mdio.c | 1 drivers/net/ethernet/intel/e1000e/netdev.c | 19 drivers/net/ethernet/intel/ice/ice_sched.c | 6 drivers/net/ethernet/lantiq_etop.c | 4 drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 6 drivers/net/ethernet/microsoft/Kconfig | 2 drivers/net/ethernet/microsoft/mana/gdma_main.c | 10 drivers/net/ethernet/microsoft/mana/hw_channel.c | 14 drivers/net/ethernet/microsoft/mana/mana_en.c | 8 drivers/net/ethernet/microsoft/mana/shm_channel.c | 13 drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 5 drivers/net/ethernet/realtek/r8169_main.c | 31 drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 drivers/net/ieee802154/Kconfig | 1 drivers/net/ieee802154/mcr20a.c | 5 drivers/net/pcs/pcs-xpcs-wx.c | 2 drivers/net/phy/phy.c | 17 drivers/net/ppp/ppp_generic.c | 4 drivers/net/vrf.c | 2 drivers/net/wireless/ath/ath11k/dp_rx.c | 2 drivers/net/wireless/ath/ath12k/dp_rx.c | 2 drivers/net/wireless/ath/ath9k/debug.c | 4 drivers/net/wireless/ath/ath9k/hif_usb.c | 6 drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 5 drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 2 drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 drivers/net/wireless/intel/iwlwifi/fw/uefi.h | 2 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 drivers/net/wireless/marvell/mwifiex/fw.h | 2 drivers/net/wireless/marvell/mwifiex/scan.c | 3 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 drivers/net/wireless/realtek/rtw88/Kconfig | 1 drivers/net/wireless/realtek/rtw89/core.h | 18 drivers/net/wireless/realtek/rtw89/mac80211.c | 4 drivers/net/wireless/realtek/rtw89/phy.c | 4 drivers/net/wireless/realtek/rtw89/util.h | 18 drivers/net/wwan/qcom_bam_dmux.c | 11 drivers/net/xen-netback/hash.c | 5 drivers/nvme/common/keyring.c | 58 drivers/nvme/host/Kconfig | 3 drivers/nvme/host/core.c | 1 drivers/nvme/host/fabrics.c | 2 drivers/nvme/host/nvme.h | 2 drivers/nvme/host/sysfs.c | 4 drivers/nvme/host/tcp.c | 55 drivers/of/address.c | 5 drivers/of/irq.c | 38 drivers/perf/arm_spe_pmu.c | 9 drivers/perf/riscv_pmu_legacy.c | 4 drivers/perf/riscv_pmu_sbi.c | 4 drivers/platform/mellanox/mlxbf-pmc.c | 5 drivers/platform/x86/amd/pmf/pmf-quirks.c | 8 drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 drivers/platform/x86/lenovo-ymc.c | 2 drivers/platform/x86/touchscreen_dmi.c | 26 drivers/platform/x86/x86-android-tablets/core.c | 6 drivers/platform/x86/x86-android-tablets/other.c | 10 drivers/pmdomain/core.c | 5 drivers/power/reset/brcmstb-reboot.c | 3 drivers/power/supply/power_supply_hwmon.c | 3 drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 drivers/rtc/rtc-at91sam9.c | 1 drivers/scsi/NCR5380.c | 4 drivers/scsi/aacraid/aacraid.h | 2 drivers/scsi/lpfc/lpfc.h | 12 drivers/scsi/lpfc/lpfc_els.c | 73 drivers/scsi/lpfc/lpfc_hbadisc.c | 14 drivers/scsi/lpfc/lpfc_nportdisc.c | 22 drivers/scsi/lpfc/lpfc_scsi.c | 13 drivers/scsi/lpfc/lpfc_sli.c | 11 drivers/scsi/pm8001/pm8001_init.c | 6 drivers/scsi/smartpqi/smartpqi_init.c | 130 drivers/scsi/st.c | 5 drivers/spi/spi-bcm63xx.c | 9 drivers/spi/spi-cadence.c | 8 drivers/spi/spi-imx.c | 2 drivers/spi/spi-rpc-if.c | 7 drivers/spi/spi-s3c64xx.c | 4 drivers/vhost/scsi.c | 27 drivers/video/fbdev/efifb.c | 11 drivers/video/fbdev/pxafb.c | 1 fs/afs/file.c | 1 fs/afs/fs_operation.c | 2 fs/btrfs/backref.c | 12 fs/btrfs/disk-io.c | 11 fs/btrfs/relocation.c | 77 fs/btrfs/send.c | 23 fs/cachefiles/namei.c | 7 fs/ceph/addr.c | 6 fs/ceph/mds_client.c | 12 fs/dax.c | 6 fs/exec.c | 3 fs/exfat/balloc.c | 10 fs/ext4/dir.c | 14 fs/ext4/extents.c | 55 fs/ext4/fast_commit.c | 49 fs/ext4/file.c | 8 fs/ext4/inode.c | 11 fs/ext4/migrate.c | 2 fs/ext4/move_extent.c | 1 fs/ext4/namei.c | 14 fs/ext4/resize.c | 18 fs/ext4/super.c | 5 fs/ext4/xattr.c | 3 fs/f2fs/f2fs.h | 31 fs/f2fs/gc.c | 85 fs/f2fs/gc.h | 23 fs/f2fs/segment.c | 31 fs/f2fs/super.c | 8 fs/f2fs/sysfs.c | 18 fs/file.c | 95 fs/inode.c | 10 fs/iomap/buffered-io.c | 16 fs/jbd2/checkpoint.c | 21 fs/jbd2/journal.c | 4 fs/jfs/jfs_discard.c | 11 fs/jfs/jfs_dmap.c | 7 fs/jfs/xattr.c | 2 fs/netfs/write_issue.c | 6 fs/nfsd/netns.h | 1 fs/nfsd/nfs4proc.c | 34 fs/nfsd/nfs4state.c | 6 fs/nfsd/nfs4xdr.c | 10 fs/nfsd/nfsctl.c | 2 fs/nfsd/nfssvc.c | 2 fs/nfsd/vfs.c | 1 fs/nfsd/xdr4.h | 1 fs/ocfs2/aops.c | 5 fs/ocfs2/buffer_head_io.c | 4 fs/ocfs2/journal.c | 7 fs/ocfs2/localalloc.c | 19 fs/ocfs2/quota_local.c | 8 fs/ocfs2/refcounttree.c | 26 fs/ocfs2/xattr.c | 11 fs/overlayfs/copy_up.c | 43 fs/overlayfs/params.c | 38 fs/proc/base.c | 61 fs/proc/proc_sysctl.c | 11 fs/smb/client/cifsfs.c | 13 fs/smb/client/cifsglob.h | 2 fs/smb/client/inode.c | 19 fs/smb/client/reparse.c | 16 fs/smb/client/smb1ops.c | 2 fs/smb/client/smb2inode.c | 24 fs/smb/client/smb2ops.c | 19 fs/smb/server/connection.c | 4 fs/smb/server/connection.h | 1 fs/smb/server/oplock.c | 55 fs/smb/server/vfs_cache.c | 3 include/crypto/internal/simd.h | 12 include/drm/drm_print.h | 54 include/drm/gpu_scheduler.h | 2 include/dt-bindings/clock/exynos7885.h | 2 include/dt-bindings/clock/qcom,gcc-sc8180x.h | 1 include/linux/cpufreq.h | 6 include/linux/fdtable.h | 8 include/linux/i2c.h | 3 include/linux/netdevice.h | 22 include/linux/nvme-keyring.h | 6 include/linux/perf_event.h | 8 include/linux/sched.h | 2 include/linux/sunrpc/svc.h | 4 include/linux/uprobes.h | 2 include/linux/virtio_net.h | 4 include/net/mana/gdma.h | 10 include/net/mana/mana.h | 3 include/trace/events/netfs.h | 1 include/uapi/linux/cec.h | 6 include/uapi/linux/netfilter/nf_tables.h | 2 io_uring/io_uring.c | 5 io_uring/net.c | 4 kernel/bpf/verifier.c | 119 kernel/events/core.c | 33 kernel/events/uprobes.c | 4 kernel/fork.c | 32 kernel/jump_label.c | 52 kernel/rcu/rcuscale.c | 4 kernel/rcu/tasks.h | 82 kernel/resource.c | 58 kernel/sched/core.c | 23 kernel/sched/psi.c | 26 kernel/static_call_inline.c | 13 kernel/trace/trace_hwlat.c | 2 kernel/trace/trace_osnoise.c | 22 lib/buildid.c | 90 mm/Kconfig | 25 mm/slab_common.c | 7 mm/slub.c | 100 net/bluetooth/hci_core.c | 2 net/bluetooth/hci_event.c | 15 net/bluetooth/l2cap_core.c | 8 net/bluetooth/mgmt.c | 23 net/bridge/br_mdb.c | 2 net/core/dev.c | 14 net/core/gro.c | 9 net/core/net-sysfs.c | 6 net/core/netdev-genl.c | 8 net/core/netpoll.c | 15 net/dsa/dsa.c | 7 net/ipv4/devinet.c | 6 net/ipv4/fib_frontend.c | 2 net/ipv4/ip_gre.c | 6 net/ipv4/netfilter/nf_dup_ipv4.c | 7 net/ipv4/tcp_ipv4.c | 3 net/ipv4/tcp_offload.c | 10 net/ipv4/udp_offload.c | 22 net/ipv6/netfilter/nf_dup_ipv6.c | 7 net/ipv6/tcpv6_offload.c | 10 net/mac80211/chan.c | 4 net/mac80211/mlme.c | 2 net/mac80211/scan.c | 2 net/mac80211/util.c | 4 net/mac802154/scan.c | 4 net/ncsi/ncsi-manage.c | 2 net/rxrpc/ar-internal.h | 2 net/rxrpc/io_thread.c | 10 net/rxrpc/local_object.c | 2 net/sched/sch_taprio.c | 4 net/sctp/socket.c | 4 net/sunrpc/svc.c | 31 net/tipc/bearer.c | 8 net/wireless/nl80211.c | 15 rust/kernel/sync/locked_by.rs | 18 scripts/gdb/linux/proc.py | 4 scripts/gdb/linux/rbtree.py | 12 scripts/gdb/linux/timerlist.py | 31 scripts/kconfig/qconf.cc | 2 security/Kconfig | 32 security/tomoyo/domain.c | 9 sound/core/control.c | 55 sound/core/control_compat.c | 45 sound/core/init.c | 14 sound/core/oss/mixer_oss.c | 4 sound/isa/gus/gus_pcm.c | 4 sound/pci/asihpi/hpimsgx.c | 2 sound/pci/hda/hda_controller.h | 2 sound/pci/hda/hda_generic.c | 4 sound/pci/hda/hda_intel.c | 10 sound/pci/hda/patch_conexant.c | 24 sound/pci/hda/patch_realtek.c | 5 sound/pci/rme9652/hdsp.c | 6 sound/pci/rme9652/hdspm.c | 6 sound/soc/atmel/mchp-pdmc.c | 3 sound/soc/codecs/wsa883x.c | 16 sound/soc/fsl/imx-card.c | 1 sound/soc/intel/boards/bytcht_cx2072x.c | 4 sound/soc/intel/boards/bytcht_da7213.c | 4 sound/soc/intel/boards/bytcht_es8316.c | 2 sound/soc/intel/boards/bytcr_rt5640.c | 2 sound/soc/intel/boards/bytcr_rt5651.c | 2 sound/soc/intel/boards/cht_bsw_rt5645.c | 4 sound/soc/intel/boards/cht_bsw_rt5672.c | 4 sound/soc/intel/boards/sof_es8336.c | 2 sound/soc/intel/boards/sof_wm8804.c | 4 sound/usb/card.c | 6 sound/usb/line6/podhd.c | 2 sound/usb/mixer.c | 35 sound/usb/mixer.h | 1 sound/usb/mixer_quirks.c | 413 + sound/usb/quirks-table.h | 2457 +++------- sound/usb/quirks.c | 62 tools/arch/x86/kcpuid/kcpuid.c | 12 tools/bpf/bpftool/net.c | 11 tools/hv/hv_fcopy_uio_daemon.c | 7 tools/include/nolibc/arch-powerpc.h | 2 tools/perf/util/hist.c | 7 tools/perf/util/machine.c | 17 tools/perf/util/setup.py | 4 tools/perf/util/thread.c | 4 tools/perf/util/thread.h | 1 tools/testing/selftests/breakpoints/step_after_suspend_test.c | 5 tools/testing/selftests/devices/test_discoverable_devices.py | 4 tools/testing/selftests/hid/Makefile | 2 tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 2 tools/testing/selftests/mm/mseal_test.c | 57 tools/testing/selftests/mm/write_to_hugetlbfs.c | 21 tools/testing/selftests/net/netfilter/conntrack_dump_flush.c | 1 tools/testing/selftests/net/netfilter/nft_audit.sh | 57 tools/testing/selftests/nolibc/nolibc-test.c | 4 tools/testing/selftests/vDSO/parse_vdso.c | 17 tools/testing/selftests/vDSO/vdso_config.h | 10 tools/testing/selftests/vDSO/vdso_test_correctness.c | 6 tools/tracing/rtla/Makefile.rtla | 2 tools/tracing/rtla/src/osnoise_top.c | 2 tools/tracing/rtla/src/timerlat_top.c | 4 502 files changed, 6008 insertions(+), 4297 deletions(-) Aakash Menon (1): net: sparx5: Fix invalid timestamps Abhishek Tamboli (1): ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Adrian Ratiu (1): proc: add config & param to block forcing mem writes Ahmed S. Darwish (1): tools/x86/kcpuid: Protect against faulty "max subleaf" values Ai Chao (1): ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Ajit Pandey (1): clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Al Viro (1): close_range(): fix the logics in descriptor table trimming Aleksander Jan Bajkowski (1): net: ethernet: lantiq_etop: fix memory disclosure Aleksandr Mishin (1): ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Aleksandrs Vinarskis (1): ACPICA: iasl: handle empty connection_node Alessandro Zanni (1): kselftest/devices/probe: Fix SyntaxWarning in regex strings for Python3 Alex Deucher (5): drm/amdgpu/gfx9: properly handle error ints on all pipes drm/amdgpu/gfx9: use rlc safe mode for soft recovery drm/amdgpu/gfx11: enter safe mode before touching CP_INT_CNTL drm/amdgpu/gfx11: use rlc safe mode for soft recovery drm/amdgpu/gfx10: use rlc safe mode for soft recovery Alex Hung (11): drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags drm/amd/display: Check null pointers before using them drm/amd/display: Check null pointers before using dc->clk_mgr drm/amd/display: Check null-initialized variables drm/amd/display: Check phantom_stream before it is used drm/amd/display: Check stream before comparing them drm/amd/display: Check link_res->hpo_dp_link_enc before using it drm/amd/display: Avoid overflow assignment in link_dp_cts drm/amd/display: Initialize get_bytes_per_element's default to 1 drm/amd/display: Add HDR workaround for specific eDP drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it Alexander F. Lent (1): accel/ivpu: Add missing MODULE_FIRMWARE metadata Alexander Shiyan (1): media: i2c: ar0521: Use cansleep version of gpiod_set_value() Alexandre Ghiti (1): riscv: Fix kernel stack size when KASAN is enabled Alexey Dobriyan (2): block: fix integer overflow in BLKSECDISCARD build-id: require program headers to be right after ELF header Alice Ryhl (1): rust: sync: require `T: Sync` for `LockedBy::access` Amir Goldstein (1): ovl: fsync after metadata copy-up Andrei Simion (1): ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Andrew Davis (1): power: reset: brcmstb: Do not go into infinite loop if reset fails Andrew Jones (1): of/irq: Support #msi-cells=<0> in of_msi_get_domain Andrii Nakryiko (2): perf,x86: avoid missing caller address in stack traces captured in uprobe lib/buildid: harden build ID parsing logic Anjaneyulu (1): wifi: iwlwifi: allow only CN mcc from WRDD Anton Danilov (1): ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Ard Biesheuvel (1): i2c: synquacer: Deal with optional PCLK correctly Armin Wolf (4): ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook Arnaldo Carvalho de Melo (2): perf python: Disable -Wno-cast-function-type-mismatch if present on clang perf python: Allow checking for the existence of warning options in clang Arnd Bergmann (1): nvme-tcp: fix link failure for TCP auth Artem Sadovnikov (1): ext4: fix i_data_sem unlock order in ext4_ind_migrate() Aruna Ramakrishna (2): x86/pkeys: Add PKRU as a parameter in signal handling functions x86/pkeys: Restore altstack access in sigreturn() Asad Kamal (1): drm/amdgpu: Fix get each xcp macro Asahi Lina (1): ALSA: usb-audio: Add mixer quirk for RME Digiface USB Baojun Xu (1): ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Baokun Li (10): ext4: avoid use-after-free in ext4_ext_show_leaf() ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path ext4: update orig_path in ext4_find_extent() ext4: fix off by one issue in alloc_flex_gd() jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error cachefiles: fix dentry leak in cachefiles_open_file() Barnabás Czémán (1): iio: magnetometer: ak8975: Fix reading for ak099xx sensors Beleswar Padhi (1): remoteproc: k3-r5: Acquire mailbox handle during probe routine Ben Cheatham (1): EINJ, CXL: Fix CXL device SBDF calculation Ben Dooks (1): spi: s3c64xx: fix timeout counters in flush_fifo Ben Hutchings (1): tools/rtla: Fix installation from out-of-tree build Benjamin Lin (1): wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Biju Das (1): spi: rpc-if: Add missing MODULE_DEVICE_TABLE Boris Brezillon (4): drm/panthor: Lock the VM resv before calling drm_gpuvm_bo_obtain_prealloc() drm/panthor: Don't add write fences to the shared BOs drm/panthor: Fix access to uninitialized variable in tick_ctx_cleanup() drm/panthor: Don't declare a queue blocked if deferred operations are pending Breno Leitao (1): netpoll: Ensure clean state on setup failures Bryan O'Donoghue (3): media: ov5675: Fix power on/off delay timings media: qcom: camss: Remove use_count guard in stop_streaming media: qcom: camss: Fix ordering of pm_runtime_enable Chao Yu (1): f2fs: fix to don't panic system for no free segment fault injection Chih-Kang Chang (1): wifi: rtw89: avoid to add interface to list twice when SER Christian König (1): drm/sched: revert "Always increment correct scheduler score" Christoph Hellwig (2): loop: don't set QUEUE_FLAG_NOMERGES iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Christophe JAILLET (2): ALSA: mixer_oss: Remove some incorrect kfree_const() usages ALSA: gus: Fix some error handling paths related to get_bpos() usage Christophe Leroy (4): selftests: vDSO: fix vDSO name for powerpc selftests: vDSO: fix vdso_config for powerpc selftests: vDSO: fix vDSO symbols lookup for powerpc64 powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Chuck Lever (3): NFSD: Fix NFSv4's PUTPUBFH operation NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations Chun-Yi Lee (1): aoe: fix the potential use-after-free problem in more places Ckath (1): platform/x86: touchscreen_dmi: add nanote-next quirk Colin Ian King (1): r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Csókás, Bence (2): net: fec: Restart PPS after link state change net: fec: Reload PTP registers after link-state change Cyan Nyan (1): ALSA: usb-audio: Add quirk for RME Digiface USB Daeho Jeong (5): f2fs: make BG GC more aggressive for zoned devices f2fs: introduce migration_window_granularity f2fs: increase BG GC migration window granularity when boosted for zoned devices f2fs: do FG_GC when GC boosting is required for zoned devices f2fs: forcibly migrate to secure space for zoned device file pinning Damien Le Moal (2): ata: pata_serverworks: Do not use the term blacklist ata: sata_sil: Rename sil_blacklist to sil_quirks Daniel Borkmann (2): net: Add netif_get_gro_max_size helper for GRO net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Daniel Bristot de Oliveira (1): sched/deadline: Comment sched_dl_entity::dl_server variable Daniel Sneddon (1): x86/bugs: Add missing NO_SSB flag Daniel Wagner (1): scsi: pm8001: Do not overwrite PCI queue mapping Danilo Krummrich (1): mm: krealloc: consider spare memory for __GFP_ZERO Darrick J. Wong (1): iomap: constrain the file range passed to iomap_file_unshare David Hildenbrand (1): selftests/mm: fix charge_reserved_hugetlb.sh test David Howells (4): afs: Fix missing wire-up of afs_retry_request() afs: Fix the setting of the server responding flag netfs: Cancel dirty folios that have no storage destination rxrpc: Fix a race between socket set up and I/O thread creation David Kaplan (1): x86/bugs: Fix handling when SRSO mitigation is disabled David Strahan (2): scsi: smartpqi: Add new controller PCI IDs scsi: smartpqi: add new controller PCI IDs David Virag (2): dt-bindings: clock: exynos7885: Fix duplicated binding clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Denis Pauk (1): hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Dmitry Antipov (1): net: sched: consistently use rcu_replace_pointer() in taprio_change() Dmitry Baryshkov (1): clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Dmitry Kandybka (1): wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Dmitry Torokhov (1): HID: i2c-hid: ensure various commands do not interfere with each other Easwar Hariharan (1): arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Eddie James (1): net/ncsi: Disable the ncsi work before freeing the associated structure Eder Zulian (1): rtla: Fix the help text in osnoise and timerlat top tools Edward Adam Davis (3): jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree ext4: no need to continue when the number of entries is 1 Elena Salomatkina (1): net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Emanuele Ghidoli (1): gpio: davinci: fix lazy disable Eric Dumazet (5): netfilter: nf_tables: prevent nf_skb_duplicated corruption net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() net: test for not too small csum_start in virtio_net_hdr_to_skb() ppp: do not assume bh is held in ppp_channel_bridge_input() Fangrui Song (1): crypto: x86/sha256 - Add parentheses around macros' single arguments Fares Mehanna (1): arm64: trans_pgd: mark PTEs entries as valid to avoid dead kexec() Felix Fietkau (3): wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker net: gso: fix tcp fraglist segmentation after pull from frag_list Filipe Manana (2): btrfs: send: fix invalid clone operation for file that got its size decreased btrfs: wait for fixup workers before stopping cleaner kthread during umount Finn Thain (1): scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Gabe Teeger (1): drm/amd/display: Revert Avoid overflow assignment Gautham Ananthakrishna (1): ocfs2: reserve space for inline xattr before attaching reflink tree Geert Uytterhoeven (3): mailbox: ARM_MHU_V3 should depend on ARM64 drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() of/irq: Refer to actual buffer size in of_irq_parse_one() Gerd Bayer (1): net/mlx5: Fix error path in multi-packet WQE transmit Gergo Koteles (1): platform/x86: lenovo-ymc: Ignore the 0x0 state Greg Kroah-Hartman (1): Linux 6.10.14 Guixin Liu (1): io_uring: fix memory leak when cache init fail Gustavo A. R. Silva (1): wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Haiyang Zhang (1): net: mana: Add support for page sizes other than 4KB on ARM64 Hannes Reinecke (3): nvme-keyring: restrict match length for version '1' identifiers nvme-tcp: sanitize TLS key handling nvme-tcp: check for invalidated or revoked key Hans P. Moller (1): ALSA: line6: add hw monitor volume control to POD HD500X Hans Verkuil (1): media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Hans de Goede (10): ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 HID: Ignore battery for all ELAN I2C-HID devices platform/x86: x86-android-tablets: Adjust Xiaomi Pad 2 bottom bezel touch buttons LED platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors power: supply: hwmon: Fix missing temp1_max_alarm attribute ACPI: video: Add backlight=native quirk for Dell OptiPlex 5480 AIO ACPI: resource: Remove duplicate Asus E1504GAB IRQ override ACPI: resource: Loosen the Asus E1404GAB DMI match to also cover the E1404GA ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Haoran Zhang (1): vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Haren Myneni (1): powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Hawking Zhang (1): drm/amdkfd: Check int source id for utcl2 poison event Heiko Carstens (1): selftests: vDSO: fix vdso_config for s390 Heiner Kallweit (2): i2c: core: Lock address during client device instantiation r8169: add tally counter fields added with RTL8125 Helge Deller (4): parisc: Fix itlb miss handler for 64-bit programs parisc: Fix 64-bit userspace syscall path parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Heming Zhao (1): ocfs2: fix the la space leak when unmounting an ocfs2 volume Herbert Xu (4): crypto: octeontx - Fix authenc setkey crypto: octeontx2 - Fix authenc setkey crypto: simd - Do not call crypto_alloc_tfm during registration crypto: octeontx* - Select CRYPTO_AUTHENC Hilda Wu (2): Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Huang Ying (1): resource: fix region_intersects() vs add_memory_driver_managed() Hui Wang (1): ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Ian Rogers (1): perf callchain: Fix stitch LBR memory leaks Ido Schimmel (2): bridge: mcast: Fail MDB get request on empty entry ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Ilan Peer (1): wifi: iwlwifi: mvm: Fix a race in scan abort flow Imre Deak (1): drm/i915/dp: Fix AUX IO power enabling for eDP PSR Issam Hamdi (1): wifi: cfg80211: Set correct chandef when starting CAC James Clark (1): drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Jan Kiszka (1): remoteproc: k3-r5: Fix error handling when power-up failed Jan Lalinsky (1): ALSA: usb-audio: Add native DSD support for Luxman D-08u Jani Nikula (1): drm/i915/gem: fix bitwise and logical AND mixup Jaroslav Kysela (1): ALSA: core: add isascii() check to card ID generator Jason Gunthorpe (1): iommu/arm-smmu-v3: Do not use devm for the cd table allocations Jason Xing (1): tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Javier Carrasco (1): drm/mediatek: ovl_adaptor: Add missing of_node_put() Jeff Xu (1): selftest mm/mseal: fix test_seal_mremap_move_dontunmap_anyaddr Jens Axboe (1): io_uring/net: harden multishot termination case for recv Jens Remus (1): selftests: vDSO: fix ELF hash table entry size for s390x Jeongjun Park (1): net/xen-netback: prevent UAF in xenvif_flush_hash() Jesse Zhang (1): drm/amdkfd: Fix resource leak in criu restore queue Jianbo Liu (1): net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Jiawei Ye (1): mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Jiawen Wu (1): net: pcs: xpcs: fix the wrong register that was written back Jinjie Ruan (12): ieee802154: Fix build error net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() nfp: Use IRQF_NO_AUTOEN flag in request_irq() spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled spi: spi-cadence: Fix missing spi_controller_is_target() check i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled spi: bcm63xx: Fix module autoloading spi: bcm63xx: Fix missing pm_runtime_disable() Jisheng Zhang (1): riscv: define ILLEGAL_POINTER_VALUE for 64bit Joe Damato (2): netdev-genl: Set extack and fix error on napi-get net: napi: Prevent overflow of napi_defer_hard_irqs Joel Fernandes (Google) (1): sched/core: Add clearing of ->dl_server in put_prev_task_balance() Johannes Berg (3): wifi: iwlwifi: mvm: drop wrong STA selection in TX wifi: iwlwifi: mvm: use correct key iteration wifi: mac80211: fix RCU list iterations Johannes Weiner (1): sched: psi: fix bogus pressure spikes from aggregation race Jonathan Gray (1): Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Josef Bacik (1): btrfs: drop the backref cache during relocation if we commit Joseph Qi (2): ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: cancel dqi_sync_work before freeing oinfo Joshua Pius (1): ALSA: usb-audio: Add logitech Audio profile quirk Julian Sun (1): ocfs2: fix null-ptr-deref when journal load failed. Juntong Deng (1): bpf: Make the pointer returned by iter next method valid Justin Tee (3): scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths scsi: lpfc: Fix unsolicited FLOGI kref imbalance when in direct attached topology scsi: lpfc: Update PRLO handling in direct attached topology Kaixin Wang (2): fbdev: pxafb: Fix possible use after free in pxafb_task() i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Karthikeyan Periyasamy (2): wifi: ath12k: fix array out-of-bound access in SoC stats wifi: ath11k: fix array out-of-bound access in SoC stats Katya Orlova (1): drm/stm: Avoid use-after-free issues with crtc and plane Kees Cook (2): x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() scsi: aacraid: Rearrange order of struct aac_srb_unit Kemeng Shi (1): jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit KhaiWenTan (1): net: stmmac: Fix zero-division error when disabling tc cbs Kimriver Liu (1): i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Konrad Dybcio (1): drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs Konstantin Ovsepian (1): blk_iocost: fix more out of bound shifts Krzysztof Kozlowski (7): net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() ASoC: codecs: wsa883x: Handle reading version failure firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() memory: tegra186-emc: drop unused to_tegra186_emc() rtc: at91sam9: fix OF node leak in probe() error path Kuan-Wei Chiu (2): bpftool: Fix undefined behavior caused by shifting into the sign bit bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Kuan-Ying Lee (3): scripts/gdb: fix timerlist parsing issue scripts/gdb: add iteration function for rbtree scripts/gdb: fix lx-mounts command error Kuniyuki Iwashima (1): ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Laurent Pinchart (2): media: videobuf2: Drop minimum allocation requirement of 2 buffers media: sun4i_csi: Implement link validate for sun4i_csi subdev Li Lingfeng (1): nfsd: map the EBADMSG to nfserr_io to avoid warning Li Zhijian (1): fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name Lianqin Hu (1): ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Liao Chen (1): mailbox: rockchip: fix a typo in module autoloading Liao Yuanhong (1): f2fs: add write priority option based on zone UFS Lizhi Xu (2): ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Long Li (2): RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page RDMA/mana_ib: use the correct page table index based on hardware page size Lu Baolu (2): iommu/vt-d: Always reserve a domain ID for identity setup iommu/vt-d: Unconditionally flush device TLB for pasid table updates Luis Henriques (SUSE) (9): ceph: fix a memory leak on cap_auths in MDS client ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: fix access to uninitialised lock in fc replay path ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() ext4: fix fast commit inode enqueueing during a full journal commit ext4: use handle to mark fc as ineligible in __track_dentry_update() ext4: mark fc as ineligible using an handle in ext4_xattr_set() Luiz Augusto von Dentz (3): Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Bluetooth: L2CAP: Fix uaf in l2cap_connect Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Luiz Capitulino (1): platform/mellanox: mlxbf-pmc: fix lockdep warning Luo Gengkun (1): perf/core: Fix small negative period being ignored Ma Ke (1): drm: omapdrm: Add missing check for alloc_ordered_workqueue Mahesh Rajashekhara (1): scsi: smartpqi: correct stream detection Manivannan Sadhasivam (2): clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Marc Ferland (1): i2c: xiic: improve error message when transfer fails to start Marc Zyngier (1): KVM: arm64: Fix kvm_has_feat*() handling of negative features Marek Vasut (1): i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Mario Limonciello (2): ACPI: CPPC: Add support for setting EPP register in FFH drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Mark Rutland (3): arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more Masahiro Yamada (1): kconfig: qconf: fix buffer overflow in debug links Matt Fleming (1): perf hist: Update hist symbol when updating maps Matthew Auld (2): drm/xe: fixup xe_alloc_pf_queue drm/xe: fix UAF around queue destruction Matthew Brost (4): drm/xe: Resume TDR after GT reset drm/printer: Allow NULL data in devcoredump printer drm/xe: Drop warn on xe_guc_pc_gucrc_disable in guc pc fini drm/xe: Delete unused GuC submission_state.suspend Mike Baynton (1): ovl: fail if trusted xattrs are needed but caller lacks permission Mike Tipton (1): clk: qcom: clk-rpmh: Fix overflow in BCM vote Miquel Sabaté Solà (1): cpufreq: Avoid a bad reference count on CPU node Miri Korenblit (1): wifi: iwlwifi: mvm: avoid NULL pointer dereference Mohamed Khalfella (1): net/mlx5: Added cond_resched() to crdump collection Mostafa Saleh (1): iommu/arm-smmu-v3: Match Stall behaviour for S2 Namhyung Kim (2): perf: Really fix event_function_call() locking perf report: Fix segfault when 'sym' sort key is not used Namjae Jeon (1): ksmbd: add refcnt to ksmbd_conn struct NeilBrown (2): nfsd: fix delegation_blocked() to block correctly for at least 30 seconds sunrpc: change sp_nrthreads from atomic_t to unsigned int. Nicholas Kazlauskas (1): drm/amd/display: Use gpuvm_min_page_size_kbytes for DML2 surfaces Niklas Söderlund (1): net: phy: Check for read errors in SIOCGMIIREG Nikolai Afanasenkov (1): ALSA: hda/realtek: fix mute/micmute LED for HP mt645 G8 Nirmoy Das (1): drm/xe: Fix memory leak on xe_alloc_pf_queue failure Nuno Sa (2): Input: adp5589-keys - fix NULL pointer dereference Input: adp5589-keys - fix adp5589_gpio_get_value() Oder Chiou (1): ALSA: hda/realtek: Fix the push button function for the ALC257 Oleg Nesterov (1): uprobes: fix kernel info leak via "[uprobes]" vma Pali Rohár (3): cifs: Remove intermediate object of failed create reparse call cifs: Fix buffer overflow when parsing NFS reparse points cifs: Do not convert delimiter when parsing NFS-style symlinks Patrick Donnelly (1): ceph: fix cap ref leak via netfs init_request Paul E. McKenney (1): rcuscale: Provide clear error when async specified without primitives Pei Xiao (1): ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Peng Fan (1): mm, slub: avoid zeroing kmalloc redzone Peng Liu (2): drm/amdgpu: add raven1 gfxoff quirk drm/amdgpu: enable gfxoff quirk on HP 705G4 Peter Zijlstra (2): jump_label: Fix static_key_slow_dec() yet again perf: Fix event_function_call() locking Phil Sutter (2): netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED selftests: netfilter: Fix nft_audit.sh for newer nft binaries Philip Yang (1): drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pierre-Eric Pelloux-Prayer (1): drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Pierre-Louis Bossart (1): ASoC: Intel: boards: always check the result of acpi_dev_get_first_match_dev() Ping-Ke Shih (1): wifi: rtw89: correct base HT rate mask for firmware Pu Lehui (1): drivers/perf: riscv: Align errno for unsupported perf event Qu Wenruo (1): btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Rafael J. Wysocki (1): ACPI: EC: Do not release locks during operation region accesses Rafael Rocha (1): scsi: st: Fix input/output error on empty drive reset Ravikanth Tuniki (1): dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Remington Brasga (1): jfs: UBSAN: shift-out-of-bounds in dbFindBits Rob Clark (1): drm/sched: Fix dynamic job-flow control race Robert Hancock (2): i2c: xiic: Try re-initialization on bus busy timeout i2c: xiic: Wait for TX empty to avoid missed TX NAKs Rodrigo Vivi (1): drm/xe: Restore pci state upon resume Sanjay K Kumar (1): iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Satya Priya Kakitapalli (4): dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src clk: qcom: gcc-sc8180x: Add GPLL9 support clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Sebastian Reichel (1): clk: rockchip: fix error for unknown clocks Seiji Nishikawa (1): ACPI: PAD: fix crash in exit_round_robin() Shenwei Wang (1): net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Simon Horman (4): tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer bnxt_en: Extend maximum length of version string by 1 byte net: atlantic: Avoid warning about potential string truncation Srinivasan Shanmugam (12): drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation drm/amd/display: Fix index out of bounds in degamma hardware format translation drm/amd/display: Fix index out of bounds in DCN30 color transformation Stefan Mätje (1): can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode Stefan Wahren (1): mailbox: bcm2835: Fix timeout during suspend mode Steve French (1): smb3: fix incorrect mode displayed for read-only files Steve Wahl (1): x86/mm/ident_map: Use gbpages only where full GB page should be mapped. Steven Price (1): drm/panthor: Fix race when converting group handle to group object Stuart Summers (1): drm/xe: Use topology to determine page fault queue size Suraj Kandpal (1): drm/xe/hdcp: Check GSC structure validity Takashi Iwai (11): ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin ALSA: usb-audio: Add input value sanity checks for standard types ALSA: usb-audio: Define macros for quirk table entries ALSA: usb-audio: Replace complex quirk lines with macros ALSA: control: Take power_ref lock primarily ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop ALSA: control: Fix power_ref lock order for compat code, too Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" ALSA: control: Fix leftover snd_power_unref() Tamim Khan (1): ACPI: resource: Skip IRQ override on Asus Vivobook Go E1404GAB Tao Liu (1): x86/kexec: Add EFI config table identity mapping for kexec kernel Tetsuo Handa (1): tomoyo: fallback to realpath if symlink's pathname does not exist Thadeu Lima de Souza Cascardo (1): ext4: ext4_search_dir should return a proper error Thomas Gleixner (5): static_call: Handle module init failure correctly in static_call_del_module() static_call: Replace pointless WARN_ON() in static_call_module_notify() jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() x86/ioapic: Handle allocation failures gracefully x86/apic: Remove logical destination mode for 64-bit Thomas Weißschuh (5): tools/nolibc: powerpc: limit stack-protector workaround to GCC selftests/nolibc: avoid passing NULL to printf("%s") fbdev: efifb: Register sysfs groups through driver core of: address: Report error on resource bounds overflow sysctl: avoid spurious permanent empty tables Thomas Zimmermann (2): drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS firmware/sysfb: Disable sysfb for firmware buffers with unknown parent Tim Huang (4): drm/amd/display: fix double free issue during amdgpu module unload drm/amdgpu: fix unchecked return value warning for amdgpu_gfx drm/amdgpu: fix unchecked return value warning for amdgpu_atombios drm/amd/pm: ensure the fw_info is not null before using it Tobias Jakobi (1): drm/amd/display: handle nulled pipe context in DCE110's set_drr() Toke Høiland-Jørgensen (1): wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Tom Chung (1): drm/amd/display: Fix system hang while resume with TBT monitor Tvrtko Ursulin (4): drm/v3d: Prevent out of bounds access in performance query extensions drm/sched: Add locking to drm_sched_entity_modify_sched drm/sched: Always wake up correct scheduler in drm_sched_entity_push_job drm/sched: Always increment correct scheduler score Udit Kumar (1): remoteproc: k3-r5: Delay notification of wakeup event Ulf Hansson (1): pmdomain: core: Don't hold the genpd-lock when calling dev_pm_domain_set() Umang Jain (1): media: imx335: Fix reset-gpio handling Uwe Kleine-König (1): cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Val Packett (2): drm/rockchip: vop: clear DMA stop bit on RK3066 drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Vasileios Amoiridis (4): iio: pressure: bmp280: Improve indentation and line wrapping iio: pressure: bmp280: Use BME prefix for BME280 specifics iio: pressure: bmp280: Fix regmap for BMP280 device iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Victor Skvortsov (1): drm/amdgpu: Block MMR_READ IOCTL in reset Ville Syrjälä (1): drm/i915/dp: Fix colorimetry detection Vishnu Sankar (1): HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Vitaly Lifshits (1): e1000e: avoid failing the system during pm_suspend Vladimir Oltean (1): net: dsa: improve shutdown sequence Wei Li (4): tracing/hwlat: Fix a race during cpuhp processing tracing/timerlat: Drop interface_lock in stop_kthread() tracing/timerlat: Fix a race during cpuhp processing tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Willem de Bruijn (2): vrf: revert "vrf: Remove unnecessary RCU-bh critical section" gso: fix udp gso fraglist segmentation after pull from frag_list Xiaxi Shen (1): ext4: fix timer use-after-free on failed mount Xin Long (1): sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Xiubo Li (1): ceph: remove the incorrect Fw reference check when dirtying pages Yang Shen (1): crypto: hisilicon - fix missed error branch Yang Wang (1): drm/amdgpu: add list empty check to avoid null pointer issue Yannick Fertre (1): drm/stm: ltdc: reset plane transparency after plane disable Yifei Liu (1): selftests: breakpoints: use remaining time to check if suspend succeed Yihan Zhu (1): drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35 Yonghong Song (1): bpf: Fix a sdiv overflow issue Yosry Ahmed (1): mm: z3fold: deprecate CONFIG_Z3FOLD Youssef Esmat (1): sched/core: Clear prev->dl_server in CFS pick fast path Yuezhang Mo (1): exfat: fix memory leak in exfat_load_bitmap() Yun Lu (1): selftest: hid: add missing run-hid-tools-tests.sh Zach Wade (1): platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Zhanjun Dong (1): drm/xe: Prevent null pointer access in xe_migrate_copy Zhao Mengmeng (1): jfs: Fix uninit-value access of new_ea in ea_buffer Zheng Wang (1): media: venus: fix use after free bug in venus_remove due to race condition Zhihao Cheng (1): ext4: dax: fix overflowing extents beyond inode size when partially writing Zhu Jun (1): tools/hv: Add memory allocation check in hv_fcopy_start Zong-Zhe Yang (2): wifi: rtw88: select WANT_DEV_COREDUMP wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Zqiang (1): rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() aln8 (1): platform/x86/amd: pmf: Add quirk for TUF Gaming A14 wangrong (1): smb: client: use actual path when queryfs yao.ly (1): ext4: correct encrypted dentry name hash when not casefolded zhang jiao (1): selftests: netfilter: Add missing return value

6 months, 3 weeks

1
1
0 0

[PATCH] leds: lp55xx: Fix check for invalid channel number

by Michal Vokáč

Prior to commit 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") the reg property (chan_nr) was parsed and stored as it was. Then, in lp55xx_init_led() function, it was checked if it is within valid range. In case it was not, an error message was printed and the driver probe failed. With the mentioned commit the reg property is checked right after it is read from the device tree. Comparison to the upper range is not correct though. Valid reg values are 0 to (max_channel - 1). So in case the parsed value is out of this (wrong) range the probe just fails and no error message is shown. Fix it by using proper comparison and print a message in case of an error. The check that is done in lp55xx_init_led() function is now redundant and can be removed. Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michal Vokáč <michal.vokac(a)ysoft.com> --- drivers/leds/leds-lp55xx-common.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c index 5a2e259679cf..055ee77455f9 100644 --- a/drivers/leds/leds-lp55xx-common.c +++ b/drivers/leds/leds-lp55xx-common.c @@ -512,12 +512,6 @@ static int lp55xx_init_led(struct lp55xx_led *led, led->max_current = pdata->led_config[chan].max_current; led->chan_nr = pdata->led_config[chan].chan_nr; - if (led->chan_nr >= max_channel) { - dev_err(dev, "Use channel numbers between 0 and %d\n", - max_channel - 1); - return -EINVAL; - } - if (pdata->led_config[chan].num_colors > 1) ret = devm_led_classdev_multicolor_register(dev, &led->mc_cdev); else @@ -1132,8 +1126,11 @@ static int lp55xx_parse_common_child(struct device_node *np, if (ret) return ret; - if (*chan_nr < 0 || *chan_nr > cfg->max_channel) + if (*chan_nr < 0 || *chan_nr >= cfg->max_channel) { + dev_err(dev, "Use channel numbers between 0 and %d\n", + cfg->max_channel - 1); return -EINVAL; + } return 0; } -- 2.1.4

6 months, 3 weeks

2
3
0 0

[PATCH 6.1] net/mlx5: Always drain health in shutdown callback

by Xiangyu Chen

From: Shay Drory <shayd(a)nvidia.com> [ Upstream commit 1b75da22ed1e6171e261bc9265370162553d5393 ] There is no point in recovery during device shutdown. if health work started need to wait for it to avoid races and NULL pointer access. Hence, drain health WQ on shutdown callback. Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver") Fixes: d2aa060d40fa ("net/mlx5: Cancel health poll before sending panic teardown command") Signed-off-by: Shay Drory <shayd(a)nvidia.com> Reviewed-by: Moshe Shemesh <moshe(a)nvidia.com> Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Reviewed-by: Wojciech Drewek <wojciech.drewek(a)intel.com> Link: https://patch.msgid.link/20240730061638.1831002-2-tariqt@nvidia.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Xiangyu: Modified to apply on 6.1.y to fix CVE-2024-43866] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c index 76af59cfdd0e..825ad7663fa4 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c @@ -1950,7 +1950,6 @@ static int mlx5_try_fast_unload(struct mlx5_core_dev *dev) /* Panic tear down fw command will stop the PCI bus communication * with the HCA, so the health poll is no longer needed. */ - mlx5_drain_health_wq(dev); mlx5_stop_health_poll(dev, false); ret = mlx5_cmd_fast_teardown_hca(dev); @@ -1985,6 +1984,7 @@ static void shutdown(struct pci_dev *pdev) mlx5_core_info(dev, "Shutdown was called\n"); set_bit(MLX5_BREAK_FW_WAIT, &dev->intf_state); + mlx5_drain_health_wq(dev); err = mlx5_try_fast_unload(dev); if (err) mlx5_unload_one(dev, false); diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c index 2424cdf9cca9..d6850eb0ed7f 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c @@ -75,6 +75,7 @@ static void mlx5_sf_dev_shutdown(struct auxiliary_device *adev) { struct mlx5_sf_dev *sf_dev = container_of(adev, struct mlx5_sf_dev, adev); + mlx5_drain_health_wq(sf_dev->mdev); mlx5_unload_one(sf_dev->mdev, false); } -- 2.43.0

6 months, 3 weeks

1
0
0 0

[PATCH v3 6.1/6.6] wifi: mac80211: Avoid address calculations via out of bounds array indexing

by Xiangyu Chen

From: Kenton Groombridge <concord(a)gentoo.org> [ Upstream commit 2663d0462eb32ae7c9b035300ab6b1523886c718 ] req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] <TASK> [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810 Co-authored-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Kenton Groombridge <concord(a)gentoo.org> Link: https://msgid.link/20240605152218.236061-1-concord@gentoo.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> [Xiangyu: Modified to apply on 6.1.y and 6.6.y] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- V1 -> V2: add v6.6 support V2 -> V3: add commit id from Linus's code tree --- net/mac80211/scan.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 62c22ff329ad..d81b49fb6458 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -357,7 +357,8 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_sub_if_data *sdata) struct cfg80211_scan_request *req; struct cfg80211_chan_def chandef; u8 bands_used = 0; - int i, ielen, n_chans; + int i, ielen; + u32 *n_chans; u32 flags = 0; req = rcu_dereference_protected(local->scan_req, @@ -367,34 +368,34 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_sub_if_data *sdata) return false; if (ieee80211_hw_check(&local->hw, SINGLE_SCAN_ON_ALL_BANDS)) { + local->hw_scan_req->req.n_channels = req->n_channels; + for (i = 0; i < req->n_channels; i++) { local->hw_scan_req->req.channels[i] = req->channels[i]; bands_used |= BIT(req->channels[i]->band); } - - n_chans = req->n_channels; } else { do { if (local->hw_scan_band == NUM_NL80211_BANDS) return false; - n_chans = 0; + n_chans = &local->hw_scan_req->req.n_channels; + *n_chans = 0; for (i = 0; i < req->n_channels; i++) { if (req->channels[i]->band != local->hw_scan_band) continue; - local->hw_scan_req->req.channels[n_chans] = + local->hw_scan_req->req.channels[(*n_chans)++] = req->channels[i]; - n_chans++; + bands_used |= BIT(req->channels[i]->band); } local->hw_scan_band++; - } while (!n_chans); + } while (!*n_chans); } - local->hw_scan_req->req.n_channels = n_chans; ieee80211_prepare_scan_chandef(&chandef, req->scan_width); if (req->flags & NL80211_SCAN_FLAG_MIN_PREQ_CONTENT) -- 2.43.0

6 months, 3 weeks

1
0
0 0

[PATCH v1 1/1] ufs: core: set SDEV_OFFLINE when ufs shutdown.

by Seunghwan Baek

There is a history of dead lock as reboot is performed at the beginning of booting. SDEV_QUIESCE was set for all lu's scsi_devices by ufs shutdown, and at that time the audio driver was waiting on blk_mq_submit_bio holding a mutex_lock while reading the fw binary. After that, a deadlock issue occurred while audio driver shutdown was waiting for mutex_unlock of blk_mq_submit_bio. To solve this, set SDEV_OFFLINE for all lus except wlun, so that any i/o that comes down after a ufs shutdown will return an error. [ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown] [ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49] [ 31.907806]I[0: swapper/0: 0] Call trace: [ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338 [ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc [ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8 [ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40 [ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac [ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24 [ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec [ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280 [ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c [ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280 [ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158 [ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4 [ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0 [ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0 [ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4 [ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4 [ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter] [ 31.908783]I[0: swapper/0: 0] Call trace: [ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338 [ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc [ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8 [ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178 [ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c [ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun") Cc: stable(a)vger.kernel.org Signed-off-by: Seunghwan Baek <sh8267.baek(a)samsung.com> --- drivers/ufs/core/ufshcd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a6f818cdef0e..4ac1492787c2 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -10215,7 +10215,9 @@ static void ufshcd_wl_shutdown(struct device *dev) shost_for_each_device(sdev, hba->host) { if (sdev == hba->ufs_device_wlun) continue; - scsi_device_quiesce(sdev); + mutex_lock(&sdev->state_mutex); + scsi_device_set_state(sdev, SDEV_OFFLINE); + mutex_unlock(&sdev->state_mutex); } __ufshcd_wl_suspend(hba, UFS_SHUTDOWN_PM); -- 2.17.1

6 months, 3 weeks

3
9
0 0

FAILED: patch "[PATCH] resource: fix region_intersects() vs" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b4afe4183ec77f230851ea139d91e5cf2644c68b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100733-tiara-detective-885e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: b4afe4183ec7 ("resource: fix region_intersects() vs add_memory_driver_managed()") 14b80582c43e ("resource: Introduce alloc_free_mem_region()") 27674ef6c73f ("mm: remove the extra ZONE_DEVICE struct page refcount") dc90f0846df4 ("mm: don't include <linux/memremap.h> in <linux/mm.h>") 895749455f60 ("mm: simplify freeing of devmap managed pages") 75e55d8a107e ("mm: move free_devmap_managed_page to memremap.c") 730ff52194cd ("mm: remove pointless includes from <linux/hmm.h>") f56caedaf94f ("Merge branch 'akpm' (patches from Andrew)") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b4afe4183ec77f230851ea139d91e5cf2644c68b Mon Sep 17 00:00:00 2001 From: Huang Ying <ying.huang(a)intel.com> Date: Fri, 6 Sep 2024 11:07:11 +0800 Subject: [PATCH] resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue. During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM. ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d Call Trace: memremap+0xcb/0x184 xlate_dev_mem_ptr+0x25/0x2f write_mem+0x94/0xfb vfs_write+0x128/0x26d ksys_write+0xac/0xfe do_syscall_64+0x9a/0xfd entry_SYSCALL_64_after_hwframe+0x4b/0x53 The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and reject the access. So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found a unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore. In the new implementation, an example resource tree |------------- "CXL Window 0" ------------| |-- "System RAM" --| will behave similar as the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ), |-- "System RAM" --||-- "CXL Window 0a" --| Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM". Link: https://lkml.kernel.org/r/20240906030713.204292-2-ying.huang@intel.com Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") Signed-off-by: "Huang, Ying" <ying.huang(a)intel.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Davidlohr Bueso <dave(a)stgolabs.net> Cc: Jonathan Cameron <jonathan.cameron(a)huawei.com> Cc: Dave Jiang <dave.jiang(a)intel.com> Cc: Alison Schofield <alison.schofield(a)intel.com> Cc: Vishal Verma <vishal.l.verma(a)intel.com> Cc: Ira Weiny <ira.weiny(a)intel.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/kernel/resource.c b/kernel/resource.c index 14777afb0a99..235dc77f8add 100644 --- a/kernel/resource.c +++ b/kernel/resource.c @@ -540,20 +540,62 @@ static int __region_intersects(struct resource *parent, resource_size_t start, size_t size, unsigned long flags, unsigned long desc) { - struct resource res; + resource_size_t ostart, oend; int type = 0; int other = 0; - struct resource *p; + struct resource *p, *dp; + bool is_type, covered; + struct resource res; res.start = start; res.end = start + size - 1; for (p = parent->child; p ; p = p->sibling) { - bool is_type = (((p->flags & flags) == flags) && - ((desc == IORES_DESC_NONE) || - (desc == p->desc))); - - if (resource_overlaps(p, &res)) - is_type ? type++ : other++; + if (!resource_overlaps(p, &res)) + continue; + is_type = (p->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == p->desc); + if (is_type) { + type++; + continue; + } + /* + * Continue to search in descendant resources as if the + * matched descendant resources cover some ranges of 'p'. + * + * |------------- "CXL Window 0" ------------| + * |-- "System RAM" --| + * + * will behave similar as the following fake resource + * tree when searching "System RAM". + * + * |-- "System RAM" --||-- "CXL Window 0a" --| + */ + covered = false; + ostart = max(res.start, p->start); + oend = min(res.end, p->end); + for_each_resource(p, dp, false) { + if (!resource_overlaps(dp, &res)) + continue; + is_type = (dp->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == dp->desc); + if (is_type) { + type++; + /* + * Range from 'ostart' to 'dp->start' + * isn't covered by matched resource. + */ + if (dp->start > ostart) + break; + if (dp->end >= oend) { + covered = true; + break; + } + /* Remove covered range */ + ostart = max(ostart, dp->end + 1); + } + } + if (!covered) + other++; } if (type == 0)

6 months, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] resource: fix region_intersects() vs" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b4afe4183ec77f230851ea139d91e5cf2644c68b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100732-disinfect-spied-83fc@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: b4afe4183ec7 ("resource: fix region_intersects() vs add_memory_driver_managed()") 14b80582c43e ("resource: Introduce alloc_free_mem_region()") 27674ef6c73f ("mm: remove the extra ZONE_DEVICE struct page refcount") dc90f0846df4 ("mm: don't include <linux/memremap.h> in <linux/mm.h>") 895749455f60 ("mm: simplify freeing of devmap managed pages") 75e55d8a107e ("mm: move free_devmap_managed_page to memremap.c") 730ff52194cd ("mm: remove pointless includes from <linux/hmm.h>") f56caedaf94f ("Merge branch 'akpm' (patches from Andrew)") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b4afe4183ec77f230851ea139d91e5cf2644c68b Mon Sep 17 00:00:00 2001 From: Huang Ying <ying.huang(a)intel.com> Date: Fri, 6 Sep 2024 11:07:11 +0800 Subject: [PATCH] resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue. During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM. ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d Call Trace: memremap+0xcb/0x184 xlate_dev_mem_ptr+0x25/0x2f write_mem+0x94/0xfb vfs_write+0x128/0x26d ksys_write+0xac/0xfe do_syscall_64+0x9a/0xfd entry_SYSCALL_64_after_hwframe+0x4b/0x53 The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and reject the access. So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found a unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore. In the new implementation, an example resource tree |------------- "CXL Window 0" ------------| |-- "System RAM" --| will behave similar as the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ), |-- "System RAM" --||-- "CXL Window 0a" --| Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM". Link: https://lkml.kernel.org/r/20240906030713.204292-2-ying.huang@intel.com Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") Signed-off-by: "Huang, Ying" <ying.huang(a)intel.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Davidlohr Bueso <dave(a)stgolabs.net> Cc: Jonathan Cameron <jonathan.cameron(a)huawei.com> Cc: Dave Jiang <dave.jiang(a)intel.com> Cc: Alison Schofield <alison.schofield(a)intel.com> Cc: Vishal Verma <vishal.l.verma(a)intel.com> Cc: Ira Weiny <ira.weiny(a)intel.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/kernel/resource.c b/kernel/resource.c index 14777afb0a99..235dc77f8add 100644 --- a/kernel/resource.c +++ b/kernel/resource.c @@ -540,20 +540,62 @@ static int __region_intersects(struct resource *parent, resource_size_t start, size_t size, unsigned long flags, unsigned long desc) { - struct resource res; + resource_size_t ostart, oend; int type = 0; int other = 0; - struct resource *p; + struct resource *p, *dp; + bool is_type, covered; + struct resource res; res.start = start; res.end = start + size - 1; for (p = parent->child; p ; p = p->sibling) { - bool is_type = (((p->flags & flags) == flags) && - ((desc == IORES_DESC_NONE) || - (desc == p->desc))); - - if (resource_overlaps(p, &res)) - is_type ? type++ : other++; + if (!resource_overlaps(p, &res)) + continue; + is_type = (p->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == p->desc); + if (is_type) { + type++; + continue; + } + /* + * Continue to search in descendant resources as if the + * matched descendant resources cover some ranges of 'p'. + * + * |------------- "CXL Window 0" ------------| + * |-- "System RAM" --| + * + * will behave similar as the following fake resource + * tree when searching "System RAM". + * + * |-- "System RAM" --||-- "CXL Window 0a" --| + */ + covered = false; + ostart = max(res.start, p->start); + oend = min(res.end, p->end); + for_each_resource(p, dp, false) { + if (!resource_overlaps(dp, &res)) + continue; + is_type = (dp->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == dp->desc); + if (is_type) { + type++; + /* + * Range from 'ostart' to 'dp->start' + * isn't covered by matched resource. + */ + if (dp->start > ostart) + break; + if (dp->end >= oend) { + covered = true; + break; + } + /* Remove covered range */ + ostart = max(ostart, dp->end + 1); + } + } + if (!covered) + other++; } if (type == 0)

6 months, 3 weeks

4
4
0 0

FAILED: patch "[PATCH] resource: fix region_intersects() vs" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b4afe4183ec77f230851ea139d91e5cf2644c68b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100725-galore-pout-d68c@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: b4afe4183ec7 ("resource: fix region_intersects() vs add_memory_driver_managed()") 14b80582c43e ("resource: Introduce alloc_free_mem_region()") 27674ef6c73f ("mm: remove the extra ZONE_DEVICE struct page refcount") dc90f0846df4 ("mm: don't include <linux/memremap.h> in <linux/mm.h>") 895749455f60 ("mm: simplify freeing of devmap managed pages") 75e55d8a107e ("mm: move free_devmap_managed_page to memremap.c") 730ff52194cd ("mm: remove pointless includes from <linux/hmm.h>") f56caedaf94f ("Merge branch 'akpm' (patches from Andrew)") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b4afe4183ec77f230851ea139d91e5cf2644c68b Mon Sep 17 00:00:00 2001 From: Huang Ying <ying.huang(a)intel.com> Date: Fri, 6 Sep 2024 11:07:11 +0800 Subject: [PATCH] resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue. During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM. ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d Call Trace: memremap+0xcb/0x184 xlate_dev_mem_ptr+0x25/0x2f write_mem+0x94/0xfb vfs_write+0x128/0x26d ksys_write+0xac/0xfe do_syscall_64+0x9a/0xfd entry_SYSCALL_64_after_hwframe+0x4b/0x53 The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and reject the access. So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found a unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore. In the new implementation, an example resource tree |------------- "CXL Window 0" ------------| |-- "System RAM" --| will behave similar as the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ), |-- "System RAM" --||-- "CXL Window 0a" --| Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM". Link: https://lkml.kernel.org/r/20240906030713.204292-2-ying.huang@intel.com Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM") Signed-off-by: "Huang, Ying" <ying.huang(a)intel.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Davidlohr Bueso <dave(a)stgolabs.net> Cc: Jonathan Cameron <jonathan.cameron(a)huawei.com> Cc: Dave Jiang <dave.jiang(a)intel.com> Cc: Alison Schofield <alison.schofield(a)intel.com> Cc: Vishal Verma <vishal.l.verma(a)intel.com> Cc: Ira Weiny <ira.weiny(a)intel.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/kernel/resource.c b/kernel/resource.c index 14777afb0a99..235dc77f8add 100644 --- a/kernel/resource.c +++ b/kernel/resource.c @@ -540,20 +540,62 @@ static int __region_intersects(struct resource *parent, resource_size_t start, size_t size, unsigned long flags, unsigned long desc) { - struct resource res; + resource_size_t ostart, oend; int type = 0; int other = 0; - struct resource *p; + struct resource *p, *dp; + bool is_type, covered; + struct resource res; res.start = start; res.end = start + size - 1; for (p = parent->child; p ; p = p->sibling) { - bool is_type = (((p->flags & flags) == flags) && - ((desc == IORES_DESC_NONE) || - (desc == p->desc))); - - if (resource_overlaps(p, &res)) - is_type ? type++ : other++; + if (!resource_overlaps(p, &res)) + continue; + is_type = (p->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == p->desc); + if (is_type) { + type++; + continue; + } + /* + * Continue to search in descendant resources as if the + * matched descendant resources cover some ranges of 'p'. + * + * |------------- "CXL Window 0" ------------| + * |-- "System RAM" --| + * + * will behave similar as the following fake resource + * tree when searching "System RAM". + * + * |-- "System RAM" --||-- "CXL Window 0a" --| + */ + covered = false; + ostart = max(res.start, p->start); + oend = min(res.end, p->end); + for_each_resource(p, dp, false) { + if (!resource_overlaps(dp, &res)) + continue; + is_type = (dp->flags & flags) == flags && + (desc == IORES_DESC_NONE || desc == dp->desc); + if (is_type) { + type++; + /* + * Range from 'ostart' to 'dp->start' + * isn't covered by matched resource. + */ + if (dp->start > ostart) + break; + if (dp->end >= oend) { + covered = true; + break; + } + /* Remove covered range */ + ostart = max(ostart, dp->end + 1); + } + } + if (!covered) + other++; } if (type == 0)

6 months, 3 weeks

2
2
0 0

[PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown

by Guo Xuenan

commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 upstream. xfs log io error will trigger xlog shut down, and end_io worker call xlog_state_shutdown_callbacks to unpin and release the buf log item. The race condition is that when there are some thread doing transaction commit and happened not to be intercepted by xlog_is_shutdown, then, these log item will be insert into CIL, when unpin and release these buf log item, UAF will occur. BTW, add delay before `xlog_cil_commit` can increase recurrence probability. The following call graph actually encountered this bad situation. fsstress io end worker kworker/0:1H-216 xlog_ioend_work ->xlog_force_shutdown ->xlog_state_shutdown_callbacks ->xlog_cil_process_committed ->xlog_cil_committed ->xfs_trans_committed_bulk ->xfs_trans_apply_sb_deltas ->li_ops->iop_unpin(lip, 1); ->xfs_trans_getsb ->_xfs_trans_bjoin ->xfs_buf_item_init ->if (bip) { return 0;} //relog ->xlog_cil_commit ->xlog_cil_insert_items //insert into CIL ->xfs_buf_ioend_fail(bp); ->xfs_buf_ioend ->xfs_buf_item_done ->xfs_buf_item_relse ->xfs_buf_item_free when cil push worker gather percpu cil and insert super block buf log item into ctx->log_items then uaf occurs. ================================================================== BUG: KASAN: use-after-free in xlog_cil_push_work+0x1c8f/0x22f0 Write of size 8 at addr ffff88801800f3f0 by task kworker/u4:4/105 CPU: 0 PID: 105 Comm: kworker/u4:4 Tainted: G W 6.1.0-rc1-00001-g274115149b42 #136 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: xfs-cil/sda xlog_cil_push_work Call Trace: <TASK> dump_stack_lvl+0x4d/0x66 print_report+0x171/0x4a6 kasan_report+0xb3/0x130 xlog_cil_push_work+0x1c8f/0x22f0 process_one_work+0x6f9/0xf70 worker_thread+0x578/0xf30 kthread+0x28c/0x330 ret_from_fork+0x1f/0x30 </TASK> Allocated by task 2145: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x54/0x60 kmem_cache_alloc+0x14a/0x510 xfs_buf_item_init+0x160/0x6d0 _xfs_trans_bjoin+0x7f/0x2e0 xfs_trans_getsb+0xb6/0x3f0 xfs_trans_apply_sb_deltas+0x1f/0x8c0 __xfs_trans_commit+0xa25/0xe10 xfs_symlink+0xe23/0x1660 xfs_vn_symlink+0x157/0x280 vfs_symlink+0x491/0x790 do_symlinkat+0x128/0x220 __x64_sys_symlink+0x7a/0x90 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 216: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 __kasan_slab_free+0x105/0x1a0 kmem_cache_free+0xb6/0x460 xfs_buf_ioend+0x1e9/0x11f0 xfs_buf_item_unpin+0x3d6/0x840 xfs_trans_committed_bulk+0x4c2/0x7c0 xlog_cil_committed+0xab6/0xfb0 xlog_cil_process_committed+0x117/0x1e0 xlog_state_shutdown_callbacks+0x208/0x440 xlog_force_shutdown+0x1b3/0x3a0 xlog_ioend_work+0xef/0x1d0 process_one_work+0x6f9/0xf70 worker_thread+0x578/0xf30 kthread+0x28c/0x330 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff88801800f388 which belongs to the cache xfs_buf_item of size 272 The buggy address is located 104 bytes inside of 272-byte region [ffff88801800f388, ffff88801800f498) The buggy address belongs to the physical page: page:ffffea0000600380 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801800f208 pfn:0x1800e head:ffffea0000600380 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x1fffff80010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) raw: 001fffff80010200 ffffea0000699788 ffff88801319db50 ffff88800fb50640 raw: ffff88801800f208 000000000015000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88801800f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801800f300: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88801800f380: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88801800f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801800f480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== Disabling lock debugging due to kernel taint Signed-off-by: Guo Xuenan <guoxuenan(a)huawei.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Chang Yu <marcus.yu.56(a)gmail.com> --- The fix 575689fc0ffa ("xfs: fix super block buf log item UAF during force shutdown") was first introduced in v6.2-rc1. Syzkaller reports that the UAF bug is still present in linux-5.15.y (https://syzkaller.appspot.com/bug?extid=4d9a694803b65e21655b). I think a backport should be beneficial here. --- fs/xfs/xfs_buf_item.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c index b1ab100c09e1..ffe318eb897f 100644 --- a/fs/xfs/xfs_buf_item.c +++ b/fs/xfs/xfs_buf_item.c @@ -1017,6 +1017,8 @@ xfs_buf_item_relse( trace_xfs_buf_item_relse(bp, _RET_IP_); ASSERT(!test_bit(XFS_LI_IN_AIL, &bip->bli_item.li_flags)); + if (atomic_read(&bip->bli_refcount)) + return; bp->b_log_item = NULL; xfs_buf_rele(bp); xfs_buf_item_free(bip); -- 2.46.2

6 months, 3 weeks

1
0
0 0

[PATCH 6.1] Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails

by Xiangyu Chen

From: Rick Edgecombe <rick.p.edgecombe(a)intel.com> In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens. Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Link: https://lore.kernel.org/r/20240311161558.1310-2-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240311161558.1310-2-mhklinux(a)outlook.com> [Xiangyu: Modified to apply on 6.1.y] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/hv/connection.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index da51b50787df..c74088b69a5f 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -243,8 +243,17 @@ int vmbus_connect(void) ret |= set_memory_decrypted((unsigned long) vmbus_connection.monitor_pages[1], 1); - if (ret) + if (ret) { + /* + * If set_memory_decrypted() fails, the encryption state + * of the memory is unknown. So leak the memory instead + * of risking returning decrypted memory to the free list. + * For simplicity, always handle both pages the same. + */ + vmbus_connection.monitor_pages[0] = NULL; + vmbus_connection.monitor_pages[1] = NULL; goto cleanup; + } /* * Isolation VM with AMD SNP needs to access monitor page via -- 2.43.0

6 months, 3 weeks

3
4
0 0

[PATCH net 0/4] mptcp: misc. fixes involving fallback to TCP

by Matthieu Baerts (NGI0)

- Patch 1: better handle DSS corruptions from a bugged peer: reducing warnings, doing a fallback or a reset depending on the subflow state. For >= v5.7. - Patch 2: fix DSS corruption due to large pmtu xmit, where MPTCP was not taken into account. For >= v5.6. - Patch 3: fallback when MPTCP opts are dropped after the first data packet, instead of resetting the connection. For >= v5.6. - Patch 4: restrict the removal of a subflow to other closing states, a better fix, for a recent one. For >= v5.10. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (2): mptcp: fallback when MPTCP opts are dropped after 1st data mptcp: pm: do not remove closing subflows Paolo Abeni (2): mptcp: handle consistently DSS corruption tcp: fix mptcp DSS corruption due to large pmtu xmit net/ipv4/tcp_output.c | 5 +---- net/mptcp/mib.c | 2 ++ net/mptcp/mib.h | 2 ++ net/mptcp/pm_netlink.c | 3 ++- net/mptcp/protocol.c | 24 +++++++++++++++++++++--- net/mptcp/subflow.c | 6 ++++-- 6 files changed, 32 insertions(+), 10 deletions(-) --- base-commit: f15b8d6eb63874230e36a45dd24239050a6f6250 change-id: 20241008-net-mptcp-fallback-fixes-16a9afee238e Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

6 months, 3 weeks

2
5
0 0

[PATCH] spmi: pmic-arb: fix return path in for_each_available_child_of_node()

by Javier Carrasco

This loop requires explicit calls to of_node_put() upon early exits (break, goto, return) to decrement the child refcounter and avoid memory leaks if the child is not required out of the loop. A more robust solution is using the scoped variant of the macro, which automatically calls of_node_put() when the child goes out of scope. Cc: stable(a)vger.kernel.org Fixes: 979987371739 ("spmi: pmic-arb: Add multi bus support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- drivers/spmi/spmi-pmic-arb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c index 9ba9495fcc4b..ea843159b745 100644 --- a/drivers/spmi/spmi-pmic-arb.c +++ b/drivers/spmi/spmi-pmic-arb.c @@ -1763,14 +1763,13 @@ static int spmi_pmic_arb_register_buses(struct spmi_pmic_arb *pmic_arb, { struct device *dev = &pdev->dev; struct device_node *node = dev->of_node; - struct device_node *child; int ret; /* legacy mode doesn't provide child node for the bus */ if (of_device_is_compatible(node, "qcom,spmi-pmic-arb")) return spmi_pmic_arb_bus_init(pdev, node, pmic_arb); - for_each_available_child_of_node(node, child) { + for_each_available_child_of_node_scoped(node, child) { if (of_node_name_eq(child, "spmi")) { ret = spmi_pmic_arb_bus_init(pdev, child, pmic_arb); if (ret) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241001-spmi-pmic-arb-scoped-a4b90179edef Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

6 months, 3 weeks

3
2
0 0

[PATCH 1/1] selftests/rseq: Fix mm_cid test failure

by Mathieu Desnoyers

Adapt the rseq.c/rseq.h code to follow GNU C library changes introduced by: glibc commit 2e456ccf0c34 ("Linux: Make __rseq_size useful for feature detection (bug 31965)") Without this fix, rseq selftests for mm_cid fail: ./run_param_test.sh Default parameters Running test spinlock Running compare-twice test spinlock Running mm_cid test spinlock Error: cpu id getter unavailable [ This is based on the following branch: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git branch: fixes ] Fixes: 18c2355838e7 ("selftests/rseq: Implement rseq mm_cid field support") Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Peter Zijlstra <peterz(a)infradead.org> CC: Boqun Feng <boqun.feng(a)gmail.com> CC: "Paul E. McKenney" <paulmck(a)kernel.org> Cc: Shuah Khan <skhan(a)linuxfoundation.org> CC: Carlos O'Donell <carlos(a)redhat.com> CC: Florian Weimer <fweimer(a)redhat.com> CC: linux-kselftest(a)vger.kernel.org CC: stable(a)vger.kernel.org --- tools/testing/selftests/rseq/rseq.c | 110 +++++++++++++++++++--------- tools/testing/selftests/rseq/rseq.h | 10 +-- 2 files changed, 77 insertions(+), 43 deletions(-) diff --git a/tools/testing/selftests/rseq/rseq.c b/tools/testing/selftests/rseq/rseq.c index 96e812bdf8a4..5b9772cdf265 100644 --- a/tools/testing/selftests/rseq/rseq.c +++ b/tools/testing/selftests/rseq/rseq.c @@ -60,12 +60,6 @@ unsigned int rseq_size = -1U; /* Flags used during rseq registration. */ unsigned int rseq_flags; -/* - * rseq feature size supported by the kernel. 0 if the registration was - * unsuccessful. - */ -unsigned int rseq_feature_size = -1U; - static int rseq_ownership; static int rseq_reg_success; /* At least one rseq registration has succeded. */ @@ -111,6 +105,43 @@ int rseq_available(void) } } +/* The rseq areas need to be at least 32 bytes. */ +static +unsigned int get_rseq_min_alloc_size(void) +{ + unsigned int alloc_size = rseq_size; + + if (alloc_size < ORIG_RSEQ_ALLOC_SIZE) + alloc_size = ORIG_RSEQ_ALLOC_SIZE; + return alloc_size; +} + +/* + * Return the feature size supported by the kernel. + * + * Depending on the value returned by getauxval(AT_RSEQ_FEATURE_SIZE): + * + * 0: Return ORIG_RSEQ_FEATURE_SIZE (20) + * > 0: Return the value from getauxval(AT_RSEQ_FEATURE_SIZE). + * + * It should never return a value below ORIG_RSEQ_FEATURE_SIZE. + */ +static +unsigned int get_rseq_kernel_feature_size(void) +{ + unsigned long auxv_rseq_feature_size, auxv_rseq_align; + + auxv_rseq_align = getauxval(AT_RSEQ_ALIGN); + assert(!auxv_rseq_align || auxv_rseq_align <= RSEQ_THREAD_AREA_ALLOC_SIZE); + + auxv_rseq_feature_size = getauxval(AT_RSEQ_FEATURE_SIZE); + assert(!auxv_rseq_feature_size || auxv_rseq_feature_size <= RSEQ_THREAD_AREA_ALLOC_SIZE); + if (auxv_rseq_feature_size) + return auxv_rseq_feature_size; + else + return ORIG_RSEQ_FEATURE_SIZE; +} + int rseq_register_current_thread(void) { int rc; @@ -119,7 +150,7 @@ int rseq_register_current_thread(void) /* Treat libc's ownership as a successful registration. */ return 0; } - rc = sys_rseq(&__rseq_abi, rseq_size, 0, RSEQ_SIG); + rc = sys_rseq(&__rseq_abi, get_rseq_min_alloc_size(), 0, RSEQ_SIG); if (rc) { if (RSEQ_READ_ONCE(rseq_reg_success)) { /* Incoherent success/failure within process. */ @@ -140,28 +171,12 @@ int rseq_unregister_current_thread(void) /* Treat libc's ownership as a successful unregistration. */ return 0; } - rc = sys_rseq(&__rseq_abi, rseq_size, RSEQ_ABI_FLAG_UNREGISTER, RSEQ_SIG); + rc = sys_rseq(&__rseq_abi, get_rseq_min_alloc_size(), RSEQ_ABI_FLAG_UNREGISTER, RSEQ_SIG); if (rc) return -1; return 0; } -static -unsigned int get_rseq_feature_size(void) -{ - unsigned long auxv_rseq_feature_size, auxv_rseq_align; - - auxv_rseq_align = getauxval(AT_RSEQ_ALIGN); - assert(!auxv_rseq_align || auxv_rseq_align <= RSEQ_THREAD_AREA_ALLOC_SIZE); - - auxv_rseq_feature_size = getauxval(AT_RSEQ_FEATURE_SIZE); - assert(!auxv_rseq_feature_size || auxv_rseq_feature_size <= RSEQ_THREAD_AREA_ALLOC_SIZE); - if (auxv_rseq_feature_size) - return auxv_rseq_feature_size; - else - return ORIG_RSEQ_FEATURE_SIZE; -} - static __attribute__((constructor)) void rseq_init(void) { @@ -178,28 +193,54 @@ void rseq_init(void) } if (libc_rseq_size_p && libc_rseq_offset_p && libc_rseq_flags_p && *libc_rseq_size_p != 0) { + unsigned int libc_rseq_size; + /* rseq registration owned by glibc */ rseq_offset = *libc_rseq_offset_p; - rseq_size = *libc_rseq_size_p; + libc_rseq_size = *libc_rseq_size_p; rseq_flags = *libc_rseq_flags_p; - rseq_feature_size = get_rseq_feature_size(); - if (rseq_feature_size > rseq_size) - rseq_feature_size = rseq_size; + + /* + * Previous versions of glibc expose the value + * 32 even though the kernel only supported 20 + * bytes initially. Therefore treat 32 as a + * special-case. glibc 2.40 exposes a 20 bytes + * __rseq_size without using getauxval(3) to + * query the supported size, while still allocating a 32 + * bytes area. Also treat 20 as a special-case. + * + * Special-cases are handled by using the following + * value as active feature set size: + * + * rseq_size = min(32, get_rseq_kernel_feature_size()) + */ + switch (libc_rseq_size) { + case ORIG_RSEQ_FEATURE_SIZE: + fallthrough; + case ORIG_RSEQ_ALLOC_SIZE: + { + unsigned int rseq_kernel_feature_size = get_rseq_kernel_feature_size(); + + if (rseq_kernel_feature_size < ORIG_RSEQ_ALLOC_SIZE) + rseq_size = rseq_kernel_feature_size; + else + rseq_size = ORIG_RSEQ_ALLOC_SIZE; + break; + } + default: + /* Otherwise just use the __rseq_size from libc as rseq_size. */ + rseq_size = libc_rseq_size; + break; + } return; } rseq_ownership = 1; if (!rseq_available()) { rseq_size = 0; - rseq_feature_size = 0; return; } rseq_offset = (void *)&__rseq_abi - rseq_thread_pointer(); rseq_flags = 0; - rseq_feature_size = get_rseq_feature_size(); - if (rseq_feature_size == ORIG_RSEQ_FEATURE_SIZE) - rseq_size = ORIG_RSEQ_ALLOC_SIZE; - else - rseq_size = RSEQ_THREAD_AREA_ALLOC_SIZE; } static __attribute__((destructor)) @@ -209,7 +250,6 @@ void rseq_exit(void) return; rseq_offset = 0; rseq_size = -1U; - rseq_feature_size = -1U; rseq_ownership = 0; } diff --git a/tools/testing/selftests/rseq/rseq.h b/tools/testing/selftests/rseq/rseq.h index d7364ea4d201..4e217b620e0c 100644 --- a/tools/testing/selftests/rseq/rseq.h +++ b/tools/testing/selftests/rseq/rseq.h @@ -68,12 +68,6 @@ extern unsigned int rseq_size; /* Flags used during rseq registration. */ extern unsigned int rseq_flags; -/* - * rseq feature size supported by the kernel. 0 if the registration was - * unsuccessful. - */ -extern unsigned int rseq_feature_size; - enum rseq_mo { RSEQ_MO_RELAXED = 0, RSEQ_MO_CONSUME = 1, /* Unused */ @@ -193,7 +187,7 @@ static inline uint32_t rseq_current_cpu(void) static inline bool rseq_node_id_available(void) { - return (int) rseq_feature_size >= rseq_offsetofend(struct rseq_abi, node_id); + return (int) rseq_size >= rseq_offsetofend(struct rseq_abi, node_id); } /* @@ -207,7 +201,7 @@ static inline uint32_t rseq_current_node_id(void) static inline bool rseq_mm_cid_available(void) { - return (int) rseq_feature_size >= rseq_offsetofend(struct rseq_abi, mm_cid); + return (int) rseq_size >= rseq_offsetofend(struct rseq_abi, mm_cid); } static inline uint32_t rseq_current_mm_cid(void) -- 2.39.2

6 months, 3 weeks

2
1
0 0

[PATCH 1/1] nfsd: fix possible badness in FREE_STATEID

by Olga Kornievskaia

When multiple FREE_STATEIDs are sent for the same delegation stateid, it can lead to a possible either use-after-tree or counter refcount underflow errors. In nfsd4_free_stateid() under the client lock we find a delegation stateid, however the code drops the lock before calling nfs4_put_stid(), that allows another FREE_STATE to find the stateid again. The first one will proceed to then free the stateid which leads to either use-after-free or decrementing already zerod counter. CC: stable(a)vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev(a)redhat.com> --- fs/nfsd/nfs4state.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index ac1859c7cc9d..56b261608af4 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -7154,6 +7154,7 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, switch (s->sc_type) { case SC_TYPE_DELEG: if (s->sc_status & SC_STATUS_REVOKED) { + s->sc_status |= SC_STATUS_CLOSED; spin_unlock(&s->sc_lock); dp = delegstateid(s); list_del_init(&dp->dl_recall_lru); -- 2.43.5

6 months, 3 weeks

8
10
0 0

[PATCH v10 2/2] ufs: core: requeue aborted request

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> After the SQ cleanup fix, the CQ will receive a response with the corresponding tag marked as OCS: ABORTED. To align with the behavior of Legacy SDB mode, the handling of OCS: ABORTED has been changed to match that of OCS_INVALID_COMMAND_STATUS (SDB), with both returning a SCSI result of DID_REQUEUE. Furthermore, the workaround implemented before the SQ cleanup fix can be removed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 24a32e2fd75e..8e2a7889a565 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -5417,10 +5417,12 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; - break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; + dev_warn(hba->dev, + "OCS %s from controller for tag %d\n", + (ocs == OCS_ABORTED? "aborted" : "invalid"), + lrbp->task_tag); break; case OCS_INVALID_CMD_TABLE_ATTR: case OCS_INVALID_PRDT_ATTR: @@ -6466,26 +6468,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct scsi_device *sdev = cmd->device; struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); - struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } - return *ret == 0; } -- 2.45.2

6 months, 3 weeks

2
1
0 0

[PATCH] firmware/psci: fix missing '%u' format literal in kthread_create_on_cpu()

by Alexander Lobakin

kthread_create_on_cpu() always requires format string to contain one '%u' at the end, as it automatically adds the CPU ID when passing it to kthread_create_on_node(). The former isn't marked as __printf() as it's not printf-like itself, which effectively hides this from the compiler. If you convert this function to printf-like, you'll see the following: In file included from drivers/firmware/psci/psci_checker.c:15: drivers/firmware/psci/psci_checker.c: In function 'suspend_tests': drivers/firmware/psci/psci_checker.c:401:48: warning: too many arguments for format [-Wformat-extra-args] 401 | "psci_suspend_test"); | ^~~~~~~~~~~~~~~~~~~ drivers/firmware/psci/psci_checker.c:400:32: warning: data argument not used by format string [-Wformat-extra-args] 400 | (void *)(long)cpu, cpu, | ^ 401 | "psci_suspend_test"); | ~~~~~~~~~~~~~~~~~~~ Add the missing format literal to fix this. Now the corresponding kthread will be named as "psci_suspend_test-<cpuid>", as it's meant by kthread_create_on_cpu(). Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202408141012.KhvKaxoh-lkp@intel.com Closes: https://lore.kernel.org/oe-kbuild-all/202408141243.eQiEOQQe-lkp@intel.com Fixes: ea8b1c4a6019 ("drivers: psci: PSCI checker module") Cc: stable(a)vger.kernel.org # 4.10+ Signed-off-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> --- drivers/firmware/psci/psci_checker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/psci/psci_checker.c b/drivers/firmware/psci/psci_checker.c index 116eb465cdb4..ecc511c745ce 100644 --- a/drivers/firmware/psci/psci_checker.c +++ b/drivers/firmware/psci/psci_checker.c @@ -398,7 +398,7 @@ static int suspend_tests(void) thread = kthread_create_on_cpu(suspend_test_thread, (void *)(long)cpu, cpu, - "psci_suspend_test"); + "psci_suspend_test-%u"); if (IS_ERR(thread)) pr_err("Failed to create kthread on CPU %d\n", cpu); else -- 2.46.2

6 months, 3 weeks

3
3
0 0

[tip: x86/urgent] x86/bugs: Use code segment selector for VERW operand

by tip-bot2 for Pawan Gupta

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 785bf1ab58aa1f89a5dfcb17b682b7089d69c34f Gitweb: https://git.kernel.org/tip/785bf1ab58aa1f89a5dfcb17b682b7089d69c34f Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> AuthorDate: Thu, 26 Sep 2024 09:10:31 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 08 Oct 2024 15:19:21 -07:00 x86/bugs: Use code segment selector for VERW operand Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds. Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Reported-by: Robert Gill <rtgill82(a)gmail.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com Cc: stable(a)vger.kernel.org # 5.10+ Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.i… Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Suggested-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- arch/x86/include/asm/nospec-branch.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index ff5f1ec..96b410b 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -323,7 +323,16 @@ * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF +#ifdef CONFIG_X86_64 + ALTERNATIVE "", "verw mds_verw_sel(%rip)", X86_FEATURE_CLEAR_CPU_BUF +#else + /* + * In 32bit mode, the memory operand must be a %cs reference. The data + * segments may not be usable (vm86 mode), and the stack segment may not + * be flat (ESPFIX32). + */ + ALTERNATIVE "", "verw %cs:mds_verw_sel", X86_FEATURE_CLEAR_CPU_BUF +#endif .endm #ifdef CONFIG_X86_64

6 months, 3 weeks

5
6
0 0

[PATCH v3 4/9] serial: qcom-geni: fix dma rx cancellation

by Johan Hovold

Make sure to wait for the DMA transfer to complete when cancelling the rx command on stop_rx(). This specifically prevents the DMA completion interrupt from firing after rx has been restarted, something which can lead to an IOMMU fault and hosed rx when the interrupt handler unmaps the DMA buffer for the new command: qcom_geni_serial 988000.serial: serial engine reports 0 RX bytes in! arm-smmu 15000000.iommu: FSR = 00000402 [Format=2 TF], SID=0x563 arm-smmu 15000000.iommu: FSYNR0 = 00210013 [S1CBNDX=33 WNR PLVL=3] Bluetooth: hci0: command 0xfc00 tx timeout Bluetooth: hci0: Reading QCA version information failed (-110) Also add the missing state machine reset which is needed in case cancellation fails. Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA") Cc: stable(a)vger.kernel.org # 6.3 Cc: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 87cd974b76bf..aaf24bd037a7 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -805,17 +805,27 @@ static void qcom_geni_serial_start_rx_fifo(struct uart_port *uport) static void qcom_geni_serial_stop_rx_dma(struct uart_port *uport) { struct qcom_geni_serial_port *port = to_dev_port(uport); + bool done; if (!qcom_geni_serial_secondary_active(uport)) return; geni_se_cancel_s_cmd(&port->se); - qcom_geni_serial_poll_bit(uport, SE_GENI_S_IRQ_STATUS, - S_CMD_CANCEL_EN, true); - - if (qcom_geni_serial_secondary_active(uport)) + done = qcom_geni_serial_poll_bit(uport, SE_DMA_RX_IRQ_STAT, + RX_EOT, true); + if (done) { + writel(RX_EOT | RX_DMA_DONE, + uport->membase + SE_DMA_RX_IRQ_CLR); + } else { qcom_geni_serial_abort_rx(uport); + writel(1, uport->membase + SE_DMA_RX_FSM_RST); + qcom_geni_serial_poll_bit(uport, SE_DMA_RX_IRQ_STAT, + RX_RESET_DONE, true); + writel(RX_RESET_DONE | RX_DMA_DONE, + uport->membase + SE_DMA_RX_IRQ_CLR); + } + if (port->rx_dma_addr) { geni_se_rx_dma_unprep(&port->se, port->rx_dma_addr, DMA_RX_BUF_SIZE); -- 2.45.2

6 months, 3 weeks

1
0
0 0

[PATCH v3 2/9] serial: qcom-geni: revert broken hibernation support

by Johan Hovold

This reverts commit 35781d8356a2eecaa6074ceeb80ee22e252fcdae. Hibernation is not supported on Qualcomm platforms with mainline kernels yet a broken vendor implementation for the GENI serial driver made it upstream. This is effectively dead code that cannot be tested and should just be removed, but if these paths were ever hit for an open non-console port they would crash the machine as the driver would fail to enable clocks during restore() (i.e. all ports would have to be closed by drivers and user space before hibernating the system to avoid this as a comment in the code hinted at). The broken implementation also added a random call to enable the receiver in the port setup code where it does not belong and which enables the receiver prematurely for console ports. Fixes: 35781d8356a2 ("tty: serial: qcom-geni-serial: Add support for Hibernation feature") Cc: stable(a)vger.kernel.org # 6.2 Cc: Aniket Randive <quic_arandive(a)quicinc.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 41 ++------------------------- 1 file changed, 2 insertions(+), 39 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index c237c9d107cd..2e4a5361f137 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1170,7 +1170,6 @@ static int qcom_geni_serial_port_setup(struct uart_port *uport) false, true, true); geni_se_init(&port->se, UART_RX_WM, port->rx_fifo_depth - 2); geni_se_select_mode(&port->se, port->dev_data->mode); - qcom_geni_serial_start_rx(uport); port->setup = true; return 0; @@ -1799,38 +1798,6 @@ static int qcom_geni_serial_sys_resume(struct device *dev) return ret; } -static int qcom_geni_serial_sys_hib_resume(struct device *dev) -{ - int ret = 0; - struct uart_port *uport; - struct qcom_geni_private_data *private_data; - struct qcom_geni_serial_port *port = dev_get_drvdata(dev); - - uport = &port->uport; - private_data = uport->private_data; - - if (uart_console(uport)) { - geni_icc_set_tag(&port->se, QCOM_ICC_TAG_ALWAYS); - geni_icc_set_bw(&port->se); - ret = uart_resume_port(private_data->drv, uport); - /* - * For hibernation usecase clients for - * console UART won't call port setup during restore, - * hence call port setup for console uart. - */ - qcom_geni_serial_port_setup(uport); - } else { - /* - * Peripheral register settings are lost during hibernation. - * Update setup flag such that port setup happens again - * during next session. Clients of HS-UART will close and - * open the port during hibernation. - */ - port->setup = false; - } - return ret; -} - static const struct qcom_geni_device_data qcom_geni_console_data = { .console = true, .mode = GENI_SE_FIFO, @@ -1842,12 +1809,8 @@ static const struct qcom_geni_device_data qcom_geni_uart_data = { }; static const struct dev_pm_ops qcom_geni_serial_pm_ops = { - .suspend = pm_sleep_ptr(qcom_geni_serial_sys_suspend), - .resume = pm_sleep_ptr(qcom_geni_serial_sys_resume), - .freeze = pm_sleep_ptr(qcom_geni_serial_sys_suspend), - .poweroff = pm_sleep_ptr(qcom_geni_serial_sys_suspend), - .restore = pm_sleep_ptr(qcom_geni_serial_sys_hib_resume), - .thaw = pm_sleep_ptr(qcom_geni_serial_sys_hib_resume), + SYSTEM_SLEEP_PM_OPS(qcom_geni_serial_sys_suspend, + qcom_geni_serial_sys_resume) }; static const struct of_device_id qcom_geni_serial_match_table[] = { -- 2.45.2

6 months, 3 weeks

1
0
0 0

[PATCH] mm/mremap: Fix move_normal_pmd/retract_page_tables race

by Jann Horn

In mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd(). move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise); note that process A accesses page tables through the MM while process B does it through the file rmap: process A process B ========= ========= mremap mremap_to move_vma move_page_tables get_old_pmd alloc_new_pmd *** PREEMPT *** madvise(MADV_COLLAPSE) do_madvise madvise_walk_vmas madvise_vma_behavior madvise_collapse hpage_collapse_scan_file collapse_file retract_page_tables i_mmap_lock_read(mapping) pmdp_collapse_flush i_mmap_unlock_read(mapping) move_pgt_entry(NORMAL_PMD, ...) take_rmap_locks move_normal_pmd drop_rmap_locks When this happens, move_normal_pmd() can end up creating bogus PMD entries in the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`. The effect depends on arch-specific and machine-specific details; on x86, you can end up with physical page 0 mapped as a page table, which is likely exploitable for user->kernel privilege escalation. Fix the race by letting process B recheck that the PMD still points to a page table after the rmap locks have been taken. Otherwise, we bail and let the caller fall back to the PTE-level copying path, which will then bail immediately at the pmd_none() check. Bug reachability: Reaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, which would require creating your own user+mount namespace; though I don't know if some distros maybe enable shmem THP by default or something like that. Bug impact: This issue can likely be used for user->kernel privilege escalation when it is reachable. Cc: stable(a)vger.kernel.org Fixes: 1d65b771bc08 ("mm/khugepaged: retract_page_tables() without mmap or vma lock") Closes: https://project-zero.issues.chromium.org/371047675 Co-developed-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Jann Horn <jannh(a)google.com> --- @David: please confirm we can add your Signed-off-by to this patch after the Co-developed-by. (Context: David basically wrote the entire patch except for the commit message.) @akpm: This replaces the previous "[PATCH] mm/mremap: Prevent racing change of old pmd type". --- mm/mremap.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/mm/mremap.c b/mm/mremap.c index 24712f8dbb6b..dda09e957a5d 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -238,6 +238,7 @@ static bool move_normal_pmd(struct vm_area_struct *vma, unsigned long old_addr, { spinlock_t *old_ptl, *new_ptl; struct mm_struct *mm = vma->vm_mm; + bool res = false; pmd_t pmd; if (!arch_supports_page_table_move()) @@ -277,19 +278,25 @@ static bool move_normal_pmd(struct vm_area_struct *vma, unsigned long old_addr, if (new_ptl != old_ptl) spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); - /* Clear the pmd */ pmd = *old_pmd; + + /* Racing with collapse? */ + if (unlikely(!pmd_present(pmd) || pmd_leaf(pmd))) + goto out_unlock; + /* Clear the pmd */ pmd_clear(old_pmd); + res = true; VM_BUG_ON(!pmd_none(*new_pmd)); pmd_populate(mm, new_pmd, pmd_pgtable(pmd)); flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE); +out_unlock: if (new_ptl != old_ptl) spin_unlock(new_ptl); spin_unlock(old_ptl); - return true; + return res; } #else static inline bool move_normal_pmd(struct vm_area_struct *vma, --- base-commit: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b change-id: 20241007-move_normal_pmd-vs-collapse-fix-2-387e9a68c7d6 -- Jann Horn <jannh(a)google.com>

6 months, 3 weeks

5
9
0 0

[PATCH v2] ata: libata: avoid superfluous disk spin down + spin up during hibernation

by Niklas Cassel

A user reported that commit aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop") introduced a spin down + immediate spin up of the disk both when entering and when resuming from hibernation. This behavior was not there before, and causes an increased latency both when when entering and when resuming from hibernation. Hibernation is done by three consecutive PM events, in the following order: 1) PM_EVENT_FREEZE 2) PM_EVENT_THAW 3) PM_EVENT_HIBERNATE Commit aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop") modified ata_eh_handle_port_suspend() to call ata_dev_power_set_standby() (which spins down the disk), for both event PM_EVENT_FREEZE and event PM_EVENT_HIBERNATE. Documentation/driver-api/pm/devices.rst, section "Entering Hibernation", explicitly mentions that PM_EVENT_FREEZE does not have to be put the device in a low-power state, and actually recommends not doing so. Thus, let's not spin down the disk on PM_EVENT_FREEZE. (The disk will instead be spun down during the subsequent PM_EVENT_HIBERNATE event.) This way, PM_EVENT_FREEZE will behave as it did before commit aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop"), while PM_EVENT_HIBERNATE will continue to spin down the disk. This will avoid the superfluous spin down + spin up when entering and resuming from hibernation, while still making sure that the disk is spun down before actually entering hibernation. Cc: stable(a)vger.kernel.org # v6.6+ Fixes: aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- Changes since v1: -Add stable to cc. drivers/ata/libata-eh.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c index 3f0144e7dc80..fa41ea57a978 100644 --- a/drivers/ata/libata-eh.c +++ b/drivers/ata/libata-eh.c @@ -4099,10 +4099,20 @@ static void ata_eh_handle_port_suspend(struct ata_port *ap) WARN_ON(ap->pflags & ATA_PFLAG_SUSPENDED); - /* Set all devices attached to the port in standby mode */ - ata_for_each_link(link, ap, HOST_FIRST) { - ata_for_each_dev(dev, link, ENABLED) - ata_dev_power_set_standby(dev); + /* + * We will reach this point for all of the PM events: + * PM_EVENT_SUSPEND (if runtime pm, PM_EVENT_AUTO will also be set) + * PM_EVENT_FREEZE, and PM_EVENT_HIBERNATE. + * + * We do not want to perform disk spin down for PM_EVENT_FREEZE. + * (Spin down will be performed by the subsequent PM_EVENT_HIBERNATE.) + */ + if (!(ap->pm_mesg.event & PM_EVENT_FREEZE)) { + /* Set all devices attached to the port in standby mode */ + ata_for_each_link(link, ap, HOST_FIRST) { + ata_for_each_dev(dev, link, ENABLED) + ata_dev_power_set_standby(dev); + } } /* -- 2.46.2

6 months, 3 weeks

2
3
0 0

[PATCH v2 4/7] serial: qcom-geni: fix receiver enable

by Johan Hovold

The receiver should be enabled in the startup() callback and there is no need to stop it on every termios update. Since commit 6f3c3cafb115 ("serial: qcom-geni: disable interrupts during console writes") the calls to manipulate the secondary interrupts, which were done without holding the port lock, can lead to the receiver being left disabled when set_termios() races with the console code (e.g. when init opens the tty during boot). The calls to stop and start rx in set_termios() can similarly race with DMA completion and, for example, cause the DMA buffer to be unmapped twice or the mapping to be leaked. Fixes: 6f3c3cafb115 ("serial: qcom-geni: disable interrupts during console writes") Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA") Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Cc: stable(a)vger.kernel.org # 6.3 Cc: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index dea688db0d7c..5b6c5388efee 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1179,6 +1179,11 @@ static int qcom_geni_serial_startup(struct uart_port *uport) if (ret) return ret; } + + uart_port_lock_irq(uport); + qcom_geni_serial_start_rx(uport); + uart_port_unlock_irq(uport); + enable_irq(uport->irq); return 0; @@ -1264,7 +1269,6 @@ static void qcom_geni_serial_set_termios(struct uart_port *uport, unsigned int avg_bw_core; unsigned long timeout; - qcom_geni_serial_stop_rx(uport); /* baud rate */ baud = uart_get_baud_rate(uport, termios, old, 300, 4000000); @@ -1280,7 +1284,7 @@ static void qcom_geni_serial_set_termios(struct uart_port *uport, dev_err(port->se.dev, "Couldn't find suitable clock rate for %u\n", baud * sampling_rate); - goto out_restart_rx; + return; } dev_dbg(port->se.dev, "desired_rate = %u, clk_rate = %lu, clk_div = %u\n", @@ -1371,8 +1375,6 @@ static void qcom_geni_serial_set_termios(struct uart_port *uport, writel(stop_bit_len, uport->membase + SE_UART_TX_STOP_BIT_LEN); writel(ser_clk_cfg, uport->membase + GENI_SER_M_CLK_CFG); writel(ser_clk_cfg, uport->membase + GENI_SER_S_CLK_CFG); -out_restart_rx: - qcom_geni_serial_start_rx(uport); } #ifdef CONFIG_SERIAL_QCOM_GENI_CONSOLE -- 2.45.2

6 months, 3 weeks

3
2
0 0

[PATCH v2 1/7] serial: qcom-geni: fix premature receiver enable

by Johan Hovold

The receiver should not be enabled until the port is opened so drop the bogus call to start rx from the setup code which is shared with the console implementation. This was added for some confused implementation of hibernation support, but the receiver must not be started unconditionally as the port may not have been open when hibernating the system. Fixes: 35781d8356a2 ("tty: serial: qcom-geni-serial: Add support for Hibernation feature") Cc: stable(a)vger.kernel.org # 6.2 Cc: Aniket Randive <quic_arandive(a)quicinc.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/tty/serial/qcom_geni_serial.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 6f0db310cf69..9ea6bd09e665 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -1152,7 +1152,6 @@ static int qcom_geni_serial_port_setup(struct uart_port *uport) false, true, true); geni_se_init(&port->se, UART_RX_WM, port->rx_fifo_depth - 2); geni_se_select_mode(&port->se, port->dev_data->mode); - qcom_geni_serial_start_rx(uport); port->setup = true; return 0; -- 2.45.2

6 months, 3 weeks

5
5
0 0

[PATCH v2] drm/amdgpu: prevent BO_HANDLES error from being overwritten

by Mohammed Anees

Before this patch, if multiple BO_HANDLES chunks were submitted, the error -EINVAL would be correctly set but could be overwritten by the return value from amdgpu_cs_p1_bo_handles(). This patch ensures that if there are multiple BO_HANDLES, we stop. Cc: stable(a)vger.kernel.org Fixes: fec5f8e8c6bc ("drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit") Signed-off-by: Mohammed Anees <pvmohammedanees2003(a)gmail.com> --- v2: - Switched to goto free_partial_kdata for error handling, following the existing pattern. --- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index 1e475eb01417..d891ab779ca7 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -265,7 +265,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p, /* Only a single BO list is allowed to simplify handling. */ if (p->bo_list) - ret = -EINVAL; + goto free_partial_kdata; ret = amdgpu_cs_p1_bo_handles(p, p->chunks[i].kdata); if (ret) -- 2.46.0

6 months, 3 weeks

3
2
0 0

[PATCH v5.10-v5.4] btrfs: get rid of warning on transaction commit when using flushoncommit

by hsimeliere.opensource＠witekio.com

From: Filipe Manana <fdmanana(a)suse.com> commit a0f0cf8341e34e5d2265bfd3a7ad68342da1e2aa upstream. When using the flushoncommit mount option, during almost every transaction commit we trigger a warning from __writeback_inodes_sb_nr(): $ cat fs/fs-writeback.c: (...) static void __writeback_inodes_sb_nr(struct super_block *sb, ... { (...) WARN_ON(!rwsem_is_locked(&sb->s_umount)); (...) } (...) The trace produced in dmesg looks like the following: [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3 [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186 [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3 [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...) [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246 [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000 [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50 [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000 [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488 [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460 [947.553621] FS: 0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000 [947.560537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0 [947.571072] Call Trace: [947.572354] <TASK> [947.573266] btrfs_commit_transaction+0x1f1/0x998 [947.576785] ? start_transaction+0x3ab/0x44e [947.579867] ? schedule_timeout+0x8a/0xdd [947.582716] transaction_kthread+0xe9/0x156 [947.585721] ? btrfs_cleanup_transaction.isra.0+0x407/0x407 [947.590104] kthread+0x131/0x139 [947.592168] ? set_kthread_struct+0x32/0x32 [947.595174] ret_from_fork+0x22/0x30 [947.597561] </TASK> [947.598553] ---[ end trace 644721052755541c ]--- This is because we started using writeback_inodes_sb() to flush delalloc when committing a transaction (when using -o flushoncommit), in order to avoid deadlocks with filesystem freeze operations. This change was made by commit ce8ea7cc6eb313 ("btrfs: don't call btrfs_start_delalloc_roots in flushoncommit"). After that change we started producing that warning, and every now and then a user reports this since the warning happens too often, it spams dmesg/syslog, and a user is unsure if this reflects any problem that might compromise the filesystem's reliability. We can not just lock the sb->s_umount semaphore before calling writeback_inodes_sb(), because that would at least deadlock with filesystem freezing, since at fs/super.c:freeze_super() sync_filesystem() is called while we are holding that semaphore in write mode, and that can trigger a transaction commit, resulting in a deadlock. It would also trigger the same type of deadlock in the unmount path. Possibly, it could also introduce some other locking dependencies that lockdep would report. To fix this call try_to_writeback_inodes_sb() instead of writeback_inodes_sb(), because that will try to read lock sb->s_umount and then will only call writeback_inodes_sb() if it was able to lock it. This is fine because the cases where it can't read lock sb->s_umount are during a filesystem unmount or during a filesystem freeze - in those cases sb->s_umount is write locked and sync_filesystem() is called, which calls writeback_inodes_sb(). In other words, in all cases where we can't take a read lock on sb->s_umount, writeback is already being triggered elsewhere. An alternative would be to call btrfs_start_delalloc_roots() with a number of pages different from LONG_MAX, for example matching the number of delalloc bytes we currently have, in which case we would end up starting all delalloc with filemap_fdatawrite_wbc() and not with an async flush via filemap_flush() - that is only possible after the rather recent commit e076ab2a2ca70a ("btrfs: shrink delalloc pages instead of full inodes"). However that creates a whole new can of worms due to new lock dependencies, which lockdep complains, like for example: [ 8948.247280] ====================================================== [ 8948.247823] WARNING: possible circular locking dependency detected [ 8948.248353] 5.17.0-rc1-btrfs-next-111 #1 Not tainted [ 8948.248786] ------------------------------------------------------ [ 8948.249320] kworker/u16:18/933570 is trying to acquire lock: [ 8948.249812] ffff9b3de1591690 (sb_internal#2){.+.+}-{0:0}, at: find_free_extent+0x141e/0x1590 [btrfs] [ 8948.250638] but task is already holding lock: [ 8948.251140] ffff9b3e09c717d8 (&root->delalloc_mutex){+.+.}-{3:3}, at: start_delalloc_inodes+0x78/0x400 [btrfs] [ 8948.252018] which lock already depends on the new lock. [ 8948.252710] the existing dependency chain (in reverse order) is: [ 8948.253343] -> #2 (&root->delalloc_mutex){+.+.}-{3:3}: [ 8948.253950] __mutex_lock+0x90/0x900 [ 8948.254354] start_delalloc_inodes+0x78/0x400 [btrfs] [ 8948.254859] btrfs_start_delalloc_roots+0x194/0x2a0 [btrfs] [ 8948.255408] btrfs_commit_transaction+0x32f/0xc00 [btrfs] [ 8948.255942] btrfs_mksubvol+0x380/0x570 [btrfs] [ 8948.256406] btrfs_mksnapshot+0x81/0xb0 [btrfs] [ 8948.256870] __btrfs_ioctl_snap_create+0x17f/0x190 [btrfs] [ 8948.257413] btrfs_ioctl_snap_create_v2+0xbb/0x140 [btrfs] [ 8948.257961] btrfs_ioctl+0x1196/0x3630 [btrfs] [ 8948.258418] __x64_sys_ioctl+0x83/0xb0 [ 8948.258793] do_syscall_64+0x3b/0xc0 [ 8948.259146] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 8948.259709] -> #1 (&fs_info->delalloc_root_mutex){+.+.}-{3:3}: [ 8948.260330] __mutex_lock+0x90/0x900 [ 8948.260692] btrfs_start_delalloc_roots+0x97/0x2a0 [btrfs] [ 8948.261234] btrfs_commit_transaction+0x32f/0xc00 [btrfs] [ 8948.261766] btrfs_set_free_space_cache_v1_active+0x38/0x60 [btrfs] [ 8948.262379] btrfs_start_pre_rw_mount+0x119/0x180 [btrfs] [ 8948.262909] open_ctree+0x1511/0x171e [btrfs] [ 8948.263359] btrfs_mount_root.cold+0x12/0xde [btrfs] [ 8948.263863] legacy_get_tree+0x30/0x50 [ 8948.264242] vfs_get_tree+0x28/0xc0 [ 8948.264594] vfs_kern_mount.part.0+0x71/0xb0 [ 8948.265017] btrfs_mount+0x11d/0x3a0 [btrfs] [ 8948.265462] legacy_get_tree+0x30/0x50 [ 8948.265851] vfs_get_tree+0x28/0xc0 [ 8948.266203] path_mount+0x2d4/0xbe0 [ 8948.266554] __x64_sys_mount+0x103/0x140 [ 8948.266940] do_syscall_64+0x3b/0xc0 [ 8948.267300] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 8948.267790] -> #0 (sb_internal#2){.+.+}-{0:0}: [ 8948.268322] __lock_acquire+0x12e8/0x2260 [ 8948.268733] lock_acquire+0xd7/0x310 [ 8948.269092] start_transaction+0x44c/0x6e0 [btrfs] [ 8948.269591] find_free_extent+0x141e/0x1590 [btrfs] [ 8948.270087] btrfs_reserve_extent+0x14b/0x280 [btrfs] [ 8948.270588] cow_file_range+0x17e/0x490 [btrfs] [ 8948.271051] btrfs_run_delalloc_range+0x345/0x7a0 [btrfs] [ 8948.271586] writepage_delalloc+0xb5/0x170 [btrfs] [ 8948.272071] __extent_writepage+0x156/0x3c0 [btrfs] [ 8948.272579] extent_write_cache_pages+0x263/0x460 [btrfs] [ 8948.273113] extent_writepages+0x76/0x130 [btrfs] [ 8948.273573] do_writepages+0xd2/0x1c0 [ 8948.273942] filemap_fdatawrite_wbc+0x68/0x90 [ 8948.274371] start_delalloc_inodes+0x17f/0x400 [btrfs] [ 8948.274876] btrfs_start_delalloc_roots+0x194/0x2a0 [btrfs] [ 8948.275417] flush_space+0x1f2/0x630 [btrfs] [ 8948.275863] btrfs_async_reclaim_data_space+0x108/0x1b0 [btrfs] [ 8948.276438] process_one_work+0x252/0x5a0 [ 8948.276829] worker_thread+0x55/0x3b0 [ 8948.277189] kthread+0xf2/0x120 [ 8948.277506] ret_from_fork+0x22/0x30 [ 8948.277868] other info that might help us debug this: [ 8948.278548] Chain exists of: sb_internal#2 --> &fs_info->delalloc_root_mutex --> &root->delalloc_mutex [ 8948.279601] Possible unsafe locking scenario: [ 8948.280102] CPU0 CPU1 [ 8948.280508] ---- ---- [ 8948.280915] lock(&root->delalloc_mutex); [ 8948.281271] lock(&fs_info->delalloc_root_mutex); [ 8948.281915] lock(&root->delalloc_mutex); [ 8948.282487] lock(sb_internal#2); [ 8948.282800] *** DEADLOCK *** [ 8948.283333] 4 locks held by kworker/u16:18/933570: [ 8948.283750] #0: ffff9b3dc00a9d48 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x1d2/0x5a0 [ 8948.284609] #1: ffffa90349dafe70 ((work_completion)(&fs_info->async_data_reclaim_work)){+.+.}-{0:0}, at: process_one_work+0x1d2/0x5a0 [ 8948.285637] #2: ffff9b3e14db5040 (&fs_info->delalloc_root_mutex){+.+.}-{3:3}, at: btrfs_start_delalloc_roots+0x97/0x2a0 [btrfs] [ 8948.286674] #3: ffff9b3e09c717d8 (&root->delalloc_mutex){+.+.}-{3:3}, at: start_delalloc_inodes+0x78/0x400 [btrfs] [ 8948.287596] stack backtrace: [ 8948.287975] CPU: 3 PID: 933570 Comm: kworker/u16:18 Not tainted 5.17.0-rc1-btrfs-next-111 #1 [ 8948.288677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 8948.289649] Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs] [ 8948.290298] Call Trace: [ 8948.290517] <TASK> [ 8948.290700] dump_stack_lvl+0x59/0x73 [ 8948.291026] check_noncircular+0xf3/0x110 [ 8948.291375] ? start_transaction+0x228/0x6e0 [btrfs] [ 8948.291826] __lock_acquire+0x12e8/0x2260 [ 8948.292241] lock_acquire+0xd7/0x310 [ 8948.292714] ? find_free_extent+0x141e/0x1590 [btrfs] [ 8948.293241] ? lock_is_held_type+0xea/0x140 [ 8948.293601] start_transaction+0x44c/0x6e0 [btrfs] [ 8948.294055] ? find_free_extent+0x141e/0x1590 [btrfs] [ 8948.294518] find_free_extent+0x141e/0x1590 [btrfs] [ 8948.294957] ? _raw_spin_unlock+0x29/0x40 [ 8948.295312] ? btrfs_get_alloc_profile+0x124/0x290 [btrfs] [ 8948.295813] btrfs_reserve_extent+0x14b/0x280 [btrfs] [ 8948.296270] cow_file_range+0x17e/0x490 [btrfs] [ 8948.296691] btrfs_run_delalloc_range+0x345/0x7a0 [btrfs] [ 8948.297175] ? find_lock_delalloc_range+0x247/0x270 [btrfs] [ 8948.297678] writepage_delalloc+0xb5/0x170 [btrfs] [ 8948.298123] __extent_writepage+0x156/0x3c0 [btrfs] [ 8948.298570] extent_write_cache_pages+0x263/0x460 [btrfs] [ 8948.299061] extent_writepages+0x76/0x130 [btrfs] [ 8948.299495] do_writepages+0xd2/0x1c0 [ 8948.299817] ? sched_clock_cpu+0xd/0x110 [ 8948.300160] ? lock_release+0x155/0x4a0 [ 8948.300494] filemap_fdatawrite_wbc+0x68/0x90 [ 8948.300874] ? do_raw_spin_unlock+0x4b/0xa0 [ 8948.301243] start_delalloc_inodes+0x17f/0x400 [btrfs] [ 8948.301706] ? lock_release+0x155/0x4a0 [ 8948.302055] btrfs_start_delalloc_roots+0x194/0x2a0 [btrfs] [ 8948.302564] flush_space+0x1f2/0x630 [btrfs] [ 8948.302970] btrfs_async_reclaim_data_space+0x108/0x1b0 [btrfs] [ 8948.303510] process_one_work+0x252/0x5a0 [ 8948.303860] ? process_one_work+0x5a0/0x5a0 [ 8948.304221] worker_thread+0x55/0x3b0 [ 8948.304543] ? process_one_work+0x5a0/0x5a0 [ 8948.304904] kthread+0xf2/0x120 [ 8948.305184] ? kthread_complete_and_exit+0x20/0x20 [ 8948.305598] ret_from_fork+0x22/0x30 [ 8948.305921] </TASK> It all comes from the fact that btrfs_start_delalloc_roots() takes the delalloc_root_mutex, in the transaction commit path we are holding a read lock on one of the superblock's freeze semaphores (via sb_start_intwrite()), the async reclaim task can also do a call to btrfs_start_delalloc_roots(), which ends up triggering writeback with calls to filemap_fdatawrite_wbc(), resulting in extent allocation which in turn can call btrfs_start_transaction(), which will result in taking the freeze semaphore via sb_start_intwrite(), forming a nasty dependency on all those locks which can be taken in different orders by different code paths. So just adopt the simple approach of calling try_to_writeback_inodes_sb() at btrfs_start_delalloc_flush(). Link: https://lore.kernel.org/linux-btrfs/20220130005258.GA7465@cuci.nl/ Link: https://lore.kernel.org/linux-btrfs/43acc426-d683-d1b6-729d-c6bc4a2fff4d@gm… Link: https://lore.kernel.org/linux-btrfs/6833930a-08d7-6fbc-0141-eb9cdfd6bb4d@gm… Link: https://lore.kernel.org/linux-btrfs/20190322041731.GF16651@hungrycats.org/ Reviewed-by: Omar Sandoval <osandov(a)fb.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> [ add more link reports ] Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- fs/btrfs/transaction.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 8878aa7cbdc5..c797563fa9cf 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -2021,16 +2021,24 @@ static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans) struct btrfs_fs_info *fs_info = trans->fs_info; /* - * We use writeback_inodes_sb here because if we used + * We use try_to_writeback_inodes_sb() here because if we used * btrfs_start_delalloc_roots we would deadlock with fs freeze. * Currently are holding the fs freeze lock, if we do an async flush * we'll do btrfs_join_transaction() and deadlock because we need to * wait for the fs freeze lock. Using the direct flushing we benefit * from already being in a transaction and our join_transaction doesn't * have to re-take the fs freeze lock. + * + * Note that try_to_writeback_inodes_sb() will only trigger writeback + * if it can read lock sb->s_umount. It will always be able to lock it, + * except when the filesystem is being unmounted or being frozen, but in + * those cases sync_filesystem() is called, which results in calling + * writeback_inodes_sb() while holding a write lock on sb->s_umount. + * Note that we don't call writeback_inodes_sb() directly, because it + * will emit a warning if sb->s_umount is not locked. */ if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) { - writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); + try_to_writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); } else { struct btrfs_pending_snapshot *pending; struct list_head *head = &trans->transaction->pending_snapshots; -- 2.43.0

6 months, 3 weeks

3
3
0 0

[PATCH] Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails

by libo.chen.cn＠windriver.com

From: Rick Edgecombe <rick.p.edgecombe(a)intel.com> commit 03f5a999adba ("Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails") In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens. Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Link: https://lore.kernel.org/r/20240311161558.1310-2-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240311161558.1310-2-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> CVE-2024-36913 Signed-off-by: Libo Chen <libo.chen.cn(a)windriver.com> --- This commit is backporting 03f5a999adba to the branch linux-5.15.y to solve the CVE-2024-36913. Please merge this commit to linux-5.15.y. drivers/hv/connection.c | 41 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index 47fb412eafd3..8283e7ba156e 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -19,6 +19,7 @@ #include <linux/vmalloc.h> #include <linux/hyperv.h> #include <linux/export.h> +#include <linux/set_memory.h> #include <asm/mshyperv.h> #include "hyperv_vmbus.h" @@ -216,6 +217,29 @@ int vmbus_connect(void) goto cleanup; } + ret = set_memory_decrypted((unsigned long) + vmbus_connection.monitor_pages[0], 1); + ret |= set_memory_decrypted((unsigned long) + vmbus_connection.monitor_pages[1], 1); + if (ret) { + /* + * If set_memory_decrypted() fails, the encryption state + * of the memory is unknown. So leak the memory instead + * of risking returning decrypted memory to the free list. + * For simplicity, always handle both pages the same. + */ + vmbus_connection.monitor_pages[0] = NULL; + vmbus_connection.monitor_pages[1] = NULL; + goto cleanup; + } + + /* + * Set_memory_decrypted() will change the memory contents if + * decryption occurs, so zero monitor pages here. + */ + memset(vmbus_connection.monitor_pages[0], 0x00, HV_HYP_PAGE_SIZE); + memset(vmbus_connection.monitor_pages[1], 0x00, HV_HYP_PAGE_SIZE); + msginfo = kzalloc(sizeof(*msginfo) + sizeof(struct vmbus_channel_initiate_contact), GFP_KERNEL); @@ -303,10 +327,19 @@ void vmbus_disconnect(void) vmbus_connection.int_page = NULL; } - hv_free_hyperv_page((unsigned long)vmbus_connection.monitor_pages[0]); - hv_free_hyperv_page((unsigned long)vmbus_connection.monitor_pages[1]); - vmbus_connection.monitor_pages[0] = NULL; - vmbus_connection.monitor_pages[1] = NULL; + if (vmbus_connection.monitor_pages[0]) { + if (!set_memory_encrypted( + (unsigned long)vmbus_connection.monitor_pages[0], 1)) + hv_free_hyperv_page((unsigned long)vmbus_connection.monitor_pages[0]); + vmbus_connection.monitor_pages[0] = NULL; + } + + if (vmbus_connection.monitor_pages[1]) { + if (!set_memory_encrypted( + (unsigned long)vmbus_connection.monitor_pages[1], 1)) + hv_free_hyperv_page((unsigned long)vmbus_connection.monitor_pages[1]); + vmbus_connection.monitor_pages[1] = NULL; + } } /* -- 2.25.1

6 months, 3 weeks

2
1
0 0

[PATCH v3 net 0/3] net: enetc: fix some issues of XDP

by Wei Fang

We found some bugs when testing the XDP function of enetc driver, and these bugs are easy to reproduce. This is not only causes XDP to not work, but also the network cannot be restored after exiting the XDP program. So the patch set is mainly to fix these bugs. For details, please see the commit message of each patch. --- v1 link: https://lore.kernel.org/bpf/20240919084104.661180-1-wei.fang@nxp.com/T/ v2 link: https://lore.kernel.org/netdev/20241008224806.2onzkt3gbslw5jxb@skbuf/T/ --- Wei Fang (3): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: fix the issues of XDP_REDIRECT feature net: enetc: disable IRQ after Rx and Tx BD rings are disabled drivers/net/ethernet/freescale/enetc/enetc.c | 56 +++++++++++++++----- drivers/net/ethernet/freescale/enetc/enetc.h | 1 + 2 files changed, 44 insertions(+), 13 deletions(-) -- 2.34.1

6 months, 3 weeks

2
8
0 0

[PATCH] x86/stackprotector: Work around strict Clang TLS symbol requirements

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> GCC and Clang both implement stack protector support based on Thread Local Storage (TLS) variables, and this is used in the kernel to implement per-task stack cookies, by copying a task's stack cookie into a per-CPU variable every time it is scheduled in. Both now also implement -mstack-protector-guard-symbol=, which permits the TLS variable to be specified directly. This is useful because it will allow us to move away from using a fixed offset of 40 bytes into the per-CPU area on x86_64, which requires a lot of special handling in the per-CPU code and the runtime relocation code. However, while GCC is rather lax in its implementation of this command line option, Clang actually requires that the provided symbol name refers to a TLS variable (i.e., one declared with __thread), although it also permits the variable to be undeclared entirely, in which case it will use an implicit declaration of the right type. The upshot of this is that Clang will emit the correct references to the stack cookie variable in most cases, e.g., 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax 10f: R_386_32 __stack_chk_guard However, if a non-TLS definition of the symbol in question is visible in the same compilation unit (which amounts to the whole of vmlinux if LTO is enabled), it will drop the per-CPU prefix and emit a load from a bogus address. Work around this by using a symbol name that never occurs in C code, and emit it as an alias in the linker script. Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") Cc: <stable(a)vger.kernel.org> Cc: Fangrui Song <i(a)maskray.me> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Uros Bizjak <ubizjak(a)gmail.com> Cc: Nathan Chancellor <nathan(a)kernel.org> Cc: Andy Lutomirski <luto(a)kernel.org> Link: https://github.com/ClangBuiltLinux/linux/issues/1854 Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- arch/x86/Makefile | 5 +++-- arch/x86/entry/entry.S | 16 ++++++++++++++++ arch/x86/kernel/cpu/common.c | 2 ++ arch/x86/kernel/vmlinux.lds.S | 3 +++ 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/arch/x86/Makefile b/arch/x86/Makefile index cd75e78a06c1..5b773b34768d 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -142,9 +142,10 @@ ifeq ($(CONFIG_X86_32),y) ifeq ($(CONFIG_STACKPROTECTOR),y) ifeq ($(CONFIG_SMP),y) - KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard + KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ + -mstack-protector-guard-symbol=__ref_stack_chk_guard else - KBUILD_CFLAGS += -mstack-protector-guard=global + KBUILD_CFLAGS += -mstack-protector-guard=global endif endif else diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S index d9feadffa972..a503e6d535f8 100644 --- a/arch/x86/entry/entry.S +++ b/arch/x86/entry/entry.S @@ -46,3 +46,19 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); .popsection THUNK warn_thunk_thunk, __warn_thunk + +#ifndef CONFIG_X86_64 +/* + * Clang's implementation of TLS stack cookies requires the variable in + * question to be a TLS variable. If the variable happens to be defined as an + * ordinary variable with external linkage in the same compilation unit (which + * amounts to the whole of vmlinux with LTO enabled), Clang will drop the + * segment register prefix from the references, resulting in broken code. Work + * around this by avoiding the symbol used in -mstack-protector-guard-symbol= + * entirely in the C code, and use an alias emitted by the linker script + * instead. + */ +#ifdef CONFIG_STACKPROTECTOR +EXPORT_SYMBOL(__ref_stack_chk_guard); +#endif +#endif diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index 07a34d723505..ba83f54dfaa8 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -2085,8 +2085,10 @@ void syscall_init(void) #ifdef CONFIG_STACKPROTECTOR DEFINE_PER_CPU(unsigned long, __stack_chk_guard); +#ifndef CONFIG_SMP EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); #endif +#endif #endif /* CONFIG_X86_64 */ diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index 2b7c8c14c6fd..a80ad2bf8da4 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -490,6 +490,9 @@ SECTIONS . = ASSERT((_end - LOAD_OFFSET <= KERNEL_IMAGE_SIZE), "kernel image bigger than KERNEL_IMAGE_SIZE"); +/* needed for Clang - see arch/x86/entry/entry.S */ +PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); + #ifdef CONFIG_X86_64 /* * Per-cpu symbols which need to be offset from __per_cpu_load -- 2.46.1.824.gd892dcdcdd-goog

6 months, 3 weeks

4
5
0 0

[PATCH v2 0/6] sysctl: prepare sysctl core for const struct ctl_table

by Thomas Weißschuh

Adapt the internal and external APIs of the sysctl core to handle read-only instances of "struct ctl_table". Patch 1: Bugfix for the sysctl core, the bug can be reliably triggered with the series applied Patch 2: Trivial preparation commit for the sysctl BPF hook Patch 3: Adapts the internal sysctl APIs Patch 4: Adapts the external sysctl APIs Patch 5: Constifies the sysctl internal tables as proof that it works Patch 6: Updates scripts/const_structs.checkpatch for "struct ctl_table" Motivation ========== Moving structures containing function pointers into unmodifiable .rodata prevents attackers or bugs from corrupting and diverting those pointers. Also the "struct ctl_table" exposed by the sysctl core were never meant to be mutated by users. For this goal changes to both the sysctl core and "const" qualifiers for various sysctl APIs are necessary. Full Process ============ * Drop ctl_table modifications from the sysctl core ([0], in mainline) * Constify arguments to ctl_table_root::{set_ownership,permissions} ([1], in mainline) * Migrate users of "ctl_table_header::ctl_table_arg" to "const". (in mainline) * Afterwards convert "ctl_table_header::ctl_table_arg" itself to const. (in mainline) * Prepare helpers used to implement proc_handlers throughout the tree to use "const struct ctl_table *". ([2], in mainline) * Afterwards switch over all proc_handlers callbacks to use "const struct ctl_table *" in one commit. (in mainline) * Switch over the internals of the sysctl core to "const struct ctl_table *" (this series) * Switch include/linux/sysctl.h to "const struct ctl_table *" (this series) * Transition instances of "struct ctl_table" through the tree to const (to be done) This series is meant to be applied through the sysctl tree. Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- Changes in v2: - Avoid spurious permanent empty tables (patch 1) - Link to v1: https://lore.kernel.org/r/20240729-sysctl-const-api-v1-0-ca628c7a942c@weiss… --- Thomas Weißschuh (6): sysctl: avoid spurious permanent empty tables bpf: Constify ctl_table argument of filter function sysctl: move internal interfaces to const struct ctl_table sysctl: allow registration of const struct ctl_table sysctl: make internal ctl_tables const const_structs.checkpatch: add ctl_table fs/proc/internal.h | 2 +- fs/proc/proc_sysctl.c | 100 +++++++++++++++++++++------------------ include/linux/bpf-cgroup.h | 2 +- include/linux/sysctl.h | 12 ++--- kernel/bpf/cgroup.c | 2 +- scripts/const_structs.checkpatch | 1 + 6 files changed, 63 insertions(+), 56 deletions(-) --- base-commit: 8400291e289ee6b2bf9779ff1c83a291501f017b change-id: 20240729-sysctl-const-api-73954f3d62c1 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

6 months, 3 weeks

3
4
0 0

[PATCH] usb: dwc3: core: Fix system suspend on TI AM62 platforms

by Roger Quadros

Since commit 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init"), system suspend is broken on AM62 TI platforms. Before that commit, both DWC3_GUSB3PIPECTL_SUSPHY and DWC3_GUSB2PHYCFG_SUSPHY bits (hence forth called 2 SUSPHY bits) were being set during core initialization and even during core re-initialization after a system suspend/resume. These bits are required to be set for system suspend/resume to work correctly on AM62 platforms. Since that commit, the 2 SUSPHY bits are not set for DEVICE/OTG mode if gadget driver is not loaded and started. For Host mode, the 2 SUSPHY bits are set before the first system suspend but get cleared at system resume during core re-init and are never set again. This patch resovles these two issues by ensuring the 2 SUSPHY bits are set before system suspend and restored to the original state during system resume. Cc: stable(a)vger.kernel.org # v6.9+ Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init") Link: https://lore.kernel.org/all/1519dbe7-73b6-4afc-bfe3-23f4f75d772f@kernel.org/ Signed-off-by: Roger Quadros <rogerq(a)kernel.org> --- drivers/usb/dwc3/core.c | 16 ++++++++++++++++ drivers/usb/dwc3/core.h | 2 ++ 2 files changed, 18 insertions(+) diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c index 9eb085f359ce..1233922d4d54 100644 --- a/drivers/usb/dwc3/core.c +++ b/drivers/usb/dwc3/core.c @@ -2336,6 +2336,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) u32 reg; int i; + dwc->susphy_state = !!(dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & + DWC3_GUSB2PHYCFG_SUSPHY); + switch (dwc->current_dr_role) { case DWC3_GCTL_PRTCAP_DEVICE: if (pm_runtime_suspended(dwc->dev)) @@ -2387,6 +2390,11 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + if (!dwc->susphy_state) + dwc3_enable_susphy(dwc, true); + } + return 0; } @@ -2454,6 +2462,14 @@ static int dwc3_resume_common(struct dwc3 *dwc, pm_message_t msg) break; } + if (!PMSG_IS_AUTO(msg)) { + /* dwc3_core_init_for_resume() disables SUSPHY so just handle + * the enable case + */ + if (dwc->susphy_state) + dwc3_enable_susphy(dwc, true); + } + return 0; } diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h index c71240e8f7c7..b2ed5aba4c72 100644 --- a/drivers/usb/dwc3/core.h +++ b/drivers/usb/dwc3/core.h @@ -1150,6 +1150,7 @@ struct dwc3_scratchpad_array { * @sys_wakeup: set if the device may do system wakeup. * @wakeup_configured: set if the device is configured for remote wakeup. * @suspended: set to track suspend event due to U3/L2. + * @susphy_state: state of DWC3_GUSB2PHYCFG_SUSPHY before PM suspend. * @imod_interval: set the interrupt moderation interval in 250ns * increments or 0 to disable. * @max_cfg_eps: current max number of IN eps used across all USB configs. @@ -1382,6 +1383,7 @@ struct dwc3 { unsigned sys_wakeup:1; unsigned wakeup_configured:1; unsigned suspended:1; + unsigned susphy_state:1; u16 imod_interval; --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20240923-am62-lpm-usb-f420917bd707 Best regards, -- Roger Quadros <rogerq(a)kernel.org>

6 months, 3 weeks

2
7
0 0

[PATCH v5 5/7] clk: qcom: gcc-x1e80100: Fix halt_check for pipediv2 clocks

by Qiang Yu

The pipediv2_clk's source from the same mux as pipe clock. So they have same limitation, which is that the PHY sequence requires to enable these local CBCs before the PHY is actually outputting a clock to them. This means the clock won't actually turn on when we vote them. Hence, let's skip the halt bit check of the pipediv2_clk, otherwise pipediv2_clk may stuck at off state during bootup. Cc: stable(a)vger.kernel.org Fixes: 161b7c401f4b ("clk: qcom: Add Global Clock controller (GCC) driver for X1E80100") Suggested-by: Mike Tipton <quic_mdtipton(a)quicinc.com> Signed-off-by: Qiang Yu <quic_qianyu(a)quicinc.com> Reviewed-by: Konrad Dybcio <konradybcio(a)kernel.org> Reviewed-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/clk/qcom/gcc-x1e80100.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/clk/qcom/gcc-x1e80100.c b/drivers/clk/qcom/gcc-x1e80100.c index 0f578771071f..81ba5ceab342 100644 --- a/drivers/clk/qcom/gcc-x1e80100.c +++ b/drivers/clk/qcom/gcc-x1e80100.c @@ -3123,7 +3123,7 @@ static struct clk_branch gcc_pcie_3_pipe_clk = { static struct clk_branch gcc_pcie_3_pipediv2_clk = { .halt_reg = 0x58060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52020, .enable_mask = BIT(5), @@ -3248,7 +3248,7 @@ static struct clk_branch gcc_pcie_4_pipe_clk = { static struct clk_branch gcc_pcie_4_pipediv2_clk = { .halt_reg = 0x6b054, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52010, .enable_mask = BIT(27), @@ -3373,7 +3373,7 @@ static struct clk_branch gcc_pcie_5_pipe_clk = { static struct clk_branch gcc_pcie_5_pipediv2_clk = { .halt_reg = 0x2f054, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52018, .enable_mask = BIT(19), @@ -3511,7 +3511,7 @@ static struct clk_branch gcc_pcie_6a_pipe_clk = { static struct clk_branch gcc_pcie_6a_pipediv2_clk = { .halt_reg = 0x31060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52018, .enable_mask = BIT(28), @@ -3649,7 +3649,7 @@ static struct clk_branch gcc_pcie_6b_pipe_clk = { static struct clk_branch gcc_pcie_6b_pipediv2_clk = { .halt_reg = 0x8d060, - .halt_check = BRANCH_HALT_VOTED, + .halt_check = BRANCH_HALT_SKIP, .clkr = { .enable_reg = 0x52010, .enable_mask = BIT(28), -- 2.34.1

6 months, 3 weeks

1
0
0 0

[PATCH 5.15.y 0/1] Fix of CVE-2023-52904 for stable-5.15

by Harshvardhan Jha

Folowing is a backport of commit a474d4ad59cd ("ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()") to stable-5.15 branch which fixes broken commit bfd36b1d1869 ("ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format()"). This was a clean pick and shouldn't be break anything. Basic smoke tests were performed on this patch. Jaroslav Kysela (1): ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate() sound/usb/pcm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.46.0

6 months, 3 weeks

1
1
0 0

[PATCH v7 0/3] Fix dosemu vm86() fault

by Pawan Gupta

Changes in v7: - Using %ss for verw fails kselftest ldt_gdt.c in 32-bit mode, use safer %cs instead (Dave). v6: https://lore.kernel.org/r/20240905-fix-dosemu-vm86-v6-0-7aff8e53cbbf@linux.… - Use %ss in 64-bit mode as well for all VERW calls. This avoids any having a separate macro for 32-bit (Dave). - Split 32-bit mode fixes into separate patches. v5: https://lore.kernel.org/r/20240711-fix-dosemu-vm86-v5-1-e87dcd7368aa@linux.… - Simplify the use of ALTERNATIVE construct (Uros/Jiri/Peter). v4: https://lore.kernel.org/r/20240710-fix-dosemu-vm86-v4-1-aa6464e1de6f@linux.… - Further simplify the patch by using %ss for all VERW calls in 32-bit mode (Brian). - In NMI exit path move VERW after RESTORE_ALL_NMI that touches GPRs (Dave). v3: https://lore.kernel.org/r/20240701-fix-dosemu-vm86-v3-1-b1969532c75a@linux.… - Simplify CLEAR_CPU_BUFFERS_SAFE by using %ss instead of %ds (Brian). - Do verw before popf in SYSEXIT path (Jari). v2: https://lore.kernel.org/r/20240627-fix-dosemu-vm86-v2-1-d5579f698e77@linux.… - Safe guard against any other system calls like vm86() that might change %ds (Dave). v1: https://lore.kernel.org/r/20240426-fix-dosemu-vm86-v1-1-88c826a3f378@linux.… Hi, This series fixes a #GP in 32-bit kernels when executing vm86() system call in dosemu software. In 32-bit mode, their are cases when user can set an arbitrary %ds that can cause a #GP when executing VERW instruction. The fix is to use %ss for referencing the VERW operand. Patch 1-2: Fixes the VERW callsites in 32-bit entry path. Patch 3: Uses %ss for VERW in 32-bit and 64-bit mode. The fix is tested with below kselftest on 32-bit kernel: ./tools/testing/selftests/x86/entry_from_vm86.c 64-bit kernel was boot tested. On a Rocket Lake, measuring the CPU cycles for VERW with and without the %ss shows no significant difference. This indicates that the scrubbing behavior of VERW is intact. Thanks, Pawan Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- Pawan Gupta (3): x86/entry_32: Do not clobber user EFLAGS.ZF x86/entry_32: Clear CPU buffers after register restore in NMI return x86/bugs: Use code segment selector for VERW operand arch/x86/entry/entry_32.S | 6 ++++-- arch/x86/include/asm/nospec-branch.h | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) --- base-commit: 431c1646e1f86b949fa3685efc50b660a364c2b6 change-id: 20240426-fix-dosemu-vm86-dd111a01737e Best regards, -- Thanks, Pawan

6 months, 3 weeks

6
16
0 0

[PATCH] drm: panel: jd9365da-h3: Remove unused num_init_cmds structure member

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Now that the driver has been converted to use wrapped MIPI DCS functions, the num_init_cmds structure member is no longer needed, so remove it. Fixes: 35583e129995 ("drm/panel: panel-jadard-jd9365da-h3: use wrapped MIPI DCS functions") Cc: <stable(a)vger.kernel.org> Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c index 44897e5218a6..45d09e6fa667 100644 --- a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c +++ b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c @@ -26,7 +26,6 @@ struct jadard_panel_desc { unsigned int lanes; enum mipi_dsi_pixel_format format; int (*init)(struct jadard *jadard); - u32 num_init_cmds; bool lp11_before_reset; bool reset_before_power_off_vcioo; unsigned int vcioo_to_lp11_delay_ms; base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc -- 2.39.5

6 months, 3 weeks

3
3
0 0

[tip: x86/urgent] x86/bugs: Use code segment selector for VERW operand

by tip-bot2 for Pawan Gupta

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: e4d2102018542e3ae5e297bc6e229303abff8a0f Gitweb: https://git.kernel.org/tip/e4d2102018542e3ae5e297bc6e229303abff8a0f Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> AuthorDate: Thu, 26 Sep 2024 09:10:31 -07:00 Committer: Ingo Molnar <mingo(a)kernel.org> CommitterDate: Wed, 09 Oct 2024 09:42:30 +02:00 x86/bugs: Use code segment selector for VERW operand Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call: general protection fault: 0000 [#1] PREEMPT SMP CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction: #GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit. CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds. [ mingo: Fixed the SOB chain. ] Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Reported-by: Robert Gill <rtgill82(a)gmail.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com Cc: stable(a)vger.kernel.org # 5.10+ Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218707 Closes: https://lore.kernel.org/all/8c77ccfd-d561-45a1-8ed5-6b75212c7a58@leemhuis.i… Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Suggested-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> --- arch/x86/include/asm/nospec-branch.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index ff5f1ec..96b410b 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -323,7 +323,16 @@ * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF +#ifdef CONFIG_X86_64 + ALTERNATIVE "", "verw mds_verw_sel(%rip)", X86_FEATURE_CLEAR_CPU_BUF +#else + /* + * In 32bit mode, the memory operand must be a %cs reference. The data + * segments may not be usable (vm86 mode), and the stack segment may not + * be flat (ESPFIX32). + */ + ALTERNATIVE "", "verw %cs:mds_verw_sel", X86_FEATURE_CLEAR_CPU_BUF +#endif .endm #ifdef CONFIG_X86_64

6 months, 3 weeks

1
0
0 0

[PATCH] media: i2c: tc358743: Fix crash in the probe error path when using polling

by Alexander Shiyan

If an error occurs in the probe() function, we should remove the polling timer that was alarmed earlier, otherwise the timer is called with arguments that are already freed, which results in a crash. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268 Modules linked in: CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226 Hardware name: Diasom DS-RK3568-SOM-EVB (DT) pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __run_timers+0x244/0x268 lr : __run_timers+0x1d4/0x268 sp : ffffff80eff2baf0 x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00 x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00 x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000 x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000 x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009 x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480 x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240 x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0 Call trace: __run_timers+0x244/0x268 timer_expire_remote+0x50/0x68 tmigr_handle_remote+0x388/0x39c run_timer_softirq+0x38/0x44 handle_softirqs+0x138/0x298 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x24/0x4c do_softirq_own_stack+0x1c/0x2c irq_exit_rcu+0x9c/0xcc el1_interrupt+0x48/0xc0 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x7c/0x80 default_idle_call+0x34/0x68 do_idle+0x23c/0x294 cpu_startup_entry+0x38/0x3c secondary_start_kernel+0x128/0x160 __secondary_switched+0xb8/0xbc ---[ end trace 0000000000000000 ]--- Fixes: 4e66a52a2e4c ("[media] tc358743: Add support for platforms without IRQ line") Signed-off-by: Alexander Shiyan <eagle.alexander923(a)gmail.com> Cc: stable(a)vger.kernel.org --- drivers/media/i2c/tc358743.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index 65d58ddf0287..344a670e732f 100644 --- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -2168,8 +2168,10 @@ static int tc358743_probe(struct i2c_client *client) err_work_queues: cec_unregister_adapter(state->cec_adap); - if (!state->i2c_client->irq) + if (!state->i2c_client->irq) { + del_timer(&state->timer); flush_work(&state->work_i2c_poll); + } cancel_delayed_work(&state->delayed_work_enable_hotplug); mutex_destroy(&state->confctl_mutex); err_hdl: -- 2.39.1

6 months, 3 weeks

1
0
0 0

[PATCH 4.19.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index 0da814b41e72..75cd4c813cbb 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -981,12 +981,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

[PATCH 5.4.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index aa32371f04af..ef9ea295f9e0 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

[PATCH 5.10.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index aa32371f04af..ef9ea295f9e0 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

[PATCH 5.15.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index aa32371f04af..ef9ea295f9e0 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

[PATCH 6.1.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index aa32371f04af..ef9ea295f9e0 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

[PATCH] USB: chaoskey: fail open after removal

by Oliver Neukum

chaoskey_open() takes the lock only to increase the counter of openings. That means that the mutual exclusion with chaoskey_disconnect() cannot prevent an increase of the counter and chaoskey_open() returning a success. If that race is hit, chaoskey_disconnect() will happily free all resources associated with the device after it has dropped the lock, as it has read the counter as zero. To prevent this race chaoskey_open() has to check the presence of the device under the lock. However, the current per device lock cannot be used, because it is a part of the data structure to be freed. Hence an additional global mutex is needed. The issue is as old as the driver. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Reported-by: syzbot+422188bce66e76020e55(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=422188bce66e76020e55 Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)") --- drivers/usb/misc/chaoskey.c | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c index 6fb5140e29b9..e8b63df5f975 100644 --- a/drivers/usb/misc/chaoskey.c +++ b/drivers/usb/misc/chaoskey.c @@ -27,6 +27,8 @@ static struct usb_class_driver chaoskey_class; static int chaoskey_rng_read(struct hwrng *rng, void *data, size_t max, bool wait); +static DEFINE_MUTEX(chaoskey_list_lock); + #define usb_dbg(usb_if, format, arg...) \ dev_dbg(&(usb_if)->dev, format, ## arg) @@ -230,6 +232,7 @@ static void chaoskey_disconnect(struct usb_interface *interface) if (dev->hwrng_registered) hwrng_unregister(&dev->hwrng); + mutex_lock(&chaoskey_list_lock); usb_deregister_dev(interface, &chaoskey_class); usb_set_intfdata(interface, NULL); @@ -244,6 +247,7 @@ static void chaoskey_disconnect(struct usb_interface *interface) } else mutex_unlock(&dev->lock); + mutex_unlock(&chaoskey_list_lock); usb_dbg(interface, "disconnect done"); } @@ -251,6 +255,7 @@ static int chaoskey_open(struct inode *inode, struct file *file) { struct chaoskey *dev; struct usb_interface *interface; + int rv = 0; /* get the interface from minor number and driver information */ interface = usb_find_interface(&chaoskey_driver, iminor(inode)); @@ -266,18 +271,23 @@ static int chaoskey_open(struct inode *inode, struct file *file) } file->private_data = dev; + mutex_lock(&chaoskey_list_lock); mutex_lock(&dev->lock); - ++dev->open; + if (dev->present) + ++dev->open; + else + rv = -ENODEV; mutex_unlock(&dev->lock); + mutex_unlock(&chaoskey_list_lock); - usb_dbg(interface, "open success"); - return 0; + return rv; } static int chaoskey_release(struct inode *inode, struct file *file) { struct chaoskey *dev = file->private_data; struct usb_interface *interface; + int rv = 0; if (dev == NULL) return -ENODEV; @@ -286,14 +296,15 @@ static int chaoskey_release(struct inode *inode, struct file *file) usb_dbg(interface, "release"); + mutex_lock(&chaoskey_list_lock); mutex_lock(&dev->lock); usb_dbg(interface, "open count at release is %d", dev->open); if (dev->open <= 0) { usb_dbg(interface, "invalid open count (%d)", dev->open); - mutex_unlock(&dev->lock); - return -ENODEV; + rv = -ENODEV; + goto bail; } --dev->open; @@ -302,13 +313,15 @@ static int chaoskey_release(struct inode *inode, struct file *file) if (dev->open == 0) { mutex_unlock(&dev->lock); chaoskey_free(dev); - } else - mutex_unlock(&dev->lock); - } else - mutex_unlock(&dev->lock); - + goto destruction; + } + } +bail: + mutex_unlock(&dev->lock); +destruction: + mutex_lock(&chaoskey_list_lock); usb_dbg(interface, "release success"); - return 0; + return rv; } static void chaos_read_callback(struct urb *urb) -- 2.46.1

6 months, 3 weeks

4
4
0 0

[PATCH 6.6.y] Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal

by Tzung-Bi Shih

From: Mathias Krause <minipli(a)grsecurity.net> commit fbf8d71742557abaf558d8efb96742d442720cc2 upstream. Calling irq_domain_remove() will lead to freeing the IRQ domain prematurely. The domain is still referenced and will be attempted to get used via rmi_free_function_list() -> rmi_unregister_function() -> irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer. With PaX's MEMORY_SANITIZE this will lead to an access fault when attempting to dereference embedded pointers, as in Torsten's report that was faulting on the 'domain->ops->unmap' test. Fix this by releasing the IRQ domain only after all related IRQs have been deactivated. Fixes: 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") Reported-by: Torsten Hilbrich <torsten.hilbrich(a)secunet.com> Signed-off-by: Mathias Krause <minipli(a)grsecurity.net> Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tzung-Bi Shih <tzungbi(a)kernel.org> --- Commit 24d28e4f1271 ("Input: synaptics-rmi4 - convert irq distribution to irq_domain") was first seen in v4.18-rc3. While the fix fbf8d7174255 ("Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal") was first seen in v6.8. In the field test, we observed the UAF which was triggered via re-probing hid_rmi driver. linux-6.6.y, linux-6.1.y, linux-5.15.y, linux-5.10.y, linux-5.4.y, and linux-4.19.y haven't backported commit fbf8d7174255. Let's backport it. --- drivers/input/rmi4/rmi_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c index aa32371f04af..ef9ea295f9e0 100644 --- a/drivers/input/rmi4/rmi_driver.c +++ b/drivers/input/rmi4/rmi_driver.c @@ -978,12 +978,12 @@ static int rmi_driver_remove(struct device *dev) rmi_disable_irq(rmi_dev, false); - irq_domain_remove(data->irqdomain); - data->irqdomain = NULL; - rmi_f34_remove_sysfs(rmi_dev); rmi_free_function_list(rmi_dev); + irq_domain_remove(data->irqdomain); + data->irqdomain = NULL; + return 0; } -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] zram: free secondary algorithms names" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 684826f8271ad97580b138b9ffd462005e470b99 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100724-used-ventricle-7559@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 684826f8271a ("zram: free secondary algorithms names") f2bac7ad187d ("zram: introduce zcomp_params structure") 1d3100cf148d ("zram: add 842 compression backend support") 84112e314f69 ("zram: add zlib compression backend support") dbf2763cec21 ("zram: pass estimated src size hint to zstd") 73e7d81abbc8 ("zram: add zstd compression backend support") c60a4ef54446 ("zram: add lz4hc compression backend support") 22d651c3b339 ("zram: add lz4 compression backend support") 2152247c55b6 ("zram: add lzo and lzorle compression backends support") 917a59e81c34 ("zram: introduce custom comp backends API") 04cb7502a5d7 ("zsmalloc: use all available 24 bits of page_type") 43d746dc49bb ("mm/zsmalloc: use a proper page type") 8db00ad56461 ("mm: allow reuse of the lower 16 bit of the page type with an actual type") 6d21dde7adc0 ("mm: update _mapcount and page_type documentation") ff202303c398 ("mm: convert page type macros to enum") 46df8e73a4a3 ("mm: free up PG_slab") d99e3140a4d3 ("mm: turn folio_test_hugetlb into a PageType") fd1a745ce03e ("mm: support page_mapcount() on page_has_type() pages") 29cfe7556bfd ("mm: constify more page/folio tests") 443cbaf9e2fd ("crash: split vmcoreinfo exporting code out from crash_core.c") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 684826f8271ad97580b138b9ffd462005e470b99 Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 11 Sep 2024 11:54:56 +0900 Subject: [PATCH] zram: free secondary algorithms names We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. [senozhatsky(a)chromium.org: kfree(NULL) is legal] Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 1f1bf175a6c3..0207a7fc0a97 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,11 @@ static void zram_destroy_comps(struct zram *zram) zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); }

6 months, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] zram: free secondary algorithms names" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 684826f8271ad97580b138b9ffd462005e470b99 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100723-covenant-chef-b766@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 684826f8271a ("zram: free secondary algorithms names") f2bac7ad187d ("zram: introduce zcomp_params structure") 1d3100cf148d ("zram: add 842 compression backend support") 84112e314f69 ("zram: add zlib compression backend support") dbf2763cec21 ("zram: pass estimated src size hint to zstd") 73e7d81abbc8 ("zram: add zstd compression backend support") c60a4ef54446 ("zram: add lz4hc compression backend support") 22d651c3b339 ("zram: add lz4 compression backend support") 2152247c55b6 ("zram: add lzo and lzorle compression backends support") 917a59e81c34 ("zram: introduce custom comp backends API") 04cb7502a5d7 ("zsmalloc: use all available 24 bits of page_type") 43d746dc49bb ("mm/zsmalloc: use a proper page type") 8db00ad56461 ("mm: allow reuse of the lower 16 bit of the page type with an actual type") 6d21dde7adc0 ("mm: update _mapcount and page_type documentation") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 684826f8271ad97580b138b9ffd462005e470b99 Mon Sep 17 00:00:00 2001 From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Date: Wed, 11 Sep 2024 11:54:56 +0900 Subject: [PATCH] zram: free secondary algorithms names We need to kfree() secondary algorithms names when reset zram device that had multi-streams, otherwise we leak memory. [senozhatsky(a)chromium.org: kfree(NULL) is legal] Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org Link: https://lkml.kernel.org/r/20240911025600.3681789-1-senozhatsky@chromium.org Fixes: 001d92735701 ("zram: add recompression algorithm sysfs knob") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 1f1bf175a6c3..0207a7fc0a97 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2112,6 +2112,11 @@ static void zram_destroy_comps(struct zram *zram) zram->num_active_comps--; } + for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { + kfree(zram->comp_algs[prio]); + zram->comp_algs[prio] = NULL; + } + zram_comp_params_reset(zram); }

6 months, 3 weeks

2
2
0 0

[PATCH] sched: psi: fix bogus pressure spikes from aggregation race

by Yo-Jung (Leo) Lin

From: Johannes Weiner <hannes(a)cmpxchg.org> Brandon reports sporadic, non-sensical spikes in cumulative pressure time (total=) when reading cpu.pressure at a high rate. This is due to a race condition between reader aggregation and tasks changing states. While it affects all states and all resources captured by PSI, in practice it most likely triggers with CPU pressure, since scheduling events are so frequent compared to other resource events. The race context is the live snooping of ongoing stalls during a pressure read. The read aggregates per-cpu records for stalls that have concluded, but will also incorporate ad-hoc the duration of any active state that hasn't been recorded yet. This is important to get timely measurements of ongoing stalls. Those ad-hoc samples are calculated on-the-fly up to the current time on that CPU; since the stall hasn't concluded, it's expected that this is the minimum amount of stall time that will enter the per-cpu records once it does. The problem is that the path that concludes the state uses a CPU clock read that is not synchronized against aggregators; the clock is read outside of the seqlock protection. This allows aggregators to race and snoop a stall with a longer duration than will actually be recorded. With the recorded stall time being less than the last snapshot remembered by the aggregator, a subsequent sample will underflow and observe a bogus delta value, resulting in an erratic jump in pressure. Fix this by moving the clock read of the state change into the seqlock protection. This ensures no aggregation can snoop live stalls past the time that's recorded when the state concludes. Reported-by: Brandon Duffany <brandon(a)buildbuddy.io> Link: https://bugzilla.kernel.org/show_bug.cgi?id=219194 Link: https://lore.kernel.org/lkml/20240827121851.GB438928@cmpxchg.org/ Fixes: df77430639c9 ("psi: Reduce calls to sched_clock() in psi") Cc: stable(a)vger.kernel.org Signed-off-by: Johannes Weiner <hannes(a)cmpxchg.org> Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> --- kernel/sched/psi.c | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c index 020d58967d4e..84dad1511d1e 100644 --- a/kernel/sched/psi.c +++ b/kernel/sched/psi.c @@ -769,12 +769,13 @@ static void record_times(struct psi_group_cpu *groupc, u64 now) } static void psi_group_change(struct psi_group *group, int cpu, - unsigned int clear, unsigned int set, u64 now, + unsigned int clear, unsigned int set, bool wake_clock) { struct psi_group_cpu *groupc; unsigned int t, m; u32 state_mask; + u64 now; lockdep_assert_rq_held(cpu_rq(cpu)); groupc = per_cpu_ptr(group->pcpu, cpu); @@ -789,6 +790,7 @@ static void psi_group_change(struct psi_group *group, int cpu, * SOME and FULL time these may have resulted in. */ write_seqcount_begin(&groupc->seq); + now = cpu_clock(cpu); /* * Start with TSK_ONCPU, which doesn't have a corresponding @@ -899,18 +901,15 @@ void psi_task_change(struct task_struct *task, int clear, int set) { int cpu = task_cpu(task); struct psi_group *group; - u64 now; if (!task->pid) return; psi_flags_change(task, clear, set); - now = cpu_clock(cpu); - group = task_psi_group(task); do { - psi_group_change(group, cpu, clear, set, now, true); + psi_group_change(group, cpu, clear, set, true); } while ((group = group->parent)); } @@ -919,7 +918,6 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, { struct psi_group *group, *common = NULL; int cpu = task_cpu(prev); - u64 now = cpu_clock(cpu); if (next->pid) { psi_flags_change(next, 0, TSK_ONCPU); @@ -936,7 +934,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, break; } - psi_group_change(group, cpu, 0, TSK_ONCPU, now, true); + psi_group_change(group, cpu, 0, TSK_ONCPU, true); } while ((group = group->parent)); } @@ -974,7 +972,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, do { if (group == common) break; - psi_group_change(group, cpu, clear, set, now, wake_clock); + psi_group_change(group, cpu, clear, set, wake_clock); } while ((group = group->parent)); /* @@ -986,7 +984,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next, if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) { clear &= ~TSK_ONCPU; for (; group; group = group->parent) - psi_group_change(group, cpu, clear, set, now, wake_clock); + psi_group_change(group, cpu, clear, set, wake_clock); } } } @@ -997,8 +995,8 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st int cpu = task_cpu(curr); struct psi_group *group; struct psi_group_cpu *groupc; - u64 now, irq; s64 delta; + u64 irq; if (static_branch_likely(&psi_disabled)) return; @@ -1011,7 +1009,6 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st if (prev && task_psi_group(prev) == group) return; - now = cpu_clock(cpu); irq = irq_time_read(cpu); delta = (s64)(irq - rq->psi_irq_time); if (delta < 0) @@ -1019,12 +1016,15 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st rq->psi_irq_time = irq; do { + u64 now; + if (!group->enabled) continue; groupc = per_cpu_ptr(group->pcpu, cpu); write_seqcount_begin(&groupc->seq); + now = cpu_clock(cpu); record_times(groupc, now); groupc->times[PSI_IRQ_FULL] += delta; @@ -1223,11 +1223,9 @@ void psi_cgroup_restart(struct psi_group *group) for_each_possible_cpu(cpu) { struct rq *rq = cpu_rq(cpu); struct rq_flags rf; - u64 now; rq_lock_irq(rq, &rf); - now = cpu_clock(cpu); - psi_group_change(group, cpu, 0, 0, now, true); + psi_group_change(group, cpu, 0, 0, true); rq_unlock_irq(rq, &rf); } } -- 2.43.0

6 months, 3 weeks

1
1
0 0

[PATCH v2 net 0/3] net: enetc: fix some issues of XDP

by Wei Fang

We found some bugs when testing the XDP function of enetc driver, and these bugs are easy to reproduce. This is not only causes XDP to not work, but also the network cannot be restored after exiting the XDP program. So the patch set is mainly to fix these bugs. For details, please see the commit message of each patch. --- v1 link: https://lore.kernel.org/bpf/20240919084104.661180-1-wei.fang@nxp.com/T/ --- Wei Fang (3): net: enetc: remove xdp_drops statistic from enetc_xdp_drop() net: enetc: fix the issues of XDP_REDIRECT feature net: enetc: disable IRQ after Rx and Tx BD rings are disabled drivers/net/ethernet/freescale/enetc/enetc.c | 50 +++++++++++++++----- drivers/net/ethernet/freescale/enetc/enetc.h | 1 + 2 files changed, 38 insertions(+), 13 deletions(-) -- 2.34.1

6 months, 3 weeks

2
8
0 0

[PATCH 6.1 00/63] 6.1.111-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.111 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 Sep 2024 11:42:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.111-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.111-rc1 Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' Mika Westerberg <mika.westerberg(a)linux.intel.com> pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/i915/guc: prevent a possible int overflow in wq offsets Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Fix incorrect free_irq() sequence Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Undo runtime PM changes at driver exit time Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> spi: geni-qcom: Convert to platform remove callback returning void Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: Silence UBSAN warning T.J. Mercier <tjmercier(a)google.com> dma-buf: heaps: Fix off-by-one in CMA heap fault handler Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: make cgroupsv2 matching work with namespaces Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Modify SMQ flush sequence to drop packets Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush Muhammad Usama Anjum <usama.anjum(a)collabora.com> fou: fix initialization of grc Benjamin Poirier <bpoirier(a)nvidia.com> net/mlx5: Fix bridge mode operations when there are no VFs Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Verify support for scheduling element and TSAR type Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Correct TASR typo into TSAR Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Add missing masks and QoS bit masks for scheduling elements Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Explicitly set scheduling element and TSAR type Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> igb: Always call igb_xdp_ring_update_tail() under Tx lock Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Patryk Biel <pbiel7(a)gmail.com> hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Michal Luczaj <mhal(a)rbox.co> selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() peng guo <engguopeng(a)buaa.edu.cn> cxl/core: Fix incorrect vendor debug UUID define Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Fix 93xx46 driver probe failure FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Use kvfree to free memory allocated by kvmalloc Kunwu Chan <chentao(a)kylinos.cn> pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix race in axienet_stop Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid leaving partial pfn mappings around in error case Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a race condition when accessing recalc_sector Willem de Bruijn <willemb(a)google.com> net: tighten bad gso csum offset check in virtio_net_hdr Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> minmax: reduce min/max macro expansion in atomisp driver Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Edward Adam Davis <eadavis(a)qq.com> mptcp: pm: Fix uaf in __timer_delete_sync Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid unnecessary rescanning of the per-server delegation list Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix clearing of layout segments in layoutreturn ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix return value of smb2_open() Takashi Iwai <tiwai(a)suse.de> Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Rob Clark <robdclark(a)chromium.org> drm/msm/adreno: Fix error return if missing firmware-name Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add Support for Surface Pro 10 Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Dmitry Savin <envelsavinds(a)gmail.com> HID: multitouch: Add support for GT7868Q Jonathan Denose <jdenose(a)google.com> Input: synaptics - enable SMBus for HP Elitebook 840 G2 Marek Vasut <marex(a)denx.de> Input: ads7846 - ratelimit the spi_sync error message Jeff Layton <jlayton(a)kernel.org> btrfs: update target inode's ctime on unlink Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for smb2_query_info() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for share path check ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++++- arch/powerpc/kernel/setup-common.c | 1 + arch/powerpc/mm/mem.c | 2 - drivers/cxl/cxlmem.h | 2 +- drivers/dma-buf/heaps/cma_heap.c | 2 +- drivers/gpu/drm/amd/include/atomfirmware.h | 4 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++ drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/hid/hid-ids.h | 2 + drivers/hid/hid-multitouch.c | 33 ++++ drivers/hwmon/pmbus/pmbus.h | 6 + drivers/hwmon/pmbus/pmbus_core.c | 17 +- drivers/input/mouse/synaptics.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 9 ++ drivers/input/touchscreen/ads7846.c | 2 +- drivers/md/dm-integrity.c | 4 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 +- drivers/net/ethernet/intel/ice/ice_switch.c | 2 +- drivers/net/ethernet/intel/igb/igb_main.c | 17 +- drivers/net/ethernet/jme.c | 10 +- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 15 ++ .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 177 ++++++++++++++++++++- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 + .../net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 +++--- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 + drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 + drivers/net/phy/vitesse.c | 14 -- drivers/net/usb/ipheth.c | 5 +- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 + .../platform/surface/surface_aggregator_registry.c | 8 +- drivers/platform/x86/panasonic-laptop.c | 58 +++++-- drivers/soc/ti/omap_prm.c | 2 + drivers/soundwire/stream.c | 8 +- drivers/spi/spi-geni-qcom.c | 22 ++- drivers/spi/spi-nxp-fspi.c | 5 +- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 ++- fs/btrfs/inode.c | 1 + fs/nfs/delegation.c | 15 +- fs/nfs/nfs4proc.c | 9 +- fs/nfs/pnfs.c | 5 +- fs/ntfs3/attrlist.c | 4 +- fs/ntfs3/bitmap.c | 4 +- fs/ntfs3/frecord.c | 4 +- fs/ntfs3/super.c | 2 +- fs/smb/server/mgmt/share_config.c | 15 +- fs/smb/server/mgmt/share_config.h | 4 +- fs/smb/server/mgmt/tree_connect.c | 9 +- fs/smb/server/mgmt/tree_connect.h | 4 +- fs/smb/server/smb2pdu.c | 11 +- fs/smb/server/smb_common.c | 9 +- fs/smb/server/smb_common.h | 2 + include/linux/mlx5/mlx5_ifc.h | 12 +- include/linux/virtio_net.h | 3 +- mm/memory.c | 27 +++- net/ipv4/fou.c | 4 +- net/mptcp/pm_netlink.c | 13 +- net/netfilter/nft_socket.c | 48 +++++- scripts/kconfig/merge_config.sh | 2 + sound/soc/meson/axg-card.c | 3 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 3 +- 68 files changed, 642 insertions(+), 177 deletions(-)

6 months, 3 weeks

11
77
0 0

[tip: x86/urgent] x86/entry_32: Do not clobber user EFLAGS.ZF

by tip-bot2 for Pawan Gupta

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 Gitweb: https://git.kernel.org/tip/2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> AuthorDate: Wed, 25 Sep 2024 15:25:38 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 08 Oct 2024 15:16:28 -07:00 x86/entry_32: Do not clobber user EFLAGS.ZF Opportunistic SYSEXIT executes VERW to clear CPU buffers after user EFLAGS are restored. This can clobber user EFLAGS.ZF. Move CLEAR_CPU_BUFFERS before the user EFLAGS are restored. This ensures that the user EFLAGS.ZF is not clobbered. Closes: https://lore.kernel.org/lkml/yVXwe8gvgmPADpRB6lXlicS2fcHoV5OHHxyuFbB_MEleRP… Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Reported-by: Jari Ruusu <jariruusu(a)protonmail.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-1-1de0daca2d42%40li… --- arch/x86/entry/entry_32.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index d3a814e..9ad6cd8 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -871,6 +871,8 @@ SYM_FUNC_START(entry_SYSENTER_32) /* Now ready to switch the cr3 */ SWITCH_TO_USER_CR3 scratch_reg=%eax + /* Clobbers ZF */ + CLEAR_CPU_BUFFERS /* * Restore all flags except IF. (We restore IF separately because @@ -881,7 +883,6 @@ SYM_FUNC_START(entry_SYSENTER_32) BUG_IF_WRONG_CR3 no_user_check=1 popfl popl %eax - CLEAR_CPU_BUFFERS /* * Return back to the vDSO, which will pop ecx and edx.

6 months, 3 weeks

1
0
0 0

[tip: x86/urgent] x86/entry_32: Clear CPU buffers after register restore in NMI return

by tip-bot2 for Pawan Gupta

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 48a2440d0f20c826b884e04377ccc1e4696c84e9 Gitweb: https://git.kernel.org/tip/48a2440d0f20c826b884e04377ccc1e4696c84e9 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> AuthorDate: Wed, 25 Sep 2024 15:25:44 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 08 Oct 2024 15:16:28 -07:00 x86/entry_32: Clear CPU buffers after register restore in NMI return CPU buffers are currently cleared after call to exc_nmi, but before register state is restored. This may be okay for MDS mitigation but not for RDFS. Because RDFS mitigation requires CPU buffers to be cleared when registers don't have any sensitive data. Move CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI. Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-2-1de0daca2d42%40li… --- arch/x86/entry/entry_32.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S index 9ad6cd8..20be575 100644 --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -1145,7 +1145,6 @@ SYM_CODE_START(asm_exc_nmi) /* Not on SYSENTER stack. */ call exc_nmi - CLEAR_CPU_BUFFERS jmp .Lnmi_return .Lnmi_from_sysenter_stack: @@ -1166,6 +1165,7 @@ SYM_CODE_START(asm_exc_nmi) CHECK_AND_APPLY_ESPFIX RESTORE_ALL_NMI cr3_reg=%edi pop=4 + CLEAR_CPU_BUFFERS jmp .Lirq_return #ifdef CONFIG_X86_ESPFIX32 @@ -1207,6 +1207,7 @@ SYM_CODE_START(asm_exc_nmi) * 1 - orig_ax */ lss (1+5+6)*4(%esp), %esp # back to espfix stack + CLEAR_CPU_BUFFERS jmp .Lirq_return #endif SYM_CODE_END(asm_exc_nmi)

6 months, 3 weeks

1
0
0 0

[PATCH] usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG

by Prashanth K

DWC3 programming guide mentions that when operating in USB2.0 speeds, if GUSB2PHYCFG[6] or GUSB2PHYCFG[8] is set, it must be cleared prior to issuing commands and may be set again after the command completes. But currently while issuing EndXfer command without CmdIOC set, we wait for 1ms after GUSB2PHYCFG is restored. This results in cases where EndXfer command doesn't get completed and causes SMMU faults since requests are unmapped afterwards. Hence restore GUSB2PHYCFG after waiting for EndXfer command completion. Cc: stable(a)vger.kernel.org Fixes: 1d26ba0944d3 ("usb: dwc3: Wait unconditionally after issuing EndXfer command") Signed-off-by: Prashanth K <quic_prashk(a)quicinc.com> --- drivers/usb/dwc3/gadget.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 291bc549935b..50772d611582 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -438,6 +438,10 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd, dwc3_gadget_ep_get_transfer_index(dep); } + if (DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_ENDTRANSFER && + !(cmd & DWC3_DEPCMD_CMDIOC)) + mdelay(1); + if (saved_config) { reg = dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)); reg |= saved_config; @@ -1715,12 +1719,10 @@ static int __dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force, bool int WARN_ON_ONCE(ret); dep->resource_index = 0; - if (!interrupt) { - mdelay(1); + if (!interrupt) dep->flags &= ~DWC3_EP_TRANSFER_STARTED; - } else if (!ret) { + else if (!ret) dep->flags |= DWC3_EP_END_TRANSFER_PENDING; - } dep->flags &= ~DWC3_EP_DELAY_STOP; return ret; -- 2.25.1

6 months, 3 weeks

2
3
0 0

[PATCH v3 03/12] drm/fbdev-dma: Select FB_DEFERRED_IO

by Thomas Zimmermann

Commit 808a40b69468 ("drm/fbdev-dma: Implement damage handling and deferred I/O") added deferred I/O for fbdev-dma. Also select the Kconfig symbol FB_DEFERRED_IO (via FB_DMAMEM_HELPERS_DEFERRED). Fixes build errors about missing fbdefio, such as drivers/gpu/drm/drm_fbdev_dma.c:218:26: error: 'struct drm_fb_helper' has no member named 'fbdefio' 218 | fb_helper->fbdefio.delay = HZ / 20; | ^~ drivers/gpu/drm/drm_fbdev_dma.c:219:26: error: 'struct drm_fb_helper' has no member named 'fbdefio' 219 | fb_helper->fbdefio.deferred_io = drm_fb_helper_deferred_io; | ^~ drivers/gpu/drm/drm_fbdev_dma.c:221:21: error: 'struct fb_info' has no member named 'fbdefio' 221 | info->fbdefio = &fb_helper->fbdefio; | ^~ drivers/gpu/drm/drm_fbdev_dma.c:221:43: error: 'struct drm_fb_helper' has no member named 'fbdefio' 221 | info->fbdefio = &fb_helper->fbdefio; | ^~ Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202410050241.Mox9QRjP-lkp@intel.com/ Fixes: 808a40b69468 ("drm/fbdev-dma: Implement damage handling and deferred I/O") Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Javier Martinez Canillas <javierm(a)redhat.com> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: <stable(a)vger.kernel.org> # v6.11+ --- drivers/gpu/drm/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/Kconfig b/drivers/gpu/drm/Kconfig index 1df4e627e3d3..db2e206a117c 100644 --- a/drivers/gpu/drm/Kconfig +++ b/drivers/gpu/drm/Kconfig @@ -338,7 +338,7 @@ config DRM_TTM_HELPER config DRM_GEM_DMA_HELPER tristate depends on DRM - select FB_DMAMEM_HELPERS if DRM_FBDEV_EMULATION + select FB_DMAMEM_HELPERS_DEFERRED if DRM_FBDEV_EMULATION help Choose this if you need the GEM DMA helper functions -- 2.46.0

6 months, 3 weeks

2
1
0 0

[PATCH] iwlegacy: Clear stale interrupts before enabling interrupts

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> iwl4965 fails upon resume from hibernation on my laptop. The reason seems to be a stale interrupt which isn't being cleared out before interrupts are enabled. We end up with a race beween the resume trying to bring things back up, and the restart work (queued form the interrupt handler) trying to bring things down. Eventually the whole thing blows up. Fix the problem by clearing out any stale interrupts before interrupts get enabled. Here's a debug log of the indicent: [ 12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000 [ 12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000 [ 12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio. [ 12.042653] iwl4965 0000:10:00.0: On demand firmware reload [ 12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282 [ 12.052207] ieee80211 phy0: il4965_mac_start enter [ 12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff [ 12.052244] ieee80211 phy0: il4965_set_hw_ready hardware ready [ 12.052324] ieee80211 phy0: il_apm_init Init card's basic functions [ 12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S [ 12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm [ 12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm [ 12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK [ 12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations [ 12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up [ 12.058737] ieee80211 phy0: il4965_mac_start Start UP work done. [ 12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down [ 12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout [ 12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort [ 12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver [ 12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared [ 12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state [ 12.058827] ieee80211 phy0: _il_apm_stop_master stop master [ 12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear. [ 12.058869] ieee80211 phy0: Hardware restart was requested [ 16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms. [ 16.132303] ------------[ cut here ]------------ [ 16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue. [ 16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev [ 16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143 [ 16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010 [ 16.132463] Workqueue: async async_run_entry_fn [ 16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132501] Code: da 02 00 00 c6 83 ad 05 00 00 00 48 89 df e8 98 1b fc ff 85 c0 41 89 c7 0f 84 e9 02 00 00 48 c7 c7 a0 e6 48 a0 e8 d1 77 c4 e0 <0f> 0b eb 2d 84 c0 0f 85 8b 01 00 00 c6 87 ad 05 00 00 00 e8 69 1b [ 16.132504] RSP: 0018:ffffc9000029fcf0 EFLAGS: 00010282 [ 16.132507] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: 0000000000000001 [ 16.132509] RDX: ffffffff81f21a18 RSI: 0000000000000086 RDI: 0000000000000001 [ 16.132510] RBP: ffff8880072003c0 R08: 0000000000000000 R09: 0000000000000003 [ 16.132512] R10: 0000000000000000 R11: ffff88807e5b0000 R12: 0000000000000001 [ 16.132514] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff92 [ 16.132515] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000 [ 16.132517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.132519] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0 [ 16.132521] Call Trace: [ 16.132525] <TASK> [ 16.132526] ? __warn+0x77/0x120 [ 16.132532] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132564] ? report_bug+0x15c/0x190 [ 16.132568] ? handle_bug+0x36/0x70 [ 16.132571] ? exc_invalid_op+0x13/0x60 [ 16.132573] ? asm_exc_invalid_op+0x16/0x20 [ 16.132579] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211] [ 16.132611] ? snd_hdac_bus_init_cmd_io+0x24/0x200 [snd_hda_core] [ 16.132617] ? pick_eevdf+0x133/0x1c0 [ 16.132622] ? check_preempt_wakeup_fair+0x70/0x90 [ 16.132626] ? wakeup_preempt+0x4a/0x60 [ 16.132628] ? ttwu_do_activate.isra.0+0x5a/0x190 [ 16.132632] wiphy_resume+0x79/0x1a0 [cfg80211] [ 16.132675] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211] [ 16.132697] dpm_run_callback+0x75/0x1b0 [ 16.132703] device_resume+0x97/0x200 [ 16.132707] async_resume+0x14/0x20 [ 16.132711] async_run_entry_fn+0x1b/0xa0 [ 16.132714] process_one_work+0x13d/0x350 [ 16.132718] worker_thread+0x2be/0x3d0 [ 16.132722] ? cancel_delayed_work_sync+0x70/0x70 [ 16.132725] kthread+0xc0/0xf0 [ 16.132729] ? kthread_park+0x80/0x80 [ 16.132732] ret_from_fork+0x28/0x40 [ 16.132735] ? kthread_park+0x80/0x80 [ 16.132738] ret_from_fork_asm+0x11/0x20 [ 16.132741] </TASK> [ 16.132742] ---[ end trace 0000000000000000 ]--- [ 16.132930] ------------[ cut here ]------------ [ 16.132932] WARNING: CPU: 0 PID: 181 at net/mac80211/driver-ops.c:41 drv_stop+0xe7/0xf0 [mac80211] [ 16.132957] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev [ 16.133014] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Tainted: G W 6.11.0-cl+ #143 [ 16.133018] Tainted: [W]=WARN [ 16.133019] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010 [ 16.133021] Workqueue: async async_run_entry_fn [ 16.133025] RIP: 0010:drv_stop+0xe7/0xf0 [mac80211] [ 16.133048] Code: 48 85 c0 74 0e 48 8b 78 08 89 ea 48 89 de e8 e0 87 04 00 65 ff 0d d1 de c4 5f 0f 85 42 ff ff ff e8 be 52 c2 e0 e9 38 ff ff ff <0f> 0b 5b 5d c3 0f 1f 40 00 41 54 49 89 fc 55 53 48 89 f3 2e 2e 2e [ 16.133050] RSP: 0018:ffffc9000029fc50 EFLAGS: 00010246 [ 16.133053] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: ffff88800377f6c0 [ 16.133054] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880072008e0 [ 16.133056] RBP: 0000000000000000 R08: ffffffff81f238d8 R09: 0000000000000000 [ 16.133058] R10: ffff8880080520f0 R11: 0000000000000000 R12: ffff888008051c60 [ 16.133060] R13: ffff8880072008e0 R14: 0000000000000000 R15: ffff8880072011d8 [ 16.133061] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000 [ 16.133063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 16.133065] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0 [ 16.133067] Call Trace: [ 16.133069] <TASK> [ 16.133070] ? __warn+0x77/0x120 [ 16.133075] ? drv_stop+0xe7/0xf0 [mac80211] [ 16.133098] ? report_bug+0x15c/0x190 [ 16.133100] ? handle_bug+0x36/0x70 [ 16.133103] ? exc_invalid_op+0x13/0x60 [ 16.133105] ? asm_exc_invalid_op+0x16/0x20 [ 16.133109] ? drv_stop+0xe7/0xf0 [mac80211] [ 16.133132] ieee80211_do_stop+0x55a/0x810 [mac80211] [ 16.133161] ? fq_codel_reset+0xa5/0xc0 [sch_fq_codel] [ 16.133164] ieee80211_stop+0x4f/0x180 [mac80211] [ 16.133192] __dev_close_many+0xa2/0x120 [ 16.133195] dev_close_many+0x90/0x150 [ 16.133198] dev_close+0x5d/0x80 [ 16.133200] cfg80211_shutdown_all_interfaces+0x40/0xe0 [cfg80211] [ 16.133223] wiphy_resume+0xb2/0x1a0 [cfg80211] [ 16.133247] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211] [ 16.133269] dpm_run_callback+0x75/0x1b0 [ 16.133273] device_resume+0x97/0x200 [ 16.133277] async_resume+0x14/0x20 [ 16.133280] async_run_entry_fn+0x1b/0xa0 [ 16.133283] process_one_work+0x13d/0x350 [ 16.133287] worker_thread+0x2be/0x3d0 [ 16.133290] ? cancel_delayed_work_sync+0x70/0x70 [ 16.133294] kthread+0xc0/0xf0 [ 16.133296] ? kthread_park+0x80/0x80 [ 16.133299] ret_from_fork+0x28/0x40 [ 16.133302] ? kthread_park+0x80/0x80 [ 16.133304] ret_from_fork_asm+0x11/0x20 [ 16.133307] </TASK> [ 16.133308] ---[ end trace 0000000000000000 ]--- [ 16.133335] ieee80211 phy0: PM: dpm_run_callback(): wiphy_resume [cfg80211] returns -110 [ 16.133360] ieee80211 phy0: PM: failed to restore async: error -110 Cc: stable(a)vger.kernel.org Cc: Stanislaw Gruszka <stf_xl(a)wp.pl> Cc: Kalle Valo <kvalo(a)kernel.org> Cc: linux-wireless(a)vger.kernel.org Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/net/wireless/intel/iwlegacy/common.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/intel/iwlegacy/common.h b/drivers/net/wireless/intel/iwlegacy/common.h index 2147781b5fff..758984d527bf 100644 --- a/drivers/net/wireless/intel/iwlegacy/common.h +++ b/drivers/net/wireless/intel/iwlegacy/common.h @@ -2342,6 +2342,8 @@ static inline void il_enable_interrupts(struct il_priv *il) { set_bit(S_INT_ENABLED, &il->status); + _il_wr(il, CSR_INT, 0xffffffff); + _il_wr(il, CSR_FH_INT_STATUS, 0xffffffff); _il_wr(il, CSR_INT_MASK, il->inta_mask); } -- 2.45.2

6 months, 3 weeks

3
4
0 0

FAILED: patch "[PATCH] clk: qcom: clk-rpmh: Fix overflow in BCM vote" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x a4e5af27e6f6a8b0d14bc0d7eb04f4a6c7291586 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100719-exploring-umbrella-b6ca@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: a4e5af27e6f6 ("clk: qcom: clk-rpmh: Fix overflow in BCM vote") 2cf7a4cbcb4e ("clk: qcom: rpmh: Simplify clk_rpmh_bcm_send_cmd()") dad4e7fda4bd ("clk: qcom: clk-rpmh: Wait for completion when enabling clocks") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a4e5af27e6f6a8b0d14bc0d7eb04f4a6c7291586 Mon Sep 17 00:00:00 2001 From: Mike Tipton <quic_mdtipton(a)quicinc.com> Date: Fri, 9 Aug 2024 10:51:29 +0530 Subject: [PATCH] clk: qcom: clk-rpmh: Fix overflow in BCM vote Valid frequencies may result in BCM votes that exceed the max HW value. Set vote ceiling to BCM_TCS_CMD_VOTE_MASK to ensure the votes aren't truncated, which can result in lower frequencies than desired. Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support") Cc: stable(a)vger.kernel.org Signed-off-by: Mike Tipton <quic_mdtipton(a)quicinc.com> Reviewed-by: Taniya Das <quic_tdas(a)quicinc.com> Signed-off-by: Imran Shaik <quic_imrashai(a)quicinc.com> Link: https://lore.kernel.org/r/20240809-clk-rpmh-bcm-vote-fix-v2-1-240c584b7ef9@… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> diff --git a/drivers/clk/qcom/clk-rpmh.c b/drivers/clk/qcom/clk-rpmh.c index bb82abeed88f..4acde937114a 100644 --- a/drivers/clk/qcom/clk-rpmh.c +++ b/drivers/clk/qcom/clk-rpmh.c @@ -263,6 +263,8 @@ static int clk_rpmh_bcm_send_cmd(struct clk_rpmh *c, bool enable) cmd_state = 0; } + cmd_state = min(cmd_state, BCM_TCS_CMD_VOTE_MASK); + if (c->last_sent_aggr_state != cmd_state) { cmd.addr = c->res_addr; cmd.data = BCM_TCS_CMD(1, enable, 0, cmd_state);

6 months, 3 weeks

2
1
0 0

[PATCH v2 0/8] binder: several fixes for frozen notification

by Carlos Llamas

These are all fixes for the frozen notification patch [1], which as of today hasn't landed in mainline yet. As such, this patchset is rebased on top of the char-misc-next branch. [1] https://lore.kernel.org/all/20240709070047.4055369-2-yutingtseng@google.com/ Cc: stable(a)vger.kernel.org Cc: Yu-Ting Tseng <yutingtseng(a)google.com> Cc: Alice Ryhl <aliceryhl(a)google.com> Cc: Todd Kjos <tkjos(a)google.com> Cc: Martijn Coenen <maco(a)google.com> Cc: Arve Hjønnevåg <arve(a)android.com> Cc: Viktor Martensson <vmartensson(a)google.com> v1: https://lore.kernel.org/all/20240924184401.76043-1-cmllamas@google.com/ v2: * debug output for BINDER_WORK_CLEAR_FREEZE_NOTIFICATION (Alice) * allow notifications for dead nodes instead of EINVAL (Alice) * add fix for memleak of proc->delivered_freeze * add proc->delivered_freeze to debug output * collect tags Carlos Llamas (8): binder: fix node UAF in binder_add_freeze_work() binder: fix OOB in binder_add_freeze_work() binder: fix freeze UAF in binder_release_work() binder: fix BINDER_WORK_FROZEN_BINDER debug logs binder: fix BINDER_WORK_CLEAR_FREEZE_NOTIFICATION debug logs binder: allow freeze notification for dead nodes binder: fix memleak of proc->delivered_freeze binder: add delivered_freeze to debugfs output drivers/android/binder.c | 64 ++++++++++++++++++++++++++++++---------- 1 file changed, 49 insertions(+), 15 deletions(-) -- 2.46.1.824.gd892dcdcdd-goog

6 months, 3 weeks

4
23
0 0

Dell WD19TB Thunderbolt Dock not working with kernel > 6.6.28-1

by Fabian Stäber

Hi, I got a Dell WD19TBS Thunderbolt Dock, and it has been working with Linux for years without issues. However, updating to linux-lts-6.6.29-1 or newer breaks the USB ports on my Dock. Using the latest non-LTS kernel doesn't help, it also breaks the USB ports. Downgrading the kernel to linux-lts-6.6.28-1 works. This is the last working version. I opened a thread on the Arch Linux forum https://bbs.archlinux.org/viewtopic.php?id=299604 with some dmesg output. However, it sounds like this is a regression in the Linux kernel, so I'm posting this here as well. Let me know if you need any more info. Thanks a lot Fabian

6 months, 3 weeks

6
7
0 0

[PATCH 5.15 0/3] Fix block integrity violation of kobject rules

by Thadeu Lima de Souza Cascardo

integrity_kobj did not have a release function and with CONFIG_DEBUG_KOBJECT_RELEASE, a use-after-free would be triggered as its holding struct gendisk would be freed without relying on its refcount. Thomas Weißschuh (3): blk-integrity: use sysfs_emit blk-integrity: convert to struct device_attribute blk-integrity: register sysfs attributes on struct device block/blk-integrity.c | 175 ++++++++++++++--------------------------- block/blk.h | 10 +-- block/genhd.c | 12 +-- include/linux/blkdev.h | 3 - 4 files changed, 66 insertions(+), 134 deletions(-) -- 2.34.1

6 months, 3 weeks

1
3
0 0

Re: [PATCH 6.11 000/558] 6.11.3-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

6 months, 3 weeks

1
0
0 0

[tip: irq/urgent] irqchip/gic-v4: Don't allow a VMOVP on a dying VPE

by tip-bot2 for Marc Zyngier

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: 1442ee0011983f0c5c4b92380e6853afb513841a Gitweb: https://git.kernel.org/tip/1442ee0011983f0c5c4b92380e6853afb513841a Author: Marc Zyngier <maz(a)kernel.org> AuthorDate: Wed, 02 Oct 2024 21:49:59 +01:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Tue, 08 Oct 2024 17:44:27 +02:00 irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Kunkun Jiang reported that there is a small window of opportunity for userspace to force a change of affinity for a VPE while the VPE has already been unmapped, but the corresponding doorbell interrupt still visible in /proc/irq/. Plug the race by checking the value of vmapp_count, which tracks whether the VPE is mapped ot not, and returning an error in this case. This involves making vmapp_count common to both GICv4.1 and its v4.0 ancestor. Fixes: 64edfaa9a234 ("irqchip/gic-v4.1: Implement the v4.1 flavour of VMAPP") Reported-by: Kunkun Jiang <jiangkunkun(a)huawei.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/c182ece6-2ba0-ce4f-3404-dba7a3ab6c52@huawei.com Link: https://lore.kernel.org/all/20241002204959.2051709-1-maz@kernel.org --- drivers/irqchip/irq-gic-v3-its.c | 18 ++++++++++++------ include/linux/irqchip/arm-gic-v4.h | 4 +++- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index fdec478..ab597e7 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -797,8 +797,8 @@ static struct its_vpe *its_build_vmapp_cmd(struct its_node *its, its_encode_valid(cmd, desc->its_vmapp_cmd.valid); if (!desc->its_vmapp_cmd.valid) { + alloc = !atomic_dec_return(&desc->its_vmapp_cmd.vpe->vmapp_count); if (is_v4_1(its)) { - alloc = !atomic_dec_return(&desc->its_vmapp_cmd.vpe->vmapp_count); its_encode_alloc(cmd, alloc); /* * Unmapping a VPE is self-synchronizing on GICv4.1, @@ -817,13 +817,13 @@ static struct its_vpe *its_build_vmapp_cmd(struct its_node *its, its_encode_vpt_addr(cmd, vpt_addr); its_encode_vpt_size(cmd, LPI_NRBITS - 1); + alloc = !atomic_fetch_inc(&desc->its_vmapp_cmd.vpe->vmapp_count); + if (!is_v4_1(its)) goto out; vconf_addr = virt_to_phys(page_address(desc->its_vmapp_cmd.vpe->its_vm->vprop_page)); - alloc = !atomic_fetch_inc(&desc->its_vmapp_cmd.vpe->vmapp_count); - its_encode_alloc(cmd, alloc); /* @@ -3807,6 +3807,13 @@ static int its_vpe_set_affinity(struct irq_data *d, unsigned long flags; /* + * Check if we're racing against a VPE being destroyed, for + * which we don't want to allow a VMOVP. + */ + if (!atomic_read(&vpe->vmapp_count)) + return -EINVAL; + + /* * Changing affinity is mega expensive, so let's be as lazy as * we can and only do it if we really have to. Also, if mapped * into the proxy device, we need to move the doorbell @@ -4463,9 +4470,8 @@ static int its_vpe_init(struct its_vpe *vpe) raw_spin_lock_init(&vpe->vpe_lock); vpe->vpe_id = vpe_id; vpe->vpt_page = vpt_page; - if (gic_rdists->has_rvpeid) - atomic_set(&vpe->vmapp_count, 0); - else + atomic_set(&vpe->vmapp_count, 0); + if (!gic_rdists->has_rvpeid) vpe->vpe_proxy_event = -1; return 0; diff --git a/include/linux/irqchip/arm-gic-v4.h b/include/linux/irqchip/arm-gic-v4.h index ecabed6..7f1f11a 100644 --- a/include/linux/irqchip/arm-gic-v4.h +++ b/include/linux/irqchip/arm-gic-v4.h @@ -66,10 +66,12 @@ struct its_vpe { bool enabled; bool group; } sgi_config[16]; - atomic_t vmapp_count; }; }; + /* Track the VPE being mapped */ + atomic_t vmapp_count; + /* * Ensures mutual exclusion between affinity setting of the * vPE and vLPI operations using vpe->col_idx.

6 months, 3 weeks

1
0
0 0

[PATCH v2] irqchip/sifive-plic: Unmask interrupt in plic_irq_enable()

by Nam Cao

It is possible that an interrupt is disabled and masked at the same time. When the interrupt is enabled again by enable_irq(), only plic_irq_enable() is called, not plic_irq_unmask(). The interrupt remains masked and never raises. An example where interrupt is both disabled and masked is when handle_fasteoi_irq() is the handler, and IRQS_ONESHOT is set. The interrupt handler: 1. Mask the interrupt 2. Handle the interrupt 3. Check if interrupt is still enabled, and unmask it (see cond_unmask_eoi_irq()) If another task disables the interrupt in the middle of the above steps, the interrupt will not get unmasked, and will remain masked when it is enabled in the future. The problem is occasionally observed when PREEMPT_RT is enabled, because PREEMPT_RT add the IRQS_ONESHOT flag. But PREEMPT_RT only makes the problem more likely to appear, the bug has been around since commit a1706a1c5062 ("irqchip/sifive-plic: Separate the enable and mask operations"). Fix it by unmasking interrupt in plic_irq_enable(). Fixes: a1706a1c5062 ("irqchip/sifive-plic: Separate the enable and mask operations") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- v2: re-use plic_irq_unmask() instead of duplicating its code drivers/irqchip/irq-sifive-plic.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c index 2f6ef5c495bd..503d36d5a869 100644 --- a/drivers/irqchip/irq-sifive-plic.c +++ b/drivers/irqchip/irq-sifive-plic.c @@ -126,16 +126,6 @@ static inline void plic_irq_toggle(const struct cpumask *mask, } } -static void plic_irq_enable(struct irq_data *d) -{ - plic_irq_toggle(irq_data_get_effective_affinity_mask(d), d, 1); -} - -static void plic_irq_disable(struct irq_data *d) -{ - plic_irq_toggle(irq_data_get_effective_affinity_mask(d), d, 0); -} - static void plic_irq_unmask(struct irq_data *d) { struct plic_priv *priv = irq_data_get_irq_chip_data(d); @@ -150,6 +140,17 @@ static void plic_irq_mask(struct irq_data *d) writel(0, priv->regs + PRIORITY_BASE + d->hwirq * PRIORITY_PER_ID); } +static void plic_irq_enable(struct irq_data *d) +{ + plic_irq_toggle(irq_data_get_effective_affinity_mask(d), d, 1); + plic_irq_unmask(d); +} + +static void plic_irq_disable(struct irq_data *d) +{ + plic_irq_toggle(irq_data_get_effective_affinity_mask(d), d, 0); +} + static void plic_irq_eoi(struct irq_data *d) { struct plic_handler *handler = this_cpu_ptr(&plic_handlers); -- 2.39.5

6 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/xe/vm: move xa_alloc to prevent UAF" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 74231870cf4976f69e83aa24f48edb16619f652f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100727-compacted-armored-bbce@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: 74231870cf49 ("drm/xe/vm: move xa_alloc to prevent UAF") 9e3c85ddea7a ("drm/xe: Clean up VM / exec queue file lock usage.") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 74231870cf4976f69e83aa24f48edb16619f652f Mon Sep 17 00:00:00 2001 From: Matthew Auld <matthew.auld(a)intel.com> Date: Wed, 25 Sep 2024 08:14:27 +0100 Subject: [PATCH] drm/xe/vm: move xa_alloc to prevent UAF Evil user can guess the next id of the vm before the ioctl completes and then call vm destroy ioctl to trigger UAF since create ioctl is still referencing the same vm. Move the xa_alloc all the way to the end to prevent this. v2: - Rebase Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Matthew Brost <matthew.brost(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240925071426.144015-3-matth… (cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index 31fe31db3fdc..ce9dca4d4e87 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -1765,10 +1765,6 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, if (IS_ERR(vm)) return PTR_ERR(vm); - err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); - if (err) - goto err_close_and_put; - if (xe->info.has_asid) { down_write(&xe->usm.lock); err = xa_alloc_cyclic(&xe->usm.asid_to_vm, &asid, vm, @@ -1776,12 +1772,11 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, &xe->usm.next_asid, GFP_KERNEL); up_write(&xe->usm.lock); if (err < 0) - goto err_free_id; + goto err_close_and_put; vm->usm.asid = asid; } - args->vm_id = id; vm->xef = xe_file_get(xef); /* Record BO memory for VM pagetable created against client */ @@ -1794,10 +1789,15 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, args->reserved[0] = xe_bo_main_addr(vm->pt_root[0]->bo, XE_PAGE_SIZE); #endif + /* user id alloc must always be last in ioctl to prevent UAF */ + err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); + if (err) + goto err_close_and_put; + + args->vm_id = id; + return 0; -err_free_id: - xa_erase(&xef->vm.xa, id); err_close_and_put: xe_vm_close_and_put(vm);

6 months, 3 weeks

3
2
0 0

+ mm-mremap-prevent-racing-change-of-old-pmd-type.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/mremap: prevent racing change of old pmd type has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-mremap-prevent-racing-change-of-old-pmd-type.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jann Horn <jannh(a)google.com> Subject: mm/mremap: prevent racing change of old pmd type Date: Wed, 02 Oct 2024 23:07:06 +0200 Prevent move_normal_pmd() in mremap() from racing with retract_page_tables() in MADVISE_COLLAPSE such that pmd_populate(mm, new_pmd, pmd_pgtable(pmd)) operates on an empty source pmd, causing creation of a new pmd which maps physical address 0 as a page table. This bug is only reachable if either CONFIG_READ_ONLY_THP_FOR_FS is set or THP shmem is usable. (Unprivileged namespaces can be used to set up a tmpfs that can contain THP shmem pages with "huge=advise".) If userspace triggers this bug *in multiple processes*, this could likely be used to create stale TLB entries pointing to freed pages or cause kernel UAF by breaking an invariant the rmap code relies on. Fix it by moving the rmap locking up so that it covers the span from reading the PMD entry to moving the page table. Link: https://lkml.kernel.org/r/20241002-move_normal_pmd-vs-collapse-fix-v1-1-782… Fixes: 1d65b771bc08 ("mm/khugepaged: retract_page_tables() without mmap or vma lock") Signed-off-by: Jann Horn <jannh(a)google.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mremap.c | 68 +++++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 30 deletions(-) --- a/mm/mremap.c~mm-mremap-prevent-racing-change-of-old-pmd-type +++ a/mm/mremap.c @@ -136,17 +136,17 @@ static pte_t move_soft_dirty_pte(pte_t p static int move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, unsigned long old_addr, unsigned long old_end, struct vm_area_struct *new_vma, pmd_t *new_pmd, - unsigned long new_addr, bool need_rmap_locks) + unsigned long new_addr) { struct mm_struct *mm = vma->vm_mm; pte_t *old_pte, *new_pte, pte; spinlock_t *old_ptl, *new_ptl; bool force_flush = false; unsigned long len = old_end - old_addr; - int err = 0; /* - * When need_rmap_locks is true, we take the i_mmap_rwsem and anon_vma + * When need_rmap_locks is true in the caller, we are holding the + * i_mmap_rwsem and anon_vma * locks to ensure that rmap will always observe either the old or the * new ptes. This is the easiest way to avoid races with * truncate_pagecache(), page migration, etc... @@ -163,23 +163,18 @@ static int move_ptes(struct vm_area_stru * serialize access to individual ptes, but only rmap traversal * order guarantees that we won't miss both the old and new ptes). */ - if (need_rmap_locks) - take_rmap_locks(vma); /* * We don't have to worry about the ordering of src and dst * pte locks because exclusive mmap_lock prevents deadlock. */ old_pte = pte_offset_map_lock(mm, old_pmd, old_addr, &old_ptl); - if (!old_pte) { - err = -EAGAIN; - goto out; - } + if (!old_pte) + return -EAGAIN; new_pte = pte_offset_map_nolock(mm, new_pmd, new_addr, &new_ptl); if (!new_pte) { pte_unmap_unlock(old_pte, old_ptl); - err = -EAGAIN; - goto out; + return -EAGAIN; } if (new_ptl != old_ptl) spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); @@ -217,10 +212,7 @@ static int move_ptes(struct vm_area_stru spin_unlock(new_ptl); pte_unmap(new_pte - 1); pte_unmap_unlock(old_pte - 1, old_ptl); -out: - if (need_rmap_locks) - drop_rmap_locks(vma); - return err; + return 0; } #ifndef arch_supports_page_table_move @@ -447,17 +439,14 @@ static __always_inline unsigned long get /* * Attempts to speedup the move by moving entry at the level corresponding to * pgt_entry. Returns true if the move was successful, else false. + * rmap locks are held by the caller. */ static bool move_pgt_entry(enum pgt_entry entry, struct vm_area_struct *vma, unsigned long old_addr, unsigned long new_addr, - void *old_entry, void *new_entry, bool need_rmap_locks) + void *old_entry, void *new_entry) { bool moved = false; - /* See comment in move_ptes() */ - if (need_rmap_locks) - take_rmap_locks(vma); - switch (entry) { case NORMAL_PMD: moved = move_normal_pmd(vma, old_addr, new_addr, old_entry, @@ -483,9 +472,6 @@ static bool move_pgt_entry(enum pgt_entr break; } - if (need_rmap_locks) - drop_rmap_locks(vma); - return moved; } @@ -550,6 +536,7 @@ unsigned long move_page_tables(struct vm struct mmu_notifier_range range; pmd_t *old_pmd, *new_pmd; pud_t *old_pud, *new_pud; + int move_res; if (!len) return 0; @@ -573,6 +560,12 @@ unsigned long move_page_tables(struct vm old_addr, old_end); mmu_notifier_invalidate_range_start(&range); + /* + * Hold rmap locks to ensure the type of the old PUD/PMD entry doesn't + * change under us due to khugepaged or folio splitting. + */ + take_rmap_locks(vma); + for (; old_addr < old_end; old_addr += extent, new_addr += extent) { cond_resched(); /* @@ -590,14 +583,14 @@ unsigned long move_page_tables(struct vm if (pud_trans_huge(*old_pud) || pud_devmap(*old_pud)) { if (extent == HPAGE_PUD_SIZE) { move_pgt_entry(HPAGE_PUD, vma, old_addr, new_addr, - old_pud, new_pud, need_rmap_locks); + old_pud, new_pud); /* We ignore and continue on error? */ continue; } } else if (IS_ENABLED(CONFIG_HAVE_MOVE_PUD) && extent == PUD_SIZE) { if (move_pgt_entry(NORMAL_PUD, vma, old_addr, new_addr, - old_pud, new_pud, true)) + old_pud, new_pud)) continue; } @@ -613,7 +606,7 @@ again: pmd_devmap(*old_pmd)) { if (extent == HPAGE_PMD_SIZE && move_pgt_entry(HPAGE_PMD, vma, old_addr, new_addr, - old_pmd, new_pmd, need_rmap_locks)) + old_pmd, new_pmd)) continue; split_huge_pmd(vma, old_pmd, old_addr); } else if (IS_ENABLED(CONFIG_HAVE_MOVE_PMD) && @@ -623,17 +616,32 @@ again: * moving at the PMD level if possible. */ if (move_pgt_entry(NORMAL_PMD, vma, old_addr, new_addr, - old_pmd, new_pmd, true)) + old_pmd, new_pmd)) continue; } if (pmd_none(*old_pmd)) continue; - if (pte_alloc(new_vma->vm_mm, new_pmd)) + + /* + * Temporarily drop the rmap locks while we do a potentially + * slow move_ptes() operation, unless move_ptes() wants them + * held (see comment inside there). + */ + if (!need_rmap_locks) + drop_rmap_locks(vma); + if (pte_alloc(new_vma->vm_mm, new_pmd)) { + if (!need_rmap_locks) + take_rmap_locks(vma); break; - if (move_ptes(vma, old_pmd, old_addr, old_addr + extent, - new_vma, new_pmd, new_addr, need_rmap_locks) < 0) + } + move_res = move_ptes(vma, old_pmd, old_addr, old_addr + extent, + new_vma, new_pmd, new_addr); + if (!need_rmap_locks) + take_rmap_locks(vma); + if (move_res < 0) goto again; } + drop_rmap_locks(vma); mmu_notifier_invalidate_range_end(&range); _ Patches currently in -mm which might be from jannh(a)google.com are mm-mremap-prevent-racing-change-of-old-pmd-type.patch

6 months, 3 weeks

3
2
0 0

[PATCH 00/15] media: stm32: introduction of CSI / DCMIPP for STM32MP25

by Alain Volmat

This series introduces the camera pipeline support for the STM32MP25 SOC. The STM32MP25 has 3 pipelines, fed from a single camera input which can be either parallel or csi. This series adds the basic support for the 1st pipe (dump) which, in term of features is same as the one featured on the STM32MP13 SOC. It focuses on introduction of the CSI input stage for the DCMIPP, and the CSI specific new control code for the DCMIPP. One of the subdev of the DCMIPP, dcmipp_parallel is now renamed as dcmipp_input since it allows to not only control the parallel but also the csi interface. Signed-off-by: Alain Volmat <alain.volmat(a)foss.st.com> --- Alain Volmat (15): media: stm32: dcmipp: correct dma_set_mask_and_coherent mask value dt-bindings: media: addition of stm32 csi driver description media: stm32: csi: addition of the STM32 CSI driver media: stm32: dcmipp: use v4l2_subdev_is_streaming media: stm32: dcmipp: replace s_stream with enable/disable_streams media: stm32: dcmipp: rename dcmipp_parallel into dcmipp_input media: stm32: dcmipp: add support for csi input into dcmipp-input media: stm32: dcmipp: add bayer 10~14 bits formats media: stm32: dcmipp: add 1X16 RGB / YUV formats support media: stm32: dcmipp: avoid duplicated format on enum in bytecap media: stm32: dcmipp: fill media ctl hw_revision field dt-bindings: media: addition of stm32mp25 compatible of DCMIPP media: stm32: dcmipp: add core support for the stm32mp25 arm64: dts: st: add csi & dcmipp node in stm32mp25 arm64: dts: st: enable imx335/csi/dcmipp pipeline on stm32mp257f-ev1 .../devicetree/bindings/media/st,stm32-csi.yaml | 129 +++ .../devicetree/bindings/media/st,stm32-dcmipp.yaml | 53 +- MAINTAINERS | 8 + arch/arm64/boot/dts/st/stm32mp251.dtsi | 23 + arch/arm64/boot/dts/st/stm32mp257f-ev1.dts | 87 ++ drivers/media/platform/st/stm32/Kconfig | 14 + drivers/media/platform/st/stm32/Makefile | 1 + drivers/media/platform/st/stm32/stm32-csi.c | 1150 ++++++++++++++++++++ .../media/platform/st/stm32/stm32-dcmipp/Makefile | 2 +- .../st/stm32/stm32-dcmipp/dcmipp-bytecap.c | 128 ++- .../st/stm32/stm32-dcmipp/dcmipp-byteproc.c | 119 +- .../platform/st/stm32/stm32-dcmipp/dcmipp-common.h | 4 +- .../platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 116 +- .../platform/st/stm32/stm32-dcmipp/dcmipp-input.c | 540 +++++++++ .../st/stm32/stm32-dcmipp/dcmipp-parallel.c | 440 -------- 15 files changed, 2238 insertions(+), 576 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241007-csi_dcmipp_mp25-7779601f57da Best regards, -- Alain Volmat <alain.volmat(a)foss.st.com>

6 months, 3 weeks

2
2
0 0

[PATCH] vdpa: solidrun: Fix UB bug with devres

by Philipp Stanner

In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to pcim_iomap_regions() is placed on the stack. Neither pcim_iomap_regions() nor the functions it calls copy that string. Should the string later ever be used, this, consequently, causes undefined behavior since the stack frame will by then have disappeared. Fix the bug by allocating the strings on the heap through devm_kasprintf(). Cc: stable(a)vger.kernel.org # v6.3 Fixes: 51a8f9d7f587 ("virtio: vdpa: new SolidNET DPU driver.") Reported-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Closes: https://lore.kernel.org/all/74e9109a-ac59-49e2-9b1d-d825c9c9f891@wanadoo.fr/ Suggested-by: Andy Shevchenko <andy(a)kernel.org> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> --- drivers/vdpa/solidrun/snet_main.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/vdpa/solidrun/snet_main.c b/drivers/vdpa/solidrun/snet_main.c index 99428a04068d..c8b74980dbd1 100644 --- a/drivers/vdpa/solidrun/snet_main.c +++ b/drivers/vdpa/solidrun/snet_main.c @@ -555,7 +555,7 @@ static const struct vdpa_config_ops snet_config_ops = { static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) { - char name[50]; + char *name; int ret, i, mask = 0; /* We don't know which BAR will be used to communicate.. * We will map every bar with len > 0. @@ -573,7 +573,10 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) return -ENODEV; } - snprintf(name, sizeof(name), "psnet[%s]-bars", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "psnet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + ret = pcim_iomap_regions(pdev, mask, name); if (ret) { SNET_ERR(pdev, "Failed to request and map PCI BARs\n"); @@ -590,10 +593,13 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet) static int snet_open_vf_bar(struct pci_dev *pdev, struct snet *snet) { - char name[50]; + char *name; int ret; - snprintf(name, sizeof(name), "snet[%s]-bar", pci_name(pdev)); + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "snet[%s]-bars", pci_name(pdev)); + if (!name) + return -ENOMEM; + /* Request and map BAR */ ret = pcim_iomap_regions(pdev, BIT(snet->psnet->cfg.vf_bar), name); if (ret) { -- 2.46.1

6 months, 3 weeks

1
0
0 0

[PATCH] [PATCH v3] perf/x86/amd: check event before enable to avoid GPF

by George Kennedy

On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ> Reported-by: syzkaller <syzkaller(a)googlegroups.com> Signed-off-by: George Kennedy <george.kennedy(a)oracle.com> --- Suggested comment now with the code. arch/x86/events/amd/core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c index 920e3a640cad..6615ace15f5d 100644 --- a/arch/x86/events/amd/core.c +++ b/arch/x86/events/amd/core.c @@ -762,7 +762,12 @@ static void amd_pmu_enable_all(int added) if (!test_bit(idx, cpuc->active_mask)) continue; - amd_pmu_enable_event(cpuc->events[idx]); + /* + * FIXME: cpuc->events[idx] can become NULL in a subtle race + * condition with NMI->throttle->x86_pmu_stop(). + */ + if (cpuc->events[idx]) + amd_pmu_enable_event(cpuc->events[idx]); } } -- 2.39.3

6 months, 3 weeks

2
1
0 0

[PATCH RFC 6.6.y 00/15] Some missing CVE fixes

by Vegard Nossum

Hi, We noticed some cases where a mainline commit that fixes a CVE has a Fixes: tag pointing to a commit that has been backported to 6.6 but where the fix is not present. Harshit and I have backported some of these patches. We are not subsystem experts and that's why we have marked this series as RFC -- any review or feedback is welcome. We've tried to document the conflicts and their causes in the changelogs. We haven't done targeted testing beyond our usual stable tests, but this includes for example the netfilter test suite, which did not show any new failures. Greg: feel free to take these patches or leave it as you want. Conflict resolution always comes with the risk of missing something and we want to be up-front about that. On the other hand, these were identified as CVE fixes so presumably we're not the only ones who want them. [Note: we added some other people to Cc that we think would be interested, let me know privately if you don't want to receive emails like these in the future.] Thanks, Vegard --- Benjamin Gaignard (1): media: usbtv: Remove useless locks in usbtv_video_free() Chen Yu (1): efi/unaccepted: touch soft lockup during memory accept Christophe JAILLET (1): null_blk: Remove usage of the deprecated ida_simple_xx() API Luiz Augusto von Dentz (3): Bluetooth: hci_sock: Fix not validating setsockopt user input Bluetooth: ISO: Fix not validating setsockopt user input Bluetooth: L2CAP: Fix not validating setsockopt user input Mads Bligaard Nielsen (1): drm/bridge: adv7511: fix crash on irq during probe Mark Pearson (1): platform/x86: think-lmi: Fix password opcode ordering for workstations Nicolin Chen (1): iommufd: Fix protection fault in iommufd_test_syz_conv_iova Pablo Neira Ayuso (2): netfilter: nf_tables: fix memleak in map from abort path netfilter: nf_tables: restore set elements when delete set fails Vladimir Oltean (1): net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Xiaolei Wang (1): net: stmmac: move the EST lock to struct stmmac_priv Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' Zhihao Cheng (1): ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path drivers/block/null_blk/main.c | 44 ++++++++------ drivers/firmware/efi/unaccepted_memory.c | 4 ++ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 +++---- drivers/iommu/iommufd/selftest.c | 27 +++++++-- drivers/media/usb/usbtv/usbtv-video.c | 7 --- drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 + .../net/ethernet/stmicro/stmmac/stmmac_ptp.c | 8 +-- .../net/ethernet/stmicro/stmmac/stmmac_tc.c | 18 +++--- drivers/platform/x86/think-lmi.c | 16 +++--- fs/ubifs/dir.c | 2 + include/linux/stmmac.h | 1 - net/bluetooth/hci_sock.c | 21 +++---- net/bluetooth/iso.c | 36 ++++-------- net/bluetooth/l2cap_sock.c | 52 +++++++---------- net/dsa/slave.c | 7 ++- net/netfilter/nf_tables_api.c | 57 +++++++++++++++++-- net/netfilter/nft_set_bitmap.c | 4 +- net/netfilter/nft_set_hash.c | 8 +-- net/netfilter/nft_set_pipapo.c | 5 +- net/netfilter/nft_set_rbtree.c | 4 +- 20 files changed, 192 insertions(+), 153 deletions(-) -- 2.34.1

6 months, 3 weeks

10
38
0 0

[PATCH for 6.12] ASoC: SOF: Intel: hda-loader: do not wait for HDaudio IOC

by Peter Ujfalusi

From: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> Commit 9ee3f0d8c999 ("ASOC: SOF: Intel: hda-loader: only wait for HDaudio IOC for IPC4 devices") removed DMA wait for IPC3 case. Proceed and remove the wait for IPC4 devices as well. There is no dependency to IPC version in the load logic and checking the firmware status is a sufficient check in case of errors. The removed code also had a bug in that -ETIMEDOUT is returned without stopping the DMA transfer. Cc: stable(a)vger.kernel.org Link: https://github.com/thesofproject/linux/issues/5135 Fixes: 9ee3f0d8c999 ("ASOC: SOF: Intel: hda-loader: only wait for HDaudio IOC for IPC4 devices") Suggested-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Signed-off-by: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> Reviewed-by: Péter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> --- sound/soc/sof/intel/hda-loader.c | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/sound/soc/sof/intel/hda-loader.c b/sound/soc/sof/intel/hda-loader.c index 75f6240cf3e1..9d8ebb7c6a10 100644 --- a/sound/soc/sof/intel/hda-loader.c +++ b/sound/soc/sof/intel/hda-loader.c @@ -294,14 +294,9 @@ int hda_cl_copy_fw(struct snd_sof_dev *sdev, struct hdac_ext_stream *hext_stream { struct sof_intel_hda_dev *hda = sdev->pdata->hw_pdata; const struct sof_intel_dsp_desc *chip = hda->desc; - struct sof_intel_hda_stream *hda_stream; - unsigned long time_left; unsigned int reg; int ret, status; - hda_stream = container_of(hext_stream, struct sof_intel_hda_stream, - hext_stream); - dev_dbg(sdev->dev, "Code loader DMA starting\n"); ret = hda_cl_trigger(sdev->dev, hext_stream, SNDRV_PCM_TRIGGER_START); @@ -310,18 +305,6 @@ int hda_cl_copy_fw(struct snd_sof_dev *sdev, struct hdac_ext_stream *hext_stream return ret; } - if (sdev->pdata->ipc_type == SOF_IPC_TYPE_4) { - /* Wait for completion of transfer */ - time_left = wait_for_completion_timeout(&hda_stream->ioc, - msecs_to_jiffies(HDA_CL_DMA_IOC_TIMEOUT_MS)); - - if (!time_left) { - dev_err(sdev->dev, "Code loader DMA did not complete\n"); - return -ETIMEDOUT; - } - dev_dbg(sdev->dev, "Code loader DMA done\n"); - } - dev_dbg(sdev->dev, "waiting for FW_ENTERED status\n"); status = snd_sof_dsp_read_poll_timeout(sdev, HDA_DSP_BAR, -- 2.46.2

6 months, 3 weeks

2
1
0 0

[PATCH v4 0/2] drm/nouveau/dmem: Fix Vulnerability and Device Channels configuration

by Yonatan Maman

From: Yonatan Maman <Ymaman(a)Nvidia.com> This patch series addresses two critical issues in the Nouveau driver related to device channels, error handling, and sensitive data leaks. - Vulnerability in migrate_to_ram: The migrate_to_ram function might return a dirty HIGH_USER page when a copy push command (FW channel) fails, potentially exposing sensitive data and posing a security risk. To mitigate this, the patch ensures the allocation of a non-dirty (zero) page for the destination, preventing the return of a dirty page and enhancing driver security in case of failure. - Privileged Error in Copy Engine Channel: An error was observed when the nouveau_dmem_copy_one function is executed, leading to a Host Copy Engine Privileged error on channel 1. The patch resolves this by adjusting the Copy Engine channel configuration to permit privileged push commands, resolving the error. Changes since V3: - Fixed version according to Danilo Krummrich's comments. Yonatan Maman (2): nouveau/dmem: Fix privileged error in copy engine channel nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- 2.34.1

6 months, 3 weeks

3
4
0 0

[PATCH] fcntl: make F_DUPFD_QUERY associative

by Christian Brauner

Currently when passing a closed file descriptor to fcntl(fd, F_DUPFD_QUERY, fd_dup) the order matters: fd = open("/dev/null"); fd_dup = dup(fd); When we now close one of the file descriptors we get: (1) fcntl(fd, fd_dup) // -EBADF (2) fcntl(fd_dup, fd) // 0 aka not equal depending on which file descriptor is passed first. That's not a huge deal but it gives the api I slightly weird feel. Make it so that the order doesn't matter by requiring that both file descriptors are valid: (1') fcntl(fd, fd_dup) // -EBADF (2') fcntl(fd_dup, fd) // -EBADF Fixes: c62b758bae6a ("fcntl: add F_DUPFD_QUERY fcntl()") Cc: <stable(a)vger.kernel.org> Reported-by: Lennart Poettering <lennart(a)poettering.net> Signed-off-by: Christian Brauner <brauner(a)kernel.org> --- fs/fcntl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/fcntl.c b/fs/fcntl.c index 22dd9dcce7ec..3d89de31066a 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -397,6 +397,9 @@ static long f_dupfd_query(int fd, struct file *filp) { CLASS(fd_raw, f)(fd); + if (fd_empty(f)) + return -EBADF; + /* * We can do the 'fdput()' immediately, as the only thing that * matters is the pointer value which isn't changed by the fdput. -- 2.45.2

6 months, 3 weeks

3
3
0 0

[PATCH 0/3] media: uvcvideo: Support partial control reads and minor changes

by Ricardo Ribalda

Some cameras do not return all the bytes requested from a control if it can fit in less bytes. Eg: returning 0xab instead of 0x00ab. Support these devices. Also, now that we are at it, improve uvc_query_ctrl(). Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Ricardo Ribalda (3): media: uvcvideo: Support partial control reads media: uvcvideo: Refactor uvc_query_ctrl media: uvcvideo: Add more logging to uvc_query_ctrl_error() drivers/media/usb/uvc/uvc_video.c | 44 +++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 16 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241008-uvc-readless-23f9b8cad0b3 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

6 months, 3 weeks

2
2
0 0

[PATCH v3 0/2] drm/nouveau/dmem: Fix Vulnerability and Device Channels configuration

by Yonatan Maman

From: Yonatan Maman <Ymaman(a)Nvidia.com> This patch series addresses two critical issues in the Nouveau driver related to device channels, error handling, and sensitive data leaks. - Vulnerability in migrate_to_ram: The migrate_to_ram function might return a dirty HIGH_USER page when a copy push command (FW channel) fails, potentially exposing sensitive data and posing a security risk. To mitigate this, the patch ensures the allocation of a non-dirty (zero) page for the destination, preventing the return of a dirty page and enhancing driver security in case of failure. - Privileged Error in Copy Engine Channel: An error was observed when the nouveau_dmem_copy_one function is executed, leading to a Host Copy Engine Privileged error on channel 1. The patch resolves this by adjusting the Copy Engine channel configuration to permit privileged push commands, resolving the error. Changes since V2: - Fixed version according to Danilo Krummrich's comments. Yonatan Maman (2): nouveau/dmem: Fix privileged error in copy engine channel nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- 2.34.1

6 months, 3 weeks

3
4
0 0

[PATCH 6.1.y 1/5] erofs: get rid of erofs_inode_datablocks()

by Gao Xiang

commit 4efdec36dc9907628e590a68193d6d8e5e74d032 upstream. erofs_inode_datablocks() has the only one caller, let's just get rid of it entirely. No logic changes. Reviewed-by: Yue Hu <huyue2(a)coolpad.com> Reviewed-by: Jingbo Xu <jefflexu(a)linux.alibaba.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Stable-dep-of: 9ed50b8231e3 ("erofs: fix incorrect symlink detection in fast symlink") Link: https://lore.kernel.org/r/20230204093040.97967-1-hsiangkao@linux.alibaba.com [ Gao Xiang: apply this to 6.6.y to avoid further backport twists due to obsoleted EROFS_BLKSIZ. ] Signed-off-by: Gao Xiang <hsiangkao(a)linux.alibaba.com> --- Obsoleted EROFS_BLKSIZ impedes efforts to backport 9ed50b8231e3 ("erofs: fix incorrect symlink detection in fast symlink") 9e2f9d34dd12 ("erofs: handle overlapped pclusters out of crafted images properly") To avoid further bugfix conflicts due to random EROFS_BLKSIZs around the whole codebase, just backport the dependencies for 6.1.y. fs/erofs/internal.h | 6 ------ fs/erofs/namei.c | 18 +++++------------- 2 files changed, 5 insertions(+), 19 deletions(-) diff --git a/fs/erofs/internal.h b/fs/erofs/internal.h index 79a7a5815ea6..30d464230ae0 100644 --- a/fs/erofs/internal.h +++ b/fs/erofs/internal.h @@ -347,12 +347,6 @@ static inline erofs_off_t erofs_iloc(struct inode *inode) (EROFS_I(inode)->nid << sbi->islotbits); } -static inline unsigned long erofs_inode_datablocks(struct inode *inode) -{ - /* since i_size cannot be changed */ - return DIV_ROUND_UP(inode->i_size, EROFS_BLKSIZ); -} - static inline unsigned int erofs_bitrange(unsigned int value, unsigned int bit, unsigned int bits) { diff --git a/fs/erofs/namei.c b/fs/erofs/namei.c index e8ccaa761bd6..642431350bea 100644 --- a/fs/erofs/namei.c +++ b/fs/erofs/namei.c @@ -5,7 +5,6 @@ * Copyright (C) 2022, Alibaba Cloud */ #include "xattr.h" - #include <trace/events/erofs.h> struct erofs_qstr { @@ -87,19 +86,13 @@ static struct erofs_dirent *find_target_dirent(struct erofs_qstr *name, return ERR_PTR(-ENOENT); } -static void *find_target_block_classic(struct erofs_buf *target, - struct inode *dir, - struct erofs_qstr *name, - int *_ndirents) +static void *erofs_find_target_block(struct erofs_buf *target, + struct inode *dir, struct erofs_qstr *name, int *_ndirents) { - unsigned int startprfx, endprfx; - int head, back; + int head = 0, back = DIV_ROUND_UP(dir->i_size, EROFS_BLKSIZ) - 1; + unsigned int startprfx = 0, endprfx = 0; void *candidate = ERR_PTR(-ENOENT); - startprfx = endprfx = 0; - head = 0; - back = erofs_inode_datablocks(dir) - 1; - while (head <= back) { const int mid = head + (back - head) / 2; struct erofs_buf buf = __EROFS_BUF_INITIALIZER; @@ -180,8 +173,7 @@ int erofs_namei(struct inode *dir, const struct qstr *name, erofs_nid_t *nid, qn.end = name->name + name->len; ndirents = 0; - - de = find_target_block_classic(&buf, dir, &qn, &ndirents); + de = erofs_find_target_block(&buf, dir, &qn, &ndirents); if (IS_ERR(de)) return PTR_ERR(de); -- 2.43.5

6 months, 3 weeks

2
6
0 0

[PATCH 4.19] btrfs: get rid of warning on transaction commit when using flushoncommit

by hsimeliere.opensource＠witekio.com

From: Filipe Manana <fdmanana(a)suse.com> commit a0f0cf8341e34e5d2265bfd3a7ad68342da1e2aa upstream. When using the flushoncommit mount option, during almost every transaction commit we trigger a warning from __writeback_inodes_sb_nr(): $ cat fs/fs-writeback.c: (...) static void __writeback_inodes_sb_nr(struct super_block *sb, ... { (...) WARN_ON(!rwsem_is_locked(&sb->s_umount)); (...) } (...) The trace produced in dmesg looks like the following: [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3 [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186 [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3 [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...) [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246 [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000 [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50 [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000 [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488 [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460 [947.553621] FS: 0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000 [947.560537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0 [947.571072] Call Trace: [947.572354] <TASK> [947.573266] btrfs_commit_transaction+0x1f1/0x998 [947.576785] ? start_transaction+0x3ab/0x44e [947.579867] ? schedule_timeout+0x8a/0xdd [947.582716] transaction_kthread+0xe9/0x156 [947.585721] ? btrfs_cleanup_transaction.isra.0+0x407/0x407 [947.590104] kthread+0x131/0x139 [947.592168] ? set_kthread_struct+0x32/0x32 [947.595174] ret_from_fork+0x22/0x30 [947.597561] </TASK> [947.598553] ---[ end trace 644721052755541c ]--- This is because we started using writeback_inodes_sb() to flush delalloc when committing a transaction (when using -o flushoncommit), in order to avoid deadlocks with filesystem freeze operations. This change was made by commit ce8ea7cc6eb313 ("btrfs: don't call btrfs_start_delalloc_roots in flushoncommit"). After that change we started producing that warning, and every now and then a user reports this since the warning happens too often, it spams dmesg/syslog, and a user is unsure if this reflects any problem that might compromise the filesystem's reliability. We can not just lock the sb->s_umount semaphore before calling writeback_inodes_sb(), because that would at least deadlock with filesystem freezing, since at fs/super.c:freeze_super() sync_filesystem() is called while we are holding that semaphore in write mode, and that can trigger a transaction commit, resulting in a deadlock. It would also trigger the same type of deadlock in the unmount path. Possibly, it could also introduce some other locking dependencies that lockdep would report. To fix this call try_to_writeback_inodes_sb() instead of writeback_inodes_sb(), because that will try to read lock sb->s_umount and then will only call writeback_inodes_sb() if it was able to lock it. This is fine because the cases where it can't read lock sb->s_umount are during a filesystem unmount or during a filesystem freeze - in those cases sb->s_umount is write locked and sync_filesystem() is called, which calls writeback_inodes_sb(). In other words, in all cases where we can't take a read lock on sb->s_umount, writeback is already being triggered elsewhere. An alternative would be to call btrfs_start_delalloc_roots() with a number of pages different from LONG_MAX, for example matching the number of delalloc bytes we currently have, in which case we would end up starting all delalloc with filemap_fdatawrite_wbc() and not with an async flush via filemap_flush() - that is only possible after the rather recent commit e076ab2a2ca70a ("btrfs: shrink delalloc pages instead of full inodes"). However that creates a whole new can of worms due to new lock dependencies, which lockdep complains, like for example: [ 8948.247280] ====================================================== [ 8948.247823] WARNING: possible circular locking dependency detected [ 8948.248353] 5.17.0-rc1-btrfs-next-111 #1 Not tainted [ 8948.248786] ------------------------------------------------------ [ 8948.249320] kworker/u16:18/933570 is trying to acquire lock: [ 8948.249812] ffff9b3de1591690 (sb_internal#2){.+.+}-{0:0}, at: find_free_extent+0x141e/0x1590 [btrfs] [ 8948.250638] but task is already holding lock: [ 8948.251140] ffff9b3e09c717d8 (&root->delalloc_mutex){+.+.}-{3:3}, at: start_delalloc_inodes+0x78/0x400 [btrfs] [ 8948.252018] which lock already depends on the new lock. [ 8948.252710] the existing dependency chain (in reverse order) is: [ 8948.253343] -> #2 (&root->delalloc_mutex){+.+.}-{3:3}: [ 8948.253950] __mutex_lock+0x90/0x900 [ 8948.254354] start_delalloc_inodes+0x78/0x400 [btrfs] [ 8948.254859] btrfs_start_delalloc_roots+0x194/0x2a0 [btrfs] [ 8948.255408] btrfs_commit_transaction+0x32f/0xc00 [btrfs] [ 8948.255942] btrfs_mksubvol+0x380/0x570 [btrfs] [ 8948.256406] btrfs_mksnapshot+0x81/0xb0 [btrfs] [ 8948.256870] __btrfs_ioctl_snap_create+0x17f/0x190 [btrfs] [ 8948.257413] btrfs_ioctl_snap_create_v2+0xbb/0x140 [btrfs] [ 8948.257961] btrfs_ioctl+0x1196/0x3630 [btrfs] [ 8948.258418] __x64_sys_ioctl+0x83/0xb0 [ 8948.258793] do_syscall_64+0x3b/0xc0 [ 8948.259146] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 8948.259709] -> #1 (&fs_info->delalloc_root_mutex){+.+.}-{3:3}: [ 8948.260330] __mutex_lock+0x90/0x900 [ 8948.260692] btrfs_start_delalloc_roots+0x97/0x2a0 [btrfs] [ 8948.261234] btrfs_commit_transaction+0x32f/0xc00 [btrfs] [ 8948.261766] btrfs_set_free_space_cache_v1_active+0x38/0x60 [btrfs] [ 8948.262379] btrfs_start_pre_rw_mount+0x119/0x180 [btrfs] [ 8948.262909] open_ctree+0x1511/0x171e [btrfs] [ 8948.263359] btrfs_mount_root.cold+0x12/0xde [btrfs] [ 8948.263863] legacy_get_tree+0x30/0x50 [ 8948.264242] vfs_get_tree+0x28/0xc0 [ 8948.264594] vfs_kern_mount.part.0+0x71/0xb0 [ 8948.265017] btrfs_mount+0x11d/0x3a0 [btrfs] [ 8948.265462] legacy_get_tree+0x30/0x50 [ 8948.265851] vfs_get_tree+0x28/0xc0 [ 8948.266203] path_mount+0x2d4/0xbe0 [ 8948.266554] __x64_sys_mount+0x103/0x140 [ 8948.266940] do_syscall_64+0x3b/0xc0 [ 8948.267300] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 8948.267790] -> #0 (sb_internal#2){.+.+}-{0:0}: [ 8948.268322] __lock_acquire+0x12e8/0x2260 [ 8948.268733] lock_acquire+0xd7/0x310 [ 8948.269092] start_transaction+0x44c/0x6e0 [btrfs] [ 8948.269591] find_free_extent+0x141e/0x1590 [btrfs] [ 8948.270087] btrfs_reserve_extent+0x14b/0x280 [btrfs] [ 8948.270588] cow_file_range+0x17e/0x490 [btrfs] [ 8948.271051] btrfs_run_delalloc_range+0x345/0x7a0 [btrfs] [ 8948.271586] writepage_delalloc+0xb5/0x170 [btrfs] [ 8948.272071] __extent_writepage+0x156/0x3c0 [btrfs] [ 8948.272579] extent_write_cache_pages+0x263/0x460 [btrfs] [ 8948.273113] extent_writepages+0x76/0x130 [btrfs] [ 8948.273573] do_writepages+0xd2/0x1c0 [ 8948.273942] filemap_fdatawrite_wbc+0x68/0x90 [ 8948.274371] start_delalloc_inodes+0x17f/0x400 [btrfs] [ 8948.274876] btrfs_start_delalloc_roots+0x194/0x2a0 [btrfs] [ 8948.275417] flush_space+0x1f2/0x630 [btrfs] [ 8948.275863] btrfs_async_reclaim_data_space+0x108/0x1b0 [btrfs] [ 8948.276438] process_one_work+0x252/0x5a0 [ 8948.276829] worker_thread+0x55/0x3b0 [ 8948.277189] kthread+0xf2/0x120 [ 8948.277506] ret_from_fork+0x22/0x30 [ 8948.277868] other info that might help us debug this: [ 8948.278548] Chain exists of: sb_internal#2 --> &fs_info->delalloc_root_mutex --> &root->delalloc_mutex [ 8948.279601] Possible unsafe locking scenario: [ 8948.280102] CPU0 CPU1 [ 8948.280508] ---- ---- [ 8948.280915] lock(&root->delalloc_mutex); [ 8948.281271] lock(&fs_info->delalloc_root_mutex); [ 8948.281915] lock(&root->delalloc_mutex); [ 8948.282487] lock(sb_internal#2); [ 8948.282800] *** DEADLOCK *** [ 8948.283333] 4 locks held by kworker/u16:18/933570: [ 8948.283750] #0: ffff9b3dc00a9d48 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x1d2/0x5a0 [ 8948.284609] #1: ffffa90349dafe70 ((work_completion)(&fs_info->async_data_reclaim_work)){+.+.}-{0:0}, at: process_one_work+0x1d2/0x5a0 [ 8948.285637] #2: ffff9b3e14db5040 (&fs_info->delalloc_root_mutex){+.+.}-{3:3}, at: btrfs_start_delalloc_roots+0x97/0x2a0 [btrfs] [ 8948.286674] #3: ffff9b3e09c717d8 (&root->delalloc_mutex){+.+.}-{3:3}, at: start_delalloc_inodes+0x78/0x400 [btrfs] [ 8948.287596] stack backtrace: [ 8948.287975] CPU: 3 PID: 933570 Comm: kworker/u16:18 Not tainted 5.17.0-rc1-btrfs-next-111 #1 [ 8948.288677] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 8948.289649] Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs] [ 8948.290298] Call Trace: [ 8948.290517] <TASK> [ 8948.290700] dump_stack_lvl+0x59/0x73 [ 8948.291026] check_noncircular+0xf3/0x110 [ 8948.291375] ? start_transaction+0x228/0x6e0 [btrfs] [ 8948.291826] __lock_acquire+0x12e8/0x2260 [ 8948.292241] lock_acquire+0xd7/0x310 [ 8948.292714] ? find_free_extent+0x141e/0x1590 [btrfs] [ 8948.293241] ? lock_is_held_type+0xea/0x140 [ 8948.293601] start_transaction+0x44c/0x6e0 [btrfs] [ 8948.294055] ? find_free_extent+0x141e/0x1590 [btrfs] [ 8948.294518] find_free_extent+0x141e/0x1590 [btrfs] [ 8948.294957] ? _raw_spin_unlock+0x29/0x40 [ 8948.295312] ? btrfs_get_alloc_profile+0x124/0x290 [btrfs] [ 8948.295813] btrfs_reserve_extent+0x14b/0x280 [btrfs] [ 8948.296270] cow_file_range+0x17e/0x490 [btrfs] [ 8948.296691] btrfs_run_delalloc_range+0x345/0x7a0 [btrfs] [ 8948.297175] ? find_lock_delalloc_range+0x247/0x270 [btrfs] [ 8948.297678] writepage_delalloc+0xb5/0x170 [btrfs] [ 8948.298123] __extent_writepage+0x156/0x3c0 [btrfs] [ 8948.298570] extent_write_cache_pages+0x263/0x460 [btrfs] [ 8948.299061] extent_writepages+0x76/0x130 [btrfs] [ 8948.299495] do_writepages+0xd2/0x1c0 [ 8948.299817] ? sched_clock_cpu+0xd/0x110 [ 8948.300160] ? lock_release+0x155/0x4a0 [ 8948.300494] filemap_fdatawrite_wbc+0x68/0x90 [ 8948.300874] ? do_raw_spin_unlock+0x4b/0xa0 [ 8948.301243] start_delalloc_inodes+0x17f/0x400 [btrfs] [ 8948.301706] ? lock_release+0x155/0x4a0 [ 8948.302055] btrfs_start_delalloc_roots+0x194/0x2a0 [btrfs] [ 8948.302564] flush_space+0x1f2/0x630 [btrfs] [ 8948.302970] btrfs_async_reclaim_data_space+0x108/0x1b0 [btrfs] [ 8948.303510] process_one_work+0x252/0x5a0 [ 8948.303860] ? process_one_work+0x5a0/0x5a0 [ 8948.304221] worker_thread+0x55/0x3b0 [ 8948.304543] ? process_one_work+0x5a0/0x5a0 [ 8948.304904] kthread+0xf2/0x120 [ 8948.305184] ? kthread_complete_and_exit+0x20/0x20 [ 8948.305598] ret_from_fork+0x22/0x30 [ 8948.305921] </TASK> It all comes from the fact that btrfs_start_delalloc_roots() takes the delalloc_root_mutex, in the transaction commit path we are holding a read lock on one of the superblock's freeze semaphores (via sb_start_intwrite()), the async reclaim task can also do a call to btrfs_start_delalloc_roots(), which ends up triggering writeback with calls to filemap_fdatawrite_wbc(), resulting in extent allocation which in turn can call btrfs_start_transaction(), which will result in taking the freeze semaphore via sb_start_intwrite(), forming a nasty dependency on all those locks which can be taken in different orders by different code paths. So just adopt the simple approach of calling try_to_writeback_inodes_sb() at btrfs_start_delalloc_flush(). Link: https://lore.kernel.org/linux-btrfs/20220130005258.GA7465@cuci.nl/ Link: https://lore.kernel.org/linux-btrfs/43acc426-d683-d1b6-729d-c6bc4a2fff4d@gm… Link: https://lore.kernel.org/linux-btrfs/6833930a-08d7-6fbc-0141-eb9cdfd6bb4d@gm… Link: https://lore.kernel.org/linux-btrfs/20190322041731.GF16651@hungrycats.org/ Reviewed-by: Omar Sandoval <osandov(a)fb.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> [ add more link reports ] Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- fs/btrfs/transaction.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index df9b209bf1b2..a844e3b2bc2e 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -1921,16 +1921,24 @@ static void cleanup_transaction(struct btrfs_trans_handle *trans, int err) static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info) { /* - * We use writeback_inodes_sb here because if we used + * We use try_to_writeback_inodes_sb() here because if we used * btrfs_start_delalloc_roots we would deadlock with fs freeze. * Currently are holding the fs freeze lock, if we do an async flush * we'll do btrfs_join_transaction() and deadlock because we need to * wait for the fs freeze lock. Using the direct flushing we benefit * from already being in a transaction and our join_transaction doesn't * have to re-take the fs freeze lock. + * + * Note that try_to_writeback_inodes_sb() will only trigger writeback + * if it can read lock sb->s_umount. It will always be able to lock it, + * except when the filesystem is being unmounted or being frozen, but in + * those cases sync_filesystem() is called, which results in calling + * writeback_inodes_sb() while holding a write lock on sb->s_umount. + * Note that we don't call writeback_inodes_sb() directly, because it + * will emit a warning if sb->s_umount is not locked. */ if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) - writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); + try_to_writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC); return 0; } -- 2.43.0

6 months, 3 weeks

1
0
0 0

[PATCH] arm64: dts: mediatek: mt8186-corsola-voltorb: Merge speaker codec nodes

by Chen-Yu Tsai

The Voltorb device uses a speaker codec different from the original Corsola device. When the Voltorb device tree was first added, the new codec was added as a separate node when it should have just replaced the existing one. Merge the two nodes. The only differences are the compatible string and the GPIO line property name. This keeps the device node path for the speaker codec the same across the MT8186 Chromebook line. Fixes: 321ad586e607 ("arm64: dts: mediatek: Add MT8186 Voltorb Chromebooks") Cc: <stable(a)vger.kernel.org> Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org> --- .../dts/mediatek/mt8186-corsola-voltorb.dtsi | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi b/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi index 52ec58128d56..fbcd97069df9 100644 --- a/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi +++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi @@ -10,12 +10,6 @@ / { chassis-type = "laptop"; - - max98360a: max98360a { - compatible = "maxim,max98360a"; - sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; - #sound-dai-cells = <0>; - }; }; &cpu6 { @@ -59,19 +53,14 @@ &cluster1_opp_15 { opp-hz = /bits/ 64 <2200000000>; }; -&rt1019p{ - status = "disabled"; +&rt1019p { + compatible = "maxim,max98360a"; + sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; + /delete-property/ sdb-gpios; }; &sound { compatible = "mediatek,mt8186-mt6366-rt5682s-max98360-sound"; - status = "okay"; - - spk-hdmi-playback-dai-link { - codec { - sound-dai = <&it6505dptx>, <&max98360a>; - }; - }; }; &spmi { -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

2
3
0 0

[PATCH 5.15,6.1 0/3] Fix block integrity violation of kobject rules

by Thadeu Lima de Souza Cascardo

integrity_kobj did not have a release function and with CONFIG_DEBUG_KOBJECT_RELEASE, a use-after-free would be triggered as its holding struct gendisk would be freed without relying on its refcount. Thomas Weißschuh (3): blk-integrity: use sysfs_emit blk-integrity: convert to struct device_attribute blk-integrity: register sysfs attributes on struct device block/blk-integrity.c | 175 ++++++++++++++--------------------------- block/blk.h | 10 +-- block/genhd.c | 12 +-- include/linux/blkdev.h | 3 - 4 files changed, 66 insertions(+), 134 deletions(-) -- 2.34.1

6 months, 3 weeks

3
6
0 0

[PATCH] KVM: arm64: Unregister redistributor for failed vCPU creation

by Oliver Upton

Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM: BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758 CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119 print_report+0x144/0x7a4 mm/kasan/report.c:377 kasan_report+0xcc/0x128 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409 __fput+0x198/0x71c fs/file_table.c:422 ____fput+0x20/0x30 fs/file_table.c:450 task_work_run+0x1cc/0x23c kernel/task_work.c:228 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM. It is important to consider the context of commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock. Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock. Cc: stable(a)vger.kernel.org Fixes: f616506754d3 ("KVM: arm64: vgic: Don't hold config_lock while unregistering redistributors") Reported-by: Alexander Potapenko <glider(a)google.com> Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> --- arch/arm64/kvm/vgic/vgic-init.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kvm/vgic/vgic-init.c b/arch/arm64/kvm/vgic/vgic-init.c index e7c53e8af3d1..57aedf7b2b76 100644 --- a/arch/arm64/kvm/vgic/vgic-init.c +++ b/arch/arm64/kvm/vgic/vgic-init.c @@ -417,8 +417,28 @@ static void __kvm_vgic_vcpu_destroy(struct kvm_vcpu *vcpu) kfree(vgic_cpu->private_irqs); vgic_cpu->private_irqs = NULL; - if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) + if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3) { + /* + * If this vCPU is being destroyed because of a failed creation + * then unregister the redistributor to avoid leaving behind a + * dangling pointer to the vCPU struct. + * + * vCPUs that have been successfully created (i.e. added to + * kvm->vcpu_array) get unregistered in kvm_vgic_destroy(), as + * this function gets called while holding kvm->arch.config_lock + * in the VM teardown path and would otherwise introduce a lock + * inversion w.r.t. kvm->srcu. + * + * vCPUs that failed creation are torn down outside of the + * kvm->arch.config_lock and do not get unregistered in + * kvm_vgic_destroy(), meaning it is both safe and necessary to + * do so here. + */ + if (kvm_get_vcpu_by_id(vcpu->kvm, vcpu->vcpu_id) != vcpu) + vgic_unregister_redist_iodev(vcpu); + vgic_cpu->rd_iodev.base_addr = VGIC_ADDR_UNDEF; + } } void kvm_vgic_vcpu_destroy(struct kvm_vcpu *vcpu) -- 2.47.0.rc0.187.ge670bccf7e-goog

6 months, 3 weeks

2
1
0 0

[PATCH 6.6.y] Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link"

by Jonathan Gray

This reverts commit a53841b074cc196c3caaa37e1f15d6bc90943b97. duplicated a change made in 6.6.46 718d83f66fb07b2cab89a1fc984613a00e3db18f Cc: stable(a)vger.kernel.org # 6.6 Signed-off-by: Jonathan Gray <jsg(a)jsg.id.au> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 7fb11445a28f..d390e3d62e56 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -1266,9 +1266,6 @@ static bool is_dsc_need_re_compute( } } - if (new_stream_on_link_num == 0) - return false; - if (new_stream_on_link_num == 0) return false; -- 2.46.1

6 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/xe/vram: fix ccs offset calculation" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x ee06c09ded3c2f722be4e240ed06287e23596bda # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100809-goes-diagnosis-d07c@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: ee06c09ded3c ("drm/xe/vram: fix ccs offset calculation") 638d1c79cbf1 ("drm/xe: Promote VRAM initialization function to own file") 8c52ca22b15b ("drm/xe: Drop xe_ prefix from static functions in xe_mmio.c") 2d8865b27724 ("drm/xe: Move BAR definitions to dedicated file") 2adfc4e022f3 ("drm/xe: Move XEHP_MTCFG_ADDR register definition to xe_regs.h") c7117419784f ("drm/xe: reset mmio mappings with devm") a0b834c8957a ("drm/xe/mmio: move mmio_fini over to devm") f7e20cfb59c9 ("drm/xe: Cleanup xe_mmio.h") 93dd6ad89c7d ("drm/xe: Don't rely on xe_force_wake.h to be included elsewhere") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ee06c09ded3c2f722be4e240ed06287e23596bda Mon Sep 17 00:00:00 2001 From: Matthew Auld <matthew.auld(a)intel.com> Date: Mon, 16 Sep 2024 09:49:12 +0100 Subject: [PATCH] drm/xe/vram: fix ccs offset calculation Spec says SW is expected to round up to the nearest 128K, if not already aligned for the CC unit view of CCS. We are seeing the assert sometimes pop on BMG to tell us that there is a hole between GSM and CCS, as well as popping other asserts with having a vram size with strange alignment, which is likely caused by misaligned offset here. v2 (Shuicheng): - Do the round_up() on final SW address. BSpec: 68023 Fixes: b5c2ca0372dc ("drm/xe/xe2hpg: Determine flat ccs offset for vram") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Akshata Jahagirdar <akshata.jahagirdar(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: Shuicheng Lin <shuicheng.lin(a)intel.com> Cc: Matt Roper <matthew.d.roper(a)intel.com> Cc: stable(a)vger.kernel.org # v6.10+ Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Tested-by: Shuicheng Lin <shuicheng.lin(a)intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240916084911.13119-2-matthe… Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> (cherry picked from commit 37173392741c425191b959acb3adf70c9a4610c0) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_vram.c b/drivers/gpu/drm/xe/xe_vram.c index 5bcd59190353..80ba2fc78837 100644 --- a/drivers/gpu/drm/xe/xe_vram.c +++ b/drivers/gpu/drm/xe/xe_vram.c @@ -182,6 +182,7 @@ static inline u64 get_flat_ccs_offset(struct xe_gt *gt, u64 tile_size) offset = offset_hi << 32; /* HW view bits 39:32 */ offset |= offset_lo << 6; /* HW view bits 31:6 */ offset *= num_enabled; /* convert to SW view */ + offset = round_up(offset, SZ_128K); /* SW must round up to nearest 128K */ /* We don't expect any holes */ xe_assert_msg(xe, offset == (xe_mmio_read64_2x32(gt, GSMBASE) - ccs_size),

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915/bios: fix printk format width" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0289507609dcb7690e45e79fbcc3680d9298ec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100818-doorstop-clone-45d6@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 0289507609dc ("drm/i915/bios: fix printk format width") 9aec6f76a28c ("drm/i915/bios: convert to struct intel_display") 769b081c18b9 ("drm/i915/opregion: convert to struct intel_display") b7f317e62968 ("drm/i915/opregion: unify intel_encoder/intel_connector naming") f7303ab29d08 ("drm/i915/acpi: convert to struct intel_display") 4c288f56030f ("drm/i915/bios: remove stale and useless comments") 6f4e43a2f771 ("drm/xe: Fix opregion leak") bc3ca4d94369 ("drm/i915: Make I2C terminology more inclusive") fd5a9b950ea8 ("drm/i915/fbc: Convert to intel_display, mostly") bc34d310b578 ("drm/i915/fbc: Extract intel_fbc_has_fences()") d754ed2821fd ("Merge drm/drm-next into drm-intel-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0289507609dcb7690e45e79fbcc3680d9298ec77 Mon Sep 17 00:00:00 2001 From: Jani Nikula <jani.nikula(a)intel.com> Date: Thu, 5 Sep 2024 14:25:19 +0300 Subject: [PATCH] drm/i915/bios: fix printk format width s/0x04%x/0x%04x/ to use 0 prefixed width 4 instead of printing 04 verbatim. Fixes: 51f5748179d4 ("drm/i915/bios: create fake child devices on missing VBT") Cc: stable(a)vger.kernel.org # v5.13+ Reviewed-by: Vandita Kulkarni <vandita.kulkarni(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240905112519.4186408-1-jani… Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> (cherry picked from commit 54df34c5a2439b481f066476e67bfa21a0a640e5) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index d49435af62c7..bed485374ab0 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -2948,7 +2948,7 @@ init_vbt_missing_defaults(struct intel_display *display) list_add_tail(&devdata->node, &display->vbt.display_devices); drm_dbg_kms(display->drm, - "Generating default VBT child device with type 0x04%x on port %c\n", + "Generating default VBT child device with type 0x%04x on port %c\n", child->device_type, port_name(port)); }

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915/bios: fix printk format width" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0289507609dcb7690e45e79fbcc3680d9298ec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100817-erupt-tutor-d82f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 0289507609dc ("drm/i915/bios: fix printk format width") 9aec6f76a28c ("drm/i915/bios: convert to struct intel_display") 769b081c18b9 ("drm/i915/opregion: convert to struct intel_display") b7f317e62968 ("drm/i915/opregion: unify intel_encoder/intel_connector naming") f7303ab29d08 ("drm/i915/acpi: convert to struct intel_display") 4c288f56030f ("drm/i915/bios: remove stale and useless comments") 6f4e43a2f771 ("drm/xe: Fix opregion leak") bc3ca4d94369 ("drm/i915: Make I2C terminology more inclusive") fd5a9b950ea8 ("drm/i915/fbc: Convert to intel_display, mostly") bc34d310b578 ("drm/i915/fbc: Extract intel_fbc_has_fences()") d754ed2821fd ("Merge drm/drm-next into drm-intel-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0289507609dcb7690e45e79fbcc3680d9298ec77 Mon Sep 17 00:00:00 2001 From: Jani Nikula <jani.nikula(a)intel.com> Date: Thu, 5 Sep 2024 14:25:19 +0300 Subject: [PATCH] drm/i915/bios: fix printk format width s/0x04%x/0x%04x/ to use 0 prefixed width 4 instead of printing 04 verbatim. Fixes: 51f5748179d4 ("drm/i915/bios: create fake child devices on missing VBT") Cc: stable(a)vger.kernel.org # v5.13+ Reviewed-by: Vandita Kulkarni <vandita.kulkarni(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240905112519.4186408-1-jani… Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> (cherry picked from commit 54df34c5a2439b481f066476e67bfa21a0a640e5) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index d49435af62c7..bed485374ab0 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -2948,7 +2948,7 @@ init_vbt_missing_defaults(struct intel_display *display) list_add_tail(&devdata->node, &display->vbt.display_devices); drm_dbg_kms(display->drm, - "Generating default VBT child device with type 0x04%x on port %c\n", + "Generating default VBT child device with type 0x%04x on port %c\n", child->device_type, port_name(port)); }

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915/bios: fix printk format width" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 0289507609dcb7690e45e79fbcc3680d9298ec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100816-deserving-sneeze-b1ce@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 0289507609dc ("drm/i915/bios: fix printk format width") 9aec6f76a28c ("drm/i915/bios: convert to struct intel_display") 769b081c18b9 ("drm/i915/opregion: convert to struct intel_display") b7f317e62968 ("drm/i915/opregion: unify intel_encoder/intel_connector naming") f7303ab29d08 ("drm/i915/acpi: convert to struct intel_display") 4c288f56030f ("drm/i915/bios: remove stale and useless comments") 6f4e43a2f771 ("drm/xe: Fix opregion leak") bc3ca4d94369 ("drm/i915: Make I2C terminology more inclusive") fd5a9b950ea8 ("drm/i915/fbc: Convert to intel_display, mostly") bc34d310b578 ("drm/i915/fbc: Extract intel_fbc_has_fences()") d754ed2821fd ("Merge drm/drm-next into drm-intel-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0289507609dcb7690e45e79fbcc3680d9298ec77 Mon Sep 17 00:00:00 2001 From: Jani Nikula <jani.nikula(a)intel.com> Date: Thu, 5 Sep 2024 14:25:19 +0300 Subject: [PATCH] drm/i915/bios: fix printk format width s/0x04%x/0x%04x/ to use 0 prefixed width 4 instead of printing 04 verbatim. Fixes: 51f5748179d4 ("drm/i915/bios: create fake child devices on missing VBT") Cc: stable(a)vger.kernel.org # v5.13+ Reviewed-by: Vandita Kulkarni <vandita.kulkarni(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240905112519.4186408-1-jani… Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> (cherry picked from commit 54df34c5a2439b481f066476e67bfa21a0a640e5) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index d49435af62c7..bed485374ab0 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -2948,7 +2948,7 @@ init_vbt_missing_defaults(struct intel_display *display) list_add_tail(&devdata->node, &display->vbt.display_devices); drm_dbg_kms(display->drm, - "Generating default VBT child device with type 0x04%x on port %c\n", + "Generating default VBT child device with type 0x%04x on port %c\n", child->device_type, port_name(port)); }

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915/bios: fix printk format width" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 0289507609dcb7690e45e79fbcc3680d9298ec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100816-recliner-obnoxious-a8b7@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 0289507609dc ("drm/i915/bios: fix printk format width") 9aec6f76a28c ("drm/i915/bios: convert to struct intel_display") 769b081c18b9 ("drm/i915/opregion: convert to struct intel_display") b7f317e62968 ("drm/i915/opregion: unify intel_encoder/intel_connector naming") f7303ab29d08 ("drm/i915/acpi: convert to struct intel_display") 4c288f56030f ("drm/i915/bios: remove stale and useless comments") 6f4e43a2f771 ("drm/xe: Fix opregion leak") bc3ca4d94369 ("drm/i915: Make I2C terminology more inclusive") fd5a9b950ea8 ("drm/i915/fbc: Convert to intel_display, mostly") bc34d310b578 ("drm/i915/fbc: Extract intel_fbc_has_fences()") d754ed2821fd ("Merge drm/drm-next into drm-intel-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0289507609dcb7690e45e79fbcc3680d9298ec77 Mon Sep 17 00:00:00 2001 From: Jani Nikula <jani.nikula(a)intel.com> Date: Thu, 5 Sep 2024 14:25:19 +0300 Subject: [PATCH] drm/i915/bios: fix printk format width s/0x04%x/0x%04x/ to use 0 prefixed width 4 instead of printing 04 verbatim. Fixes: 51f5748179d4 ("drm/i915/bios: create fake child devices on missing VBT") Cc: stable(a)vger.kernel.org # v5.13+ Reviewed-by: Vandita Kulkarni <vandita.kulkarni(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240905112519.4186408-1-jani… Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> (cherry picked from commit 54df34c5a2439b481f066476e67bfa21a0a640e5) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index d49435af62c7..bed485374ab0 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -2948,7 +2948,7 @@ init_vbt_missing_defaults(struct intel_display *display) list_add_tail(&devdata->node, &display->vbt.display_devices); drm_dbg_kms(display->drm, - "Generating default VBT child device with type 0x04%x on port %c\n", + "Generating default VBT child device with type 0x%04x on port %c\n", child->device_type, port_name(port)); }

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915/bios: fix printk format width" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 0289507609dcb7690e45e79fbcc3680d9298ec77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100815-transpose-startling-abe8@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: 0289507609dc ("drm/i915/bios: fix printk format width") 9aec6f76a28c ("drm/i915/bios: convert to struct intel_display") 769b081c18b9 ("drm/i915/opregion: convert to struct intel_display") b7f317e62968 ("drm/i915/opregion: unify intel_encoder/intel_connector naming") f7303ab29d08 ("drm/i915/acpi: convert to struct intel_display") 4c288f56030f ("drm/i915/bios: remove stale and useless comments") 6f4e43a2f771 ("drm/xe: Fix opregion leak") bc3ca4d94369 ("drm/i915: Make I2C terminology more inclusive") fd5a9b950ea8 ("drm/i915/fbc: Convert to intel_display, mostly") bc34d310b578 ("drm/i915/fbc: Extract intel_fbc_has_fences()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0289507609dcb7690e45e79fbcc3680d9298ec77 Mon Sep 17 00:00:00 2001 From: Jani Nikula <jani.nikula(a)intel.com> Date: Thu, 5 Sep 2024 14:25:19 +0300 Subject: [PATCH] drm/i915/bios: fix printk format width s/0x04%x/0x%04x/ to use 0 prefixed width 4 instead of printing 04 verbatim. Fixes: 51f5748179d4 ("drm/i915/bios: create fake child devices on missing VBT") Cc: stable(a)vger.kernel.org # v5.13+ Reviewed-by: Vandita Kulkarni <vandita.kulkarni(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240905112519.4186408-1-jani… Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> (cherry picked from commit 54df34c5a2439b481f066476e67bfa21a0a640e5) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c index d49435af62c7..bed485374ab0 100644 --- a/drivers/gpu/drm/i915/display/intel_bios.c +++ b/drivers/gpu/drm/i915/display/intel_bios.c @@ -2948,7 +2948,7 @@ init_vbt_missing_defaults(struct intel_display *display) list_add_tail(&devdata->node, &display->vbt.display_devices); drm_dbg_kms(display->drm, - "Generating default VBT child device with type 0x04%x on port %c\n", + "Generating default VBT child device with type 0x%04x on port %c\n", child->device_type, port_name(port)); }

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 33eca84db6e31091cef63584158ab64704f78462 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100801-yelp-fasting-b762@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 33eca84db6e3 ("drm/i915: Fix readout degamma_lut mismatch on ilk/snb") da8c3cdb016c ("drm/i915: Rename bigjoiner master/slave to bigjoiner primary/secondary") fb4943574f92 ("drm/i915: Rename all bigjoiner to joiner") 578ff98403ce ("drm/i915: Allow bigjoiner for MST") 3607b30836ae ("drm/i915: Handle joined pipes inside hsw_crtc_enable()") e16bcbb01186 ("drm/i915: Handle joined pipes inside hsw_crtc_disable()") 2b8ad19d3ed6 ("drm/i915: Introduce intel_crtc_joined_pipe_mask()") e43b4f7980f8 ("drm/i915: Pass connector to intel_dp_need_bigjoiner()") 5a1527ed8b43 ("drm/i915/mst: Check intel_dp_joiner_needs_dsc()") aa099402f98b ("drm/i915: Extract intel_dp_joiner_needs_dsc()") c0b8afc3a777 ("drm/i915: s/intel_dp_can_bigjoiner()/intel_dp_has_bigjoiner()/") e02ef5553d9b ("drm/i915: Update pipes in reverse order for bigjoiner") 3a5e09d82f97 ("drm/i915: Fix intel_modeset_pipe_config_late() for bigjoiner") f9d5e51db656 ("drm/i915/vrr: Disable VRR when using bigjoiner") ef79820db723 ("drm/i915: Disable live M/N updates when using bigjoiner") b37e1347b991 ("drm/i915: Disable port sync when bigjoiner is used") 372fa0c79d3f ("drm/i915/psr: Disable PSR when bigjoiner is used") 7a3f171c8f6a ("drm/i915: Extract glk_need_scaler_clock_gating_wa()") c922a47913f9 ("drm/i915: Clean up glk_pipe_scaler_clock_gating_wa()") e9fa99dd47a4 ("drm/i915: Shuffle DP .mode_valid() checks") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33eca84db6e31091cef63584158ab64704f78462 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala(a)linux.intel.com> Date: Wed, 10 Jul 2024 15:41:37 +0300 Subject: [PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On ilk/snb the pipe may be configured to place the LUT before or after the CSC depending on various factors, but as there is only one LUT (no split mode like on IVB+) we only advertise a gamma_lut and no degamma_lut in the uapi to avoid confusing userspace. This can cause a problem during readout if the VBIOS/GOP enabled the LUT in the pre CSC configuration. The current code blindly assigns the results of the readout to the degamma_lut, which will cause a failure during the next atomic_check() as we aren't expecting anything to be in degamma_lut since it's not visible to userspace. Fix the problem by assigning whatever LUT we read out from the hardware into gamma_lut. Cc: stable(a)vger.kernel.org Fixes: d2559299d339 ("drm/i915: Make ilk_read_luts() capable of degamma readout") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11608 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240710124137.16773-1-ville.… Reviewed-by: Uma Shankar <uma.shankar(a)intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_modeset_setup.c b/drivers/gpu/drm/i915/display/intel_modeset_setup.c index 6f85f5352455..72694dde3c22 100644 --- a/drivers/gpu/drm/i915/display/intel_modeset_setup.c +++ b/drivers/gpu/drm/i915/display/intel_modeset_setup.c @@ -326,6 +326,8 @@ static void intel_modeset_update_connector_atomic_state(struct drm_i915_private static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state) { + struct drm_i915_private *i915 = to_i915(crtc_state->uapi.crtc->dev); + if (intel_crtc_is_joiner_secondary(crtc_state)) return; @@ -337,11 +339,30 @@ static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state crtc_state->uapi.adjusted_mode = crtc_state->hw.adjusted_mode; crtc_state->uapi.scaling_filter = crtc_state->hw.scaling_filter; - /* assume 1:1 mapping */ - drm_property_replace_blob(&crtc_state->hw.degamma_lut, - crtc_state->pre_csc_lut); - drm_property_replace_blob(&crtc_state->hw.gamma_lut, - crtc_state->post_csc_lut); + if (DISPLAY_INFO(i915)->color.degamma_lut_size) { + /* assume 1:1 mapping */ + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + crtc_state->pre_csc_lut); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut); + } else { + /* + * ilk/snb hw may be configured for either pre_csc_lut + * or post_csc_lut, but we don't advertise degamma_lut as + * being available in the uapi since there is only one + * hardware LUT. Always assign the result of the readout + * to gamma_lut as that is the only valid source of LUTs + * in the uapi. + */ + drm_WARN_ON(&i915->drm, crtc_state->post_csc_lut && + crtc_state->pre_csc_lut); + + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + NULL); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut ?: + crtc_state->pre_csc_lut); + } drm_property_replace_blob(&crtc_state->uapi.degamma_lut, crtc_state->hw.degamma_lut);

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 33eca84db6e31091cef63584158ab64704f78462 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100859-bogus-pursuable-6b33@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: 33eca84db6e3 ("drm/i915: Fix readout degamma_lut mismatch on ilk/snb") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33eca84db6e31091cef63584158ab64704f78462 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala(a)linux.intel.com> Date: Wed, 10 Jul 2024 15:41:37 +0300 Subject: [PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On ilk/snb the pipe may be configured to place the LUT before or after the CSC depending on various factors, but as there is only one LUT (no split mode like on IVB+) we only advertise a gamma_lut and no degamma_lut in the uapi to avoid confusing userspace. This can cause a problem during readout if the VBIOS/GOP enabled the LUT in the pre CSC configuration. The current code blindly assigns the results of the readout to the degamma_lut, which will cause a failure during the next atomic_check() as we aren't expecting anything to be in degamma_lut since it's not visible to userspace. Fix the problem by assigning whatever LUT we read out from the hardware into gamma_lut. Cc: stable(a)vger.kernel.org Fixes: d2559299d339 ("drm/i915: Make ilk_read_luts() capable of degamma readout") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11608 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240710124137.16773-1-ville.… Reviewed-by: Uma Shankar <uma.shankar(a)intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_modeset_setup.c b/drivers/gpu/drm/i915/display/intel_modeset_setup.c index 6f85f5352455..72694dde3c22 100644 --- a/drivers/gpu/drm/i915/display/intel_modeset_setup.c +++ b/drivers/gpu/drm/i915/display/intel_modeset_setup.c @@ -326,6 +326,8 @@ static void intel_modeset_update_connector_atomic_state(struct drm_i915_private static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state) { + struct drm_i915_private *i915 = to_i915(crtc_state->uapi.crtc->dev); + if (intel_crtc_is_joiner_secondary(crtc_state)) return; @@ -337,11 +339,30 @@ static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state crtc_state->uapi.adjusted_mode = crtc_state->hw.adjusted_mode; crtc_state->uapi.scaling_filter = crtc_state->hw.scaling_filter; - /* assume 1:1 mapping */ - drm_property_replace_blob(&crtc_state->hw.degamma_lut, - crtc_state->pre_csc_lut); - drm_property_replace_blob(&crtc_state->hw.gamma_lut, - crtc_state->post_csc_lut); + if (DISPLAY_INFO(i915)->color.degamma_lut_size) { + /* assume 1:1 mapping */ + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + crtc_state->pre_csc_lut); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut); + } else { + /* + * ilk/snb hw may be configured for either pre_csc_lut + * or post_csc_lut, but we don't advertise degamma_lut as + * being available in the uapi since there is only one + * hardware LUT. Always assign the result of the readout + * to gamma_lut as that is the only valid source of LUTs + * in the uapi. + */ + drm_WARN_ON(&i915->drm, crtc_state->post_csc_lut && + crtc_state->pre_csc_lut); + + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + NULL); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut ?: + crtc_state->pre_csc_lut); + } drm_property_replace_blob(&crtc_state->uapi.degamma_lut, crtc_state->hw.degamma_lut);

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x 33eca84db6e31091cef63584158ab64704f78462 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100800-retiring-unopened-df59@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: 33eca84db6e3 ("drm/i915: Fix readout degamma_lut mismatch on ilk/snb") da8c3cdb016c ("drm/i915: Rename bigjoiner master/slave to bigjoiner primary/secondary") fb4943574f92 ("drm/i915: Rename all bigjoiner to joiner") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 33eca84db6e31091cef63584158ab64704f78462 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala(a)linux.intel.com> Date: Wed, 10 Jul 2024 15:41:37 +0300 Subject: [PATCH] drm/i915: Fix readout degamma_lut mismatch on ilk/snb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On ilk/snb the pipe may be configured to place the LUT before or after the CSC depending on various factors, but as there is only one LUT (no split mode like on IVB+) we only advertise a gamma_lut and no degamma_lut in the uapi to avoid confusing userspace. This can cause a problem during readout if the VBIOS/GOP enabled the LUT in the pre CSC configuration. The current code blindly assigns the results of the readout to the degamma_lut, which will cause a failure during the next atomic_check() as we aren't expecting anything to be in degamma_lut since it's not visible to userspace. Fix the problem by assigning whatever LUT we read out from the hardware into gamma_lut. Cc: stable(a)vger.kernel.org Fixes: d2559299d339 ("drm/i915: Make ilk_read_luts() capable of degamma readout") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11608 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240710124137.16773-1-ville.… Reviewed-by: Uma Shankar <uma.shankar(a)intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_modeset_setup.c b/drivers/gpu/drm/i915/display/intel_modeset_setup.c index 6f85f5352455..72694dde3c22 100644 --- a/drivers/gpu/drm/i915/display/intel_modeset_setup.c +++ b/drivers/gpu/drm/i915/display/intel_modeset_setup.c @@ -326,6 +326,8 @@ static void intel_modeset_update_connector_atomic_state(struct drm_i915_private static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state) { + struct drm_i915_private *i915 = to_i915(crtc_state->uapi.crtc->dev); + if (intel_crtc_is_joiner_secondary(crtc_state)) return; @@ -337,11 +339,30 @@ static void intel_crtc_copy_hw_to_uapi_state(struct intel_crtc_state *crtc_state crtc_state->uapi.adjusted_mode = crtc_state->hw.adjusted_mode; crtc_state->uapi.scaling_filter = crtc_state->hw.scaling_filter; - /* assume 1:1 mapping */ - drm_property_replace_blob(&crtc_state->hw.degamma_lut, - crtc_state->pre_csc_lut); - drm_property_replace_blob(&crtc_state->hw.gamma_lut, - crtc_state->post_csc_lut); + if (DISPLAY_INFO(i915)->color.degamma_lut_size) { + /* assume 1:1 mapping */ + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + crtc_state->pre_csc_lut); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut); + } else { + /* + * ilk/snb hw may be configured for either pre_csc_lut + * or post_csc_lut, but we don't advertise degamma_lut as + * being available in the uapi since there is only one + * hardware LUT. Always assign the result of the readout + * to gamma_lut as that is the only valid source of LUTs + * in the uapi. + */ + drm_WARN_ON(&i915->drm, crtc_state->post_csc_lut && + crtc_state->pre_csc_lut); + + drm_property_replace_blob(&crtc_state->hw.degamma_lut, + NULL); + drm_property_replace_blob(&crtc_state->hw.gamma_lut, + crtc_state->post_csc_lut ?: + crtc_state->pre_csc_lut); + } drm_property_replace_blob(&crtc_state->uapi.degamma_lut, crtc_state->hw.degamma_lut);

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 6ed51ba95e27221ce87979bd2ad5926033b9e1b9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100845-extradite-silencer-e137@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 6ed51ba95e27 ("drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066") 8e140cb60270 ("drm/rockchip: vop: limit maximum resolution to hardware capabilities") 3ba000d6ae99 ("drm/rockchip: define gamma registers for RK3399") 604be85547ce ("drm/rockchip: Add VOP2 driver") b382406a2cf4 ("drm/rockchip: Make VOP driver optional") 540b8f271e53 ("drm/rockchip: Embed drm_encoder into rockchip_decoder") 1e0f66420b13 ("drm/display: Introduce a DRM display-helper module") da68386d9edb ("drm: Rename dp/ to display/") c5060b09f460 ("drm/bridge: Fix it6505 Kconfig DRM_DP_AUX_BUS dependency") 9cbbd694a58b ("Merge drm/drm-next into drm-misc-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6ed51ba95e27221ce87979bd2ad5926033b9e1b9 Mon Sep 17 00:00:00 2001 From: Val Packett <val(a)packett.cool> Date: Mon, 24 Jun 2024 17:40:49 -0300 Subject: [PATCH] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 The RK3066 does have RGB display output, so it should be marked as such. Fixes: f4a6de855eae ("drm: rockchip: vop: add rk3066 vop definitions") Cc: stable(a)vger.kernel.org Signed-off-by: Val Packett <val(a)packett.cool> Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> Link: https://patchwork.freedesktop.org/patch/msgid/20240624204054.5524-3-val@pac… diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c index 9bcb40a640af..e2c6ba26f437 100644 --- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c @@ -515,6 +515,7 @@ static const struct vop_data rk3066_vop = { .output = &rk3066_output, .win = rk3066_vop_win_data, .win_size = ARRAY_SIZE(rk3066_vop_win_data), + .feature = VOP_FEATURE_INTERNAL_RGB, .max_output = { 1920, 1080 }, };

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 6ed51ba95e27221ce87979bd2ad5926033b9e1b9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100844-wireless-suction-3d40@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 6ed51ba95e27 ("drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066") 8e140cb60270 ("drm/rockchip: vop: limit maximum resolution to hardware capabilities") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6ed51ba95e27221ce87979bd2ad5926033b9e1b9 Mon Sep 17 00:00:00 2001 From: Val Packett <val(a)packett.cool> Date: Mon, 24 Jun 2024 17:40:49 -0300 Subject: [PATCH] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 The RK3066 does have RGB display output, so it should be marked as such. Fixes: f4a6de855eae ("drm: rockchip: vop: add rk3066 vop definitions") Cc: stable(a)vger.kernel.org Signed-off-by: Val Packett <val(a)packett.cool> Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> Link: https://patchwork.freedesktop.org/patch/msgid/20240624204054.5524-3-val@pac… diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c index 9bcb40a640af..e2c6ba26f437 100644 --- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c +++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c @@ -515,6 +515,7 @@ static const struct vop_data rk3066_vop = { .output = &rk3066_output, .win = rk3066_vop_win_data, .win_size = ARRAY_SIZE(rk3066_vop_win_data), + .feature = VOP_FEATURE_INTERNAL_RGB, .max_output = { 1920, 1080 }, };

6 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] ext4: fix slab-use-after-free in ext4_split_extent_at()" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x c26ab35702f8cd0cdc78f96aa5856bfb77be798f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100717-untrue-mockup-9fb4@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: c26ab35702f8 ("ext4: fix slab-use-after-free in ext4_split_extent_at()") 082cd4ec240b ("ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c26ab35702f8cd0cdc78f96aa5856bfb77be798f Mon Sep 17 00:00:00 2001 From: Baokun Li <libaokun1(a)huawei.com> Date: Thu, 22 Aug 2024 10:35:23 +0800 Subject: [PATCH] ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates. Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code") Cc: stable(a)kernel.org Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Ojaswin Mujoo <ojaswin(a)linux.ibm.com> Tested-by: Ojaswin Mujoo <ojaswin(a)linux.ibm.com> Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 4395e2b668ec..fe6bca63f9d6 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3251,6 +3251,25 @@ static int ext4_split_extent_at(handle_t *handle, if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM) goto out; + /* + * Update path is required because previous ext4_ext_insert_extent() + * may have freed or reallocated the path. Using EXT4_EX_NOFAIL + * guarantees that ext4_find_extent() will not return -ENOMEM, + * otherwise -ENOMEM will cause a retry in do_writepages(), and a + * WARN_ON may be triggered in ext4_da_update_reserve_space() due to + * an incorrect ee_len causing the i_reserved_data_blocks exception. + */ + path = ext4_find_extent(inode, ee_block, ppath, + flags | EXT4_EX_NOFAIL); + if (IS_ERR(path)) { + EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld", + split, PTR_ERR(path)); + return PTR_ERR(path); + } + depth = ext_depth(inode); + ex = path[depth].p_ext; + *ppath = path; + if (EXT4_EXT_MAY_ZEROOUT & split_flag) { if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { if (split_flag & EXT4_EXT_DATA_VALID1) { @@ -3303,7 +3322,7 @@ static int ext4_split_extent_at(handle_t *handle, ext4_ext_dirty(handle, inode, path + path->p_depth); return err; out: - ext4_ext_show_leaf(inode, path); + ext4_ext_show_leaf(inode, *ppath); return err; }

6 months, 3 weeks

2
1
0 0

[PATCH 5.10] ntfs: do not dereference a null ctx on error

by George Rurikov

From: George Ryurikov <g.ryurikov(a)securitycode.ru> Danila Chernetsov <listdansp(a)mail.ru> commit aa4b92c5234878d55da96d387ea4d3695ca5e4ab upstream. In ntfs_mft_data_extend_allocation_nolock(), if an error condition occurs prior to 'ctx' being set to a non-NULL value, avoid dereferencing the NULL 'ctx' pointer in error handling. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Danila Chernetsov <listdansp(a)mail.ru> Reviewed-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: George Ryurikov <g.ryurikov(a)securitycode.ru> --- fs/ntfs/mft.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c index 0d62cd5bb7f8..3feb218174fa 100644 --- a/fs/ntfs/mft.c +++ b/fs/ntfs/mft.c @@ -1955,36 +1955,38 @@ static int ntfs_mft_data_extend_allocation_nolock(ntfs_volume *vol) "attribute.%s", es); NVolSetErrors(vol); } - a = ctx->attr; + if (ntfs_rl_truncate_nolock(vol, &mft_ni->runlist, old_last_vcn)) { ntfs_error(vol->sb, "Failed to truncate mft data attribute " "runlist.%s", es); NVolSetErrors(vol); } - if (mp_rebuilt && !IS_ERR(ctx->mrec)) { - if (ntfs_mapping_pairs_build(vol, (u8*)a + le16_to_cpu( + if (ctx) { + a = ctx->attr; + if (mp_rebuilt && !IS_ERR(ctx->mrec)) { + if (ntfs_mapping_pairs_build(vol, (u8 *)a + le16_to_cpu( a->data.non_resident.mapping_pairs_offset), old_alen - le16_to_cpu( - a->data.non_resident.mapping_pairs_offset), + a->data.non_resident.mapping_pairs_offset), rl2, ll, -1, NULL)) { - ntfs_error(vol->sb, "Failed to restore mapping pairs " + ntfs_error(vol->sb, "Failed to restore mapping pairs " "array.%s", es); - NVolSetErrors(vol); - } - if (ntfs_attr_record_resize(ctx->mrec, a, old_alen)) { - ntfs_error(vol->sb, "Failed to restore attribute " + NVolSetErrors(vol); + } + if (ntfs_attr_record_resize(ctx->mrec, a, old_alen)) { + ntfs_error(vol->sb, "Failed to restore attribute " "record.%s", es); + NVolSetErrors(vol); + } + flush_dcache_mft_record_page(ctx->ntfs_ino); + mark_mft_record_dirty(ctx->ntfs_ino); + } else if (IS_ERR(ctx->mrec)) { + ntfs_error(vol->sb, "Failed to restore attribute search " + "context.%s", es); NVolSetErrors(vol); } - flush_dcache_mft_record_page(ctx->ntfs_ino); - mark_mft_record_dirty(ctx->ntfs_ino); - } else if (IS_ERR(ctx->mrec)) { - ntfs_error(vol->sb, "Failed to restore attribute search " - "context.%s", es); - NVolSetErrors(vol); - } - if (ctx) ntfs_attr_put_search_ctx(ctx); + } if (!IS_ERR(mrec)) unmap_mft_record(mft_ni); up_write(&mft_ni->runlist.lock); -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

6 months, 3 weeks

1
0
0 0

[PATCH] HID: plantronics: Workaround for an unexcepted opposite volume key

by Wade Wang

Some Plantronics headset as the below send an unexcept opposite volume key's HID report for each volume key press after 200ms, like unecepted Volume Up Key following Volume Down key pressed by user. This patch adds a quirk to hid-plantronics for these devices, which will ignore the second unexcepted opposite volume key if it happens within 220ms from the last one that was handled. Plantronics EncorePro 500 Series (047f:431e) Plantronics Blackwire_3325 Series (047f:430c) The patch was tested on the mentioned model, it shouldn't affect other models, however, this quirk might be needed for them too. Auto-repeat (when a key is held pressed) is not affected per test result. Cc: stable(a)vger.kernel.org Signed-off-by: Wade Wang <wade.wang(a)hp.com> --- drivers/hid/hid-ids.h | 2 ++ drivers/hid/hid-plantronics.c | 23 +++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h index 781c5aa29859..b72d70bc5628 100644 --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -1050,6 +1050,8 @@ #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056 #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES 0xc057 #define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES 0xc058 +#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES 0x430c +#define USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES 0x431e #define USB_VENDOR_ID_PANASONIC 0x04da #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044 diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c index 3d414ae194ac..25cfd964dc25 100644 --- a/drivers/hid/hid-plantronics.c +++ b/drivers/hid/hid-plantronics.c @@ -38,8 +38,10 @@ (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER) #define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0) +#define PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS BIT(1) #define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */ +#define PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT 220 /* ms */ struct plt_drv_data { unsigned long device_type; @@ -137,6 +139,21 @@ static int plantronics_event(struct hid_device *hdev, struct hid_field *field, drv_data->last_volume_key_ts = cur_ts; } + if (drv_data->quirks & PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS) { + unsigned long prev_ts, cur_ts; + + /* Usages are filtered in plantronics_usages. */ + + if (!value) /* Handle key presses only. */ + return 0; + + prev_ts = drv_data->last_volume_key_ts; + cur_ts = jiffies; + if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_FOLLOWED_OPPOSITE_KEY_TIMEOUT) + return 1; /* Ignore the followed opposite volume key. */ + + drv_data->last_volume_key_ts = cur_ts; + } return 0; } @@ -210,6 +227,12 @@ static const struct hid_device_id plantronics_devices[] = { { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES), .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3325_SERIES), + .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, + { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, + USB_DEVICE_ID_PLANTRONICS_ENCOREPRO_500_SERIES), + .driver_data = PLT_QUIRK_FOLLOWED_OPPOSITE_VOLUME_KEYS }, { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) }, { } }; -- Change log: 1. 2nd patch submission: Add one Cc mail aoount in patch comment, per kernel test robot required 2. 3rd patch submission: Code and comment change to Separate this patch with previous patch 'commit f567d6ef8606 ("HID: plantronics: Workaround for double volume key presses")' 2.34.1

6 months, 3 weeks

2
1
0 0

[PATCH] r8169: add tally counter fields added with RTL8125

by Heiner Kallweit

RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org # up to 6.11 Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> --- Original commit: ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index 31e8634a6..d0a188cb3 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -579,6 +579,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.46.1

6 months, 3 weeks

2
1
0 0

Regression in 6.11.2

by Mario Limonciello

Hi, commit 872b8f14d772 ("drm/amd/display: Validate backlight caps are sane") was added to stable trees to fix a brightness problem on one laptop on a buggy firmware but with how aggressive it was it caused a problem on another. Fortunately the problem on the other was already fixed in 6.12 though! commit 87d749a6aab7 ("drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT`") Can that commit please be brought everywhere that 872b8f14d772 went? Thanks!

6 months, 3 weeks

4
3
0 0