- Linux-stable-mirror - lists.linaro.org

[PATCH] PCI/PM: Avoid redundant delays on D3hot->D3cold

by Brian Norris

From: Brian Norris <briannorris(a)google.com> When transitioning to D3cold, __pci_set_power_state() will first transition a device to D3hot. If the device was already in D3hot, this will add excess work: (a) read/modify/write PMCSR; and (b) excess delay (pci_dev_d3_sleep()). For (b), we already performed the necessary delay on the previous D3hot entry; this was extra noticeable when evaluating runtime PM transition latency. Check whether we're already in the target state before continuing. Note that __pci_set_power_state() already does this same check for other state transitions, but D3cold is special because __pci_set_power_state() converts it to D3hot for the purposes of PMCSR. This seems to be an oversight in commit 0aacdc957401 ("PCI/PM: Clean up pci_set_low_power_state()"). Fixes: 0aacdc957401 ("PCI/PM: Clean up pci_set_low_power_state()") Cc: <stable(a)vger.kernel.org> Signed-off-by: Brian Norris <briannorris(a)google.com> Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- drivers/pci/pci.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index b0f4d98036cd..7517f1380201 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c @@ -1539,6 +1539,9 @@ static int pci_set_low_power_state(struct pci_dev *dev, pci_power_t state, bool || (state == PCI_D2 && !dev->d2_support)) return -EIO; + if (state == dev->current_state) + return 0; + pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr); if (PCI_POSSIBLE_ERROR(pmcsr)) { pci_err(dev, "Unable to change power state from %s to %s, device inaccessible\n", -- 2.51.0.618.g983fd99d29-goog

2 weeks, 1 day

4
7
0 0

FAILED: patch "[PATCH] mptcp: decouple mptcp fastclose from tcp close" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x fff0c87996672816a84c3386797a5e69751c5888 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112412-trough-caloric-1503@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fff0c87996672816a84c3386797a5e69751c5888 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Tue, 18 Nov 2025 08:20:23 +0100 Subject: [PATCH] mptcp: decouple mptcp fastclose from tcp close With the current fastclose implementation, the mptcp_do_fastclose() helper is in charge of two distinct actions: send the fastclose reset and cleanup the subflows. Formally decouple the two steps, ensuring that mptcp explicitly closes all the subflows after the mentioned helper. This will make the upcoming fix simpler, and allows dropping the 2nd argument from mptcp_destroy_common(). The Fixes tag is then the same as in the next commit to help with the backports. Fixes: d21f83485518 ("mptcp: use fastclose on more edge scenarios") Cc: stable(a)vger.kernel.org Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-5-806d37… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 6f0e8f670d83..c59246c1fde6 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2808,7 +2808,11 @@ static void mptcp_worker(struct work_struct *work) __mptcp_close_subflow(sk); if (mptcp_close_tout_expired(sk)) { + struct mptcp_subflow_context *subflow, *tmp; + mptcp_do_fastclose(sk); + mptcp_for_each_subflow_safe(msk, subflow, tmp) + __mptcp_close_ssk(sk, subflow->tcp_sock, subflow, 0); mptcp_close_wake_up(sk); } @@ -3233,7 +3237,8 @@ static int mptcp_disconnect(struct sock *sk, int flags) /* msk->subflow is still intact, the following will not free the first * subflow */ - mptcp_destroy_common(msk, MPTCP_CF_FASTCLOSE); + mptcp_do_fastclose(sk); + mptcp_destroy_common(msk); /* The first subflow is already in TCP_CLOSE status, the following * can't overlap with a fallback anymore @@ -3412,7 +3417,7 @@ void mptcp_rcv_space_init(struct mptcp_sock *msk, const struct sock *ssk) msk->rcvq_space.space = TCP_INIT_CWND * TCP_MSS_DEFAULT; } -void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags) +void mptcp_destroy_common(struct mptcp_sock *msk) { struct mptcp_subflow_context *subflow, *tmp; struct sock *sk = (struct sock *)msk; @@ -3421,7 +3426,7 @@ void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags) /* join list will be eventually flushed (with rst) at sock lock release time */ mptcp_for_each_subflow_safe(msk, subflow, tmp) - __mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, flags); + __mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, 0); __skb_queue_purge(&sk->sk_receive_queue); skb_rbtree_purge(&msk->out_of_order_queue); @@ -3439,7 +3444,7 @@ static void mptcp_destroy(struct sock *sk) /* allow the following to close even the initial subflow */ msk->free_first = 1; - mptcp_destroy_common(msk, 0); + mptcp_destroy_common(msk); sk_sockets_allocated_dec(sk); } diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 5575ef64ea31..6ca97096607c 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -977,7 +977,7 @@ static inline void mptcp_propagate_sndbuf(struct sock *sk, struct sock *ssk) local_bh_enable(); } -void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags); +void mptcp_destroy_common(struct mptcp_sock *msk); #define MPTCP_TOKEN_MAX_RETRIES 4

2 weeks, 1 day

2
1
0 0

[PATCH 1/2] USB: serial: option: add Telit Cinterion FE910C04 new compositions

by Fabio Porcedda

From: Fabio Porcedda <Fabio.Porcedda(a)telit.com> Add the following Telit Cinterion new compositions: 0x10c1: RNDIS + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c1 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c2 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c3: ECM + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c3 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c5: RNDIS + tty (AT) + tty (AT) + tty (diag) T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c5 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c6: MBIM + tty (AT) + tty (AT) + tty (diag) T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c6 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10c9: MBIM + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10c9 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FE910 S: SerialNumber=f71b8b32 C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10cb: RNDIS + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=480 MxCh=16 D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1d6b ProdID=0002 Rev=06.18 S: Manufacturer=Linux 6.18.0-rc3-usb+ xhci-hcd S: Product=xHCI Host Controller S: SerialNumber=0000:00:14.0 C: #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms T: Bus=01 Lev=01 Prnt=01 Port=11 Cnt=01 Dev#= 7 Spd=1.5 MxCh= 0 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 P: Vendor=413c ProdID=2003 Rev=03.01 S: Manufacturer=Dell S: Product=Dell USB Keyboard C: #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=70mA I: If#= 0 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=01 Driver=usbhid E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=24ms T: Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=10000 MxCh=10 D: Ver= 3.10 Cls=09(hub ) Sub=00 Prot=03 MxPS= 9 #Cfgs= 1 P: Vendor=1d6b ProdID=0003 Rev=06.18 S: Manufacturer=Linux 6.18.0-rc3-usb+ xhci-hcd S: Product=xHCI Host Controller S: SerialNumber=0000:00:14.0 C: #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms Cc: stable(a)vger.kernel.org Signed-off-by: Fabio Porcedda <fabio.porcedda(a)gmail.com> --- drivers/usb/serial/option.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index e9400727ad36..b9983e6f5eff 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -1433,10 +1433,24 @@ static const struct usb_device_id option_ids[] = { { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x60) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c0, 0xff), /* Telit FE910C04 (rmnet) */ .driver_info = RSVD(0) | NCTRL(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c1, 0xff), /* Telit FE910C04 (RNDIS) */ + .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c2, 0xff), /* Telit FE910C04 (MBIM) */ + .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c3, 0xff), /* Telit FE910C04 (ECM) */ + .driver_info = NCTRL(4) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c4, 0xff), /* Telit FE910C04 (rmnet) */ .driver_info = RSVD(0) | NCTRL(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c5, 0xff), /* Telit FE910C04 (RNDIS) */ + .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff), /* Telit FE910C04 (MBIM) */ + .driver_info = NCTRL(4) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */ .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff), /* Telit FE910C04 (MBIM) */ + .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10cb, 0xff), /* Telit FE910C04 (RNDIS) */ + .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) }, { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x30), /* Telit FN990B (rmnet) */ .driver_info = NCTRL(5) }, { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) }, -- 2.52.0

2 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Prevent Gating DTBCLK before It Is Properly" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x cfa0904a35fd0231f4d05da0190f0a22ed881cce # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112425-aspirin-conduit-e44b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cfa0904a35fd0231f4d05da0190f0a22ed881cce Mon Sep 17 00:00:00 2001 From: Fangzhi Zuo <Jerry.Zuo(a)amd.com> Date: Thu, 18 Sep 2025 16:25:45 -0400 Subject: [PATCH] drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched [why] 1. With allow_0_dtb_clk enabled, the time required to latch DTBCLK to 600 MHz depends on the SMU. If DTBCLK is not latched to 600 MHz before set_mode completes, gating DTBCLK causes the DP2 sink to lose its clock source. 2. The existing DTBCLK gating sequence ungates DTBCLK based on both pix_clk and ref_dtbclk, but gates DTBCLK when either pix_clk or ref_dtbclk is zero. pix_clk can be zero outside the set_mode sequence before DTBCLK is properly latched, which can lead to DTBCLK being gated by mistake. [how] Consider both pixel_clk and ref_dtbclk when determining when it is safe to gate DTBCLK; this is more accurate. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4701 Fixes: 5949e7c4890c ("drm/amd/display: Enable Dynamic DTBCLK Switch") Reviewed-by: Charlene Liu <charlene.liu(a)amd.com> Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Fangzhi Zuo <Jerry.Zuo(a)amd.com> Signed-off-by: Roman Li <roman.li(a)amd.com> Tested-by: Dan Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit d04eb0c402780ca037b62a6aecf23b863545ebca) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c index b11383fba35f..1eb04772f5da 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c @@ -394,6 +394,8 @@ void dcn35_update_clocks(struct clk_mgr *clk_mgr_base, display_count = dcn35_get_active_display_cnt_wa(dc, context, &all_active_disps); if (new_clocks->dtbclk_en && !new_clocks->ref_dtbclk_khz) new_clocks->ref_dtbclk_khz = 600000; + else if (!new_clocks->dtbclk_en && new_clocks->ref_dtbclk_khz > 590000) + new_clocks->ref_dtbclk_khz = 0; /* * if it is safe to lower, but we are already in the lower state, we don't have to do anything @@ -435,7 +437,7 @@ void dcn35_update_clocks(struct clk_mgr *clk_mgr_base, actual_dtbclk = REG_READ(CLK1_CLK4_CURRENT_CNT); - if (actual_dtbclk) { + if (actual_dtbclk > 590000) { clk_mgr_base->clks.ref_dtbclk_khz = new_clocks->ref_dtbclk_khz; clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; } diff --git a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c index de6d62401362..c899c09ea31b 100644 --- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c +++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c @@ -1411,7 +1411,7 @@ static void dccg35_set_dtbclk_dto( __func__, params->otg_inst, params->pixclk_khz, params->ref_dtbclk_khz, req_dtbclk_khz, phase, modulo); - } else { + } else if (!params->ref_dtbclk_khz && !req_dtbclk_khz) { switch (params->otg_inst) { case 0: REG_UPDATE(DCCG_GATE_DISABLE_CNTL5, DTBCLK_P0_GATE_DISABLE, 0);

2 weeks, 1 day

2
4
0 0

[PATCH v2] KVM: x86: Add x2APIC "features" to control EOI broadcast suppression

by Khushit Shah

Add two flags for KVM_CAP_X2APIC_API to allow userspace to control support for Suppress EOI Broadcasts, which KVM completely mishandles. When x2APIC support was first added, KVM incorrectly advertised and "enabled" Suppress EOI Broadcast, without fully supporting the I/O APIC side of the equation, i.e. without adding directed EOI to KVM's in-kernel I/O APIC. That flaw was carried over to split IRQCHIP support, i.e. KVM advertised support for Suppress EOI Broadcasts irrespective of whether or not the userspace I/O APIC implementation supported directed EOIs. Even worse, KVM didn't actually suppress EOI broadcasts, i.e. userspace VMMs without support for directed EOI came to rely on the "spurious" broadcasts. KVM "fixed" the in-kernel I/O APIC implementation by completely disabling support for Suppress EOI Broadcasts in commit 0bcc3fb95b97 ("KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use"), but didn't do anything to remedy userspace I/O APIC implementations. KVM's bogus handling of Suppress EOI Broadcast is problematic when the guest relies on interrupts being masked in the I/O APIC until well after the initial local APIC EOI. E.g. Windows with Credential Guard enabled handles interrupts in the following order: 1. Interrupt for L2 arrives. 2. L1 APIC EOIs the interrupt. 3. L1 resumes L2 and injects the interrupt. 4. L2 EOIs after servicing. 5. L1 performs the I/O APIC EOI. Because KVM EOIs the I/O APIC at step #2, the guest can get an interrupt storm, e.g. if the IRQ line is still asserted and userspace reacts to the EOI by re-injecting the IRQ, because the guest doesn't de-assert the line until step #4, and doesn't expect the interrupt to be re-enabled until step #5. Unfortunately, simply "fixing" the bug isn't an option, as KVM has no way of knowing if the userspace I/O APIC supports directed EOIs, i.e. suppressing EOI broadcasts would result in interrupts being stuck masked in the userspace I/O APIC due to step #5 being ignored by userspace. And fully disabling support for Suppress EOI Broadcast is also undesirable, as picking up the fix would require a guest reboot, *and* more importantly would change the virtual CPU model exposed to the guest without any buy-in from userspace. Add two flags to allow userspace to choose exactly how to solve the immediate issue, and in the long term to allow userspace to control the virtual CPU model that is exposed to the guest (KVM should never have enabled support for Suppress EOI Broadcast without a userspace opt-in). Note, Suppress EOI Broadcasts is defined only in Intel's SDM, not in AMD's APM. But the bit is writable on some AMD CPUs, e.g. Turin, and KVM's ABI is to support Directed EOI (KVM's name) irrespective of guest CPU vendor. Fixes: 7543a635aa09 ("KVM: x86: Add KVM exit for IOAPIC EOIs") Closes: https://lore.kernel.org/kvm/7D497EF1-607D-4D37-98E7-DAF95F099342@nutanix.com Cc: stable(a)vger.kernel.org Co-developed-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Khushit Shah <khushit.shah(a)nutanix.com> --- All discussions on v1, v2 only apply the naming feedback and grammar fixes. Testing: I ran the tests with QEMU 9.1 and a 6.12 kernel with the patch applied. - With an unmodified QEMU build, KVM’s LAPIC SEOIB behavior remains unchanged. - Invoking the x2APIC API with KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK correctly suppresses LAPIC -> IOAPIC EOI broadcasts (verified via KVM tracepoints). - Invoking the x2APIC API with KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST results in SEOIB not being advertised to the guest, as expected (confirmed by checking the LAPIC LVR value inside the guest). I'll send the corresponding QEMU-side patch shortly. --- Documentation/virt/kvm/api.rst | 14 ++++++++++++-- arch/x86/include/asm/kvm_host.h | 2 ++ arch/x86/include/uapi/asm/kvm.h | 6 ++++-- arch/x86/kvm/lapic.c | 13 +++++++++++++ arch/x86/kvm/x86.c | 12 +++++++++--- 5 files changed, 40 insertions(+), 7 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 57061fa29e6a..4141d2bd8156 100644 results in SEOIB not being advertised to the guest, as expected (confirmed by checking the LAPIC LVR value inside the guest). I'll send the corresponding QEMU-side patch shortly. --- Documentation/virt/kvm/api.rst | 14 ++++++++++++-- arch/x86/include/asm/kvm_host.h | 2 ++ arch/x86/include/uapi/asm/kvm.h | 6 ++++-- arch/x86/kvm/lapic.c | 13 +++++++++++++ arch/x86/kvm/x86.c | 12 +++++++++--- 5 files changed, 40 insertions(+), 7 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 57061fa29e6a..4141d2bd8156 100644 results in SEOIB not being advertised to the guest, as expected (confirmed by checking the LAPIC LVR value inside the guest). I'll send the corresponding QEMU-side patch shortly. --- Documentation/virt/kvm/api.rst | 14 ++++++++++++-- arch/x86/include/asm/kvm_host.h | 2 ++ arch/x86/include/uapi/asm/kvm.h | 6 ++++-- arch/x86/kvm/lapic.c | 13 +++++++++++++ arch/x86/kvm/x86.c | 12 +++++++++--- 5 files changed, 40 insertions(+), 7 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 57061fa29e6a..4141d2bd8156 100644 results in SEOIB not being advertised to the guest, as expected (confirmed by checking the LAPIC LVR value inside the guest). I'll send the corresponding QEMU-side patch shortly. --- Documentation/virt/kvm/api.rst | 14 ++++++++++++-- arch/x86/include/asm/kvm_host.h | 2 ++ arch/x86/include/uapi/asm/kvm.h | 6 ++++-- arch/x86/kvm/lapic.c | 13 +++++++++++++ arch/x86/kvm/x86.c | 12 +++++++++--- 5 files changed, 40 insertions(+), 7 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 57061fa29e6a..4141d2bd8156 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -7800,8 +7800,10 @@ Will return -EBUSY if a VCPU has already been created. Valid feature flags in args[0] are:: - #define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) - #define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) + #define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) + #define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) + #define KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK (1ULL << 2) + #define KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST (1ULL << 3) Enabling KVM_X2APIC_API_USE_32BIT_IDS changes the behavior of KVM_SET_GSI_ROUTING, KVM_SIGNAL_MSI, KVM_SET_LAPIC, and KVM_GET_LAPIC, @@ -7814,6 +7816,14 @@ as a broadcast even in x2APIC mode in order to support physical x2APIC without interrupt remapping. This is undesirable in logical mode, where 0xff represents CPUs 0-7 in cluster 0. +Setting KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK overrides +KVM's quirky behavior of not actually suppressing EOI broadcasts for split IRQ +chips when support for Suppress EOI Broadcasts is advertised to the guest. + +Setting KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST disables support for +Suppress EOI Broadcasts entirely, i.e. instructs KVM to NOT advertise support +to the guest and thus disallow enabling EOI broadcast suppression in SPIV. + 7.8 KVM_CAP_S390_USER_INSTR0 ---------------------------- diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 48598d017d6f..f6fdc0842c05 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1480,6 +1480,8 @@ struct kvm_arch { bool x2apic_format; bool x2apic_broadcast_quirk_disabled; + bool disable_ignore_suppress_eoi_broadcast_quirk; + bool x2apic_disable_suppress_eoi_broadcast; + * Suppress EOI Broadcasts without actually suppressing EOIs). + */ + if ((kvm_lapic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI) && + apic->vcpu->kvm->arch.disable_ignore_suppress_eoi_broadcast_quirk) + return; + apic->vcpu->arch.pending_ioapic_eoi = vector; kvm_make_request(KVM_REQ_IOAPIC_EOI_EXIT, apic->vcpu); return; diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c9c2aa6f4705..e1b6fe783615 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -121,8 +121,11 @@ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE); #define KVM_CAP_PMU_VALID_MASK KVM_PMU_CAP_DISABLE -#define KVM_X2APIC_API_VALID_FLAGS (KVM_X2APIC_API_USE_32BIT_IDS | \ - KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK) +#define KVM_X2APIC_API_VALID_FLAGS \ + (KVM_X2APIC_API_USE_32BIT_IDS | \ + KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK | \ + KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK | \ + KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST) static void update_cr8_intercept(struct kvm_vcpu *vcpu); static void process_nmi(struct kvm_vcpu *vcpu); @@ -6782,7 +6785,10 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, kvm->arch.x2apic_format = true; if (cap->args[0] & KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK) kvm->arch.x2apic_broadcast_quirk_disabled = true; - + if (cap->args[0] & KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK) + kvm->arch.disable_ignore_suppress_eoi_broadcast_quirk = true; + if (cap->args[0] & KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST) + kvm->arch.x2apic_disable_suppress_eoi_broadcast = true; r = 0; break; case KVM_CAP_X86_DISABLE_EXITS: -- 2.39.3

2 weeks, 1 day

1
0
0 0

[PATCH v2] iommu/amd: Relay __modify_irte_ga() error in modify_irte_ga()

by Jinhui Guo

The return type of __modify_irte_ga() is int, but modify_irte_ga() treats it as a bool. Casting the int to bool discards the error code. To fix the issue, change the type of ret to int in modify_irte_ga(). Fixes: 57cdb720eaa5 ("iommu/amd: Do not flush IRTE when only updating isRun and destination fields") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> Reviewed-by: Ankit Soni <Ankit.Soni(a)amd.com> --- v1: https://lore.kernel.org/all/20251120154725.435-1-guojinhui.liam@bytedance.c… Changelog in v1 -> v2 (suggested by Ankit Soni) - Trim subject line to the recommanded length drivers/iommu/amd/iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index 2e1865daa1ce..a38304f1a8df 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -3354,7 +3354,7 @@ static int __modify_irte_ga(struct amd_iommu *iommu, u16 devid, int index, static int modify_irte_ga(struct amd_iommu *iommu, u16 devid, int index, struct irte_ga *irte) { - bool ret; + int ret; ret = __modify_irte_ga(iommu, devid, index, irte); if (ret) -- 2.20.1

2 weeks, 1 day

3
2
0 0

[PATCH] iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga()

by Jinhui Guo

The return type of __modify_irte_ga() is int, but modify_irte_ga() treats it as a bool. Casting the int to bool discards the error code. To fix the issue, change the type of ret to int in modify_irte_ga(). Fixes: 57cdb720eaa5 ("iommu/amd: Do not flush IRTE when only updating isRun and destination fields") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> --- drivers/iommu/amd/iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index 2e1865daa1ce..a38304f1a8df 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -3354,7 +3354,7 @@ static int __modify_irte_ga(struct amd_iommu *iommu, u16 devid, int index, static int modify_irte_ga(struct amd_iommu *iommu, u16 devid, int index, struct irte_ga *irte) { - bool ret; + int ret; ret = __modify_irte_ga(iommu, devid, index, irte); if (ret) -- 2.20.1

2 weeks, 1 day

4
3
0 0

FAILED: patch "[PATCH] drm/amd/display: Prevent Gating DTBCLK before It Is Properly" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x cfa0904a35fd0231f4d05da0190f0a22ed881cce # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112424-handball-smolder-0f15@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cfa0904a35fd0231f4d05da0190f0a22ed881cce Mon Sep 17 00:00:00 2001 From: Fangzhi Zuo <Jerry.Zuo(a)amd.com> Date: Thu, 18 Sep 2025 16:25:45 -0400 Subject: [PATCH] drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched [why] 1. With allow_0_dtb_clk enabled, the time required to latch DTBCLK to 600 MHz depends on the SMU. If DTBCLK is not latched to 600 MHz before set_mode completes, gating DTBCLK causes the DP2 sink to lose its clock source. 2. The existing DTBCLK gating sequence ungates DTBCLK based on both pix_clk and ref_dtbclk, but gates DTBCLK when either pix_clk or ref_dtbclk is zero. pix_clk can be zero outside the set_mode sequence before DTBCLK is properly latched, which can lead to DTBCLK being gated by mistake. [how] Consider both pixel_clk and ref_dtbclk when determining when it is safe to gate DTBCLK; this is more accurate. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4701 Fixes: 5949e7c4890c ("drm/amd/display: Enable Dynamic DTBCLK Switch") Reviewed-by: Charlene Liu <charlene.liu(a)amd.com> Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Fangzhi Zuo <Jerry.Zuo(a)amd.com> Signed-off-by: Roman Li <roman.li(a)amd.com> Tested-by: Dan Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit d04eb0c402780ca037b62a6aecf23b863545ebca) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c index b11383fba35f..1eb04772f5da 100644 --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c @@ -394,6 +394,8 @@ void dcn35_update_clocks(struct clk_mgr *clk_mgr_base, display_count = dcn35_get_active_display_cnt_wa(dc, context, &all_active_disps); if (new_clocks->dtbclk_en && !new_clocks->ref_dtbclk_khz) new_clocks->ref_dtbclk_khz = 600000; + else if (!new_clocks->dtbclk_en && new_clocks->ref_dtbclk_khz > 590000) + new_clocks->ref_dtbclk_khz = 0; /* * if it is safe to lower, but we are already in the lower state, we don't have to do anything @@ -435,7 +437,7 @@ void dcn35_update_clocks(struct clk_mgr *clk_mgr_base, actual_dtbclk = REG_READ(CLK1_CLK4_CURRENT_CNT); - if (actual_dtbclk) { + if (actual_dtbclk > 590000) { clk_mgr_base->clks.ref_dtbclk_khz = new_clocks->ref_dtbclk_khz; clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; } diff --git a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c index de6d62401362..c899c09ea31b 100644 --- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c +++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c @@ -1411,7 +1411,7 @@ static void dccg35_set_dtbclk_dto( __func__, params->otg_inst, params->pixclk_khz, params->ref_dtbclk_khz, req_dtbclk_khz, phase, modulo); - } else { + } else if (!params->ref_dtbclk_khz && !req_dtbclk_khz) { switch (params->otg_inst) { case 0: REG_UPDATE(DCCG_GATE_DISABLE_CNTL5, DTBCLK_P0_GATE_DISABLE, 0);

2 weeks, 1 day

2
2
0 0

[PATCH 3/4] ASoC: stm32: sai: fix OF node leak on probe

by Johan Hovold

The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. Fixes: 5914d285f6b7 ("ASoC: stm32: sai: Add synchronization support") Fixes: d4180b4c02e7 ("ASoC: stm32: sai: fix set_sync service") Cc: Olivier Moysan <olivier.moysan(a)st.com> Cc: stable(a)vger.kernel.org # 4.16: d4180b4c02e7 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- sound/soc/stm/stm32_sai.c | 12 +++--------- sound/soc/stm/stm32_sai_sub.c | 23 ++++++++++++++++------- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/sound/soc/stm/stm32_sai.c b/sound/soc/stm/stm32_sai.c index 7065aeb0e524..00cf24ceca2d 100644 --- a/sound/soc/stm/stm32_sai.c +++ b/sound/soc/stm/stm32_sai.c @@ -138,7 +138,6 @@ static int stm32_sai_set_sync(struct stm32_sai_data *sai_client, if (!pdev) { dev_err(&sai_client->pdev->dev, "Device not found for node %pOFn\n", np_provider); - of_node_put(np_provider); return -ENODEV; } @@ -147,21 +146,16 @@ static int stm32_sai_set_sync(struct stm32_sai_data *sai_client, if (!sai_provider) { dev_err(&sai_client->pdev->dev, "SAI sync provider data not found\n"); - ret = -EINVAL; - goto error; + return -EINVAL; } /* Configure sync client */ ret = stm32_sai_sync_conf_client(sai_client, synci); if (ret < 0) - goto error; + return ret; /* Configure sync provider */ - ret = stm32_sai_sync_conf_provider(sai_provider, synco); - -error: - of_node_put(np_provider); - return ret; + return stm32_sai_sync_conf_provider(sai_provider, synco); } static int stm32_sai_get_parent_clk(struct stm32_sai_data *sai) diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c index 7a005b4ad304..5ae4d2577f28 100644 --- a/sound/soc/stm/stm32_sai_sub.c +++ b/sound/soc/stm/stm32_sai_sub.c @@ -1586,7 +1586,8 @@ static int stm32_sai_sub_parse_of(struct platform_device *pdev, dev_err(&pdev->dev, "External synchro not supported\n"); of_node_put(args.np); - return -EINVAL; + ret = -EINVAL; + goto err_put_sync_provider; } sai->sync = SAI_SYNC_EXTERNAL; @@ -1595,7 +1596,8 @@ static int stm32_sai_sub_parse_of(struct platform_device *pdev, (sai->synci > (SAI_GCR_SYNCIN_MAX + 1))) { dev_err(&pdev->dev, "Wrong SAI index\n"); of_node_put(args.np); - return -EINVAL; + ret = -EINVAL; + goto err_put_sync_provider; } if (of_property_match_string(args.np, "compatible", @@ -1609,7 +1611,8 @@ static int stm32_sai_sub_parse_of(struct platform_device *pdev, if (!sai->synco) { dev_err(&pdev->dev, "Unknown SAI sub-block\n"); of_node_put(args.np); - return -EINVAL; + ret = -EINVAL; + goto err_put_sync_provider; } } @@ -1619,13 +1622,15 @@ static int stm32_sai_sub_parse_of(struct platform_device *pdev, of_node_put(args.np); sai->sai_ck = devm_clk_get(&pdev->dev, "sai_ck"); - if (IS_ERR(sai->sai_ck)) - return dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck), - "Missing kernel clock sai_ck\n"); + if (IS_ERR(sai->sai_ck)) { + ret = dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck), + "Missing kernel clock sai_ck\n"); + goto err_put_sync_provider; + } ret = clk_prepare(sai->pdata->pclk); if (ret < 0) - return ret; + goto err_put_sync_provider; if (STM_SAI_IS_F4(sai->pdata)) return 0; @@ -1647,6 +1652,8 @@ static int stm32_sai_sub_parse_of(struct platform_device *pdev, err_unprepare_pclk: clk_unprepare(sai->pdata->pclk); +err_put_sync_provider: + of_node_put(sai->np_sync_provider); return ret; } @@ -1720,6 +1727,7 @@ static int stm32_sai_sub_probe(struct platform_device *pdev) err_unprepare_pclk: clk_unprepare(sai->pdata->pclk); + of_node_put(sai->np_sync_provider); return ret; } @@ -1732,6 +1740,7 @@ static void stm32_sai_sub_remove(struct platform_device *pdev) snd_dmaengine_pcm_unregister(&pdev->dev); snd_soc_unregister_component(&pdev->dev); pm_runtime_disable(&pdev->dev); + of_node_put(sai->np_sync_provider); } static int stm32_sai_sub_suspend(struct device *dev) -- 2.51.2

2 weeks, 1 day

2
1
0 0

[PATCH 2/4] ASoC: stm32: sai: fix clk prepare imbalance on probe failure

by Johan Hovold

Make sure to unprepare the parent clock also on probe failures (e.g. probe deferral). Fixes: a14bf98c045b ("ASoC: stm32: sai: fix possible circular locking") Cc: stable(a)vger.kernel.org # 5.5 Cc: Olivier Moysan <olivier.moysan(a)st.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- sound/soc/stm/stm32_sai_sub.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/sound/soc/stm/stm32_sai_sub.c b/sound/soc/stm/stm32_sai_sub.c index 0ae1eae2a59e..7a005b4ad304 100644 --- a/sound/soc/stm/stm32_sai_sub.c +++ b/sound/soc/stm/stm32_sai_sub.c @@ -1634,14 +1634,21 @@ static int stm32_sai_sub_parse_of(struct platform_device *pdev, if (of_property_present(np, "#clock-cells")) { ret = stm32_sai_add_mclk_provider(sai); if (ret < 0) - return ret; + goto err_unprepare_pclk; } else { sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK"); - if (IS_ERR(sai->sai_mclk)) - return PTR_ERR(sai->sai_mclk); + if (IS_ERR(sai->sai_mclk)) { + ret = PTR_ERR(sai->sai_mclk); + goto err_unprepare_pclk; + } } return 0; + +err_unprepare_pclk: + clk_unprepare(sai->pdata->pclk); + + return ret; } static int stm32_sai_sub_probe(struct platform_device *pdev) @@ -1688,26 +1695,33 @@ static int stm32_sai_sub_probe(struct platform_device *pdev) IRQF_SHARED, dev_name(&pdev->dev), sai); if (ret) { dev_err(&pdev->dev, "IRQ request returned %d\n", ret); - return ret; + goto err_unprepare_pclk; } if (STM_SAI_PROTOCOL_IS_SPDIF(sai)) conf = &stm32_sai_pcm_config_spdif; ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0); - if (ret) - return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n"); + if (ret) { + ret = dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n"); + goto err_unprepare_pclk; + } ret = snd_soc_register_component(&pdev->dev, &stm32_component, &sai->cpu_dai_drv, 1); if (ret) { snd_dmaengine_pcm_unregister(&pdev->dev); - return ret; + goto err_unprepare_pclk; } pm_runtime_enable(&pdev->dev); return 0; + +err_unprepare_pclk: + clk_unprepare(sai->pdata->pclk); + + return ret; } static void stm32_sai_sub_remove(struct platform_device *pdev) -- 2.51.2

2 weeks, 1 day

2
1
0 0

[PATCH 1/4] ASoC: stm32: sai: fix device leak on probe

by Johan Hovold

Make sure to drop the reference taken when looking up the sync provider device and its driver data during DAI probe on probe failures and on unbind. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 7dd0d835582f ("ASoC: stm32: sai: simplify sync modes management") Fixes: 1c3816a19487 ("ASoC: stm32: sai: add missing put_device()") Cc: stable(a)vger.kernel.org # 4.16: 1c3816a19487 Cc: olivier moysan <olivier.moysan(a)st.com> Cc: Wen Yang <yellowriver2010(a)hotmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- sound/soc/stm/stm32_sai.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/stm/stm32_sai.c b/sound/soc/stm/stm32_sai.c index fa821e3fb427..7065aeb0e524 100644 --- a/sound/soc/stm/stm32_sai.c +++ b/sound/soc/stm/stm32_sai.c @@ -143,6 +143,7 @@ static int stm32_sai_set_sync(struct stm32_sai_data *sai_client, } sai_provider = platform_get_drvdata(pdev); + put_device(&pdev->dev); if (!sai_provider) { dev_err(&sai_client->pdev->dev, "SAI sync provider data not found\n"); @@ -159,7 +160,6 @@ static int stm32_sai_set_sync(struct stm32_sai_data *sai_client, ret = stm32_sai_sync_conf_provider(sai_provider, synco); error: - put_device(&pdev->dev); of_node_put(np_provider); return ret; } -- 2.51.2

2 weeks, 1 day

2
1
0 0

[PATCH 6.12 000/565] 6.12.58-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.58 release. There are 565 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 13 Nov 2025 00:43:57 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.58-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.58-rc1 Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: fix phy_disable_eee Alex Hung <alex.hung(a)amd.com> drm/amd/display: Fix black screen with HDMI outputs Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu: Fix function header names in amdgpu_connectors.c Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu: Fix unintended error log in VCN5_0_0 Punit Agrawal <punit.agrawal(a)oss.qualcomm.com> ACPI: SPCR: Check for table version when using precise baudrate Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> extcon: adc-jack: Cleanup wakeup source only if it was enabled Melissa Wen <mwen(a)igalia.com> drm/amd/display: update color on atomic commit time Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: core: Add a quirk to suppress link_startup_again Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel ADL Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers Nathan Chancellor <nathan(a)kernel.org> lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: fix received length check in big packets Rong Zhang <i(a)rong.moe> drm/amd/display: Fix NULL deref in debugfs odm_combine_segments Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/smu: Handle S0ix for vangogh Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix potential UAF in smb2_close_cached_fid() Joshua Rogers <linux(a)joshua.hu> smb: client: validate change notify buffer before copy Mario Limonciello (AMD) <superm1(a)kernel.org> x86/microcode/AMD: Add more known models to entry sign checking Yuta Hayama <hayama(a)lineo.co.jp> rtc: rx8025: fix incorrect register reference Helge Deller <deller(a)gmx.de> parisc: Avoid crash due to unaligned access in unwinder Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Don't overflow during division for dirty tracking Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer(a)amd.com> drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Enable mst when it's detected but yet to be initialized Zilin Guan <zilin(a)seu.edu.cn> tracing: Fix memory leaks in create_field_var() Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: fix MST static key usage Nikolay Aleksandrov <razor(a)blackwall.org> net: bridge: fix use-after-free due to MST port state bypass Horatiu Vultur <horatiu.vultur(a)microchip.com> lan966x: Fix sleeping in atomic context Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix reserved multicast address table programming Haotian Zhang <vulab(a)iscas.ac.cn> net: wan: framer: pef2256: Switch to devm_mfd_add_devices() Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: SHAMPO, Fix skb size check for 64K pages Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix fdb hash size configuration Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix return value in case of module EEPROM read error Martin Willi <martin(a)strongswan.org> wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup Hongguang Gao <hongguang.gao(a)broadcom.com> bnxt_en: Add a 'force' parameter to bnxt_free_ctx_mem() Hongguang Gao <hongguang.gao(a)broadcom.com> bnxt_en: Refactor bnxt_free_ctx_mem() Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Add mem_valid bit to struct bnxt_ctx_mem_type Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix a possible memory leak in bnxt_ptp_init Qendrim Maxhuni <qendrim.maxhuni(a)garderos.com> net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Mohammad Heib <mheib(a)redhat.com> net: ionic: map SKB after pseudo-header checksum prep Mohammad Heib <mheib(a)redhat.com> net: ionic: add dma_wmb() before ringing TX doorbell Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Hold sock lock while iterating over address list Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Prevent TOCTOU out-of-bounds write Stefan Wiehler <stefan.wiehler(a)nokia.com> sctp: Hold RCU read lock while iterating over address list Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: stop reading ARL entries if search is done Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix enabling ip multicast Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix bcm63xx RGMII port link adjustment Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix resetting speed and pause on forced link Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpiolib: fix invalid pointer access in debugfs Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: swnode: don't use the swnode's name as the key for GPIO lookup Hangbin Liu <liuhangbin(a)gmail.com> net: vlan: sync VLAN features with lower device Wang Liang <wangliang74(a)huawei.com> selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh Anubhav Singh <anubhavsinggh(a)google.com> selftests/net: use destination options instead of hop-by-hop Anubhav Singh <anubhavsinggh(a)google.com> selftests/net: fix out-of-order delivery of FIN in gro:tcp test Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: tag_brcm: legacy: reorganize functions Abdun Nihaal <nihaal(a)cse.iitm.ac.in> Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com> Bluetooth: hci_event: validate skb length for unknown CC opcode Josephine Pfeiffer <hi(a)josie.lol> riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: stacktrace: Disable KASAN checks for non-current tasks Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix device bus LAN ID Steven Rostedt <rostedt(a)goodmis.org> ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Revert "wifi: ath10k: avoid unnecessary wait for service ready message" Ariel D'Alessandro <ariel.dalessandro(a)collabora.com> drm/mediatek: Disable AFBC support on Mediatek DRM driver Marek Szyprowski <m.szyprowski(a)samsung.com> media: videobuf2: forbid remove_bufs when legacy fileio is active Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Use heuristic to find stream entity Qu Wenruo <wqu(a)suse.com> btrfs: ensure no dirty metadata is written back for an fs with errors Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again Linus Torvalds <torvalds(a)linux-foundation.org> x86: uaccess: don't use runtime-const rewriting in modules Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/runtime-const: Add the RUNTIME_CONST_PTR assembly macro Linus Torvalds <torvalds(a)linux-foundation.org> x86: use cmov for user address masking Kotresh HR <khiremat(a)redhat.com> ceph: fix multifs mds auth caps issue Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: refactor wake_up_bit() pattern of calling Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: fix potential race condition in ceph_ioctl_lazyio() Viacheslav Dubeyko <Slava.Dubeyko(a)ibm.com> ceph: add checking of wait_for_completion_killable() return value Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Fix mmap write lock not release Valerio Setti <vsetti(a)baylibre.com> ASoC: meson: aiu-encoder-i2s: fix bit clock polarity Geert Uytterhoeven <geert(a)linux-m68k.org> kbuild: uapi: Strip comments before size type check Sammy Hsu <zelda3121(a)gmail.com> net: wwan: t7xx: add support for HP DRMR-H01 Bruno Thomsen <bruno.thomsen(a)gmail.com> rtc: pcf2127: fix watchdog interrupt mask on pcf2131 Albin Babu Varghese <albinbabuvarghese20(a)gmail.com> fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Sascha Hauer <s.hauer(a)pengutronix.de> tools: lib: thermal: use pkg-config to locate libnl3 Emil Dahl Juhl <juhl.emildahl(a)gmail.com> tools: lib: thermal: don't preserve owner in install Ian Rogers <irogers(a)google.com> tools bitmap: Add missing asm-generic/bitsperlong.h include Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Handle new atomic instructions for probes Sakari Ailus <sakari.ailus(a)linux.intel.com> ACPI: property: Return present device nodes only on fwnode interface Hoyoung Seo <hy50.seo(a)samsung.com> scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS Randall P. Embry <rpembry(a)gmail.com> 9p: sysfs_init: don't hardcode error to ENOMEM Aaron Kling <webgeek1234(a)gmail.com> cpufreq: tegra186: Initialize all cores to max frequencies Randall P. Embry <rpembry(a)gmail.com> 9p: fix /sys/fs/9p/caches overwriting itself Jerome Brunet <jbrunet(a)baylibre.com> NTB: epf: Allow arbitrary BAR mapping Shubhrajyoti Datta <shubhrajyoti.datta(a)amd.com> clk: clocking-wizard: Fix output clock register offset for Versal platforms Jacky Bai <ping.bai(a)nxp.com> clk: scmi: Add duty cycle ops only when duty cycle is supported Matthias Schiffer <matthias.schiffer(a)tq-group.com> clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled Oleg Nesterov <oleg(a)redhat.com> 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN Nicolas Ferre <nicolas.ferre(a)microchip.com> clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register Ryan Wanner <Ryan.Wanner(a)microchip.com> clk: at91: clk-master: Add check for divide by 3 Balamanikandan Gunasundar <balamanikandan.gunasundar(a)microchip.com> clk: at91: sam9x7: Add peripheral clock id for pmecc Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: at91: pm: save and restore ACR during PLL disable/enable Josua Mayer <josua(a)solid-run.com> rtc: pcf2127: clear minute/second interrupt Chen-Yu Tsai <wens(a)csie.org> clk: sunxi-ng: sun6i-rtc: Add A523 specifics Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix help message for ssl-non-raw Yikang Yue <yikangy2(a)illinois.edu> fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink Marko Mäkelä <marko.makela(a)iki.fi> clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf austinchang <austinchang(a)synology.com> btrfs: mark dirty extent range for out of bound prealloc extents Shardul Bankar <shardulsb08(a)gmail.com> btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong WQE data when QP wraps around wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix the modification of max_send_sge Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix recv CQ and QP cache affinity Jacob Moroni <jmoroni(a)google.com> RDMA/irdma: Set irdma_cq cq_num field during CQ create Jacob Moroni <jmoroni(a)google.com> RDMA/irdma: Remove unused struct irdma_cq fields Jacob Moroni <jmoroni(a)google.com> RDMA/irdma: Fix SD index calculation Saket Dumbre <saket.dumbre(a)intel.com> ACPICA: Update dsmethod.c to get rid of unused variable warning Mario Limonciello <Mario.Limonciello(a)amd.com> drm/amd/display: Add fallback path for YCBCR422 Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> char: misc: restrict the dynamic range to exclude reserved minors Michal Pecio <michal.pecio(a)gmail.com> usb: xhci-pci: Fix USB2-only root hub registration Coiby Xu <coxu(a)redhat.com> ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Fiona Ebner <f.ebner(a)proxmox.com> smb: client: transport: avoid reconnects triggered by pending task work Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: use sock_create_kern interface to create kernel socket Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace: Fix softlockup in ftrace_module_enable Mike Marshall <hubcap(a)omnibond.com> orangefs: fix xattr related buffer overflow... Dragos Tatulea <dtatulea(a)nvidia.com> page_pool: Clamp pool size to max 16K pages Qingfang Deng <dqfext(a)gmail.com> 6pack: drop redundant locking and refcounting Namjae Jeon <linkinjeon(a)kernel.org> exfat: validate cluster allocation bits of the allocation bitmap Chi Zhiling <chizhiling(a)kylinos.cn> exfat: limit log print for IO error Rohan G Thomas <rohan.g.thomas(a)altera.com> net: stmmac: est: Drop frames causing HLBS error Roy Vegard Ovesen <roy.vegard.ovesen(a)gmail.com> ALSA: usb-audio: add mono main switch to Presonus S1824c Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: bcsp: receive data only if registered Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922 Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SCO: Fix UAF on sco_conn_free Arkadiusz Bokowy <arkadiusz.bokowy(a)gmail.com> Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames Théo Lebrun <theo.lebrun(a)bootlin.com> net: macb: avoid dealing with endianness in macb_set_hwaddr() Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Don't query FEC statistics when FEC is disabled Timothy Pearson <tpearson(a)raptorengineering.com> vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices Sunil V L <sunilvl(a)ventanamicro.com> ACPI: scan: Update honor list for RPMI System MSI Primoz Fiser <primoz.fiser(a)norik.com> ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 Olivier Moysan <olivier.moysan(a)foss.st.com> ASoC: stm32: sai: manage context in set_sysclk callback Yifan Zhang <yifan1.zhang(a)amd.com> amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw Julian Sun <sunjunchao(a)bytedance.com> ext4: increase IO priority of fastcommit chuguangqing <chuguangqing(a)inspur.com> fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock Moti Haimovski <moti.haimovski(a)intel.com> accel/habanalabs: support mapping cb with vmalloc-backed coherent memory Konstantin Sinyuk <konstantin.sinyuk(a)intel.com> accel/habanalabs/gaudi2: read preboot status after recovering from dirty state Tomer Tayar <tomer.tayar(a)intel.com> accel/habanalabs: return ENOMEM if less than requested pages were pinned Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate Vered Yavniely <vered.yavniely(a)intel.com> accel/habanalabs/gaudi2: fix BMON disable configuration Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() Petr Machata <petrm(a)nvidia.com> net: bridge: Install FDB for bridge MAC on VLAN 0 Al Viro <viro(a)zeniv.linux.org.uk> nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Anthony Iliopoulos <ailiop(a)suse.com> NFSv4.1: fix mount hang after CREATE_SESSION failure Olga Kornievskaia <okorniev(a)redhat.com> NFSv4: handle ERR_GRACE on delegation recalls Melissa Wen <mwen(a)igalia.com> drm/amd/display: change dc stream color settings only in atomic commit Sridevi Arvindekar <sarvinde(a)amd.com> drm/amd/display: Fix for test crash due to power gating Lo-an Chen <lo-an.chen(a)amd.com> drm/amd/display: Init dispclk from bootup clock for DCN314 Karthi Kandasamy <karthi.kandasamy(a)amd.com> drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream Bastien Curutchet <bastien.curutchet(a)bootlin.com> net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463 Nithyanantham Paramasivam <nithyanantham.paramasivam(a)oss.qualcomm.com> wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256 Stephan Gerhold <stephan.gerhold(a)linaro.org> remoteproc: qcom: q6v5: Avoid handling handover twice David Yang <mmyangfl(a)gmail.com> selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt Mario Limonciello <mario.limonciello(a)amd.com> PCI/PM: Skip resuming to D0 if device is disconnected Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - clear all VF configurations in the hardware Weili Qian <qianweili(a)huawei.com> crypto: hisilicon/qm - invalidate queues in use Alex Mastro <amastro(a)fb.com> vfio: return -ENOTTY for unsupported device feature Al Viro <viro(a)zeniv.linux.org.uk> sparc64: fix prototypes of reads[bwl]() Koakuma <koachan(a)protonmail.com> sparc/module: Add R_SPARC_UA64 relocation handling Chen Wang <unicorn_wang(a)outlook.com> PCI: cadence: Check for the existence of cdns_pcie::ops before using it ChunHao Lin <hau(a)realtek.com> r8169: set EEE speed down ratio to 1 Brahmajit Das <listout(a)listout.xyz> net: intel: fm10k: Fix parameter idx set but not used Ilan Peer <ilan.peer(a)intel.com> wifi: mac80211: Track NAN interface start/stop Loic Poulain <loic.poulain(a)oss.qualcomm.com> wifi: ath10k: Fix connection after GTK rekeying Seyediman Seyedarab <ImanDevel(a)gmail.com> iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot() Vivek Pernamitta <quic_vpernami(a)quicinc.com> bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state Robert Marko <robert.marko(a)sartura.hr> net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X Oleksij Rempel <o.rempel(a)pengutronix.de> net: phy: clear link parameters on admin link down Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qcom: sc8280xp: explicitly set S16LE format in sc8280xp_be_hw_params_fixup() Guangshuo Li <lgs201920130244(a)gmail.com> drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() Shaurya Rane <ssrane_b23(a)ee.vjti.ac.in> jfs: fix uninitialized waitqueue in transaction manager Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> jfs: Verify inode mode when loading from disk Vlad Dumitrescu <vdumitrescu(a)nvidia.com> IB/ipoib: Ignore L3 master device Tatyana Nikolova <tatyana.e.nikolova(a)intel.com> RDMA/irdma: Update Kconfig Eric Dumazet <edumazet(a)google.com> ipv6: np->rxpmtu race annotation Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci-pci: add support for hosts with zero USB3 ports Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw89: renew a completion for each H2C command waiting C2H event Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw89: obtain RX path from ppdu status IE00 wangzijie <wangzijie1(a)honor.com> f2fs: fix infinite loop in __insert_extent_tree() Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> usb: xhci: plat: Facilitate using autosuspend for xhci plat devices Forest Crossman <cyrozap(a)gmail.com> usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs Al Viro <viro(a)zeniv.linux.org.uk> allow finish_no_open(file, ERR_PTR(-E...)) Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Define size of debugfs entry for xri rebalancing Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Disable timestamp functionality if not supported Nai-Chen Cheng <bleach1827(a)gmail.com> selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency Christian König <christian.koenig(a)amd.com> drm/amdgpu: reject gang submissions under SRIOV John Harrison <John.C.Harrison(a)Intel.com> drm/xe/guc: Return an error code if the GuC load fails Mario Limonciello (AMD) <superm1(a)kernel.org> HID: i2c-hid: Resolve touchpad issues on Dell systems during S4 Stefan Wahren <wahrenst(a)gmx.net> ethernet: Extend device_get_mac_address() to use NVMEM Jakub Kicinski <kuba(a)kernel.org> page_pool: always add GFP_NOWARN for ATOMIC allocations Xi Ruoyao <xry111(a)xry111.site> drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with DC_FP_START Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Disable VRR on DCE 6 Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fix DVI-D/HDMI adapters Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd: Avoid evicting resources at S5 Ausef Yousof <Ausef.Yousof(a)amd.com> drm/amd/display: fix dml ms order of operations Mario Limonciello <Mario.Limonciello(a)amd.com> drm/amd/display: Set up pixel encoding for YCBCR422 Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error John Keeping <jkeeping(a)inmusicbrands.com> ALSA: serial-generic: remove shared static buffer Rosen Penev <rosenp(a)gmail.com> wifi: mt76: mt76_eeprom_override to int Benjamin Lin <benjamin-jw.lin(a)mediatek.com> wifi: mt76: mt7996: Temporarily disable EPCS Quan Zhou <quan.zhou(a)mediatek.com> wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device Yafang Shao <laoar.shao(a)gmail.com> net/cls_cgroup: Fix task_get_classid() during qdisc run Gaurav Jain <gaurav.jain(a)nxp.com> crypto: caam - double the entropy delay interval for retry Yunseong Kim <ysk(a)kzalloc.com> crypto: ccp - Fix incorrect payload size calculation in psp_poulate_hsti() Niklas Cassel <cassel(a)kernel.org> PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify() Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> crypto: sun8i-ce - remove channel timeout field Sangwook Shin <sw617.shin(a)samsung.com> watchdog: s3c2410_wdt: Fix max_timeout being calculated larger Antheas Kapenekakis <lkml(a)antheas.dev> HID: asus: add Z13 folio to generic group for multitouch to work Alok Tiwari <alok.a.tiwari(a)oracle.com> udp_tunnel: use netdev_warn() instead of netdev_WARN() Stanislav Fomichev <sdf(a)fomichev.me> net: devmem: expose tcp_recvmsg_locked errors David Ahern <dsahern(a)kernel.org> selftests: Replace sleep with slowwait Daniel Palmer <daniel(a)thingy.jp> eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP David Ahern <dsahern(a)kernel.org> selftests: Disable dad for ipv6 in fcnal-test.sh Li RongQing <lirongqing(a)baidu.com> x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT Florian Westphal <fw(a)strlen.de> netfilter: nf_reject: don't reply to icmp error messages chenmiao <chenmiao.ku(a)gmail.com> openrisc: Add R_OR1K_32_PCREL relocation type module support Ido Schimmel <idosch(a)nvidia.com> selftests: traceroute: Return correct value on failure Ido Schimmel <idosch(a)nvidia.com> selftests: traceroute: Use require_command() Qianfeng Rong <rongqianfeng(a)vivo.com> media: redrat3: use int type to store negative error codes Jakub Kicinski <kuba(a)kernel.org> selftests: net: replace sleeps in fcnal-test with waits Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: sh_eth: Disable WoL if system can not suspend Rob Clark <robin.clark(a)oss.qualcomm.com> drm/msm/registers: Generate _HI/LO builders for reg64 Michael Riesch <michael.riesch(a)collabora.com> phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0 Michael Dege <michael.dege(a)renesas.com> phy: renesas: r8a779f0-ether-serdes: add new step added to latest datasheet Mario Limonciello (AMD) <superm1(a)kernel.org> Fix access to video_is_primary_device() when compiled without CONFIG_VIDEO Harikrishna Shenoy <h-shenoy(a)ti.com> phy: cadence: cdns-dphy: Enable lower resolutions in dphy Ilan Peer <ilan.peer(a)intel.com> wifi: mac80211: Fix HE capabilities element check Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> ntfs3: pretend $Extend records as regular files Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode changes Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Correct system PM flow Rohan G Thomas <rohan.g.thomas(a)altera.com> net: phy: marvell: Fix 88e1510 downshift counter errata Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Enhance recovery on resume failure Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: allow more time to send ADD_ADDR Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix wrong layout information on 16KB page Vladimir Zapolskiy <vladimir.zapolskiy(a)linaro.org> media: i2c: og01a1b: Specify monochrome media bus format instead of Bayer Hao Yao <hao.yao(a)intel.com> media: ov08x40: Fix the horizontal flip control Nidhish A N <nidhish.a.n(a)intel.com> wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list Marek Vasut <marek.vasut+renesas(a)mailbox.org> PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs Xion Wang <xion.wang(a)mediatek.com> char: Use list_del_init() in misc_deregister() to reinitialize list pointer Antonino Maniscalco <antomani103(a)gmail.com> drm/msm: make sure to not queue up recovery more than once Zizhi Wo <wozizhi(a)huaweicloud.com> tty/vt: Add missing return value for VT_RESIZE in vt_ioctl() Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget William Wu <william.wu(a)rock-chips.com> usb: gadget: f_hid: Fix zero length packet transfer Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: support phy-mode = "10g-qxgmii" Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Fix pbn_div Calculation Error Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add support for cyan skillfish gpu_info Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: don't enable SMU on cyan skillfish Alex Deucher <alexander.deucher(a)amd.com> drm/amd: add more cyan skillfish PCI ids Hector Martin <marcan(a)marcan.st> iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs Ashish Kalra <ashish.kalra(a)amd.com> crypto: ccp: Skip SEV and SNP INIT for kdump boot Ashish Kalra <ashish.kalra(a)amd.com> iommu/amd: Skip enabling command/event buffers for kdump Colin Foster <colin.foster(a)in-advantage.com> smsc911x: add second read of EEPROM mac when possible corruption seen Eric Dumazet <edumazet(a)google.com> net: call cond_resched() less often in __release_sock() Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/guc: Set upper limit of H2G retries over CTB Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Enable the Vaux supply if available Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: apply quirk for MOONDROP Quark2 Ramya Gnanasekar <ramya.gnanasekar(a)oss.qualcomm.com> wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in lower bands Paul Kocialkowski <paulk(a)sys-base.io> media: verisilicon: Explicitly disable selection api ioctls for decoders Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: adv7180: Only validate format in querystd Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: adv7180: Do not write format to device in set_fmt Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: adv7180: Add missing lock in suspend callback Juraj Šarinay <juraj(a)sarinay.com> net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms Antheas Kapenekakis <lkml(a)antheas.dev> drm: panel-backlight-quirks: Make EDID match optional Chia-I Wu <olvaffe(a)gmail.com> drm/panthor: check bo offset alignment in vm bind Yue Haibing <yuehaibing(a)huawei.com> ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled Jakub Kicinski <kuba(a)kernel.org> selftests: drv-net: rss_ctx: make the test pass with few queues Zhanjun Dong <zhanjun.dong(a)intel.com> drm/xe/guc: Increase GuC crash dump buffer size David Francis <David.Francis(a)amd.com> drm/amdgpu: Allow kfd CRIU with no buffer objects Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> drm/msm/dsi/phy_7nm: Fix missing initial VCO rate Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL Devendra K Verma <devverma(a)amd.com> dmaengine: dw-edma: Set status for callback_result Rosen Penev <rosenp(a)gmail.com> dmaengine: mv_xor: match alloc_wc and free_wc Thomas Andreatta <thomasandreatta2000(a)gmail.com> dmaengine: sh: setup_xref error handling Miroslav Lichvar <mlichvar(a)redhat.com> ptp: Limit time setting of PTP clocks Bharat Uppal <bharat.uppal(a)samsung.com> scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on suspend Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: pm8001: Use int instead of u32 to store error codes Qianfeng Rong <rongqianfeng(a)vivo.com> crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof() Eric Dumazet <edumazet(a)google.com> tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() Parthiban Veerasooran <parthiban.veerasooran(a)microchip.com> microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl support Eric Dumazet <edumazet(a)google.com> inet_diag: annotate data-races in inet_diag_bc_sk() Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: rename stp node on EASY50712 reference board Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: xway: sysctrl: rename stp clock Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add missing device_type in pci node Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add model to EASY50712 dts Aleksander Jan Bajkowski <olek2(a)wp.pl> mips: lantiq: danube: add missing properties to cpu node Timur Kristóf <timur.kristof(a)gmail.com> drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2) Mangesh Gadre <Mangesh.Gadre(a)amd.com> drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest Clay King <clayking(a)amd.com> drm/amd/display: incorrect conditions for failing dto calculations Relja Vojvodic <rvojvodi(a)amd.com> drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: ipc4-pcm: Add fixup for channels Martin Tůma <martin.tuma(a)digiteqautomotive.com> media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS Chelsy Ratnawat <chelsyratnawat2001(a)gmail.com> media: fix uninitialized symbol warnings Jakub Kicinski <kuba(a)kernel.org> selftests: drv-net: rss_ctx: fix the queue count check Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86/intel-uncore-freq: Fix warning in partitioned system Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Support HW cursor 180 rot for any number of pipe splits Eric Huang <jinhuieric.huang(a)amd.com> drm/amdkfd: fix vram allocation failure for a special case Ce Sun <cesun102(a)amd.com> drm/amdgpu: Correct the counts of nr_banks and nr_errors Miklos Szeredi <mszeredi(a)redhat.com> fuse: zero initialize inode private data Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: fixed_phy: let fixed_phy_unregister free the phy_device Andrew Davis <afd(a)ti.com> remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> extcon: adc-jack: Fix wakeup source leaks on device unbind Francisco Gutierrez <frankramirez(a)google.com> scsi: pm80xx: Fix race condition caused by static variables Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Fix controller init failure on fault during queue creation Chandrakanth Patil <chandrakanth.patil(a)broadcom.com> scsi: mpi3mr: Fix I/O failures during controller reset Oscar Maes <oscmaes92(a)gmail.com> net: ipv4: allow directed broadcast routes to use dst hint Andrew Davis <afd(a)ti.com> rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ipu6: isys: Set embedded data type correctly for metadata formats Jiawen Wu <jiawenwu(a)trustnetic.com> net: wangxun: limit tx_max_coalesced_frames_irq Ujwal Kundur <ujwal.kundur(a)gmail.com> rds: Fix endianness annotation for RDS_MPATH_HASH Eric Dumazet <edumazet(a)google.com> idpf: do not linearize big TSO packets Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add validation of UAC2/UAC3 effect units Xichao Zhao <zhao.xichao(a)vivo.com> tty: serial: Modify the use of dev_err_probe() Pavan Chebbi <pavan.chebbi(a)broadcom.com> bnxt_en: Add Hyper-V VF ID Sungho Kim <sungho.kim(a)furiosa.ai> PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call Chao Yu <chao(a)kernel.org> f2fs: fix to detect potential corrupted nid in free_nid_list Kuniyuki Iwashima <kuniyu(a)google.com> net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. Oleksij Rempel <o.rempel(a)pengutronix.de> net: stmmac: Correctly handle Rx checksum offload errors Christoph Paasch <cpaasch(a)openai.com> net: When removing nexthops, don't call synchronize_net if it is not necessary Zijun Hu <zijun.hu(a)oss.qualcomm.com> char: misc: Does not request module for miscdevice with dynamic minor Zijun Hu <zijun.hu(a)oss.qualcomm.com> char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor Christoph Hellwig <hch(a)lst.de> dm error: mark as DM_TARGET_PASSES_INTEGRITY Kuan-Chung Chen <damon.chen(a)realtek.com> wifi: rtw89: fix BSSID comparison for non-transmitted BSSID Kuan-Chung Chen <damon.chen(a)realtek.com> wifi: rtw89: wow: remove notify during WoWLAN net-detect raub camaioni <raubcameo(a)gmail.com> usb: gadget: f_ncm: Fix MAC assignment NCM ethernet Haibo Chen <haibo.chen(a)nxp.com> iio: adc: imx93_adc: load calibrated values even calibration failed Rodrigo Gobbi <rodrigo.gobbi.7(a)gmail.com> iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register Kent Russell <kent.russell(a)amd.com> drm/amdkfd: Handle lack of READ permissions in SVM mapping Heng Zhou <Heng.Zhou(a)amd.com> drm/amdgpu: fix nullptr err of vm_handle_moved Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: PERMISSIVE_CONTROL quirk autodetection Tomasz Pakuła <tomasz.pakula.oficjalny(a)gmail.com> HID: pidff: Use direction fix only for conditional effects Karunika Choo <karunika.choo(a)arm.com> drm/panthor: Serialize GPU cache flush operations Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> media: imon: make send_packet() more robust Charalampos Mitrodimas <charmitro(a)posteo.net> net: ipv6: fix field-spanning memcpy warning in AH output Alice Chao <alice.chao(a)mediatek.com> scsi: ufs: host: mediatek: Fix invalid access in vccqx handling Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Change reset sequence for improved stability Alice Chao <alice.chao(a)mediatek.com> scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO mode change Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Fix PWM mode switch issue Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration Ido Schimmel <idosch(a)nvidia.com> bridge: Redirect to backup port when port is administratively down Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Use pci_uevent_ers() in PCI recovery Niklas Schnelle <schnelle(a)linux.ibm.com> powerpc/eeh: Use result of error_detected() in uevent Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> tty: serial: ip22zilog: Use platform device for probing Lukas Wunner <lukas(a)wunner.de> thunderbolt: Use is_pciehp instead of is_hotplug_bridge Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> ice: Don't use %pK through printk or tracepoints Tiezhu Yang <yangtiezhu(a)loongson.cn> net: stmmac: Check stmmac_hw_setup() in stmmac_resume() Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall Lukas Wunner <lukas(a)wunner.de> PCI/ERR: Update device error_state already after reset Mehdi Djait <mehdi.djait(a)linux.intel.com> media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for VIDEO_CAMERA_SENSOR Jayesh Choudhary <j-choudhary(a)ti.com> drm/tidss: Set crtc modesetting parameters with adjusted mode Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/tidss: Use the crtc_* timings when programming the HW Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: amphion: Delete v4l2_fh synchronously in .release() Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: pci: ivtv: Don't create fake v4l2_fh Geoffrey McRae <geoffrey.mcrae(a)amd.com> drm/amdkfd: return -ENOTTY for unsupported IOCTLs Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw88: sdio: use indirect IO for device registers before power-on Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: print just once for unknown C2H events Wake Liu <wakel(a)google.com> selftests/net: Ensure assert() triggers in psock_tpacket.c Wake Liu <wakel(a)google.com> selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 Marcos Del Sol Vives <marcos(a)orca.pet> PCI: Disable MSI on RDC PCI to PCIe bridges TungYu Lu <tungyu.lu(a)amd.com> drm/amd/display: Wait until OTG enable state is cleared Danny Wang <Danny.Wang(a)amd.com> drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off Terry Cheong <htcheong(a)chromium.org> ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks Seyediman Seyedarab <imandevel(a)gmail.com> drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff Lijo Lazar <lijo.lazar(a)amd.com> drm/amd/pm: Use cached metrics data on arcturus Lijo Lazar <lijo.lazar(a)amd.com> drm/amd/pm: Use cached metrics data on aldebaran Paul Hsieh <Paul.Hsieh(a)amd.com> drm/amd/display: update dpp/disp clock from smu clock table Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display: add more cyan skillfish devices Xiang Liu <xiang.liu(a)amd.com> drm/amdgpu: Skip poison aca bank from UE channel Meng Li <li.meng(a)amd.com> drm/amd/amdgpu: Release xcp drm memory after unplug Ce Sun <cesun102(a)amd.com> drm/amdgpu: Avoid rma causes GPU duplicate reset Maarten Lankhorst <dev(a)lankhorst.se> drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. John Harrison <John.C.Harrison(a)Intel.com> drm/xe/guc: Add more GuC load error status codes Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Move setup_stream_attribute Sathishkumar S <sathishkumar.sundararaju(a)amd.com> drm/amdgpu: Check vcn sram load return value Tao Zhou <tao.zhou1(a)amd.com> drm/amdgpu: add range check for RAS bad page address Clay King <clayking(a)amd.com> drm/amd/display: ensure committing streams is seamless Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: fix condition for setting timing_adjust_pending Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs Bastien Curutchet <bastien.curutchet(a)bootlin.com> mfd: core: Increment of_node's refcount before linking it to the platform device Jens Kehne <jens.kehne(a)agilent.com> mfd: da9063: Split chip variant reading in two bus transactions Arnd Bergmann <arnd(a)arndb.de> mfd: madera: Work around false-positive -Wininitialized warning Alexander Stein <alexander.stein(a)ew.tq-group.com> mfd: stmpe-i2c: Add missing MODULE_LICENSE Alexander Stein <alexander.stein(a)ew.tq-group.com> mfd: stmpe: Remove IRQ domain upon removal Len Brown <len.brown(a)intel.com> tools/power x86_energy_perf_policy: Prefer driver HWP limits Len Brown <len.brown(a)intel.com> tools/power x86_energy_perf_policy: Enhance HWP enable Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage Mykyta Yatsenko <yatsenko(a)meta.com> selftests/bpf: Fix flaky bpf_cookie selftest Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/cpupower: Fix incorrect size in cpuidle_state_disable() Armin Wolf <W_Armin(a)gmx.de> hwmon: (dell-smm) Remove Dell Precision 490 custom config data Ben Copeland <ben.copeland(a)linaro.org> hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex Jiri Olsa <jolsa(a)kernel.org> uprobe: Do not emulate/sstep original instruction when ip is changed Alistair Francis <alistair.francis(a)wdc.com> nvme: Use non zero KATO for persistent discovery connections Amery Hung <ameryhung(a)gmail.com> bpf: Clear pfmemalloc flag when freeing all fragments Chenghao Duan <duanchenghao(a)kylinos.cn> riscv: bpf: Fix uninitialized symbol 'retval_off' Yu Kuai <yukuai3(a)huawei.com> blk-cgroup: fix possible deadlock while configuring policy Markus Stockhausen <markus.stockhausen(a)gmx.de> clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts Markus Stockhausen <markus.stockhausen(a)gmx.de> clocksource/drivers/timer-rtl-otto: Work around dying timers Daniel Lezcano <daniel.lezcano(a)linaro.org> clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel Chen Pei <cp0613(a)linux.alibaba.com> ACPI: SPCR: Support Precise Baud Rate field Biju Das <biju.das.jz(a)bp.renesas.com> spi: rpc-if: Add resume support for RZ/G3E Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix selftest verifier_arena_large failure Pranav Tyagi <pranav.tyagi03(a)gmail.com> futex: Don't leak robust_list pointer on exec race Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: Fail cpuidle device registration if there is one already Tom Stellard <tstellar(a)redhat.com> bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21 Fenglin Wu <fenglin.wu(a)oss.qualcomm.com> power: supply: qcom_battmgr: handle charging state change notifications Janne Grunau <j(a)jannau.net> pmdomain: apple: Add "apple,t8103-pmgr-pwrstate" Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> tools/cpupower: fix error return value in cpupower_write_sysfs() Svyatoslav Ryhel <clamor95(a)gmail.com> video: backlight: lp855x_bl: Set correct EPROM start for LP8556 Jarkko Nikula <jarkko.nikula(a)linux.intel.com> i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C Kumar Kartikeya Dwivedi <memxor(a)gmail.com> bpf: Do not limit bpf_cgroup_from_id to current's namespace Daniel Wagner <wagi(a)kernel.org> nvme-fc: use lock accessing port_state and rport state Daniel Wagner <wagi(a)kernel.org> nvmet-fc: avoid scheduling association deletion twice Amirreza Zarrabi <amirreza.zarrabi(a)oss.qualcomm.com> tee: allow a driver to allocate a tee_device without a pool Hans de Goede <hansg(a)kernel.org> ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: pca9685: Use bulk write to atomicially update registers Sarthak Garg <quic_sartgarg(a)quicinc.com> mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card Nikita Travkin <nikita(a)trvn.ru> firmware: qcom: tzmem: disable sc7180 platform Svyatoslav Ryhel <clamor95(a)gmail.com> ARM: tegra: transformer-20: fix audio-codec interrupt Svyatoslav Ryhel <clamor95(a)gmail.com> ARM: tegra: transformer-20: add missing magnetometer interrupt Jonas Schwöbel <jonasschwoebel(a)yahoo.de> ARM: tegra: p880: set correct touchscreen clipping Svyatoslav Ryhel <clamor95(a)gmail.com> soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106 Quanyang Wang <quanyang.wang(a)windriver.com> arm64: zynqmp: Disable coresight by default Sohil Mehta <sohil.mehta(a)intel.com> cpufreq: ondemand: Update the efficient idle check for Intel extended Families Ming Wang <wangming01(a)loongson.cn> irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller Andreas Kemnade <andreas(a)kemnade.info> hwmon: sy7636a: add alias Fabien Proriol <fabien.proriol(a)viavisolutions.com> power: supply: sbs-charger: Support multiple devices Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: keembay: release allocated memory in detach path Chuande Chen <chuachen(a)cisco.com> hwmon: (sbtsi_temp) AMD CPU extended temperature range support David Ober <dober6023(a)gmail.com> hwmon: (lenovo-ec-sensors) Update P8 supprt Rong Zhang <i(a)rong.moe> hwmon: (k10temp) Add device ID for Strix Halo Avadhut Naik <avadhut.naik(a)amd.com> hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models Christopher Ruehl <chris.ruehl(a)gtsys.com.hk> power: supply: qcom_battmgr: add OOI chemistry Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> thermal: intel: selftests: workload_hint: Mask unsupported types Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: gov_step_wise: Allow cooling level to be reduced earlier Hans de Goede <hansg(a)kernel.org> ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[] Sam van Kampen <sam(a)tehsvk.net> ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU Shang song (Lenovo) <shangsong2(a)foxmail.com> ACPI: PRM: Skip handlers with NULL handler_address or NULL VA Christian Bruel <christian.bruel(a)foss.st.com> irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment Ricardo B. Marlière <rbm(a)suse.com> selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh Yuan Chen <chenyuan(a)kylinos.cn> bpftool: Add CET-aware symbol matching for x86_64 architectures Kees Cook <kees(a)kernel.org> arc: Fix __fls() const-foldability via __builtin_clzl() Dennis Beier <nanovim(a)gmail.com> cpufreq/longhaul: handle NULL policy in longhaul_exit Ricardo B. Marlière <rbm(a)suse.com> selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 Jiawei Zhao <phoenix500526(a)163.com> libbpf: Fix USDT SIB argument handling causing unrecognized register error Mario Limonciello (AMD) <superm1(a)kernel.org> ACPI: video: force native for Lenovo 82K8 Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object Pavel Begunkov <asml.silence(a)gmail.com> io_uring/zctx: check chained notif contexts Inochi Amaoto <inochiama(a)gmail.com> irqchip/sifive-plic: Respect mask state when setting affinity Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: ohci: move self_id_complete tracepoint after validating register Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Use tnums for JEQ/JNE is_branch_taken logic Paresh Bhagat <p-bhagat(a)ti.com> cpufreq: ti: Add support for AM62D2 Jiayi Li <lijiayi(a)kylinos.cn> memstick: Add timeout to prevent indefinite waiting Biju Das <biju.das.jz(a)bp.renesas.com> mmc: host: renesas_sdhi: Fix the actual clock Chi Zhang <chizhang(a)asrmicro.com> pinctrl: single: fix bias pull up/down handling in pin_config_set Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> bpf: Don't use %pK through printk Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> soc: ti: pruss: don't use %pK through printk Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> spi: loopback-test: Don't use %pK through printk Jens Reidel <adrian(a)mainlining.org> soc: qcom: smem: Fix endian-unaware access of num_entries Mukesh Ojha <mukesh.ojha(a)oss.qualcomm.com> firmware: qcom: scm: preserve assign_mem() error return value Ryan Chen <ryan_chen(a)aspeedtech.com> soc: aspeed: socinfo: Add AST27xx silicon IDs Heiko Carstens <hca(a)linux.ibm.com> s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP Gerd Bayer <gbayer(a)linux.ibm.com> s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Philipp Stanner <phasta(a)kernel.org> drm/sched: Fix race in drm_sched_entity_select_rq() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Re-group and rename the entity run-queue lock Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Optimise drm_sched_entity_push_job Owen Gu <guhuinan(a)xiaomi.com> usb: gadget: f_fs: Fix epfile null pointer access after ep enable. Gregory Price <gourry(a)gourry.net> x86/CPU/AMD: Add RDSEED fix for Zen5 Heijligen, Thomas <thomas.heijligen(a)secunet.com> mfd: kempld: Switch back to earlier ->init() behavior Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: governors: menu: Select polling state in some more cases Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: governors: menu: Rearrange main loop in menu_select() Tejun Heo <tj(a)kernel.org> sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> net: phy: dp83867: Disable EEE support as not implemented Heiner Kallweit <hkallweit1(a)gmail.com> net: phy: add phy_disable_eee Armin Wolf <W_Armin(a)gmx.de> ACPI: fan: Use platform device for devres-related actions Joshua Grisham <josh(a)joshuagrisham.com> ACPI: fan: Add fan speed reporting for fans with only _FST Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Fix incorrect return of vblank enable on unconfigured crtc Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Check that VPE has reached DPM0 in idle handler Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Clear preserved bits from register output value Johan Hovold <johan(a)kernel.org> drm/mediatek: Fix device use-after-free on unbind Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix race in nouveau_sched_fini() David Rosca <david.rosca(a)amd.com> drm/sched: avoid killing parent entity on child SIGKILL Thomas Zimmermann <tzimmermann(a)suse.de> drm/sysfb: Do not dereference NULL pointer in plane reset Matthew Brost <matthew.brost(a)intel.com> drm/xe: Do not wake device during a GT reset Miaoqian Lin <linmq006(a)gmail.com> s390/mm: Fix memory leak in add_marker() when kvrealloc() fails Alexey Klimov <alexey.klimov(a)linaro.org> regmap: slimbus: fix bus_context pointer in regmap init calls Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf/x86/intel: Fix KASAN global-out-of-bounds warning Damien Le Moal <dlemoal(a)kernel.org> block: make REQ_OP_ZONE_OPEN a write operation Damien Le Moal <dlemoal(a)kernel.org> block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL Armin Wolf <W_Armin(a)gmx.de> ACPI: fan: Use ACPI handle when retrieving _FST John Smith <itistotalbotnet(a)gmail.com> drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland John Smith <itistotalbotnet(a)gmail.com> drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji Yang Wang <kevinyang.wang(a)amd.com> drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() Daniel Palmer <daniel(a)0x0f.com> drm/radeon: Remove calls to drm_put_dev() Daniel Palmer <daniel(a)0x0f.com> drm/radeon: Do not kfree() devres managed rdev Maarten Zanders <maarten(a)zanders.be> ASoC: fsl_sai: Fix sync error in consumer mode Petr Oros <poros(a)redhat.com> dpll: spec: add missing module-name and clock-id to pin-get reply Abdun Nihaal <nihaal(a)cse.iitm.ac.in> sfc: fix potential memory leak in efx_mae_process_mport() Jijie Shao <shaojijie(a)huawei.com> net: hns3: return error code when function fails Petr Oros <poros(a)redhat.com> tools: ynl: fix string attribute length to include null terminator Tomeu Vizoso <tomeu(a)tomeuvizoso.net> drm/etnaviv: fix flush sequence logic Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix tracking of periodic advertisement Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix another instance of dst_type handling Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 Chris Lu <chris.lu(a)mediatek.com> Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during reset Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix BIS connection dst_type handling Iulia Tanasescu <iulia.tanasescu(a)nxp.com> Bluetooth: ISO: Update hci_conn_hash_lookup_big for Broadcast slave Cen Zhang <zzzccc427(a)163.com> Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once Lizhi Xu <lizhi.xu(a)windriver.com> usbnet: Prevents free active kevent Andrii Nakryiko <andrii(a)kernel.org> libbpf: Fix powerpc's stack register definition in bpf_tracing.h Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: fix bit order for DSD format Cezary Rojewski <cezary.rojewski(a)intel.com> ASoC: Intel: avs: Disable periods-elapsed work when closing PCM Cezary Rojewski <cezary.rojewski(a)intel.com> ASoC: Intel: avs: Unprepare a stream when XRUN occurs Haotian Zhang <vulab(a)iscas.ac.cn> crypto: aspeed - fix double free caused by devm Ondrej Mosnacek <omosnace(a)redhat.com> bpf: Do not audit capability check in do_jit() Yonghong Song <yonghong.song(a)linux.dev> bpf, x86: Avoid repeated usage of bpf_prog->aux->stack_depth Yonghong Song <yonghong.song(a)linux.dev> bpf: Find eligible subprogs for private stack support Wonkon Kim <wkon.kim(a)samsung.com> scsi: ufs: core: Initialize value of an attribute returned by uic cmd Noorain Eqbal <nooraineqbal(a)gmail.com> bpf: Sync pending IRQ work before freeing ring buffer Florian Schmaus <florian.schmaus(a)codasip.com> kunit: test_dev_action: Correctly cast 'priv' pointer to long* Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix key tailroom accounting leak Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: mac80211: don't mark keys for inactive links as uploaded Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h Roy Vegard Ovesen <roy.vegard.ovesen(a)gmail.com> ALSA: usb-audio: fix control pipe direction Akhil P Oommen <akhilpo(a)oss.qualcomm.com> drm/msm/a6xx: Fix GMU firmware parser Rameshkumar Sundaram <rameshkumar.sundaram(a)oss.qualcomm.com> wifi: ath11k: avoid bit operation on key flags Yu Zhang(Yuriy) <quic_yuzha(a)quicinc.com> wifi: ath11k: add support for MU EDCA Karthik M <quic_karm(a)quicinc.com> wifi: ath12k: free skb during idr cleanup callback Mark Pearson <mpearson-lenovo(a)squebb.ca> wifi: ath11k: Add missing platform IDs for quirk table Loic Poulain <loic.poulain(a)oss.qualcomm.com> wifi: ath10k: Fix memory leak on unsupported WMI command Chang S. Bae <chang.seok.bae(a)intel.com> x86/fpu: Ensure XFD state on signal delivery Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix potential cfid UAF in smb2_query_info_compound Farhan Ali <alifm(a)linux.ibm.com> s390/pci: Restore IRQ unconditionally for the zPCI device Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> ASoC: qdsp6: q6asm: do not sleep while atomic Paolo Abeni <pabeni(a)redhat.com> mptcp: restore window probe Paolo Abeni <pabeni(a)redhat.com> mptcp: drop bogus optimization in __mptcp_check_push() Miaoqian Lin <linmq006(a)gmail.com> fbdev: valkyriefb: Fix reference count leak in valkyriefb_init Florian Fuchs <fuchsfl(a)gmail.com> fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Johan Hovold <johan(a)kernel.org> Bluetooth: rfcomm: fix modem control handling Junjie Cao <junjie.cao(a)intel.com> fbdev: bitblit: bound-check glyph index in bit_putcs* Bui Quang Minh <minhquangbui99(a)gmail.com> virtio-net: drop the multi-buffer XDP packet in zerocopy Kaushlendra Kumar <kaushlendra.kumar(a)intel.com> ACPI: button: Call input_free_device() on failing input device registration Yuhao Jiang <danisjiang(a)gmail.com> ACPI: video: Fix use-after-free in acpi_video_switch_brightness() Daniel Palmer <daniel(a)0x0f.com> fbdev: atyfb: Check if pll_ops->init_pll failed Quanmin Yan <yanquanmin1(a)huawei.com> fbcon: Set fb_display[i]->mode to NULL when the mode is released Miaoqian Lin <linmq006(a)gmail.com> net: usb: asix_devices: Check return value of usbnet_get_endpoints Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix crash in nfsd4_read_release() ------------- Diffstat: Documentation/netlink/specs/dpll.yaml | 2 + Makefile | 4 +- arch/arc/include/asm/bitops.h | 2 + arch/arm/boot/dts/nvidia/tegra20-asus-tf101.dts | 5 +- arch/arm/boot/dts/nvidia/tegra30-lg-p880.dts | 4 +- arch/arm/mach-at91/pm_suspend.S | 8 +- arch/arm64/boot/dts/xilinx/zynqmp-zcu106-revA.dts | 4 +- arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 + arch/loongarch/include/asm/inst.h | 5 + arch/loongarch/kernel/inst.c | 12 + arch/mips/boot/dts/lantiq/danube.dtsi | 6 + arch/mips/boot/dts/lantiq/danube_easy50712.dts | 4 +- arch/mips/lantiq/xway/sysctrl.c | 2 +- arch/mips/sgi-ip22/ip22-platform.c | 32 ++ arch/openrisc/kernel/module.c | 4 + arch/parisc/include/asm/video.h | 2 +- arch/parisc/kernel/unwind.c | 13 +- arch/powerpc/kernel/eeh_driver.c | 2 +- arch/riscv/kernel/stacktrace.c | 21 +- arch/riscv/mm/ptdump.c | 2 +- arch/riscv/net/bpf_jit_comp64.c | 5 +- arch/s390/Kconfig | 1 - arch/s390/include/asm/pci.h | 1 - arch/s390/mm/dump_pagetables.c | 19 +- arch/s390/pci/pci_event.c | 7 +- arch/s390/pci/pci_irq.c | 9 +- arch/sparc/include/asm/elf_64.h | 1 + arch/sparc/include/asm/io_64.h | 6 +- arch/sparc/include/asm/video.h | 2 + arch/sparc/kernel/module.c | 1 + arch/um/drivers/ssl.c | 5 +- arch/x86/entry/vsyscall/vsyscall_64.c | 17 +- arch/x86/events/intel/ds.c | 3 +- arch/x86/include/asm/runtime-const.h | 17 + arch/x86/include/asm/uaccess_64.h | 22 +- arch/x86/include/asm/video.h | 2 + arch/x86/kernel/cpu/amd.c | 35 ++ arch/x86/kernel/cpu/common.c | 6 +- arch/x86/kernel/cpu/microcode/amd.c | 2 + arch/x86/kernel/fpu/core.c | 3 + arch/x86/kernel/kvm.c | 20 +- arch/x86/lib/getuser.S | 12 +- arch/x86/net/bpf_jit_comp.c | 13 +- block/blk-cgroup.c | 23 +- drivers/accel/habanalabs/common/memory.c | 2 +- drivers/accel/habanalabs/gaudi/gaudi.c | 19 + drivers/accel/habanalabs/gaudi2/gaudi2.c | 15 +- drivers/accel/habanalabs/gaudi2/gaudi2_coresight.c | 2 +- drivers/acpi/acpi_video.c | 4 +- drivers/acpi/acpica/dsmethod.c | 10 +- drivers/acpi/button.c | 4 +- drivers/acpi/device_sysfs.c | 2 +- drivers/acpi/fan.h | 8 +- drivers/acpi/fan_attr.c | 39 +- drivers/acpi/fan_core.c | 61 ++- drivers/acpi/fan_hwmon.c | 19 +- drivers/acpi/prmt.c | 19 +- drivers/acpi/property.c | 24 +- drivers/acpi/resource.c | 7 + drivers/acpi/scan.c | 4 + drivers/acpi/spcr.c | 10 +- drivers/acpi/video_detect.c | 8 + drivers/base/regmap/regmap-slimbus.c | 6 +- drivers/bluetooth/btmtksdio.c | 12 + drivers/bluetooth/btrtl.c | 4 +- drivers/bluetooth/btusb.c | 19 + drivers/bluetooth/hci_bcsp.c | 3 + drivers/bus/mhi/host/internal.h | 2 + drivers/bus/mhi/host/pm.c | 2 +- drivers/char/misc.c | 40 +- drivers/clk/at91/clk-master.c | 3 + drivers/clk/at91/clk-sam9x60-pll.c | 75 ++-- drivers/clk/at91/sam9x7.c | 1 + drivers/clk/clk-scmi.c | 11 +- drivers/clk/qcom/gcc-ipq6018.c | 60 +-- drivers/clk/sunxi-ng/ccu-sun6i-rtc.c | 11 + drivers/clk/ti/clk-33xx.c | 2 + drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 2 +- drivers/clocksource/timer-rtl-otto.c | 26 +- drivers/clocksource/timer-vf-pit.c | 22 +- drivers/cpufreq/cpufreq_ondemand.c | 25 +- drivers/cpufreq/cpufreq_ondemand.h | 23 ++ drivers/cpufreq/longhaul.c | 3 + drivers/cpufreq/tegra186-cpufreq.c | 27 +- drivers/cpufreq/ti-cpufreq.c | 2 + drivers/cpuidle/cpuidle.c | 8 +- drivers/cpuidle/governors/menu.c | 79 ++-- .../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 1 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 5 +- drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 2 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c | 1 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-trng.c | 1 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +- drivers/crypto/aspeed/aspeed-acry.c | 2 - drivers/crypto/caam/ctrl.c | 4 +- drivers/crypto/ccp/hsti.c | 2 +- drivers/crypto/ccp/sev-dev.c | 10 + drivers/crypto/hisilicon/qm.c | 78 ++-- drivers/crypto/intel/qat/qat_common/qat_uclo.c | 2 +- drivers/dma/dw-edma/dw-edma-core.c | 22 ++ drivers/dma/mv_xor.c | 4 +- drivers/dma/sh/shdma-base.c | 25 +- drivers/dma/sh/shdmac.c | 17 +- drivers/extcon/extcon-adc-jack.c | 2 + drivers/firewire/ohci.c | 12 +- drivers/firmware/qcom/qcom_scm.c | 2 +- drivers/firmware/qcom/qcom_tzmem.c | 1 + drivers/gpio/gpiolib-swnode.c | 2 +- drivers/gpio/gpiolib.c | 8 +- drivers/gpu/drm/amd/amdgpu/amdgpu_aca.c | 53 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 15 +- drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 66 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 21 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 + drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 6 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 77 ++-- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 34 +- drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.c | 1 + drivers/gpu/drm/amd/amdgpu/atom.c | 4 + drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 11 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 10 +- drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 13 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 19 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 10 +- drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 9 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 25 ++ drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.c | 56 ++- drivers/gpu/drm/amd/amdxcp/amdgpu_xcp_drv.h | 1 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 100 ++++- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 3 + .../drm/amd/display/amdgpu_dm/amdgpu_dm_color.c | 86 ++-- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 10 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 3 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 13 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.h | 2 +- .../drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c | 16 + .../amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c | 142 ++++++- .../amd/display/dc/clk_mgr/dcn314/dcn314_clk_mgr.h | 5 + drivers/gpu/drm/amd/display/dc/core/dc.c | 25 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 14 +- drivers/gpu/drm/amd/display/dc/dc_helper.c | 5 + drivers/gpu/drm/amd/display/dc/dc_stream.h | 3 + .../drm/amd/display/dc/dccg/dcn401/dcn401_dccg.c | 2 +- drivers/gpu/drm/amd/display/dc/dm_services.h | 2 + .../gpu/drm/amd/display/dc/dml/dcn301/dcn301_fpu.c | 20 +- .../drm/amd/display/dc/dml2/display_mode_core.c | 2 +- .../drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 + .../dml21/src/dml2_core/dml2_core_dcn4_calcs.c | 28 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 1 + .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 73 ++-- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 5 +- .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 2 + .../gpu/drm/amd/display/dc/link/link_detection.c | 5 + drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 - .../display/dc/link/protocols/link_dp_training.c | 9 +- .../drm/amd/display/dc/optc/dcn401/dcn401_optc.c | 5 + .../display/dc/resource/dcn314/dcn314_resource.c | 1 + .../display/dc/virtual/virtual_stream_encoder.c | 7 + drivers/gpu/drm/amd/display/include/dal_asic_id.h | 5 + .../gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +- .../drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 + drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 3 + drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +- drivers/gpu/drm/ast/ast_drv.h | 8 +- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 12 +- drivers/gpu/drm/bridge/display-connector.c | 3 +- drivers/gpu/drm/drm_gem_atomic_helper.c | 8 +- drivers/gpu/drm/drm_panel_backlight_quirks.c | 2 +- drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 - drivers/gpu/drm/mediatek/mtk_plane.c | 24 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 3 + drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 10 + drivers/gpu/drm/msm/registers/gen_header.py | 7 + drivers/gpu/drm/nouveau/nouveau_sched.c | 14 +- drivers/gpu/drm/nouveau/nvkm/core/enum.c | 2 +- drivers/gpu/drm/panthor/panthor_gpu.c | 7 + drivers/gpu/drm/panthor/panthor_mmu.c | 4 +- drivers/gpu/drm/radeon/radeon_drv.c | 25 +- drivers/gpu/drm/radeon/radeon_kms.c | 1 - drivers/gpu/drm/scheduler/sched_entity.c | 73 ++-- drivers/gpu/drm/scheduler/sched_main.c | 6 +- drivers/gpu/drm/tidss/tidss_crtc.c | 7 +- drivers/gpu/drm/tidss/tidss_dispc.c | 16 +- drivers/gpu/drm/xe/abi/guc_errors_abi.h | 3 + drivers/gpu/drm/xe/xe_bo.c | 28 +- drivers/gpu/drm/xe/xe_gt.c | 19 +- drivers/gpu/drm/xe/xe_guc.c | 32 +- drivers/gpu/drm/xe/xe_guc_ct.c | 10 + drivers/gpu/drm/xe/xe_guc_log.h | 2 +- drivers/hid/hid-asus.c | 6 +- drivers/hid/hid-ids.h | 2 +- drivers/hid/hid-universal-pidff.c | 20 +- drivers/hid/i2c-hid/i2c-hid-acpi.c | 8 + drivers/hid/i2c-hid/i2c-hid-core.c | 28 +- drivers/hid/i2c-hid/i2c-hid.h | 2 + drivers/hid/usbhid/hid-pidff.c | 42 +- drivers/hid/usbhid/hid-pidff.h | 2 +- drivers/hwmon/asus-ec-sensors.c | 2 +- drivers/hwmon/dell-smm-hwmon.c | 14 - drivers/hwmon/k10temp.c | 10 + drivers/hwmon/lenovo-ec-sensors.c | 34 +- drivers/hwmon/sbtsi_temp.c | 46 ++- drivers/hwmon/sy7636a-hwmon.c | 1 + drivers/i3c/master/mipi-i3c-hci/mipi-i3c-hci-pci.c | 3 + drivers/iio/adc/imx93_adc.c | 18 +- drivers/iio/adc/spear_adc.c | 9 +- drivers/infiniband/hw/hns/hns_roce_cq.c | 58 ++- drivers/infiniband/hw/hns/hns_roce_device.h | 4 + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11 +- drivers/infiniband/hw/hns/hns_roce_main.c | 4 + drivers/infiniband/hw/hns/hns_roce_qp.c | 2 - drivers/infiniband/hw/irdma/Kconfig | 7 +- drivers/infiniband/hw/irdma/pble.c | 2 +- drivers/infiniband/hw/irdma/verbs.c | 4 +- drivers/infiniband/hw/irdma/verbs.h | 8 +- drivers/infiniband/ulp/ipoib/ipoib_main.c | 21 +- drivers/iommu/amd/init.c | 28 +- drivers/iommu/apple-dart.c | 5 + drivers/iommu/intel/debugfs.c | 10 +- drivers/iommu/intel/perf.c | 10 +- drivers/iommu/intel/perf.h | 5 +- drivers/iommu/iommufd/iova_bitmap.c | 5 +- drivers/irqchip/irq-gic-v2m.c | 13 +- drivers/irqchip/irq-loongson-pch-lpc.c | 9 +- drivers/irqchip/irq-sifive-plic.c | 6 +- drivers/md/dm-target.c | 3 +- drivers/media/common/videobuf2/videobuf2-v4l2.c | 5 + drivers/media/i2c/Kconfig | 2 +- drivers/media/i2c/adv7180.c | 48 +-- drivers/media/i2c/ir-kbd-i2c.c | 6 +- drivers/media/i2c/og01a1b.c | 6 +- drivers/media/i2c/ov08x40.c | 2 +- drivers/media/pci/intel/ipu6/ipu6-isys-subdev.c | 6 + drivers/media/pci/ivtv/ivtv-alsa-pcm.c | 2 - drivers/media/pci/ivtv/ivtv-driver.h | 3 +- drivers/media/pci/ivtv/ivtv-fileops.c | 18 +- drivers/media/pci/ivtv/ivtv-irq.c | 4 +- drivers/media/pci/mgb4/mgb4_vin.c | 3 +- drivers/media/platform/amphion/vpu_v4l2.c | 7 +- drivers/media/platform/verisilicon/hantro_drv.c | 2 + drivers/media/platform/verisilicon/hantro_v4l2.c | 6 +- drivers/media/rc/imon.c | 61 +-- drivers/media/rc/redrat3.c | 2 +- drivers/media/tuners/xc4000.c | 8 +- drivers/media/tuners/xc5000.c | 12 +- drivers/media/usb/uvc/uvc_driver.c | 15 +- drivers/memstick/core/memstick.c | 8 +- drivers/mfd/da9063-i2c.c | 27 +- drivers/mfd/intel-lpss-pci.c | 13 + drivers/mfd/kempld-core.c | 32 +- drivers/mfd/madera-core.c | 4 +- drivers/mfd/mfd-core.c | 1 + drivers/mfd/stmpe-i2c.c | 1 + drivers/mfd/stmpe.c | 3 + drivers/mmc/host/renesas_sdhi_core.c | 6 +- drivers/mmc/host/sdhci-msm.c | 15 + drivers/net/dsa/b53/b53_common.c | 27 +- drivers/net/dsa/b53/b53_regs.h | 3 +- drivers/net/dsa/dsa_loop.c | 9 +- drivers/net/dsa/microchip/ksz9477.c | 98 ++++- drivers/net/dsa/microchip/ksz9477_reg.h | 3 +- drivers/net/dsa/microchip/ksz_common.c | 49 +++ drivers/net/dsa/microchip/ksz_common.h | 2 + drivers/net/dsa/ocelot/felix.c | 4 + drivers/net/dsa/ocelot/felix.h | 3 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 75 ++-- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +- drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 +- drivers/net/ethernet/cadence/macb_main.c | 4 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_common.c | 5 +- drivers/net/ethernet/intel/fm10k/fm10k_common.h | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_pf.c | 2 +- drivers/net/ethernet/intel/fm10k/fm10k_vf.c | 2 +- drivers/net/ethernet/intel/ice/ice_main.c | 2 +- drivers/net/ethernet/intel/ice/ice_trace.h | 10 +- drivers/net/ethernet/intel/idpf/idpf.h | 2 + drivers/net/ethernet/intel/idpf/idpf_lib.c | 102 ++++- drivers/net/ethernet/intel/idpf/idpf_txrx.c | 129 ++---- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 12 +- drivers/net/ethernet/microchip/lan865x/lan865x.c | 1 + .../ethernet/microchip/lan966x/lan966x_ethtool.c | 18 +- .../net/ethernet/microchip/lan966x/lan966x_main.c | 2 - .../net/ethernet/microchip/lan966x/lan966x_main.h | 4 +- .../ethernet/microchip/lan966x/lan966x_vcap_impl.c | 8 +- drivers/net/ethernet/microchip/sparx5/Kconfig | 2 +- drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 34 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 1 - drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 2 - drivers/net/ethernet/realtek/Kconfig | 2 +- drivers/net/ethernet/realtek/r8169_main.c | 6 +- drivers/net/ethernet/renesas/sh_eth.c | 4 + drivers/net/ethernet/sfc/mae.c | 4 + drivers/net/ethernet/smsc/smsc911x.c | 14 +- drivers/net/ethernet/stmicro/stmmac/common.h | 1 + drivers/net/ethernet/stmicro/stmmac/stmmac_est.c | 9 +- drivers/net/ethernet/stmicro/stmmac/stmmac_est.h | 1 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 +- drivers/net/ethernet/ti/icssg/icssg_config.c | 7 + drivers/net/ethernet/wangxun/libwx/wx_ethtool.c | 7 +- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 3 +- drivers/net/ethernet/wangxun/libwx/wx_type.h | 4 +- drivers/net/hamradio/6pack.c | 57 +-- drivers/net/mdio/of_mdio.c | 1 - drivers/net/phy/dp83867.c | 6 + drivers/net/phy/fixed_phy.c | 1 + drivers/net/phy/marvell.c | 39 +- drivers/net/phy/phy.c | 13 + drivers/net/phy/phy_device.c | 17 + drivers/net/usb/asix_devices.c | 12 +- drivers/net/usb/qmi_wwan.c | 6 + drivers/net/usb/usbnet.c | 2 + drivers/net/virtio_net.c | 36 +- drivers/net/wan/framer/pef2256/pef2256.c | 7 +- drivers/net/wireless/ath/ath10k/mac.c | 12 +- drivers/net/wireless/ath/ath10k/wmi.c | 40 +- drivers/net/wireless/ath/ath11k/core.c | 54 ++- drivers/net/wireless/ath/ath11k/core.h | 3 +- drivers/net/wireless/ath/ath11k/mac.c | 61 ++- drivers/net/wireless/ath/ath11k/wmi.c | 11 +- drivers/net/wireless/ath/ath11k/wmi.h | 10 +- drivers/net/wireless/ath/ath12k/dp.h | 2 +- drivers/net/wireless/ath/ath12k/mac.c | 34 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +- .../net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 +- .../net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 +- drivers/net/wireless/intel/iwlwifi/fw/regulatory.c | 14 +- drivers/net/wireless/mediatek/mt76/eeprom.c | 9 +- drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- drivers/net/wireless/mediatek/mt76/mt7603/eeprom.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7615/init.c | 5 +- drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c | 6 +- drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7915/init.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/init.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 + drivers/net/wireless/mediatek/mt76/mt7925/init.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c | 3 +- drivers/net/wireless/mediatek/mt76/mt7996/init.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 +- drivers/net/wireless/realtek/rtw88/sdio.c | 4 + drivers/net/wireless/realtek/rtw89/core.c | 61 ++- drivers/net/wireless/realtek/rtw89/core.h | 12 +- drivers/net/wireless/realtek/rtw89/debug.h | 1 + drivers/net/wireless/realtek/rtw89/fw.c | 4 +- drivers/net/wireless/realtek/rtw89/mac.c | 7 +- drivers/net/wireless/realtek/rtw89/phy.c | 7 +- drivers/net/wireless/realtek/rtw89/txrx.h | 1 + drivers/net/wireless/virtual/mac80211_hwsim.c | 7 +- drivers/net/wwan/t7xx/t7xx_pci.c | 1 + drivers/ntb/hw/epf/ntb_hw_epf.c | 103 ++--- drivers/nvme/host/core.c | 8 +- drivers/nvme/host/fc.c | 10 +- drivers/nvme/target/fc.c | 16 +- drivers/pci/controller/cadence/pcie-cadence-host.c | 2 +- drivers/pci/controller/cadence/pcie-cadence.c | 4 +- drivers/pci/controller/cadence/pcie-cadence.h | 6 +- drivers/pci/controller/dwc/pci-imx6.c | 4 + drivers/pci/controller/dwc/pcie-designware.c | 4 +- drivers/pci/endpoint/functions/pci-epf-test.c | 7 +- drivers/pci/p2pdma.c | 2 +- drivers/pci/pci-driver.c | 2 +- drivers/pci/pci.c | 5 + drivers/pci/pcie/err.c | 3 +- drivers/pci/quirks.c | 3 +- drivers/phy/cadence/cdns-dphy.c | 4 +- drivers/phy/renesas/r8a779f0-ether-serdes.c | 28 ++ drivers/phy/rockchip/phy-rockchip-inno-csidphy.c | 5 +- drivers/pinctrl/pinctrl-keembay.c | 7 +- drivers/pinctrl/pinctrl-single.c | 4 +- .../intel/uncore-frequency/uncore-frequency-tpmi.c | 2 +- drivers/pmdomain/apple/pmgr-pwrstate.c | 1 + drivers/power/supply/qcom_battmgr.c | 8 +- drivers/power/supply/sbs-charger.c | 16 +- drivers/ptp/ptp_clock.c | 13 +- drivers/pwm/pwm-pca9685.c | 46 ++- drivers/remoteproc/qcom_q6v5.c | 5 + drivers/remoteproc/wkup_m3_rproc.c | 6 +- drivers/rpmsg/rpmsg_char.c | 3 +- drivers/rtc/rtc-pcf2127.c | 19 +- drivers/rtc/rtc-rx8025.c | 2 +- drivers/scsi/libfc/fc_encode.h | 2 +- drivers/scsi/lpfc/lpfc_debugfs.h | 3 + drivers/scsi/lpfc/lpfc_els.c | 21 +- drivers/scsi/lpfc/lpfc_init.c | 7 - drivers/scsi/lpfc/lpfc_nportdisc.c | 23 +- drivers/scsi/lpfc/lpfc_scsi.c | 14 +- drivers/scsi/lpfc/lpfc_sli.c | 3 +- drivers/scsi/mpi3mr/mpi3mr_fw.c | 13 + drivers/scsi/mpi3mr/mpi3mr_os.c | 2 + drivers/scsi/mpt3sas/mpt3sas_transport.c | 3 + drivers/scsi/pm8001/pm8001_ctl.c | 24 +- drivers/scsi/pm8001/pm8001_init.c | 1 + drivers/scsi/pm8001/pm8001_sas.h | 4 + drivers/scsi/qla2xxx/qla_os.c | 5 - drivers/soc/aspeed/aspeed-socinfo.c | 4 + drivers/soc/qcom/smem.c | 2 +- drivers/soc/tegra/fuse/fuse-tegra30.c | 122 ++++++ drivers/soc/ti/pruss.c | 2 +- drivers/spi/spi-loopback-test.c | 12 +- drivers/spi/spi-rpc-if.c | 2 + drivers/tee/tee_core.c | 2 +- drivers/thermal/gov_step_wise.c | 15 +- drivers/thunderbolt/tb.c | 2 +- drivers/tty/serial/ip22zilog.c | 360 +++++++---------- drivers/tty/serial/max3100.c | 2 +- drivers/tty/serial/max310x.c | 3 +- drivers/tty/vt/vt_ioctl.c | 4 +- drivers/ufs/core/ufshcd.c | 16 +- drivers/ufs/host/ufs-exynos.c | 8 + drivers/ufs/host/ufs-mediatek.c | 222 ++++++++--- drivers/ufs/host/ufshcd-pci.c | 70 +++- drivers/usb/cdns3/cdnsp-gadget.c | 8 +- drivers/usb/gadget/function/f_fs.c | 8 +- drivers/usb/gadget/function/f_hid.c | 4 +- drivers/usb/gadget/function/f_ncm.c | 3 +- drivers/usb/host/xhci-pci.c | 45 ++- drivers/usb/host/xhci-plat.c | 1 + drivers/usb/mon/mon_bin.c | 14 +- drivers/vfio/pci/vfio_pci_intrs.c | 7 + drivers/vfio/vfio_main.c | 2 +- drivers/video/backlight/lp855x_bl.c | 2 +- drivers/video/fbdev/aty/atyfb_base.c | 8 +- drivers/video/fbdev/core/bitblit.c | 33 +- drivers/video/fbdev/core/fbcon.c | 19 + drivers/video/fbdev/core/fbmem.c | 1 + drivers/video/fbdev/pvr2fb.c | 2 +- drivers/video/fbdev/valkyriefb.c | 2 + drivers/watchdog/s3c2410_wdt.c | 10 +- fs/9p/v9fs.c | 9 +- fs/btrfs/extent_io.c | 8 + fs/btrfs/file.c | 10 + fs/btrfs/qgroup.c | 4 +- fs/ceph/dir.c | 3 +- fs/ceph/file.c | 6 +- fs/ceph/ioctl.c | 17 +- fs/ceph/locks.c | 5 +- fs/ceph/mds_client.c | 8 + fs/ceph/mdsmap.c | 14 +- fs/ceph/super.c | 14 - fs/ceph/super.h | 14 + fs/exfat/balloc.c | 72 +++- fs/exfat/fatent.c | 11 +- fs/ext4/fast_commit.c | 2 +- fs/ext4/xattr.c | 2 +- fs/f2fs/extent_cache.c | 6 + fs/f2fs/node.c | 17 +- fs/f2fs/sysfs.c | 9 +- fs/fuse/inode.c | 11 +- fs/hpfs/namei.c | 18 +- fs/jfs/inode.c | 8 +- fs/jfs/jfs_txnmgr.c | 9 +- fs/nfs/nfs4proc.c | 6 +- fs/nfs/nfs4state.c | 3 + fs/nfsd/nfs4proc.c | 7 +- fs/ntfs3/inode.c | 1 + fs/open.c | 10 +- fs/orangefs/xattr.c | 12 +- fs/smb/client/cached_dir.c | 16 +- fs/smb/client/smb2ops.c | 3 +- fs/smb/client/smb2pdu.c | 7 +- fs/smb/client/transport.c | 10 +- fs/smb/server/transport_tcp.c | 7 +- include/drm/gpu_scheduler.h | 23 +- include/linux/blk_types.h | 11 +- include/linux/bpf_verifier.h | 7 + include/linux/cgroup.h | 1 + include/linux/f2fs_fs.h | 1 + include/linux/fbcon.h | 2 + include/linux/filter.h | 3 +- include/linux/pci.h | 2 +- include/linux/phy.h | 1 + include/linux/shdma-base.h | 2 +- include/linux/tnum.h | 3 + include/net/bluetooth/hci.h | 1 + include/net/bluetooth/hci_core.h | 13 +- include/net/bluetooth/mgmt.h | 2 +- include/net/cls_cgroup.h | 2 +- include/net/nfc/nci_core.h | 2 +- include/net/xdp.h | 5 + include/ufs/ufs_quirks.h | 3 + include/ufs/ufshcd.h | 8 + include/ufs/ufshci.h | 4 +- io_uring/notif.c | 5 + kernel/bpf/core.c | 5 + kernel/bpf/helpers.c | 2 +- kernel/bpf/ringbuf.c | 2 + kernel/bpf/tnum.c | 8 + kernel/bpf/verifier.c | 100 ++++- kernel/cgroup/cgroup.c | 24 +- kernel/events/uprobes.c | 7 + kernel/futex/syscalls.c | 106 ++--- kernel/sched/ext.c | 8 +- kernel/trace/ftrace.c | 2 + kernel/trace/ring_buffer.c | 4 + kernel/trace/trace_events_hist.c | 6 +- lib/crypto/Makefile | 2 +- lib/kunit/kunit-test.c | 2 +- net/8021q/vlan.c | 2 + net/9p/trans_fd.c | 9 +- net/bluetooth/hci_event.c | 19 +- net/bluetooth/hci_sync.c | 23 +- net/bluetooth/iso.c | 11 +- net/bluetooth/mgmt.c | 6 +- net/bluetooth/rfcomm/tty.c | 26 +- net/bluetooth/sco.c | 7 + net/bridge/br.c | 5 + net/bridge/br_forward.c | 5 +- net/bridge/br_if.c | 1 + net/bridge/br_input.c | 4 +- net/bridge/br_mst.c | 10 +- net/bridge/br_private.h | 13 +- net/core/filter.c | 1 + net/core/page_pool.c | 12 +- net/core/sock.c | 15 +- net/dsa/tag_brcm.c | 70 ++-- net/ethernet/eth.c | 5 +- net/ipv4/inet_diag.c | 14 +- net/ipv4/ip_input.c | 11 +- net/ipv4/netfilter/nf_reject_ipv4.c | 25 ++ net/ipv4/nexthop.c | 6 + net/ipv4/route.c | 2 +- net/ipv4/tcp.c | 4 +- net/ipv4/tcp_fastopen.c | 7 +- net/ipv4/udp_tunnel_nic.c | 2 +- net/ipv6/addrconf.c | 4 +- net/ipv6/ah6.c | 50 ++- net/ipv6/netfilter/nf_reject_ipv6.c | 30 ++ net/ipv6/raw.c | 2 +- net/ipv6/udp.c | 2 +- net/mac80211/cfg.c | 20 +- net/mac80211/ieee80211_i.h | 2 + net/mac80211/iface.c | 9 + net/mac80211/key.c | 10 +- net/mac80211/mesh.c | 3 + net/mac80211/mlme.c | 5 +- net/mptcp/protocol.c | 18 +- net/mptcp/protocol.h | 2 +- net/rds/rds.h | 2 +- net/sctp/diag.c | 23 +- security/integrity/ima/ima_appraise.c | 23 +- sound/drivers/serial-generic.c | 12 +- sound/pci/hda/patch_realtek.c | 17 +- sound/soc/codecs/cs-amp-lib-test.c | 1 + sound/soc/codecs/tlv320aic3x.c | 32 +- sound/soc/fsl/fsl_sai.c | 11 +- sound/soc/intel/avs/pcm.c | 3 + sound/soc/mediatek/mt8173/mt8173-rt5650.c | 2 +- sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c | 2 +- .../mt8183/mt8183-mt6358-ts3a227-max98357.c | 2 +- sound/soc/mediatek/mt8186/mt8186-mt6366.c | 2 +- sound/soc/mediatek/mt8188/mt8188-mt6359.c | 8 +- .../mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c | 2 +- sound/soc/mediatek/mt8195/mt8195-mt6359.c | 4 +- sound/soc/meson/aiu-encoder-i2s.c | 9 +- sound/soc/qcom/qdsp6/q6asm.c | 2 +- sound/soc/qcom/sc8280xp.c | 3 + sound/soc/sof/ipc4-pcm.c | 56 +++ sound/soc/stm/stm32_sai_sub.c | 8 + sound/usb/mixer.c | 7 + sound/usb/mixer_s1810c.c | 28 +- sound/usb/validate.c | 9 +- tools/bpf/bpftool/btf_dumper.c | 2 +- tools/bpf/bpftool/link.c | 54 ++- tools/bpf/bpftool/prog.c | 2 +- tools/include/linux/bitmap.h | 1 + tools/lib/bpf/bpf_tracing.h | 2 +- tools/lib/bpf/usdt.bpf.h | 44 ++- tools/lib/bpf/usdt.c | 62 ++- tools/lib/thermal/Makefile | 9 +- tools/net/ynl/lib/ynl-priv.h | 4 +- tools/power/cpupower/lib/cpuidle.c | 5 +- tools/power/cpupower/lib/cpupower.c | 2 +- .../x86_energy_perf_policy.c | 30 +- tools/testing/selftests/Makefile | 2 +- .../testing/selftests/bpf/prog_tests/bpf_cookie.c | 3 +- .../selftests/bpf/progs/verifier_arena_large.c | 1 + tools/testing/selftests/bpf/test_lirc_mode2_user.c | 2 +- tools/testing/selftests/bpf/test_xsk.sh | 2 + tools/testing/selftests/drivers/net/hw/rss_ctx.py | 11 +- .../selftests/drivers/net/netdevsim/Makefile | 4 + tools/testing/selftests/net/fcnal-test.sh | 432 +++++++++++---------- .../net/forwarding/custom_multipath_hash.sh | 2 +- .../net/forwarding/gre_custom_multipath_hash.sh | 2 +- .../net/forwarding/ip6_forward_instats_vrf.sh | 6 +- .../net/forwarding/ip6gre_custom_multipath_hash.sh | 2 +- tools/testing/selftests/net/forwarding/lib.sh | 8 +- .../net/forwarding/mirror_gre_bridge_1q_lag.sh | 2 +- .../net/forwarding/mirror_gre_vlan_bridge_1q.sh | 4 +- tools/testing/selftests/net/gro.c | 12 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 6 +- tools/testing/selftests/net/psock_tpacket.c | 4 +- tools/testing/selftests/net/traceroute.sh | 51 +-- .../intel/workload_hint/workload_hint_test.c | 2 + usr/include/headers_check.pl | 2 + 616 files changed, 5942 insertions(+), 2723 deletions(-)

2 weeks, 1 day

8
575
0 0

Re: stable 6.6: commit "sched/cpufreq: Rework schedutil governor performance estimation' causes a regression

by Christian Loehle

On 11/21/25 15:37, Yu-Che Cheng wrote: > Hi Vincent, > > On Fri, Nov 21, 2025 at 10:00 PM Vincent Guittot <vincent.guittot(a)linaro.org> > wrote: >> >> On Fri, 21 Nov 2025 at 04:55, Sergey Senozhatsky >> <senozhatsky(a)chromium.org> wrote: >>> >>> Hi Christian, >>> >>> On (25/11/20 10:15), Christian Loehle wrote: >>>> On 11/20/25 04:45, Sergey Senozhatsky wrote: >>>>> Hi, >>>>> >>>>> We are observing a performance regression on one of our arm64 > boards. >>>>> We tracked it down to the linux-6.6.y commit ada8d7fa0ad4 > ("sched/cpufreq: >> >> You mentioned that you tracked down to linux-6.6.y but which kernel >> are you using ? >> > > We're using ChromeOS 6.6 kernel, which is currently on top of linux-v6.6.99. > But we've tested that the performance regression still happens on exactly > the same scheduler codes (`kernel/sched`) as upstream v6.6.99, compared to > those on v6.6.88. > >>>>> Rework schedutil governor performance estimation"). >>>>> >>>>> UI speedometer benchmark: >>>>> w/commit: 395 +/-38 >>>>> w/o commit: 439 +/-14 >>>>> >>>> >>>> Hi Sergey, >>>> Would be nice to get some details. What board? >>> >>> It's an MT8196 chromebook. >>> >>>> What do the OPPs look like? >>> >>> How do I find that out? >> >> In /sys/kernel/debug/opp/cpu*/ >> or >> /sys/devices/system/cpu/cpufreq/policy*/scaling_available_frequencies >> with related_cpus >> > > The energy model on the device is: > > CPU0-3: > +------------+------------+ > | freq (khz) | power (uw) | > +============+============+ > | 339000 | 34362 | > | 400000 | 42099 | > | 500000 | 52907 | > | 600000 | 63795 | > | 700000 | 74747 | > | 800000 | 88445 | > | 900000 | 101444 | > | 1000000 | 120377 | > | 1100000 | 136859 | > | 1200000 | 154162 | > | 1300000 | 174843 | > | 1400000 | 196833 | > | 1500000 | 217052 | > | 1600000 | 247844 | > | 1700000 | 281464 | > | 1800000 | 321764 | > | 1900000 | 352114 | > | 2000000 | 383791 | > | 2100000 | 421809 | > | 2200000 | 461767 | > | 2300000 | 503648 | > | 2400000 | 540731 | > +------------+------------+ > > CPU4-6: > +------------+------------+ > | freq (khz) | power (uw) | > +============+============+ > | 622000 | 131738 | > | 700000 | 147102 | > | 800000 | 172219 | > | 900000 | 205455 | > | 1000000 | 233632 | > | 1100000 | 254313 | > | 1200000 | 288843 | > | 1300000 | 330863 | > | 1400000 | 358947 | > | 1500000 | 400589 | > | 1600000 | 444247 | > | 1700000 | 497941 | > | 1800000 | 539959 | > | 1900000 | 584011 | > | 2000000 | 657172 | > | 2100000 | 746489 | > | 2200000 | 822854 | > | 2300000 | 904913 | > | 2400000 | 1006581 | > | 2500000 | 1115458 | > | 2600000 | 1205167 | > | 2700000 | 1330751 | > | 2800000 | 1450661 | > | 2900000 | 1596740 | > | 3000000 | 1736568 | > | 3100000 | 1887001 | > | 3200000 | 2048877 | > | 3300000 | 2201141 | > +------------+------------+ > > CPU7: > > +------------+------------+ > | freq (khz) | power (uw) | > +============+============+ > | 798000 | 320028 | > | 900000 | 330714 | > | 1000000 | 358108 | > | 1100000 | 384730 | > | 1200000 | 410669 | > | 1300000 | 438355 | > | 1400000 | 469865 | > | 1500000 | 502740 | > | 1600000 | 531645 | > | 1700000 | 560380 | > | 1800000 | 588902 | > | 1900000 | 617278 | > | 2000000 | 645584 | > | 2100000 | 698653 | > | 2200000 | 744179 | > | 2300000 | 810471 | > | 2400000 | 895816 | > | 2500000 | 985234 | > | 2600000 | 1097802 | > | 2700000 | 1201162 | > | 2800000 | 1332076 | > | 2900000 | 1439847 | > | 3000000 | 1575917 | > | 3100000 | 1741987 | > | 3200000 | 1877346 | > | 3300000 | 2161512 | > | 3400000 | 2437879 | > | 3500000 | 2933742 | > | 3600000 | 3322959 | > | 3626000 | 3486345 | > +------------+------------+ > >>> >>>> Does this system use uclamp during the benchmark? How? >>> >>> How do I find that out? >> >> it can be set per cgroup >> /sys/fs/cgroup/system.slice/<name>/cpu.uclam.min|max >> or per task with sched_setattr() >> >> You most probably use it because it's the main reason for ada8d7fa0ad4 >> to remove wrong overestimate of OPP >> > > For the speedometer case, yes, we set the uclamp.min to 20 for the whole > browser and UI (chrome). > There's no system-wide uclamp settings though. (From Sergey's traces) Per-cluster time‑weighted average frequency base => revert: little (cpu0–3, max 2.4 GHz): 0.746 GHz => 1.132 GHz (+51.6%) mid (cpu4–6, max 3.3 GHz): 1.043 GHz => 1.303 GHz (+24.9%) big (cpu7, max 3.626 GHz): 2.563 GHz => 3.116 GHz (+21.6%) And in particular time spent at OPPs (base => revert): Big core at upper 10%: 29.6% => 61.5% little cluster at 339 MHz: 50.1% => 1.0% Interesting that a uclamp.min of 20 (which shouldn't really have much affect on big CPU at all, with or without headroom AFAICS?) makes such a big difference here? > > But we also found other performance regressions in an Android guest VM, > where there's no uclamp for the VM and vCPU processes from the host side. > Particularly, the RAR extraction throughput reduces about 20% in the RAR > app (from RARLAB). > Although it's hard to tell if this is some sort of a side-effect of the UI > regression as the UI is also running at the same time. > I'd be inclined to say that is because of the vastly different DVFS from the UI workload, yes.

2 weeks, 1 day

4
6
0 0

🚀 Spaceboard 2.0: Like Coffee but for Your Browser!

by Aleksandar

Hello, Are you ready to send your productivity soaring, fuelled by none other than Spaceboard 2.0? Buckle up, because this ride is taking us straight to the planet of Achievement (it's right next to Planet Procrastination, which we’re leaving far behind). Brace Yourself for Awesomeness: 🤖 AI-Powered Assistant – Our Robot Friends Are Here! We brought more than 90 AI models to the party. Yes, 90! Use them wisely or use them wildly; either way, they’re here to serve (and maybe dance a little jig). 📚 Smart Collections – Organize or Chaos-‘nize! Think of it as your personal organization ninja, ready to karate-chop your digital mess into a zen-like order. 📅 Advanced Task Management – Because To-Do Lists Deserve Better It's more than just a list – it's a life coach that fits in your browser. Automatic deadline tracking and Google Calendar integration might mean you’ve finally found your planner soulmate. 🎨 Chrome Sidepanel – Cool Features On-the-Go Who needs to jump tabs when Spaceboard’s right there? Consider this your personal assistant, minus the coffee runs (AI is still working on that). 🌤 Weather & Location Services – Because Knowing Is Half the Battle Avoid surprising rain showers with real-time forecasts. We promise it will not predict catnados – yet. 🔍 Universal Search – Find All the Things! It’s like having a GPS for your brain! From bookmarks to hidden chocolates at the back of your mind – find it all instantly. 🎯 Subscription Plans – More Choices than a Dessert Menu Explorer Plan for beginners, Visionary Plan for Jedis. Pick your path to ultimate productivity enlightenment. So, What Are You Waiting For? Zoom over to spaceboard.ai [https://emailmarketingsrb.inboxingproserver.com/index.php/campaigns/qw394ew…] and update your extension today. Go ahead, transform your browser into a bustling hub of energy and excitement! Questions, comments, or philosophical musings? We're here to chat, brainstorm, or just swap dad jokes. Catch you at the productivity summit! Cheers, The Spaceboard Crew 🙌 Unsubscribe here [https://emailmarketingsrb.inboxingproserver.com/index.php/campaigns/qw394ew…]

2 weeks, 1 day

1
0
0 0

[PATCH net v3] atm/fore200e: Fix possible data race in fore200e_open()

by Gui-Dong Han

Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock. This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs. Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> --- v3: * Expanded the commit message to describe the specific call paths causing the race, as suggested by Jakub Kicinski and Paolo Abeni. v2: * Added a description of the data race hazard in fore200e_open(), as suggested by Jakub Kicinski and Simon Horman. --- drivers/atm/fore200e.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c index 4fea1149e003..f62e38571440 100644 --- a/drivers/atm/fore200e.c +++ b/drivers/atm/fore200e.c @@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc) vcc->dev_data = NULL; + mutex_lock(&fore200e->rate_mtx); fore200e->available_cell_rate += vcc->qos.txtp.max_pcr; + mutex_unlock(&fore200e->rate_mtx); kfree(fore200e_vcc); return -EINVAL; -- 2.34.1

2 weeks, 1 day

2
1
0 0

[PATCH net v6 0/5] net: dsa: microchip: Fix resource releases in error path

by Bastien Curutchet (Schneider Electric)

Hi all, I worked on adding PTP support for the KSZ8463. While doing so, I ran into a few bugs in the resource release process that occur when things go wrong arount IRQ initialization. This small series fixes those bugs. The next series, which will add the PTP support, depend on this one. Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> --- Changes in v6: - PATCH 4: Jump in the middle of the release loop instead of partially freeing resource before jumping at the beginning of the release loop. - PATCH 5: Add Andrew's Reviewed-By. - Link to v5: https://lore.kernel.org/r/20251118-ksz-fix-v5-0-8e9c7f56618d@bootlin.com Changes in v5: - All: Add Cc Tag. - PATCH 3: Use dsa_switch_for_each_user_port_continue_reverse() to only iterate over initialized ports. - PATCH 4: Also clean PTP IRQs on port initialization failures - Link to v4: https://lore.kernel.org/r/20251117-ksz-fix-v4-0-13e1da58a492@bootlin.com Changes in v4: - PATCH 1 & 2: Add Andrew's Reviewed-By. - PATCH 3: Ensure ksz_irq is initialized outside of ksz_irq_free() - Add PATCH 4 - PATCH 5: Fix symetry issues in ksz_ptp_msg_irq_{setup/free}() - Link to v3: https://lore.kernel.org/r/20251114-ksz-fix-v3-0-acbb3b9cc32f@bootlin.com Changes in v3: - PATCH 1 and 3: Fix Fixes tags - PATCH 3: Move the irq_dispose_mapping() behind the check that verifies that the domain is initialized - Link to v2: https://lore.kernel.org/r/20251106-ksz-fix-v2-0-07188f608873@bootlin.com Changes in v2: - Add Fixes tag. - Split PATCH 1 in two patches as it needed two different Fixes tags - Add details in commit logs - Link to v1: https://lore.kernel.org/r/20251031-ksz-fix-v1-0-7e46de999ed1@bootlin.com --- Bastien Curutchet (Schneider Electric) (5): net: dsa: microchip: common: Fix checks on irq_find_mapping() net: dsa: microchip: ptp: Fix checks on irq_find_mapping() net: dsa: microchip: Don't free uninitialized ksz_irq net: dsa: microchip: Free previously initialized ports on init failures net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() drivers/net/dsa/microchip/ksz_common.c | 31 +++++++++++++++---------------- drivers/net/dsa/microchip/ksz_ptp.c | 22 +++++++++------------- 2 files changed, 24 insertions(+), 29 deletions(-) --- base-commit: 09652e543e809c2369dca142fee5d9b05be9bdc7 change-id: 20251031-ksz-fix-db345df7635f Best regards, -- Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com>

2 weeks, 1 day

2
6
0 0

[PATCH] KVM: x86: Add x2APIC "features" to control EOI broadcast suppression

by Khushit Shah

Add two flags for KVM_CAP_X2APIC_API to allow userspace to control support for Suppress EOI Broadcasts, which KVM completely mishandles. When x2APIC support was first added, KVM incorrectly advertised and "enabled" Suppress EOI Broadcast, without fully supporting the I/O APIC side of the equation, i.e. without adding directed EOI to KVM's in-kernel I/O APIC. That flaw was carried over to split IRQCHIP support, i.e. KVM advertised support for Suppress EOI Broadcasts irrespective of whether or not the userspace I/O APIC implementation supported directed EOIs. Even worse, KVM didn't actually suppress EOI broadcasts, i.e. userspace VMMs without support for directed EOI came to rely on the "spurious" broadcasts. KVM "fixed" the in-kernel I/O APIC implementation by completely disabling support for Supress EOI Broadcasts in commit 0bcc3fb95b97 ("KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use"), but didn't do anything to remedy userspace I/O APIC implementations. KVM's bogus handling of Supress EOI Broad is problematic when the guest relies on interrupts being masked in the I/O APIC until well after the initial local APIC EOI. E.g. Windows with Credential Guard enabled handles interrupts in the following order:` 1. Interrupt for L2 arrives. 2. L1 APIC EOIs the interrupt. 3. L1 resumes L2 and injects the interrupt. 4. L2 EOIs after servicing. 5. L1 performs the I/O APIC EOI. Because KVM EOIs the I/O APIC at step #2, the guest can get an interrupt storm, e.g. if the IRQ line is still asserted and userspace reacts to the EOI by re-injecting the IRQ, because the guest doesn't de-assert the line until step #4, and doesn't expect the interrupt to be re-enabled until step #5. Unfortunately, simply "fixing" the bug isn't an option, as KVM has no way of knowing if the userspace I/O APIC supports directed EOIs, i.e. suppressing EOI broadcasts would result in interrupts being stuck masked in the userspace I/O APIC due to step #5 being ignored by userspace. And fully disabling support for Suppress EOI Broadcast is also undesirable, as picking up the fix would require a guest reboot, *and* more importantly would change the virtual CPU model exposed to the guest without any buy-in from userspace. Add two flags to allow userspace to choose exactly how to solve the immediate issue, and in the long term to allow userspace to control the virtual CPU model that is exposed to the guest (KVM should never have enabled supported for Supress EOI Broadcast without a userspace opt-in). Note, Suppress EOI Broadcasts is defined only in Intel's SDM, not in AMD's APM. But the bit is writable on some AMD CPUs, e.g. Turin, and KVM's ABI is to support Directed EOI (KVM's name) irrespective of guest CPU vendor. Fixes: 7543a635aa09 ("KVM: x86: Add KVM exit for IOAPIC EOIs") Closes: https://lore.kernel.org/kvm/7D497EF1-607D-4D37-98E7-DAF95F099342@nutanix.com Cc: stable(a)vger.kernel.org Co-developed-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Khushit Shah <khushit.shah(a)nutanix.com> --- Documentation/virt/kvm/api.rst | 14 ++++++++++++-- arch/x86/include/asm/kvm_host.h | 2 ++ arch/x86/include/uapi/asm/kvm.h | 6 ++++-- arch/x86/kvm/lapic.c | 13 +++++++++++++ arch/x86/kvm/x86.c | 12 +++++++++--- 5 files changed, 40 insertions(+), 7 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 57061fa29e6a..4141d2bd8156 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -7800,8 +7800,10 @@ Will return -EBUSY if a VCPU has already been created. Valid feature flags in args[0] are:: - #define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) - #define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) + #define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) + #define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) + #define KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK (1ULL << 2) + #define KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST (1ULL << 3) Enabling KVM_X2APIC_API_USE_32BIT_IDS changes the behavior of KVM_SET_GSI_ROUTING, KVM_SIGNAL_MSI, KVM_SET_LAPIC, and KVM_GET_LAPIC, @@ -7814,6 +7816,14 @@ as a broadcast even in x2APIC mode in order to support physical x2APIC without interrupt remapping. This is undesirable in logical mode, where 0xff represents CPUs 0-7 in cluster 0. +Setting KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK overrides +KVM's quirky behavior of not actually suppressing EOI broadcasts for split IRQ +chips when support for Suppress EOI Broadcasts is advertised to the guest. + +Setting KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST disables support for +Suppress EOI Broadcasts entirely, i.e. instructs KVM to NOT advertise support +to the guest and thus disallow enabling EOI broadcast suppression in SPIV. + 7.8 KVM_CAP_S390_USER_INSTR0 ---------------------------- diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 48598d017d6f..f6fdc0842c05 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1480,6 +1480,8 @@ struct kvm_arch { bool x2apic_format; bool x2apic_broadcast_quirk_disabled; + bool disable_ignore_suppress_eoi_broadcast_quirk; + bool x2apic_disable_suppress_eoi_broadcast; bool has_mapped_host_mmio; bool guest_can_read_msr_platform_info; diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h index d420c9c066d4..82d49696118f 100644 --- a/arch/x86/include/uapi/asm/kvm.h +++ b/arch/x86/include/uapi/asm/kvm.h @@ -913,8 +913,10 @@ struct kvm_sev_snp_launch_finish { __u64 pad1[4]; }; -#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) -#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) +#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0) +#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1) +#define KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK (1ULL << 2) +#define KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST (1ULL << 3) struct kvm_hyperv_eventfd { __u32 conn_id; diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 0ae7f913d782..cf8a2162872b 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -562,6 +562,7 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu) * IOAPIC. */ if (guest_cpu_cap_has(vcpu, X86_FEATURE_X2APIC) && + !vcpu->kvm->arch.x2apic_disable_suppress_eoi_broadcast && !ioapic_in_kernel(vcpu->kvm)) v |= APIC_LVR_DIRECTED_EOI; kvm_lapic_set_reg(apic, APIC_LVR, v); @@ -1517,6 +1518,18 @@ static void kvm_ioapic_send_eoi(struct kvm_lapic *apic, int vector) /* Request a KVM exit to inform the userspace IOAPIC. */ if (irqchip_split(apic->vcpu->kvm)) { + /* + * Don't exit to userspace if the guest has enabled Directed + * EOI, a.k.a. Suppress EOI Broadcasts, in which case the local + * APIC doesn't broadcast EOIs (the guest must EOI the target + * I/O APIC(s) directly). Ignore the suppression if userspace + * has NOT disabled KVM's quirk (KVM advertised support for + * Suppress EOI Broadcasts without actually suppressing EOIs). + */ + if ((kvm_lapic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI) && + apic->vcpu->kvm->arch.disable_ignore_suppress_eoi_broadcast_quirk) + return; + apic->vcpu->arch.pending_ioapic_eoi = vector; kvm_make_request(KVM_REQ_IOAPIC_EOI_EXIT, apic->vcpu); return; diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c9c2aa6f4705..e1b6fe783615 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -121,8 +121,11 @@ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE); #define KVM_CAP_PMU_VALID_MASK KVM_PMU_CAP_DISABLE -#define KVM_X2APIC_API_VALID_FLAGS (KVM_X2APIC_API_USE_32BIT_IDS | \ - KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK) +#define KVM_X2APIC_API_VALID_FLAGS \ + (KVM_X2APIC_API_USE_32BIT_IDS | \ + KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK | \ + KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK | \ + KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST) static void update_cr8_intercept(struct kvm_vcpu *vcpu); static void process_nmi(struct kvm_vcpu *vcpu); @@ -6782,7 +6785,10 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, kvm->arch.x2apic_format = true; if (cap->args[0] & KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK) kvm->arch.x2apic_broadcast_quirk_disabled = true; - + if (cap->args[0] & KVM_X2APIC_API_DISABLE_IGNORE_SUPPRESS_EOI_BROADCAST_QUIRK) + kvm->arch.disable_ignore_suppress_eoi_broadcast_quirk = true; + if (cap->args[0] & KVM_X2APIC_API_DISABLE_SUPPRESS_EOI_BROADCAST) + kvm->arch.x2apic_disable_suppress_eoi_broadcast = true; r = 0; break; case KVM_CAP_X86_DISABLE_EXITS: -- 2.39.3

2 weeks, 1 day

1
0
0 0

[PATCH] LoongArch: Add new PCI ID for pci_fixup_vgadev()

by Huacai Chen

Loongson-2K3000 has a new PCI ID (0x7a46) for its display controller, Add it for pci_fixup_vgadev() since we prefer a discrete graphics card as default boot device if present. Cc: stable(a)vger.kernel.org Signed-off-by: Tianrui Zhao <zhaotianrui(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/pci/pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/loongarch/pci/pci.c b/arch/loongarch/pci/pci.c index d9fc5d520b37..d923295ab8c6 100644 --- a/arch/loongarch/pci/pci.c +++ b/arch/loongarch/pci/pci.c @@ -14,6 +14,7 @@ #define PCI_DEVICE_ID_LOONGSON_HOST 0x7a00 #define PCI_DEVICE_ID_LOONGSON_DC1 0x7a06 #define PCI_DEVICE_ID_LOONGSON_DC2 0x7a36 +#define PCI_DEVICE_ID_LOONGSON_DC3 0x7a46 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn, int reg, int len, u32 *val) @@ -97,3 +98,4 @@ static void pci_fixup_vgadev(struct pci_dev *pdev) } DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC1, pci_fixup_vgadev); DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC2, pci_fixup_vgadev); +DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC3, pci_fixup_vgadev); -- 2.47.3

2 weeks, 1 day

1
0
0 0

[PATCH v1] phy: fsl-imx8mq-usb: fix typec orientation switch when built as module

by Franz Schnyder

From: Franz Schnyder <franz.schnyder(a)toradex.com> Currently, the PHY only registers the typec orientation switch when it is built in. If the typec driver is built as a module, the switch registration is skipped due to the preprocessor condition, causing orientation detection to fail. This patch replaces the preprocessor condition so that the orientation switch is correctly registered for both built-in and module builds. Fixes: b58f0f86fd61 ("phy: fsl-imx8mq-usb: add tca function driver for imx95") Cc: stable(a)vger.kernel.org Signed-off-by: Franz Schnyder <franz.schnyder(a)toradex.com> --- drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c index b94f242420fc..d498a6b7234b 100644 --- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c +++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c @@ -124,7 +124,7 @@ struct imx8mq_usb_phy { static void tca_blk_orientation_set(struct tca_blk *tca, enum typec_orientation orientation); -#ifdef CONFIG_TYPEC +#if IS_ENABLED(CONFIG_TYPEC) static int tca_blk_typec_switch_set(struct typec_switch_dev *sw, enum typec_orientation orientation) -- 2.43.0

2 weeks, 1 day

4
4
0 0

[PATCH] [SCSI] hptiop: Add inbound queue offset bounds check in iop_get_config_itl

by Guangshuo Li

In the driver code for the MV‑based queue variant (struct hpt_iopmu_mv of the hptiop driver), the field "inbound_head" is read from the hardware register and used as an index into the array "inbound_q[MVIOP_QUEUE_LEN]". For example: u32 inbound_head = readl(&hba->u.mv.mu->inbound_head); /* ... */ memcpy_toio(&hba->u.mv.mu->inbound_q[inbound_head], &p, 8); The code then increments head and wraps it to zero when it equals MVIOP_QUEUE_LEN. However, the driver does *not* check that the initial value of "inbound_head" is strictly less than "MVIOP_QUEUE_LEN". If the hardware (or attacker‑controlled firmware/hardware device) writes a malicious value into the inbound_head register (which could be ≥ MVIOP_QUEUE_LEN), then subsequent "memcpy_toio" will write past the end of "inbound_q", leading to an out‑of‑bounds write condition. Since inbound_q is allocated with exactly MVIOP_QUEUE_LEN entries (see: __le64 inbound_q[MVIOP_QUEUE_LEN]; /* MVIOP_QUEUE_LEN == 512 */ ), indexing at e.g. "inbound_head == 512" or greater results in undefined memory access and potential corruption of adjacent fields or memory regions. This issue is particularly concerning in scenarios where an attacker has control or influence over the hardware/firmware on the adapter card (for example a malicious or compromised controller), because they could deliberately set "inbound_head" to a value outside the expected [0, MVIOP_QUEUE_LEN‑1] range, thus forcing the driver to write arbitrary data beyond the queue bounds. To mitigate this issue, we add a check to validate the value of "inbound_head" before it is used as an index. If "inbound_head" is found to be out of bounds (≥ MVIOP_QUEUE_LEN), the head will be reset to 0, and "head" will be set to 1 to ensure that a valid entry is written to the queue. The resetting of "inbound_head" to 0 ensures that the queue processing can continue safely and predictably, while the adjustment of "head = 1" ensures that the next valid index is used for subsequent writes. This prevents any out-of-bounds writes and ensures that the queue continues to operate safely even if the hardware is compromised. Fixes: 00f5970193e22 ("[SCSI] hptiop: add more adapter models and other fixes") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/scsi/hptiop.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/scsi/hptiop.c b/drivers/scsi/hptiop.c index c01370893a81..a1a3840e6ea8 100644 --- a/drivers/scsi/hptiop.c +++ b/drivers/scsi/hptiop.c @@ -166,6 +166,14 @@ static void mv_inbound_write(u64 p, struct hptiop_hba *hba) if (head == MVIOP_QUEUE_LEN) head = 0; + if (inbound_head >= MVIOP_QUEUE_LEN) { + dev_err(&hba->pdev->dev, + "hptiop: inbound_head out of range (%u)\n", + inbound_head); + inbound_head = 0; + head = 1; + } + memcpy_toio(&hba->u.mv.mu->inbound_q[inbound_head], &p, 8); writel(head, &hba->u.mv.mu->inbound_head); writel(MVIOP_MU_INBOUND_INT_POSTQUEUE, -- 2.43.0

2 weeks, 1 day

2
1
0 0

[PATCH V1 5.4.y 0/2] Fix bad pmd due to race between change_prot_numa() and THP migration

by Harry Yoo

# TL;DR previous discussion: https://lore.kernel.org/linux-mm/20250921232709.1608699-1-harry.yoo@oracle.… A "bad pmd" error occurs due to race condition between change_prot_numa() and THP migration. The mainline kernel does not have this bug as commit 670ddd8cdc fixes the race condition. 6.1.y, 5.15.y, 5.10.y, 5.4.y are affected by this bug. Fixing this in -stable kernels is tricky because pte_map_offset_lock() has different semantics in pre-6.5 and post-6.5 kernels. I am trying to backport the same mechanism we have in the mainline kernel. # Testing I verified that the bug described below is not reproduced anymore (on a downstream kernel) after applying this patch series. It used to trigger in few days of intensive numa balancing testing, but it survived 2 weeks with this applied. # Bug Description It was reported that a bad pmd is seen when automatic NUMA balancing is marking page table entries as prot_numa: [2437548.196018] mm/pgtable-generic.c:50: bad pmd 00000000af22fc02(dffffffe71fbfe02) [2437548.235022] Call Trace: [2437548.238234] <TASK> [2437548.241060] dump_stack_lvl+0x46/0x61 [2437548.245689] panic+0x106/0x2e5 [2437548.249497] pmd_clear_bad+0x3c/0x3c [2437548.253967] change_pmd_range.isra.0+0x34d/0x3a7 [2437548.259537] change_p4d_range+0x156/0x20e [2437548.264392] change_protection_range+0x116/0x1a9 [2437548.269976] change_prot_numa+0x15/0x37 [2437548.274774] task_numa_work+0x1b8/0x302 [2437548.279512] task_work_run+0x62/0x95 [2437548.283882] exit_to_user_mode_loop+0x1a4/0x1a9 [2437548.289277] exit_to_user_mode_prepare+0xf4/0xfc [2437548.294751] ? sysvec_apic_timer_interrupt+0x34/0x81 [2437548.300677] irqentry_exit_to_user_mode+0x5/0x25 [2437548.306153] asm_sysvec_apic_timer_interrupt+0x16/0x1b This is due to a race condition between change_prot_numa() and THP migration because the kernel doesn't check is_swap_pmd() and pmd_trans_huge() atomically: change_prot_numa() THP migration ====================================================================== - change_pmd_range() -> is_swap_pmd() returns false, meaning it's not a PMD migration entry. - do_huge_pmd_numa_page() -> migrate_misplaced_page() sets migration entries for the THP. - change_pmd_range() -> pmd_none_or_clear_bad_unless_trans_huge() -> pmd_none() and pmd_trans_huge() returns false - pmd_none_or_clear_bad_unless_trans_huge() -> pmd_bad() returns true for the migration entry! The upstream commit 670ddd8cdcbd ("mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge()") closes this race condition by checking is_swap_pmd() and pmd_trans_huge() atomically. # Backporting note commit a79390f5d6a7 ("mm/mprotect: use long for page accountings and retval") is backported to return an error code (negative value) in change_pte_range(). Unlike the mainline, pte_offset_map_lock() does not check if the pmd entry is a migration entry or a hugepage; acquires PTL unconditionally instead of returning failure. Therefore, it is necessary to keep the !is_swap_pmd() && !pmd_trans_huge() && !pmd_devmap() checks in change_pmd_range() before acquiring the PTL. After acquiring the lock, open-code the semantics of pte_offset_map_lock() in the mainline kernel; change_pte_range() fails if the pmd value has changed. This requires adding pmd_old parameter (pmd_t value that is read before calling the function) to change_pte_range(). Hugh Dickins (1): mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge() Peter Xu (1): mm/mprotect: use long for page accountings and retval include/linux/hugetlb.h | 4 +- include/linux/mm.h | 2 +- mm/hugetlb.c | 4 +- mm/mempolicy.c | 2 +- mm/mprotect.c | 124 +++++++++++++++++----------------------- 5 files changed, 60 insertions(+), 76 deletions(-) -- 2.43.0

2 weeks, 1 day

1
2
0 0

[PATCH V1 5.10.y 0/2] Fix bad pmd due to race between change_prot_numa() and THP migration

by Harry Yoo

# TL;DR previous discussion: https://lore.kernel.org/linux-mm/20250921232709.1608699-1-harry.yoo@oracle.… A "bad pmd" error occurs due to race condition between change_prot_numa() and THP migration. The mainline kernel does not have this bug as commit 670ddd8cdc fixes the race condition. 6.1.y, 5.15.y, 5.10.y, 5.4.y are affected by this bug. Fixing this in -stable kernels is tricky because pte_map_offset_lock() has different semantics in pre-6.5 and post-6.5 kernels. I am trying to backport the same mechanism we have in the mainline kernel. # Testing I verified that the bug described below is not reproduced anymore (on a downstream kernel) after applying this patch series. It used to trigger in few days of intensive numa balancing testing, but it survived 2 weeks with this applied. # Bug Description It was reported that a bad pmd is seen when automatic NUMA balancing is marking page table entries as prot_numa: [2437548.196018] mm/pgtable-generic.c:50: bad pmd 00000000af22fc02(dffffffe71fbfe02) [2437548.235022] Call Trace: [2437548.238234] <TASK> [2437548.241060] dump_stack_lvl+0x46/0x61 [2437548.245689] panic+0x106/0x2e5 [2437548.249497] pmd_clear_bad+0x3c/0x3c [2437548.253967] change_pmd_range.isra.0+0x34d/0x3a7 [2437548.259537] change_p4d_range+0x156/0x20e [2437548.264392] change_protection_range+0x116/0x1a9 [2437548.269976] change_prot_numa+0x15/0x37 [2437548.274774] task_numa_work+0x1b8/0x302 [2437548.279512] task_work_run+0x62/0x95 [2437548.283882] exit_to_user_mode_loop+0x1a4/0x1a9 [2437548.289277] exit_to_user_mode_prepare+0xf4/0xfc [2437548.294751] ? sysvec_apic_timer_interrupt+0x34/0x81 [2437548.300677] irqentry_exit_to_user_mode+0x5/0x25 [2437548.306153] asm_sysvec_apic_timer_interrupt+0x16/0x1b This is due to a race condition between change_prot_numa() and THP migration because the kernel doesn't check is_swap_pmd() and pmd_trans_huge() atomically: change_prot_numa() THP migration ====================================================================== - change_pmd_range() -> is_swap_pmd() returns false, meaning it's not a PMD migration entry. - do_huge_pmd_numa_page() -> migrate_misplaced_page() sets migration entries for the THP. - change_pmd_range() -> pmd_none_or_clear_bad_unless_trans_huge() -> pmd_none() and pmd_trans_huge() returns false - pmd_none_or_clear_bad_unless_trans_huge() -> pmd_bad() returns true for the migration entry! The upstream commit 670ddd8cdcbd ("mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge()") closes this race condition by checking is_swap_pmd() and pmd_trans_huge() atomically. # Backporting note commit a79390f5d6a7 ("mm/mprotect: use long for page accountings and retval") is backported to return an error code (negative value) in change_pte_range(). Unlike the mainline, pte_offset_map_lock() does not check if the pmd entry is a migration entry or a hugepage; acquires PTL unconditionally instead of returning failure. Therefore, it is necessary to keep the !is_swap_pmd() && !pmd_trans_huge() && !pmd_devmap() checks in change_pmd_range() before acquiring the PTL. After acquiring the lock, open-code the semantics of pte_offset_map_lock() in the mainline kernel; change_pte_range() fails if the pmd value has changed. This requires adding pmd_old parameter (pmd_t value that is read before calling the function) to change_pte_range(). Hugh Dickins (1): mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge() Peter Xu (1): mm/mprotect: use long for page accountings and retval include/linux/hugetlb.h | 4 +- include/linux/mm.h | 2 +- mm/hugetlb.c | 4 +- mm/mempolicy.c | 2 +- mm/mprotect.c | 107 ++++++++++++++++++++++------------------ 5 files changed, 64 insertions(+), 55 deletions(-) -- 2.43.0

2 weeks, 1 day

1
2
0 0

[PATCH] media: venus: vdec: restrict EOS addr quirk to IRIS2 only

by Dikshita Agarwal

On SM8250 (IRIS2) with firmware older than 1.0.087, the firmware could not handle a dummy device address for EOS buffers, so a NULL device address is sent instead. The existing check used IS_V6() alongside a firmware version gate: if (IS_V6(core) && is_fw_rev_or_older(core, 1, 0, 87)) fdata.device_addr = 0; else fdata.device_addr = 0xdeadb000; However, SC7280 which is also V6, uses a firmware string of the form "1.0.<commit-hash>", which the version parser translates to 1.0.0. This unintentionally satisfies the `is_fw_rev_or_older(..., 1, 0, 87)` condition on SC7280. Combined with IS_V6() matching there as well, the quirk is incorrectly applied to SC7280, causing VP9 decode failures. Constrain the check to IRIS2 (SM8250) only, which is the only platform that needed this quirk, by replacing IS_V6() with IS_IRIS2(). This restores correct behavior on SC7280 (no forced NULL EOS buffer address). Fixes: 47f867cb1b63 ("media: venus: fix EOS handling in decoder stop command") Cc: stable(a)vger.kernel.org Reported-by: Mecid <notifications(a)github.com> Closes: https://github.com/qualcomm-linux/kernel-topics/issues/222 Co-developed-by: Renjiang Han <renjiang.han(a)oss.qualcomm.com> Signed-off-by: Renjiang Han <renjiang.han(a)oss.qualcomm.com> Signed-off-by: Dikshita Agarwal <dikshita.agarwal(a)oss.qualcomm.com> --- drivers/media/platform/qcom/venus/vdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c index 4a6641fdffcf79705893be58c7ec5cf485e2fab9..dc85a5b8c989eb8339e5de9fea7ab49532e7f15a 100644 --- a/drivers/media/platform/qcom/venus/vdec.c +++ b/drivers/media/platform/qcom/venus/vdec.c @@ -565,7 +565,7 @@ vdec_decoder_cmd(struct file *file, void *fh, struct v4l2_decoder_cmd *cmd) fdata.buffer_type = HFI_BUFFER_INPUT; fdata.flags |= HFI_BUFFERFLAG_EOS; - if (IS_V6(inst->core) && is_fw_rev_or_older(inst->core, 1, 0, 87)) + if (IS_IRIS2(inst->core) && is_fw_rev_or_older(inst->core, 1, 0, 87)) fdata.device_addr = 0; else fdata.device_addr = 0xdeadb000; --- base-commit: 1f2353f5a1af995efbf7bea44341aa0d03460b28 change-id: 20251121-venus-vp9-fix-1ff602724c02 Best regards, -- Dikshita Agarwal <dikshita.agarwal(a)oss.qualcomm.com>

2 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] mptcp: fix address removal logic in mptcp_pm_nl_rm_addr" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 92e239e36d600002559074994a545fcfac9afd2d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112435-stray-aflutter-0f77@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 92e239e36d600002559074994a545fcfac9afd2d Mon Sep 17 00:00:00 2001 From: Gang Yan <yangang(a)kylinos.cn> Date: Tue, 18 Nov 2025 08:20:28 +0100 Subject: [PATCH] mptcp: fix address removal logic in mptcp_pm_nl_rm_addr Fix inverted WARN_ON_ONCE condition that prevented normal address removal counter updates. The current code only executes decrement logic when the counter is already 0 (abnormal state), while normal removals (counter > 0) are ignored. Signed-off-by: Gang Yan <yangang(a)kylinos.cn> Fixes: 636113918508 ("mptcp: pm: remove '_nl' from mptcp_pm_nl_rm_addr_received") Cc: stable(a)vger.kernel.org Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-10-806d3… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c index 2ae95476dba3..0a50fd5edc06 100644 --- a/net/mptcp/pm_kernel.c +++ b/net/mptcp/pm_kernel.c @@ -672,7 +672,7 @@ static void mptcp_pm_nl_add_addr_received(struct mptcp_sock *msk) void mptcp_pm_nl_rm_addr(struct mptcp_sock *msk, u8 rm_id) { - if (rm_id && WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) { + if (rm_id && !WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) { u8 limit_add_addr_accepted = mptcp_pm_get_limit_add_addr_accepted(msk);

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mptcp: do not fallback when OoO is present" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1bba3f219c5e8c29e63afa3c1fc24f875ebec119 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112426-backroom-negate-d125@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1bba3f219c5e8c29e63afa3c1fc24f875ebec119 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Tue, 18 Nov 2025 08:20:22 +0100 Subject: [PATCH] mptcp: do not fallback when OoO is present In case of DSS corruption, the MPTCP protocol tries to avoid the subflow reset if fallback is possible. Such corruptions happen in the receive path; to ensure fallback is possible the stack additionally needs to check for OoO data, otherwise the fallback will break the data stream. Fixes: e32d262c89e2 ("mptcp: handle consistently DSS corruption") Cc: stable(a)vger.kernel.org Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/598 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-4-806d37… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e30e9043a694..6f0e8f670d83 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -76,6 +76,13 @@ bool __mptcp_try_fallback(struct mptcp_sock *msk, int fb_mib) if (__mptcp_check_fallback(msk)) return true; + /* The caller possibly is not holding the msk socket lock, but + * in the fallback case only the current subflow is touching + * the OoO queue. + */ + if (!RB_EMPTY_ROOT(&msk->out_of_order_queue)) + return false; + spin_lock_bh(&msk->fallback_lock); if (!msk->allow_infinite_fallback) { spin_unlock_bh(&msk->fallback_lock);

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mptcp: do not fallback when OoO is present" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1bba3f219c5e8c29e63afa3c1fc24f875ebec119 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112425-math-lasso-c3b8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1bba3f219c5e8c29e63afa3c1fc24f875ebec119 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Tue, 18 Nov 2025 08:20:22 +0100 Subject: [PATCH] mptcp: do not fallback when OoO is present In case of DSS corruption, the MPTCP protocol tries to avoid the subflow reset if fallback is possible. Such corruptions happen in the receive path; to ensure fallback is possible the stack additionally needs to check for OoO data, otherwise the fallback will break the data stream. Fixes: e32d262c89e2 ("mptcp: handle consistently DSS corruption") Cc: stable(a)vger.kernel.org Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/598 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-4-806d37… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e30e9043a694..6f0e8f670d83 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -76,6 +76,13 @@ bool __mptcp_try_fallback(struct mptcp_sock *msk, int fb_mib) if (__mptcp_check_fallback(msk)) return true; + /* The caller possibly is not holding the msk socket lock, but + * in the fallback case only the current subflow is touching + * the OoO queue. + */ + if (!RB_EMPTY_ROOT(&msk->out_of_order_queue)) + return false; + spin_lock_bh(&msk->fallback_lock); if (!msk->allow_infinite_fallback) { spin_unlock_bh(&msk->fallback_lock);

2 weeks, 1 day

2
1
0 0

[REGRESSION] stable-rc/linux-6.11.y: (build) ./include/net/ip.h:472:14: error: default initialization of an obj...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.11.y: --- ./include/net/ip.h:472:14: error: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] in security/selinux/avc.o (security/selinux/avc.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:16f2d4d7ea51d0d2cee2101fea4a5d762aaeca6d - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: f6d41443f54856ceece0d5b584f47f681513bde4 - tags: v6.11.11 Log excerpt: ===================================================== In file included from security/selinux/avc.c:30: In file included from ./security/selinux/include/avc.h:18: In file included from ./include/linux/lsm_audit.h:25: In file included from ./include/rdma/ib_verbs.h:26: ./include/net/ip.h:472:14: error: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] 472 | if (mtu && time_before(jiffies, rt->dst.expires)) | ^ ./include/linux/jiffies.h:138:26: note: expanded from macro 'time_before' 138 | #define time_before(a,b) time_after(b,a) | ^ ./include/linux/jiffies.h:128:3: note: expanded from macro 'time_after' 128 | (typecheck(unsigned long, a) && \ | ^ ./include/linux/typecheck.h:11:12: note: expanded from macro 'typecheck' 11 | typeof(x) __dummy2; \ | ^ 1 error generated. CC security/keys/request_key_auth.o ===================================================== # Builds where the incident occurred: ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-i386-allmodconfig-69250a4bf5b874… - dashboard: https://d.kernelci.org/build/maestro:69250a4bf5b8743b1f5fbe05 ## x86_64_defconfig on (x86_64): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-x86-69250a16f5b8743b1f5fbddc/.co… - dashboard: https://d.kernelci.org/build/maestro:69250a16f5b8743b1f5fbddc #kernelci issue maestro:16f2d4d7ea51d0d2cee2101fea4a5d762aaeca6d Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 1 day

1
0
0 0

[REGRESSION] stable-rc/linux-6.10.y: (build) the frame size of 1192 bytes is larger than 1024 bytes [-Werror=fr...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.10.y: --- the frame size of 1192 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] in drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_state.o (drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_state.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:2fa2a6ca830cbfb7c388f6da90bf40ae58e3185b - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 47c2f92131c47a37ea0e3d8e1a4e4c82a9b473d4 - tags: v6.10.14 Log excerpt: ===================================================== drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_state.c:219:1: error: the frame size of 1192 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] 219 | } | ^ CC drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_reg.o CC drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_dcn20.o CC drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_dcn21.o CC drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_dcn30.o CC drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_dcn301.o CC drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_dcn302.o cc1: all warnings being treated as errors ===================================================== # Builds where the incident occurred: ## defconfig+kcidebug+x86-board on (i386): - compiler: gcc-14 - config: https://files.kernelci.org/kbuild-gcc-14-x86-kcidebug-6924fef4f5b8743b1f5fa… - dashboard: https://d.kernelci.org/build/maestro:6924fef4f5b8743b1f5fac6f #kernelci issue maestro:2fa2a6ca830cbfb7c388f6da90bf40ae58e3185b Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] mptcp: fix a race in mptcp_pm_del_add_timer()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 426358d9be7ce3518966422f87b96f1bad27295f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112436-parlor-sleeve-f7d9@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 426358d9be7ce3518966422f87b96f1bad27295f Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Mon, 17 Nov 2025 10:07:44 +0000 Subject: [PATCH] mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2523 [inline] slab_free mm/slub.c:6611 [inline] kfree+0x197/0x950 mm/slub.c:6818 mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x508/0x820 net/socket.c:2630 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 __sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cc: stable(a)vger.kernel.org Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") Reported-by: syzbot+2a6fbf0f0530375968df(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Geliang Tang <geliang(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c index 2ff1b9499568..9604b91902b8 100644 --- a/net/mptcp/pm.c +++ b/net/mptcp/pm.c @@ -18,6 +18,7 @@ struct mptcp_pm_add_entry { u8 retrans_times; struct timer_list add_timer; struct mptcp_sock *sock; + struct rcu_head rcu; }; static DEFINE_SPINLOCK(mptcp_pm_list_lock); @@ -155,7 +156,7 @@ bool mptcp_remove_anno_list_by_saddr(struct mptcp_sock *msk, entry = mptcp_pm_del_add_timer(msk, addr, false); ret = entry; - kfree(entry); + kfree_rcu(entry, rcu); return ret; } @@ -345,22 +346,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock *msk, { struct mptcp_pm_add_entry *entry; struct sock *sk = (struct sock *)msk; - struct timer_list *add_timer = NULL; + bool stop_timer = false; + + rcu_read_lock(); spin_lock_bh(&msk->pm.lock); entry = mptcp_lookup_anno_list_by_saddr(msk, addr); if (entry && (!check_id || entry->addr.id == addr->id)) { entry->retrans_times = ADD_ADDR_RETRANS_MAX; - add_timer = &entry->add_timer; + stop_timer = true; } if (!check_id && entry) list_del(&entry->list); spin_unlock_bh(&msk->pm.lock); - /* no lock, because sk_stop_timer_sync() is calling timer_delete_sync() */ - if (add_timer) - sk_stop_timer_sync(sk, add_timer); + /* Note: entry might have been removed by another thread. + * We hold rcu_read_lock() to ensure it is not freed under us. + */ + if (stop_timer) + sk_stop_timer_sync(sk, &entry->add_timer); + rcu_read_unlock(); return entry; } @@ -415,7 +421,7 @@ static void mptcp_pm_free_anno_list(struct mptcp_sock *msk) list_for_each_entry_safe(entry, tmp, &free_list, list) { sk_stop_timer_sync(sk, &entry->add_timer); - kfree(entry); + kfree_rcu(entry, rcu); } }

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mptcp: fix a race in mptcp_pm_del_add_timer()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 426358d9be7ce3518966422f87b96f1bad27295f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112435-maimed-muskiness-bb78@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 426358d9be7ce3518966422f87b96f1bad27295f Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Mon, 17 Nov 2025 10:07:44 +0000 Subject: [PATCH] mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2523 [inline] slab_free mm/slub.c:6611 [inline] kfree+0x197/0x950 mm/slub.c:6818 mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x508/0x820 net/socket.c:2630 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 __sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cc: stable(a)vger.kernel.org Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") Reported-by: syzbot+2a6fbf0f0530375968df(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Geliang Tang <geliang(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c index 2ff1b9499568..9604b91902b8 100644 --- a/net/mptcp/pm.c +++ b/net/mptcp/pm.c @@ -18,6 +18,7 @@ struct mptcp_pm_add_entry { u8 retrans_times; struct timer_list add_timer; struct mptcp_sock *sock; + struct rcu_head rcu; }; static DEFINE_SPINLOCK(mptcp_pm_list_lock); @@ -155,7 +156,7 @@ bool mptcp_remove_anno_list_by_saddr(struct mptcp_sock *msk, entry = mptcp_pm_del_add_timer(msk, addr, false); ret = entry; - kfree(entry); + kfree_rcu(entry, rcu); return ret; } @@ -345,22 +346,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock *msk, { struct mptcp_pm_add_entry *entry; struct sock *sk = (struct sock *)msk; - struct timer_list *add_timer = NULL; + bool stop_timer = false; + + rcu_read_lock(); spin_lock_bh(&msk->pm.lock); entry = mptcp_lookup_anno_list_by_saddr(msk, addr); if (entry && (!check_id || entry->addr.id == addr->id)) { entry->retrans_times = ADD_ADDR_RETRANS_MAX; - add_timer = &entry->add_timer; + stop_timer = true; } if (!check_id && entry) list_del(&entry->list); spin_unlock_bh(&msk->pm.lock); - /* no lock, because sk_stop_timer_sync() is calling timer_delete_sync() */ - if (add_timer) - sk_stop_timer_sync(sk, add_timer); + /* Note: entry might have been removed by another thread. + * We hold rcu_read_lock() to ensure it is not freed under us. + */ + if (stop_timer) + sk_stop_timer_sync(sk, &entry->add_timer); + rcu_read_unlock(); return entry; } @@ -415,7 +421,7 @@ static void mptcp_pm_free_anno_list(struct mptcp_sock *msk) list_for_each_entry_safe(entry, tmp, &free_list, list) { sk_stop_timer_sync(sk, &entry->add_timer); - kfree(entry); + kfree_rcu(entry, rcu); } }

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mptcp: fix a race in mptcp_pm_del_add_timer()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 426358d9be7ce3518966422f87b96f1bad27295f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112434-dating-unwashed-a971@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 426358d9be7ce3518966422f87b96f1bad27295f Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Mon, 17 Nov 2025 10:07:44 +0000 Subject: [PATCH] mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2523 [inline] slab_free mm/slub.c:6611 [inline] kfree+0x197/0x950 mm/slub.c:6818 mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x508/0x820 net/socket.c:2630 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 __sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cc: stable(a)vger.kernel.org Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") Reported-by: syzbot+2a6fbf0f0530375968df(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Geliang Tang <geliang(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c index 2ff1b9499568..9604b91902b8 100644 --- a/net/mptcp/pm.c +++ b/net/mptcp/pm.c @@ -18,6 +18,7 @@ struct mptcp_pm_add_entry { u8 retrans_times; struct timer_list add_timer; struct mptcp_sock *sock; + struct rcu_head rcu; }; static DEFINE_SPINLOCK(mptcp_pm_list_lock); @@ -155,7 +156,7 @@ bool mptcp_remove_anno_list_by_saddr(struct mptcp_sock *msk, entry = mptcp_pm_del_add_timer(msk, addr, false); ret = entry; - kfree(entry); + kfree_rcu(entry, rcu); return ret; } @@ -345,22 +346,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock *msk, { struct mptcp_pm_add_entry *entry; struct sock *sk = (struct sock *)msk; - struct timer_list *add_timer = NULL; + bool stop_timer = false; + + rcu_read_lock(); spin_lock_bh(&msk->pm.lock); entry = mptcp_lookup_anno_list_by_saddr(msk, addr); if (entry && (!check_id || entry->addr.id == addr->id)) { entry->retrans_times = ADD_ADDR_RETRANS_MAX; - add_timer = &entry->add_timer; + stop_timer = true; } if (!check_id && entry) list_del(&entry->list); spin_unlock_bh(&msk->pm.lock); - /* no lock, because sk_stop_timer_sync() is calling timer_delete_sync() */ - if (add_timer) - sk_stop_timer_sync(sk, add_timer); + /* Note: entry might have been removed by another thread. + * We hold rcu_read_lock() to ensure it is not freed under us. + */ + if (stop_timer) + sk_stop_timer_sync(sk, &entry->add_timer); + rcu_read_unlock(); return entry; } @@ -415,7 +421,7 @@ static void mptcp_pm_free_anno_list(struct mptcp_sock *msk) list_for_each_entry_safe(entry, tmp, &free_list, list) { sk_stop_timer_sync(sk, &entry->add_timer); - kfree(entry); + kfree_rcu(entry, rcu); } }

2 weeks, 1 day

2
1
0 0

[REGRESSION] stable-rc/linux-6.7.y: (build) ./include/net/ip.h:466:14: error: default initialization of an obj...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.7.y: --- ./include/net/ip.h:466:14: error: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] in fs/select.o (fs/select.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:ef7b256354a7cedfb60e6ae7cbe595e4f34cf4ed - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: dacf7e83da42bd9d3978560e41869a784c24d912 - tags: v6.7.12 Log excerpt: ===================================================== In file included from fs/select.c:33: In file included from ./include/net/busy_poll.h:18: ./include/net/ip.h:466:14: error: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Werror,-Wdefault-const-init-var-unsafe] 466 | if (mtu && time_before(jiffies, rt->dst.expires)) | ^ ./include/linux/jiffies.h:135:26: note: expanded from macro 'time_before' 135 | #define time_before(a,b) time_after(b,a) | ^ ./include/linux/jiffies.h:125:3: note: expanded from macro 'time_after' 125 | (typecheck(unsigned long, a) && \ | ^ ./include/linux/typecheck.h:11:12: note: expanded from macro 'typecheck' 11 | typeof(x) __dummy2; \ | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## x86_64_defconfig on (x86_64): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-x86-6924fd86f5b8743b1f5fa865/.co… - dashboard: https://d.kernelci.org/build/maestro:6924fd86f5b8743b1f5fa865 #kernelci issue maestro:ef7b256354a7cedfb60e6ae7cbe595e4f34cf4ed Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 1 day

1
0
0 0

[PATCH net] platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak

by yongxin.liu＠windriver.com

From: Yongxin Liu <yongxin.liu(a)windriver.com> The intel_pmc_ipc() function uses ACPI_ALLOCATE_BUFFER to allocate memory for the ACPI evaluation result but never frees it, causing a 192-byte memory leak on each call. This leak is triggered during network interface initialization when the stmmac driver calls intel_mac_finish() -> intel_pmc_ipc(). unreferenced object 0xffff96a848d6ea80 (size 192): comm "dhcpcd", pid 541, jiffies 4294684345 hex dump (first 32 bytes): 04 00 00 00 05 00 00 00 98 ea d6 48 a8 96 ff ff ...........H.... 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ backtrace (crc b1564374): kmemleak_alloc+0x2d/0x40 __kmalloc_noprof+0x2fa/0x730 acpi_ut_initialize_buffer+0x83/0xc0 acpi_evaluate_object+0x29a/0x2f0 intel_pmc_ipc+0xfd/0x170 intel_mac_finish+0x168/0x230 stmmac_mac_finish+0x3d/0x50 phylink_major_config+0x22b/0x5b0 phylink_mac_initial_config.constprop.0+0xf1/0x1b0 phylink_start+0x8e/0x210 __stmmac_open+0x12c/0x2b0 stmmac_open+0x23c/0x380 __dev_open+0x11d/0x2c0 __dev_change_flags+0x1d2/0x250 netif_change_flags+0x2b/0x70 dev_change_flags+0x40/0xb0 Add kfree() to properly release the allocated buffer. Cc: stable(a)vger.kernel.org Fixes: 7e2f7e25f6ff ("arch: x86: add IPC mailbox accessor function and add SoC register access") Signed-off-by: Yongxin Liu <yongxin.liu(a)windriver.com> --- include/linux/platform_data/x86/intel_pmc_ipc.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/platform_data/x86/intel_pmc_ipc.h b/include/linux/platform_data/x86/intel_pmc_ipc.h index 1d34435b7001..2fd5e684ce26 100644 --- a/include/linux/platform_data/x86/intel_pmc_ipc.h +++ b/include/linux/platform_data/x86/intel_pmc_ipc.h @@ -89,6 +89,7 @@ static inline int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, struct pmc_ipc_rbuf return -EINVAL; } + kfree (obj); return 0; #else return -ENODEV; -- 2.46.2

2 weeks, 1 day

4
3
0 0

[REGRESSION] stable-rc/linux-6.7.y: (build) default initialization of an object of type 'struct kernel_param' ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.7.y: --- default initialization of an object of type 'struct kernel_param' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe] in kernel/params.o (kernel/params.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:b49cc34e36d28dfb446fecde078c599d5e502b0f - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: dacf7e83da42bd9d3978560e41869a784c24d912 - tags: v6.7.12 Log excerpt: ===================================================== kernel/params.c:368:22: error: default initialization of an object of type 'struct kernel_param' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe] 368 | struct kernel_param dummy; | ^ ./include/linux/moduleparam.h:73:12: note: member 'perm' declared 'const' here 73 | const u16 perm; | ^ kernel/params.c:424:22: error: default initialization of an object of type 'struct kernel_param' with const member leaves the object uninitialized [-Werror,-Wdefault-const-init-field-unsafe] 424 | struct kernel_param kp; | ^ ./include/linux/moduleparam.h:73:12: note: member 'perm' declared 'const' here 73 | co CC arch/x86/xen/setup.o nst u16 perm; | ^ HDRTEST usr/include/linux/net_namespace.h 2 errors generated. ===================================================== # Builds where the incident occurred: ## x86_64_defconfig+allmodconfig on (x86_64): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-x86-allmodconfig-6924fd8bf5b8743… - dashboard: https://d.kernelci.org/build/maestro:6924fd8bf5b8743b1f5fa868 #kernelci issue maestro:b49cc34e36d28dfb446fecde078c599d5e502b0f Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] mptcp: fix premature close in case of fallback" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 17393fa7b7086664be519e7230cb6ed7ec7d9462 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112424-drift-duffel-a7f9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 17393fa7b7086664be519e7230cb6ed7ec7d9462 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Tue, 18 Nov 2025 08:20:21 +0100 Subject: [PATCH] mptcp: fix premature close in case of fallback I'm observing very frequent self-tests failures in case of fallback when running on a CONFIG_PREEMPT kernel. The root cause is that subflow_sched_work_if_closed() closes any subflow as soon as it is half-closed and has no incoming data pending. That works well for regular subflows - MPTCP needs bi-directional connectivity to operate on a given subflow - but for fallback socket is race prone. When TCP peer closes the connection before the MPTCP one, subflow_sched_work_if_closed() will schedule the MPTCP worker to gracefully close the subflow, and shortly after will do another schedule to inject and process a dummy incoming DATA_FIN. On CONFIG_PREEMPT kernel, the MPTCP worker can kick-in and close the fallback subflow before subflow_sched_work_if_closed() is able to create the dummy DATA_FIN, unexpectedly interrupting the transfer. Address the issue explicitly avoiding closing fallback subflows on when the peer is only half-closed. Note that, when the subflow is able to create the DATA_FIN before the worker invocation, the worker will change the msk state before trying to close the subflow and will skip the latter operation as the msk will not match anymore the precondition in __mptcp_close_subflow(). Fixes: f09b0ad55a11 ("mptcp: close subflow when receiving TCP+FIN") Cc: stable(a)vger.kernel.org Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-3-806d37… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e27e0fe2460f..e30e9043a694 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2563,7 +2563,8 @@ static void __mptcp_close_subflow(struct sock *sk) if (ssk_state != TCP_CLOSE && (ssk_state != TCP_CLOSE_WAIT || - inet_sk_state_load(sk) != TCP_ESTABLISHED)) + inet_sk_state_load(sk) != TCP_ESTABLISHED || + __mptcp_check_fallback(msk))) continue; /* 'subflow_data_ready' will re-sched once rx queue is empty */

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mptcp: fix a race in mptcp_pm_del_add_timer()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 426358d9be7ce3518966422f87b96f1bad27295f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112433-mortuary-favorable-330a@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 426358d9be7ce3518966422f87b96f1bad27295f Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Mon, 17 Nov 2025 10:07:44 +0000 Subject: [PATCH] mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2523 [inline] slab_free mm/slub.c:6611 [inline] kfree+0x197/0x950 mm/slub.c:6818 mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x508/0x820 net/socket.c:2630 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 __sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cc: stable(a)vger.kernel.org Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") Reported-by: syzbot+2a6fbf0f0530375968df(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Geliang Tang <geliang(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c index 2ff1b9499568..9604b91902b8 100644 --- a/net/mptcp/pm.c +++ b/net/mptcp/pm.c @@ -18,6 +18,7 @@ struct mptcp_pm_add_entry { u8 retrans_times; struct timer_list add_timer; struct mptcp_sock *sock; + struct rcu_head rcu; }; static DEFINE_SPINLOCK(mptcp_pm_list_lock); @@ -155,7 +156,7 @@ bool mptcp_remove_anno_list_by_saddr(struct mptcp_sock *msk, entry = mptcp_pm_del_add_timer(msk, addr, false); ret = entry; - kfree(entry); + kfree_rcu(entry, rcu); return ret; } @@ -345,22 +346,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock *msk, { struct mptcp_pm_add_entry *entry; struct sock *sk = (struct sock *)msk; - struct timer_list *add_timer = NULL; + bool stop_timer = false; + + rcu_read_lock(); spin_lock_bh(&msk->pm.lock); entry = mptcp_lookup_anno_list_by_saddr(msk, addr); if (entry && (!check_id || entry->addr.id == addr->id)) { entry->retrans_times = ADD_ADDR_RETRANS_MAX; - add_timer = &entry->add_timer; + stop_timer = true; } if (!check_id && entry) list_del(&entry->list); spin_unlock_bh(&msk->pm.lock); - /* no lock, because sk_stop_timer_sync() is calling timer_delete_sync() */ - if (add_timer) - sk_stop_timer_sync(sk, add_timer); + /* Note: entry might have been removed by another thread. + * We hold rcu_read_lock() to ensure it is not freed under us. + */ + if (stop_timer) + sk_stop_timer_sync(sk, &entry->add_timer); + rcu_read_unlock(); return entry; } @@ -415,7 +421,7 @@ static void mptcp_pm_free_anno_list(struct mptcp_sock *msk) list_for_each_entry_safe(entry, tmp, &free_list, list) { sk_stop_timer_sync(sk, &entry->add_timer); - kfree(entry); + kfree_rcu(entry, rcu); } }

2 weeks, 1 day

2
1
0 0

Re: [PATCH rtw-next] wifi: rtw88: sdio: use indirect IO for device registers before power-on

by Andrey Skvortsov

Hi, This patch was recently backported to stable kernels (v6.12.58) and it broke wlan on PinePhone, that uses 8723cs SDIO chip. The same problem appears of course on latest 6.18-rc6. Reverting this change resolves the problem. ``` $ sudo dmesg | grep -i rtw88 [ 24.940551] rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0 [ 24.953085] rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0 [ 24.955892] rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 [ 24.973135] rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110 [ 24.980673] rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 ... [ 25.446691] rtw88_8723cs mmc1:0001:1: sdio read8 failed (0x100): -110 [ 25.453569] rtw88_8723cs mmc1:0001:1: mac power on failed [ 25.459077] rtw88_8723cs mmc1:0001:1: failed to power on mac [ 25.464841] rtw88_8723cs mmc1:0001:1: failed to setup chip efuse info [ 25.464856] rtw88_8723cs mmc1:0001:1: failed to setup chip information [ 25.478341] rtw88_8723cs mmc1:0001:1: probe with driver rtw88_8723cs failed with error -114 ``` On 25-07-24 08:48, Ping-Ke Shih wrote: > The register REG_SYS_CFG1 is used to determine chip basic information > as arguments of following flows, such as download firmware and load PHY > parameters, so driver read the value early (before power-on). > > However, the direct IO is disallowed before power-on, or it causes wrong > values, which driver recognizes a chip as a wrong type RF_1T1R, but > actually RF_2T2R, causing driver warns: > > rtw88_8822cs mmc1:0001:1: unsupported rf path (1) > > Fix it by using indirect IO before power-on. > > Reported-by: Piotr Oniszczuk <piotr.oniszczuk(a)gmail.com> > Closes: https://lore.kernel.org/linux-wireless/699C22B4-A3E3-4206-97D0-22AB3348EBF6… > Suggested-by: Bitterblue Smith <rtl8821cerfe2(a)gmail.com> > Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> > --- > drivers/net/wireless/realtek/rtw88/sdio.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c > index cc2d4fef3587..99d7c629eac6 100644 > --- a/drivers/net/wireless/realtek/rtw88/sdio.c > +++ b/drivers/net/wireless/realtek/rtw88/sdio.c > @@ -144,6 +144,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr, > > static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr) > { > + if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) && > + !rtw_sdio_is_bus_addr(addr)) > + return false; > + > return !rtw_sdio_is_sdio30_supported(rtwdev) || > rtw_sdio_is_bus_addr(addr); > } > -- > 2.25.1 > -- Best regards, Andrey Skvortsov

2 weeks, 1 day

2
3
0 0

Mejora la gestión de compensaciones en tu empresa

by Daniel Rodríguez

Optimiza la gestión de compensaciones Garantiza remuneraciones justas y competitivas con Vorecol Compensation Management. Hola , Garantizar remuneraciones justas y competitivas es clave para atraer y retener talento, pero muchas veces determinar el salario adecuado puede ser complejo. Con Vorecol Compensation Management podrás establecer con precisión el salario para cada puesto, respaldado por criterios objetivos basados en los factores más relevantes de tu organización. Con Vorecol Compensation Management puedes: • Determinar salarios adecuados y equitativos para todos los roles. • Respaldar las decisiones de compensación con justificaciones objetivas. • Facilitar la transparencia y confianza en la gestión de remuneraciones. Esto permite crear un entorno laboral más justo, motivador y competitivo, beneficiando tanto a tu equipo como a la empresa. Si quieres conocer más sobre cómo optimizar la gestión de compensaciones, puedes responder a este correo o contactarme directamente, mis datos están abajo. Saludos, -------------- Atte.: Daniel Rodríguez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqeyseup">click aquí</a>

2 weeks, 1 day

1
0
0 0

[merged mm-stable] mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/huge_memory: merge uniform_split_supported() and non_uniform_split_supported() has been removed from the -mm tree. Its filename was mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: mm/huge_memory: merge uniform_split_supported() and non_uniform_split_supported() Date: Thu, 6 Nov 2025 03:41:55 +0000 uniform_split_supported() and non_uniform_split_supported() share significantly similar logic. The only functional difference is that uniform_split_supported() includes an additional check on the requested @new_order. The reason for this check comes from the following two aspects: * some file system or swap cache just supports order-0 folio * the behavioral difference between uniform/non-uniform split The behavioral difference between uniform split and non-uniform: * uniform split splits folio directly to @new_order * non-uniform split creates after-split folios with orders from folio_order(folio) - 1 to new_order. This means for non-uniform split or !new_order split we should check the file system and swap cache respectively. This commit unifies the logic and merge the two functions into a single combined helper, removing redundant code and simplifying the split support checking mechanism. Link: https://lkml.kernel.org/r/20251106034155.21398-3-richard.weiyang@gmail.com Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: "David Hildenbrand (Red Hat)" <david(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Lance Yang <lance.yang(a)linux.dev> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Nico Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/huge_mm.h | 8 +--- mm/huge_memory.c | 71 ++++++++++++++++---------------------- 2 files changed, 33 insertions(+), 46 deletions(-) --- a/include/linux/huge_mm.h~mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported +++ a/include/linux/huge_mm.h @@ -374,10 +374,8 @@ int __split_huge_page_to_list_to_order(s unsigned int new_order, bool unmapped); int min_order_for_split(struct folio *folio); int split_folio_to_list(struct folio *folio, struct list_head *list); -bool uniform_split_supported(struct folio *folio, unsigned int new_order, - bool warns); -bool non_uniform_split_supported(struct folio *folio, unsigned int new_order, - bool warns); +bool folio_split_supported(struct folio *folio, unsigned int new_order, + enum split_type split_type, bool warns); int folio_split(struct folio *folio, unsigned int new_order, struct page *page, struct list_head *list); @@ -408,7 +406,7 @@ static inline int split_huge_page_to_ord static inline int try_folio_split_to_order(struct folio *folio, struct page *page, unsigned int new_order) { - if (!non_uniform_split_supported(folio, new_order, /* warns= */ false)) + if (!folio_split_supported(folio, new_order, SPLIT_TYPE_NON_UNIFORM, /* warns= */ false)) return split_huge_page_to_order(&folio->page, new_order); return folio_split(folio, new_order, page, NULL); } --- a/mm/huge_memory.c~mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported +++ a/mm/huge_memory.c @@ -3593,8 +3593,8 @@ static int __split_unmapped_folio(struct return 0; } -bool non_uniform_split_supported(struct folio *folio, unsigned int new_order, - bool warns) +bool folio_split_supported(struct folio *folio, unsigned int new_order, + enum split_type split_type, bool warns) { if (folio_test_anon(folio)) { /* order-1 is not supported for anonymous THP. */ @@ -3602,48 +3602,41 @@ bool non_uniform_split_supported(struct "Cannot split to order-1 folio"); if (new_order == 1) return false; - } else if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && - !mapping_large_folio_support(folio->mapping)) { - /* - * No split if the file system does not support large folio. - * Note that we might still have THPs in such mappings due to - * CONFIG_READ_ONLY_THP_FOR_FS. But in that case, the mapping - * does not actually support large folios properly. - */ - VM_WARN_ONCE(warns, - "Cannot split file folio to non-0 order"); - return false; - } - - /* Only swapping a whole PMD-mapped folio is supported */ - if (folio_test_swapcache(folio)) { - VM_WARN_ONCE(warns, - "Cannot split swapcache folio to non-0 order"); - return false; - } - - return true; -} - -/* See comments in non_uniform_split_supported() */ -bool uniform_split_supported(struct folio *folio, unsigned int new_order, - bool warns) -{ - if (folio_test_anon(folio)) { - VM_WARN_ONCE(warns && new_order == 1, - "Cannot split to order-1 folio"); - if (new_order == 1) - return false; - } else if (new_order) { + } else if (split_type == SPLIT_TYPE_NON_UNIFORM || new_order) { if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !mapping_large_folio_support(folio->mapping)) { + /* + * We can always split a folio down to a single page + * (new_order == 0) uniformly. + * + * For any other scenario + * a) uniform split targeting a large folio + * (new_order > 0) + * b) any non-uniform split + * we must confirm that the file system supports large + * folios. + * + * Note that we might still have THPs in such + * mappings, which is created from khugepaged when + * CONFIG_READ_ONLY_THP_FOR_FS is enabled. But in that + * case, the mapping does not actually support large + * folios properly. + */ VM_WARN_ONCE(warns, "Cannot split file folio to non-0 order"); return false; } } - if (new_order && folio_test_swapcache(folio)) { + /* + * swapcache folio could only be split to order 0 + * + * non-uniform split creates after-split folios with orders from + * folio_order(folio) - 1 to new_order, making it not suitable for any + * swapcache folio split. Only uniform split to order-0 can be used + * here. + */ + if ((split_type == SPLIT_TYPE_NON_UNIFORM || new_order) && folio_test_swapcache(folio)) { VM_WARN_ONCE(warns, "Cannot split swapcache folio to non-0 order"); return false; @@ -3711,11 +3704,7 @@ static int __folio_split(struct folio *f if (new_order >= old_order) return -EINVAL; - if (split_type == SPLIT_TYPE_UNIFORM && !uniform_split_supported(folio, new_order, true)) - return -EINVAL; - - if (split_type == SPLIT_TYPE_NON_UNIFORM && - !non_uniform_split_supported(folio, new_order, true)) + if (!folio_split_supported(folio, new_order, split_type, /* warn = */ true)) return -EINVAL; is_hzp = is_huge_zero_folio(folio); _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are

2 weeks, 1 day

1
0
0 0

[merged mm-stable] mm-huge_memory-add-pmd-folio-to-ds_queue-in-do_huge_zero_wp_pmd.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/huge_memory: add pmd folio to ds_queue in do_huge_zero_wp_pmd() has been removed from the -mm tree. Its filename was mm-huge_memory-add-pmd-folio-to-ds_queue-in-do_huge_zero_wp_pmd.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: mm/huge_memory: add pmd folio to ds_queue in do_huge_zero_wp_pmd() Date: Wed, 8 Oct 2025 09:54:52 +0000 We add pmd folio into ds_queue on the first page fault in __do_huge_pmd_anonymous_page(), so that we can split it in case of memory pressure. This should be the same for a pmd folio during wp page fault. Commit 1ced09e0331f ("mm: allocate THP on hugezeropage wp-fault") miss to add it to ds_queue, which means system may not reclaim enough memory in case of memory pressure even the pmd folio is under used. Move deferred_split_folio() into map_anon_folio_pmd() to make the pmd folio installation consistent. Link: https://lkml.kernel.org/r/20251008095453.18772-2-richard.weiyang@gmail.com Fixes: 1ced09e0331f ("mm: allocate THP on hugezeropage wp-fault") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Lance Yang <lance.yang(a)linux.dev> Reviewed-by: Dev Jain <dev.jain(a)arm.com> Acked-by: Usama Arif <usamaarif642(a)gmail.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/huge_memory.c~mm-huge_memory-add-pmd-folio-to-ds_queue-in-do_huge_zero_wp_pmd +++ a/mm/huge_memory.c @@ -1233,6 +1233,7 @@ static void map_anon_folio_pmd(struct fo count_vm_event(THP_FAULT_ALLOC); count_mthp_stat(HPAGE_PMD_ORDER, MTHP_STAT_ANON_FAULT_ALLOC); count_memcg_event_mm(vma->vm_mm, THP_FAULT_ALLOC); + deferred_split_folio(folio, false); } static vm_fault_t __do_huge_pmd_anonymous_page(struct vm_fault *vmf) @@ -1273,7 +1274,6 @@ static vm_fault_t __do_huge_pmd_anonymou pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable); map_anon_folio_pmd(folio, vmf->pmd, vma, haddr); mm_inc_nr_ptes(vma->vm_mm); - deferred_split_folio(folio, false); spin_unlock(vmf->ptl); } _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are

2 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] mptcp: fix ack generation for fallback msk" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5e15395f6d9ec07395866c5511f4b4ac566c0c9b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112448-naming-survey-424d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5e15395f6d9ec07395866c5511f4b4ac566c0c9b Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Tue, 18 Nov 2025 08:20:19 +0100 Subject: [PATCH] mptcp: fix ack generation for fallback msk mptcp_cleanup_rbuf() needs to know the last most recent, mptcp-level rcv_wnd sent, and such information is tracked into the msk->old_wspace field, updated at ack transmission time by mptcp_write_options(). Fallback socket do not add any mptcp options, such helper is never invoked, and msk->old_wspace value remain stale. That in turn makes ack generation at recvmsg() time quite random. Address the issue ensuring mptcp_write_options() is invoked even for fallback sockets, and just update the needed info in such a case. The issue went unnoticed for a long time, as mptcp currently overshots the fallback socket receive buffer autotune significantly. It is going to change in the near future. Fixes: e3859603ba13 ("mptcp: better msk receive window updates") Cc: stable(a)vger.kernel.org Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/594 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-1-806d37… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 1103b3341a70..8a63bd00807d 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -838,8 +838,11 @@ bool mptcp_established_options(struct sock *sk, struct sk_buff *skb, opts->suboptions = 0; + /* Force later mptcp_write_options(), but do not use any actual + * option space. + */ if (unlikely(__mptcp_check_fallback(msk) && !mptcp_check_infinite_map(skb))) - return false; + return true; if (unlikely(skb && TCP_SKB_CB(skb)->tcp_flags & TCPHDR_RST)) { if (mptcp_established_options_fastclose(sk, &opt_size, remaining, opts) || @@ -1319,6 +1322,20 @@ static void mptcp_set_rwin(struct tcp_sock *tp, struct tcphdr *th) WRITE_ONCE(msk->old_wspace, tp->rcv_wnd); } +static void mptcp_track_rwin(struct tcp_sock *tp) +{ + const struct sock *ssk = (const struct sock *)tp; + struct mptcp_subflow_context *subflow; + struct mptcp_sock *msk; + + if (!ssk) + return; + + subflow = mptcp_subflow_ctx(ssk); + msk = mptcp_sk(subflow->conn); + WRITE_ONCE(msk->old_wspace, tp->rcv_wnd); +} + __sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum) { struct csum_pseudo_header header; @@ -1611,6 +1628,10 @@ void mptcp_write_options(struct tcphdr *th, __be32 *ptr, struct tcp_sock *tp, opts->reset_transient, opts->reset_reason); return; + } else if (unlikely(!opts->suboptions)) { + /* Fallback to TCP */ + mptcp_track_rwin(tp); + return; } if (OPTION_MPTCP_PRIO & opts->suboptions) {

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mptcp: fix a race in mptcp_pm_del_add_timer()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 426358d9be7ce3518966422f87b96f1bad27295f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112431-pentagon-posture-3ba1@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 426358d9be7ce3518966422f87b96f1bad27295f Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Mon, 17 Nov 2025 10:07:44 +0000 Subject: [PATCH] mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2523 [inline] slab_free mm/slub.c:6611 [inline] kfree+0x197/0x950 mm/slub.c:6818 mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x508/0x820 net/socket.c:2630 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 __sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cc: stable(a)vger.kernel.org Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") Reported-by: syzbot+2a6fbf0f0530375968df(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Geliang Tang <geliang(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c index 2ff1b9499568..9604b91902b8 100644 --- a/net/mptcp/pm.c +++ b/net/mptcp/pm.c @@ -18,6 +18,7 @@ struct mptcp_pm_add_entry { u8 retrans_times; struct timer_list add_timer; struct mptcp_sock *sock; + struct rcu_head rcu; }; static DEFINE_SPINLOCK(mptcp_pm_list_lock); @@ -155,7 +156,7 @@ bool mptcp_remove_anno_list_by_saddr(struct mptcp_sock *msk, entry = mptcp_pm_del_add_timer(msk, addr, false); ret = entry; - kfree(entry); + kfree_rcu(entry, rcu); return ret; } @@ -345,22 +346,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock *msk, { struct mptcp_pm_add_entry *entry; struct sock *sk = (struct sock *)msk; - struct timer_list *add_timer = NULL; + bool stop_timer = false; + + rcu_read_lock(); spin_lock_bh(&msk->pm.lock); entry = mptcp_lookup_anno_list_by_saddr(msk, addr); if (entry && (!check_id || entry->addr.id == addr->id)) { entry->retrans_times = ADD_ADDR_RETRANS_MAX; - add_timer = &entry->add_timer; + stop_timer = true; } if (!check_id && entry) list_del(&entry->list); spin_unlock_bh(&msk->pm.lock); - /* no lock, because sk_stop_timer_sync() is calling timer_delete_sync() */ - if (add_timer) - sk_stop_timer_sync(sk, add_timer); + /* Note: entry might have been removed by another thread. + * We hold rcu_read_lock() to ensure it is not freed under us. + */ + if (stop_timer) + sk_stop_timer_sync(sk, &entry->add_timer); + rcu_read_unlock(); return entry; } @@ -415,7 +421,7 @@ static void mptcp_pm_free_anno_list(struct mptcp_sock *msk) list_for_each_entry_safe(entry, tmp, &free_list, list) { sk_stop_timer_sync(sk, &entry->add_timer); - kfree(entry); + kfree_rcu(entry, rcu); } }

2 weeks, 1 day

2
1
0 0

[merged mm-hotfixes-stable] mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/huge_memory: fix NULL pointer deference when splitting folio has been removed from the -mm tree. Its filename was mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: mm/huge_memory: fix NULL pointer deference when splitting folio Date: Wed, 19 Nov 2025 23:53:02 +0000 Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags. Link: https://lkml.kernel.org/r/20251119235302.24773-1-richard.weiyang@gmail.com Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Acked-by: David Hildenbrand (Red Hat) <david(a)kernel.org> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) --- a/mm/huge_memory.c~mm-huge_memory-fix-null-pointer-deference-when-splitting-folio +++ a/mm/huge_memory.c @@ -3619,6 +3619,16 @@ static int __folio_split(struct folio *f if (folio != page_folio(split_at) || folio != page_folio(lock_at)) return -EINVAL; + /* + * Folios that just got truncated cannot get split. Signal to the + * caller that there was a race. + * + * TODO: this will also currently refuse shmem folios that are in the + * swapcache. + */ + if (!is_anon && !folio->mapping) + return -EBUSY; + if (new_order >= folio_order(folio)) return -EINVAL; @@ -3659,18 +3669,6 @@ static int __folio_split(struct folio *f gfp_t gfp; mapping = folio->mapping; - - /* Truncated ? */ - /* - * TODO: add support for large shmem folio in swap cache. - * When shmem is in swap cache, mapping is NULL and - * folio_test_swapcache() is true. - */ - if (!mapping) { - ret = -EBUSY; - goto out; - } - min_order = mapping_min_folio_order(folio->mapping); if (new_order < min_order) { ret = -EINVAL; _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are mm-huge_memory-add-pmd-folio-to-ds_queue-in-do_huge_zero_wp_pmd.patch mm-khugepaged-unify-pmd-folio-installation-with-map_anon_folio_pmd.patch mm-huge_memory-only-get-folio_order-once-during-__folio_split.patch mm-huge_memory-introduce-enum-split_type-for-clarity.patch mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported.patch mm-khugepaged-remove-redundant-clearing-of-struct-collapse_control.patch mm-khugepaged-continue-to-collapse-on-scan_pmd_none.patch mm-khugepaged-unify-scan_pmd_none-and-scan_pmd_null-into-scan_no_pte_table.patch

2 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] selftests-mm-fix-division-by-zero-in-uffd-unit-tests.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests/mm: fix division-by-zero in uffd-unit-tests has been removed from the -mm tree. Its filename was selftests-mm-fix-division-by-zero-in-uffd-unit-tests.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Carlos Llamas <cmllamas(a)google.com> Subject: selftests/mm: fix division-by-zero in uffd-unit-tests Date: Thu, 13 Nov 2025 03:46:22 +0000 Commit 4dfd4bba8578 ("selftests/mm/uffd: refactor non-composite global vars into struct") moved some of the operations previously implemented in uffd_setup_environment() earlier in the main test loop. The calculation of nr_pages, which involves a division by page_size, now occurs before checking that default_huge_page_size() returns a non-zero This leads to a division-by-zero error on systems with !CONFIG_HUGETLB. Fix this by relocating the non-zero page_size check before the nr_pages calculation, as it was originally implemented. Link: https://lkml.kernel.org/r/20251113034623.3127012-1-cmllamas@google.com Fixes: 4dfd4bba8578 ("selftests/mm/uffd: refactor non-composite global vars into struct") Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Acked-by: David Hildenbrand (Red Hat) <david(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Ujwal Kundur <ujwal.kundur(a)gmail.com> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/uffd-unit-tests.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) --- a/tools/testing/selftests/mm/uffd-unit-tests.c~selftests-mm-fix-division-by-zero-in-uffd-unit-tests +++ a/tools/testing/selftests/mm/uffd-unit-tests.c @@ -1758,10 +1758,15 @@ int main(int argc, char *argv[]) uffd_test_ops = mem_type->mem_ops; uffd_test_case_ops = test->test_case_ops; - if (mem_type->mem_flag & (MEM_HUGETLB_PRIVATE | MEM_HUGETLB)) + if (mem_type->mem_flag & (MEM_HUGETLB_PRIVATE | MEM_HUGETLB)) { gopts.page_size = default_huge_page_size(); - else + if (gopts.page_size == 0) { + uffd_test_skip("huge page size is 0, feature missing?"); + continue; + } + } else { gopts.page_size = psize(); + } /* Ensure we have at least 2 pages */ gopts.nr_pages = MAX(UFFD_TEST_MEM_SIZE, gopts.page_size * 2) @@ -1776,12 +1781,6 @@ int main(int argc, char *argv[]) continue; uffd_test_start("%s on %s", test->name, mem_type->name); - if ((mem_type->mem_flag == MEM_HUGETLB || - mem_type->mem_flag == MEM_HUGETLB_PRIVATE) && - (default_huge_page_size() == 0)) { - uffd_test_skip("huge page size is 0, feature missing?"); - continue; - } if (!uffd_feature_supported(test)) { uffd_test_skip("feature missing"); continue; _ Patches currently in -mm which might be from cmllamas(a)google.com are

2 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] mm-memfd-fix-information-leak-in-hugetlb-folios.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memfd: fix information leak in hugetlb folios has been removed from the -mm tree. Its filename was mm-memfd-fix-information-leak-in-hugetlb-folios.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Deepanshu Kartikey <kartikey406(a)gmail.com> Subject: mm/memfd: fix information leak in hugetlb folios Date: Wed, 12 Nov 2025 20:20:34 +0530 When allocating hugetlb folios for memfd, three initialization steps are missing: 1. Folios are not zeroed, leading to kernel memory disclosure to userspace 2. Folios are not marked uptodate before adding to page cache 3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache() The memfd allocation path bypasses the normal page fault handler (hugetlb_no_page) which would handle all of these initialization steps. This is problematic especially for udmabuf use cases where folios are pinned and directly accessed by userspace via DMA. Fix by matching the initialization pattern used in hugetlb_no_page(): - Zero the folio using folio_zero_user() which is optimized for huge pages - Mark it uptodate with folio_mark_uptodate() - Take hugetlb_fault_mutex before adding to page cache to prevent races The folio_zero_user() change also fixes a potential security issue where uninitialized kernel memory could be disclosed to userspace through read() or mmap() operations on the memfd. Link: https://lkml.kernel.org/r/20251112145034.2320452-1-kartikey406@gmail.com Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reported-by: syzbot+f64019ba229e3a5c411b(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20251112031631.2315651-1-kartikey406@gmail.com/ [v1] Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b Suggested-by: Oscar Salvador <osalvador(a)suse.de> Suggested-by: David Hildenbrand <david(a)redhat.com> Tested-by: syzbot+f64019ba229e3a5c411b(a)syzkaller.appspotmail.com Acked-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: David Hildenbrand (Red Hat) <david(a)kernel.org> Acked-by: Hugh Dickins <hughd(a)google.com> Cc: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> (v2) Cc: Christoph Hellwig <hch(a)lst.de> (v6) Cc: Dave Airlie <airlied(a)redhat.com> Cc: Gerd Hoffmann <kraxel(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memfd.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) --- a/mm/memfd.c~mm-memfd-fix-information-leak-in-hugetlb-folios +++ a/mm/memfd.c @@ -96,9 +96,36 @@ struct folio *memfd_alloc_folio(struct f NULL, gfp_mask); if (folio) { + u32 hash; + + /* + * Zero the folio to prevent information leaks to userspace. + * Use folio_zero_user() which is optimized for huge/gigantic + * pages. Pass 0 as addr_hint since this is not a faulting path + * and we don't have a user virtual address yet. + */ + folio_zero_user(folio, 0); + + /* + * Mark the folio uptodate before adding to page cache, + * as required by filemap.c and other hugetlb paths. + */ + __folio_mark_uptodate(folio); + + /* + * Serialize hugepage allocation and instantiation to prevent + * races with concurrent allocations, as required by all other + * callers of hugetlb_add_to_page_cache(). + */ + hash = hugetlb_fault_mutex_hash(memfd->f_mapping, idx); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + err = hugetlb_add_to_page_cache(folio, memfd->f_mapping, idx); + + mutex_unlock(&hugetlb_fault_mutex_table[hash]); + if (err) { folio_put(folio); goto err_unresv; _ Patches currently in -mm which might be from kartikey406(a)gmail.com are

2 weeks, 1 day

1
0
0 0

[merged mm-hotfixes-stable] mm-swap-remove-duplicate-nr_swap_pages-decrement-in-get_swap_page_of_type.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: swap: remove duplicate nr_swap_pages decrement in get_swap_page_of_type() has been removed from the -mm tree. Its filename was mm-swap-remove-duplicate-nr_swap_pages-decrement-in-get_swap_page_of_type.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Youngjun Park <youngjun.park(a)lge.com> Subject: mm: swap: remove duplicate nr_swap_pages decrement in get_swap_page_of_type() Date: Sun, 2 Nov 2025 17:24:56 +0900 After commit 4f78252da887, nr_swap_pages is decremented in swap_range_alloc(). Since cluster_alloc_swap_entry() calls swap_range_alloc() internally, the decrement in get_swap_page_of_type() causes double-decrementing. As a representative userspace-visible runtime example of the impact, /proc/meminfo reports increasingly inaccurate SwapFree values. The discrepancy grows with each swap allocation, and during hibernation when large amounts of memory are written to swap, the reported value can deviate significantly from actual available swap space, misleading users and monitoring tools. Remove the duplicate decrement. Link: https://lkml.kernel.org/r/20251102082456.79807-1-youngjun.park@lge.com Fixes: 4f78252da887 ("mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc()") Signed-off-by: Youngjun Park <youngjun.park(a)lge.com> Acked-by: Chris Li <chrisl(a)kernel.org> Reviewed-by: Barry Song <baohua(a)kernel.org> Reviewed-by: Kairui Song <kasong(a)tencent.com> Acked-by: Nhat Pham <nphamcs(a)gmail.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: <stable(a)vger.kernel.org> [6.17+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/mm/swapfile.c~mm-swap-remove-duplicate-nr_swap_pages-decrement-in-get_swap_page_of_type +++ a/mm/swapfile.c @@ -2005,10 +2005,8 @@ swp_entry_t get_swap_page_of_type(int ty local_lock(&percpu_swap_cluster.lock); offset = cluster_alloc_swap_entry(si, 0, 1); local_unlock(&percpu_swap_cluster.lock); - if (offset) { + if (offset) entry = swp_entry(si->type, offset); - atomic_long_dec(&nr_swap_pages); - } } put_swap_device(si); } _ Patches currently in -mm which might be from youngjun.park(a)lge.com are mm-swap-fix-wrong-plist-empty-check-in-swap_alloc_slow.patch mm-swap-fix-memory-leak-in-setup_clusters-error-path.patch mm-swap-use-swp_solidstate-to-determine-if-swap-is-rotational.patch mm-swap-remove-redundant-comment-for-read_swap_cache_async.patch mm-swap-change-swap_alloc_slow-to-void.patch mm-swap-remove-scan_swap_map_slots-references-from-comments.patch

2 weeks, 1 day

1
0
0 0

[tip: x86/urgent] x86/CPU/AMD: Add RDSEED fix for Zen5

by tip-bot2 for Gregory Price

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 607b9fb2ce248cc5b633c5949e0153838992c152 Gitweb: https://git.kernel.org/tip/607b9fb2ce248cc5b633c5949e0153838992c152 Author: Gregory Price <gourry(a)gourry.net> AuthorDate: Mon, 20 Oct 2025 11:13:55 +02:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Tue, 28 Oct 2025 12:37:49 +01:00 x86/CPU/AMD: Add RDSEED fix for Zen5 There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 "at a rate inconsistent with randomness while incorrectly signaling success (CF=1)". Search the web for AMD-SB-7055 for more detail. Add a fix glue which checks microcode revisions. [ bp: Add microcode revisions checking, rewrite. ] Cc: stable(a)vger.kernel.org Signed-off-by: Gregory Price <gourry(a)gourry.net> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Link: https://lore.kernel.org/r/20251018024010.4112396-1-gourry@gourry.net --- arch/x86/kernel/cpu/amd.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index ccaa51c..bc29be6 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -1035,8 +1035,18 @@ static void init_amd_zen4(struct cpuinfo_x86 *c) } } +static const struct x86_cpu_id zen5_rdseed_microcode[] = { + ZEN_MODEL_STEP_UCODE(0x1a, 0x02, 0x1, 0x0b00215a), + ZEN_MODEL_STEP_UCODE(0x1a, 0x11, 0x0, 0x0b101054), +}; + static void init_amd_zen5(struct cpuinfo_x86 *c) { + if (!x86_match_min_microcode_rev(zen5_rdseed_microcode)) { + clear_cpu_cap(c, X86_FEATURE_RDSEED); + msr_clear_bit(MSR_AMD64_CPUID_FN_7, 18); + pr_emerg_once("RDSEED32 is broken. Disabling the corresponding CPUID bit.\n"); + } } static void init_amd(struct cpuinfo_x86 *c)

2 weeks, 1 day

6
6
0 0

FAILED: patch "[PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ec33b59542d96830e3c89845ff833cf7b25ef172 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112438-stoppable-bribe-71e6@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001 From: Vlastimil Babka <vbabka(a)suse.cz> Date: Thu, 13 Nov 2025 19:54:35 +0100 Subject: [PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283) Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed. We could give up on HIGHMEM here, but it's straightforward to fix this with a loop that's mapping, poisoning or checking and unmapping individual pages. Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com Analyzed-by: Christoph Hellwig <hch(a)lst.de> Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator") Cc: stable(a)vger.kernel.org Tested-by: kernel test robot <oliver.sang(a)intel.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/mempool.c b/mm/mempool.c index 1c38e873e546..d7bbf1189db9 100644 --- a/mm/mempool.c +++ b/mm/mempool.c @@ -68,10 +68,20 @@ static void check_element(mempool_t *pool, void *element) } else if (pool->free == mempool_free_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __check_element(pool, addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __check_element(pool, addr, PAGE_SIZE << order); +#endif } } @@ -97,10 +107,20 @@ static void poison_element(mempool_t *pool, void *element) } else if (pool->alloc == mempool_alloc_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __poison_element(addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __poison_element(addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __poison_element(addr, PAGE_SIZE << order); +#endif } } #else /* CONFIG_SLUB_DEBUG_ON */

2 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x ec33b59542d96830e3c89845ff833cf7b25ef172 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112437-sandpaper-almighty-8e37@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001 From: Vlastimil Babka <vbabka(a)suse.cz> Date: Thu, 13 Nov 2025 19:54:35 +0100 Subject: [PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283) Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed. We could give up on HIGHMEM here, but it's straightforward to fix this with a loop that's mapping, poisoning or checking and unmapping individual pages. Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com Analyzed-by: Christoph Hellwig <hch(a)lst.de> Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator") Cc: stable(a)vger.kernel.org Tested-by: kernel test robot <oliver.sang(a)intel.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/mempool.c b/mm/mempool.c index 1c38e873e546..d7bbf1189db9 100644 --- a/mm/mempool.c +++ b/mm/mempool.c @@ -68,10 +68,20 @@ static void check_element(mempool_t *pool, void *element) } else if (pool->free == mempool_free_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __check_element(pool, addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __check_element(pool, addr, PAGE_SIZE << order); +#endif } } @@ -97,10 +107,20 @@ static void poison_element(mempool_t *pool, void *element) } else if (pool->alloc == mempool_alloc_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __poison_element(addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __poison_element(addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __poison_element(addr, PAGE_SIZE << order); +#endif } } #else /* CONFIG_SLUB_DEBUG_ON */

2 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x ec33b59542d96830e3c89845ff833cf7b25ef172 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112436-unabashed-tacky-b8b3@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001 From: Vlastimil Babka <vbabka(a)suse.cz> Date: Thu, 13 Nov 2025 19:54:35 +0100 Subject: [PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283) Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed. We could give up on HIGHMEM here, but it's straightforward to fix this with a loop that's mapping, poisoning or checking and unmapping individual pages. Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com Analyzed-by: Christoph Hellwig <hch(a)lst.de> Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator") Cc: stable(a)vger.kernel.org Tested-by: kernel test robot <oliver.sang(a)intel.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/mempool.c b/mm/mempool.c index 1c38e873e546..d7bbf1189db9 100644 --- a/mm/mempool.c +++ b/mm/mempool.c @@ -68,10 +68,20 @@ static void check_element(mempool_t *pool, void *element) } else if (pool->free == mempool_free_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __check_element(pool, addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __check_element(pool, addr, PAGE_SIZE << order); +#endif } } @@ -97,10 +107,20 @@ static void poison_element(mempool_t *pool, void *element) } else if (pool->alloc == mempool_alloc_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __poison_element(addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __poison_element(addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __poison_element(addr, PAGE_SIZE << order); +#endif } } #else /* CONFIG_SLUB_DEBUG_ON */

2 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] dt-bindings: pinctrl: toshiba,visconti: Fix number of items" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 316e361b5d2cdeb8d778983794a1c6eadcb26814 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112405-vixen-monogamy-fb80@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 316e361b5d2cdeb8d778983794a1c6eadcb26814 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzk(a)kernel.org> Date: Wed, 22 Oct 2025 15:34:26 +0200 Subject: [PATCH] dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups The "groups" property can hold multiple entries (e.g. toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect type (pinmux-node.yaml schema already defines that as string-array) and adding constraints for items. This fixes dtbs_check warnings like: toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl): pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Acked-by: Conor Dooley <conor.dooley(a)microchip.com> Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> diff --git a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml index 19d47fd414bc..ce04d2eadec9 100644 --- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml +++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml @@ -50,18 +50,20 @@ patternProperties: groups: description: Name of the pin group to use for the functions. - $ref: /schemas/types.yaml#/definitions/string - enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, - i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, - spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, - spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, - uart0_grp, uart1_grp, uart2_grp, uart3_grp, - pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, - pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, - pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, - pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, - pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, - pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] + items: + enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, + i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, + spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, + spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, + uart0_grp, uart1_grp, uart2_grp, uart3_grp, + pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, + pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, + pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, + pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, + pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, + pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] + minItems: 1 + maxItems: 8 drive-strength: enum: [2, 4, 6, 8, 16, 24, 32]

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] dt-bindings: pinctrl: toshiba,visconti: Fix number of items" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 316e361b5d2cdeb8d778983794a1c6eadcb26814 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112404-radial-yoyo-25b9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 316e361b5d2cdeb8d778983794a1c6eadcb26814 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzk(a)kernel.org> Date: Wed, 22 Oct 2025 15:34:26 +0200 Subject: [PATCH] dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups The "groups" property can hold multiple entries (e.g. toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect type (pinmux-node.yaml schema already defines that as string-array) and adding constraints for items. This fixes dtbs_check warnings like: toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl): pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Acked-by: Conor Dooley <conor.dooley(a)microchip.com> Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> diff --git a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml index 19d47fd414bc..ce04d2eadec9 100644 --- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml +++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml @@ -50,18 +50,20 @@ patternProperties: groups: description: Name of the pin group to use for the functions. - $ref: /schemas/types.yaml#/definitions/string - enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, - i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, - spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, - spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, - uart0_grp, uart1_grp, uart2_grp, uart3_grp, - pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, - pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, - pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, - pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, - pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, - pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] + items: + enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, + i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, + spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, + spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, + uart0_grp, uart1_grp, uart2_grp, uart3_grp, + pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, + pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, + pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, + pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, + pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, + pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] + minItems: 1 + maxItems: 8 drive-strength: enum: [2, 4, 6, 8, 16, 24, 32]

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x ec33b59542d96830e3c89845ff833cf7b25ef172 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112435-agile-sprawl-f420@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001 From: Vlastimil Babka <vbabka(a)suse.cz> Date: Thu, 13 Nov 2025 19:54:35 +0100 Subject: [PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283) Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed. We could give up on HIGHMEM here, but it's straightforward to fix this with a loop that's mapping, poisoning or checking and unmapping individual pages. Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com Analyzed-by: Christoph Hellwig <hch(a)lst.de> Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator") Cc: stable(a)vger.kernel.org Tested-by: kernel test robot <oliver.sang(a)intel.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/mempool.c b/mm/mempool.c index 1c38e873e546..d7bbf1189db9 100644 --- a/mm/mempool.c +++ b/mm/mempool.c @@ -68,10 +68,20 @@ static void check_element(mempool_t *pool, void *element) } else if (pool->free == mempool_free_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __check_element(pool, addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __check_element(pool, addr, PAGE_SIZE << order); +#endif } } @@ -97,10 +107,20 @@ static void poison_element(mempool_t *pool, void *element) } else if (pool->alloc == mempool_alloc_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __poison_element(addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __poison_element(addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __poison_element(addr, PAGE_SIZE << order); +#endif } } #else /* CONFIG_SLUB_DEBUG_ON */

2 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] dt-bindings: pinctrl: toshiba,visconti: Fix number of items" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 316e361b5d2cdeb8d778983794a1c6eadcb26814 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112404-uninsured-retorted-4758@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 316e361b5d2cdeb8d778983794a1c6eadcb26814 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzk(a)kernel.org> Date: Wed, 22 Oct 2025 15:34:26 +0200 Subject: [PATCH] dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups The "groups" property can hold multiple entries (e.g. toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect type (pinmux-node.yaml schema already defines that as string-array) and adding constraints for items. This fixes dtbs_check warnings like: toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl): pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Acked-by: Conor Dooley <conor.dooley(a)microchip.com> Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> diff --git a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml index 19d47fd414bc..ce04d2eadec9 100644 --- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml +++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml @@ -50,18 +50,20 @@ patternProperties: groups: description: Name of the pin group to use for the functions. - $ref: /schemas/types.yaml#/definitions/string - enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, - i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, - spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, - spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, - uart0_grp, uart1_grp, uart2_grp, uart3_grp, - pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, - pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, - pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, - pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, - pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, - pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] + items: + enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, + i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, + spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, + spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, + uart0_grp, uart1_grp, uart2_grp, uart3_grp, + pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, + pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, + pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, + pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, + pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, + pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] + minItems: 1 + maxItems: 8 drive-strength: enum: [2, 4, 6, 8, 16, 24, 32]

2 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x ec33b59542d96830e3c89845ff833cf7b25ef172 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112434-uncle-ethics-cb16@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ec33b59542d96830e3c89845ff833cf7b25ef172 Mon Sep 17 00:00:00 2001 From: Vlastimil Babka <vbabka(a)suse.cz> Date: Thu, 13 Nov 2025 19:54:35 +0100 Subject: [PATCH] mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283) Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed. We could give up on HIGHMEM here, but it's straightforward to fix this with a loop that's mapping, poisoning or checking and unmapping individual pages. Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com Analyzed-by: Christoph Hellwig <hch(a)lst.de> Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator") Cc: stable(a)vger.kernel.org Tested-by: kernel test robot <oliver.sang(a)intel.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/mempool.c b/mm/mempool.c index 1c38e873e546..d7bbf1189db9 100644 --- a/mm/mempool.c +++ b/mm/mempool.c @@ -68,10 +68,20 @@ static void check_element(mempool_t *pool, void *element) } else if (pool->free == mempool_free_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __check_element(pool, addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __check_element(pool, addr, PAGE_SIZE << order); +#endif } } @@ -97,10 +107,20 @@ static void poison_element(mempool_t *pool, void *element) } else if (pool->alloc == mempool_alloc_pages) { /* Mempools backed by page allocator */ int order = (int)(long)pool->pool_data; - void *addr = kmap_local_page((struct page *)element); - __poison_element(addr, 1UL << (PAGE_SHIFT + order)); - kunmap_local(addr); +#ifdef CONFIG_HIGHMEM + for (int i = 0; i < (1 << order); i++) { + struct page *page = (struct page *)element; + void *addr = kmap_local_page(page + i); + + __poison_element(addr, PAGE_SIZE); + kunmap_local(addr); + } +#else + void *addr = page_address((struct page *)element); + + __poison_element(addr, PAGE_SIZE << order); +#endif } } #else /* CONFIG_SLUB_DEBUG_ON */

2 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] mptcp: fix race condition in mptcp_schedule_work()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 035bca3f017ee9dea3a5a756e77a6f7138cc6eea # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112402-confiding-slideshow-217f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 035bca3f017ee9dea3a5a756e77a6f7138cc6eea Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet(a)google.com> Date: Thu, 13 Nov 2025 10:39:24 +0000 Subject: [PATCH] mptcp: fix race condition in mptcp_schedule_work() syzbot reported use-after-free in mptcp_schedule_work() [1] Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker(). [A] if (schedule_work(...)) { [B] sock_hold(sk); return true; } Problem is that mptcp_worker() can run immediately and complete before [B] We need instead : sock_hold(sk); if (schedule_work(...)) return true; sock_put(sk); [1] refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Call Trace: <TASK> __refcount_add include/linux/refcount.h:-1 [inline] __refcount_inc include/linux/refcount.h:366 [inline] refcount_inc include/linux/refcount.h:383 [inline] sock_hold include/net/sock.h:816 [inline] mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Cc: stable(a)vger.kernel.org Fixes: 3b1d6210a957 ("mptcp: implement and use MPTCP-level retransmission") Reported-by: syzbot+355158e7e301548a1424(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6915b46f.050a0220.3565dc.0028.GAE@google.com… Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251113103924.3737425-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 2d6b8de35c44..e27e0fe2460f 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -935,14 +935,19 @@ static void mptcp_reset_rtx_timer(struct sock *sk) bool mptcp_schedule_work(struct sock *sk) { - if (inet_sk_state_load(sk) != TCP_CLOSE && - schedule_work(&mptcp_sk(sk)->work)) { - /* each subflow already holds a reference to the sk, and the - * workqueue is invoked by a subflow, so sk can't go away here. - */ - sock_hold(sk); + if (inet_sk_state_load(sk) == TCP_CLOSE) + return false; + + /* Get a reference on this socket, mptcp_worker() will release it. + * As mptcp_worker() might complete before us, we can not avoid + * a sock_hold()/sock_put() if schedule_work() returns false. + */ + sock_hold(sk); + + if (schedule_work(&mptcp_sk(sk)->work)) return true; - } + + sock_put(sk); return false; }

2 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 103e17aac09cdd358133f9e00998b75d6c1f1518 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112429-pasture-geometry-591b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001 From: Sebastian Ene <sebastianene(a)google.com> Date: Fri, 17 Oct 2025 07:57:10 +0000 Subject: [PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. Signed-off-by: Sebastian Ene <sebastianene(a)google.com> Acked-by: Will Deacon <will(a)kernel.org> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier <maz(a)kernel.org> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 4e16f9b96f63..58b7d0c477d7 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges; + u32 offset, nr_ranges, checked_offset; int ret = 0; if (addr_mbz || npages_mbz || fraglen > len || @@ -516,7 +516,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; } - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + if (fraglen < checked_offset) { ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock; }

2 weeks, 2 days

4
6
0 0

FAILED: patch "[PATCH] Input: pegasus-notetaker - fix potential out-of-bounds access" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 69aeb507312306f73495598a055293fa749d454e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112420-barman-maybe-9927@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 69aeb507312306f73495598a055293fa749d454e Mon Sep 17 00:00:00 2001 From: Seungjin Bae <eeodqql09(a)gmail.com> Date: Fri, 17 Oct 2025 15:36:31 -0700 Subject: [PATCH] Input: pegasus-notetaker - fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Signed-off-by: Seungjin Bae <eeodqql09(a)gmail.com> Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index 8d6b71d59793..eabb4a0b8a0d 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -63,6 +63,9 @@ #define BUTTON_PRESSED 0xb5 #define COMMAND_VERSION 0xa9 +/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */ +#define NOTETAKER_PACKET_SIZE 6 + /* in xy data packet */ #define BATTERY_NO_REPORT 0x40 #define BATTERY_LOW 0x41 @@ -311,6 +314,12 @@ static int pegasus_probe(struct usb_interface *intf, } pegasus->data_len = usb_maxpacket(dev, pipe); + if (pegasus->data_len < NOTETAKER_PACKET_SIZE) { + dev_err(&intf->dev, "packet size is too small (%d)\n", + pegasus->data_len); + error = -EINVAL; + goto err_free_mem; + } pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, &pegasus->data_dma);

2 weeks, 2 days

2
3
0 0

FAILED: patch "[PATCH] ata: libata-scsi: Fix system suspend for a security locked" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b11890683380a36b8488229f818d5e76e8204587 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112403-stalemate-unbuckled-dda5@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Wed, 19 Nov 2025 15:13:14 +0100 Subject: [PATCH] ata: libata-scsi: Fix system suspend for a security locked drive Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") fixed ata_to_sense_error() to properly generate sense key ABORTED COMMAND (without any additional sense code), instead of the previous bogus sense key ILLEGAL REQUEST with the additional sense code UNALIGNED WRITE COMMAND, for a failed command. However, this broke suspend for Security locked drives (drives that have Security enabled, and have not been Security unlocked by boot firmware). The reason for this is that the SCSI disk driver, for the Synchronize Cache command only, treats any sense data with sense key ILLEGAL REQUEST as a successful command (regardless of ASC / ASCQ). After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") the code that treats any sense data with sense key ILLEGAL REQUEST as a successful command is no longer applicable, so the command fails, which causes the system suspend to be aborted: sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5 sd 1:0:0:0: PM: failed to suspend async: error -5 PM: Some devices failed to suspend, or early wake event detected To make suspend work once again, for a Security locked device only, return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense data which a real SCSI device would have returned if locked. The SCSI disk driver treats this sense data as a successful command. Cc: stable(a)vger.kernel.org Reported-by: Ilia Baryshnikov <qwelias(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704 Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: Martin K. Petersen <martin.petersen(a)oracle.com> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 3fb84f690644..434774e71fe6 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -992,6 +992,13 @@ static void ata_gen_ata_sense(struct ata_queued_cmd *qc) return; } + if (ata_id_is_locked(dev->id)) { + /* Security locked */ + /* LOGICAL UNIT ACCESS NOT AUTHORIZED */ + ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71); + return; + } + if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) { ata_dev_dbg(dev, "Missing result TF: reporting aborted command\n"); diff --git a/include/linux/ata.h b/include/linux/ata.h index 792e10a09787..c9013e472aa3 100644 --- a/include/linux/ata.h +++ b/include/linux/ata.h @@ -566,6 +566,7 @@ struct ata_bmdma_prd { #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8)) #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1) #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7)) +#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7) #define ata_id_has_atapi_AN(id) \ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \

2 weeks, 2 days

2
1
0 0

FAILED: patch "[PATCH] ata: libata-scsi: Fix system suspend for a security locked" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b11890683380a36b8488229f818d5e76e8204587 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112458-uncharted-juggling-eb88@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Wed, 19 Nov 2025 15:13:14 +0100 Subject: [PATCH] ata: libata-scsi: Fix system suspend for a security locked drive Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") fixed ata_to_sense_error() to properly generate sense key ABORTED COMMAND (without any additional sense code), instead of the previous bogus sense key ILLEGAL REQUEST with the additional sense code UNALIGNED WRITE COMMAND, for a failed command. However, this broke suspend for Security locked drives (drives that have Security enabled, and have not been Security unlocked by boot firmware). The reason for this is that the SCSI disk driver, for the Synchronize Cache command only, treats any sense data with sense key ILLEGAL REQUEST as a successful command (regardless of ASC / ASCQ). After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") the code that treats any sense data with sense key ILLEGAL REQUEST as a successful command is no longer applicable, so the command fails, which causes the system suspend to be aborted: sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5 sd 1:0:0:0: PM: failed to suspend async: error -5 PM: Some devices failed to suspend, or early wake event detected To make suspend work once again, for a Security locked device only, return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense data which a real SCSI device would have returned if locked. The SCSI disk driver treats this sense data as a successful command. Cc: stable(a)vger.kernel.org Reported-by: Ilia Baryshnikov <qwelias(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704 Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: Martin K. Petersen <martin.petersen(a)oracle.com> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 3fb84f690644..434774e71fe6 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -992,6 +992,13 @@ static void ata_gen_ata_sense(struct ata_queued_cmd *qc) return; } + if (ata_id_is_locked(dev->id)) { + /* Security locked */ + /* LOGICAL UNIT ACCESS NOT AUTHORIZED */ + ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71); + return; + } + if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) { ata_dev_dbg(dev, "Missing result TF: reporting aborted command\n"); diff --git a/include/linux/ata.h b/include/linux/ata.h index 792e10a09787..c9013e472aa3 100644 --- a/include/linux/ata.h +++ b/include/linux/ata.h @@ -566,6 +566,7 @@ struct ata_bmdma_prd { #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8)) #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1) #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7)) +#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7) #define ata_id_has_atapi_AN(id) \ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \

2 weeks, 2 days

2
1
0 0

FAILED: patch "[PATCH] Input: pegasus-notetaker - fix potential out-of-bounds access" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 69aeb507312306f73495598a055293fa749d454e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112420-cleaver-backlight-0d73@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 69aeb507312306f73495598a055293fa749d454e Mon Sep 17 00:00:00 2001 From: Seungjin Bae <eeodqql09(a)gmail.com> Date: Fri, 17 Oct 2025 15:36:31 -0700 Subject: [PATCH] Input: pegasus-notetaker - fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Signed-off-by: Seungjin Bae <eeodqql09(a)gmail.com> Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index 8d6b71d59793..eabb4a0b8a0d 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -63,6 +63,9 @@ #define BUTTON_PRESSED 0xb5 #define COMMAND_VERSION 0xa9 +/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */ +#define NOTETAKER_PACKET_SIZE 6 + /* in xy data packet */ #define BATTERY_NO_REPORT 0x40 #define BATTERY_LOW 0x41 @@ -311,6 +314,12 @@ static int pegasus_probe(struct usb_interface *intf, } pegasus->data_len = usb_maxpacket(dev, pipe); + if (pegasus->data_len < NOTETAKER_PACKET_SIZE) { + dev_err(&intf->dev, "packet size is too small (%d)\n", + pegasus->data_len); + error = -EINVAL; + goto err_free_mem; + } pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, &pegasus->data_dma);

2 weeks, 2 days

2
3
0 0

FAILED: patch "[PATCH] ata: libata-scsi: Fix system suspend for a security locked" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b11890683380a36b8488229f818d5e76e8204587 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112453-paramedic-agonizing-0a51@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Wed, 19 Nov 2025 15:13:14 +0100 Subject: [PATCH] ata: libata-scsi: Fix system suspend for a security locked drive Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") fixed ata_to_sense_error() to properly generate sense key ABORTED COMMAND (without any additional sense code), instead of the previous bogus sense key ILLEGAL REQUEST with the additional sense code UNALIGNED WRITE COMMAND, for a failed command. However, this broke suspend for Security locked drives (drives that have Security enabled, and have not been Security unlocked by boot firmware). The reason for this is that the SCSI disk driver, for the Synchronize Cache command only, treats any sense data with sense key ILLEGAL REQUEST as a successful command (regardless of ASC / ASCQ). After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") the code that treats any sense data with sense key ILLEGAL REQUEST as a successful command is no longer applicable, so the command fails, which causes the system suspend to be aborted: sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5 sd 1:0:0:0: PM: failed to suspend async: error -5 PM: Some devices failed to suspend, or early wake event detected To make suspend work once again, for a Security locked device only, return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense data which a real SCSI device would have returned if locked. The SCSI disk driver treats this sense data as a successful command. Cc: stable(a)vger.kernel.org Reported-by: Ilia Baryshnikov <qwelias(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704 Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: Martin K. Petersen <martin.petersen(a)oracle.com> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 3fb84f690644..434774e71fe6 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -992,6 +992,13 @@ static void ata_gen_ata_sense(struct ata_queued_cmd *qc) return; } + if (ata_id_is_locked(dev->id)) { + /* Security locked */ + /* LOGICAL UNIT ACCESS NOT AUTHORIZED */ + ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71); + return; + } + if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) { ata_dev_dbg(dev, "Missing result TF: reporting aborted command\n"); diff --git a/include/linux/ata.h b/include/linux/ata.h index 792e10a09787..c9013e472aa3 100644 --- a/include/linux/ata.h +++ b/include/linux/ata.h @@ -566,6 +566,7 @@ struct ata_bmdma_prd { #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8)) #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1) #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7)) +#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7) #define ata_id_has_atapi_AN(id) \ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \

2 weeks, 2 days

2
1
0 0

FAILED: patch "[PATCH] Input: pegasus-notetaker - fix potential out-of-bounds access" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 69aeb507312306f73495598a055293fa749d454e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112419-scariness-motive-d737@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 69aeb507312306f73495598a055293fa749d454e Mon Sep 17 00:00:00 2001 From: Seungjin Bae <eeodqql09(a)gmail.com> Date: Fri, 17 Oct 2025 15:36:31 -0700 Subject: [PATCH] Input: pegasus-notetaker - fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") Signed-off-by: Seungjin Bae <eeodqql09(a)gmail.com> Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c index 8d6b71d59793..eabb4a0b8a0d 100644 --- a/drivers/input/tablet/pegasus_notetaker.c +++ b/drivers/input/tablet/pegasus_notetaker.c @@ -63,6 +63,9 @@ #define BUTTON_PRESSED 0xb5 #define COMMAND_VERSION 0xa9 +/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */ +#define NOTETAKER_PACKET_SIZE 6 + /* in xy data packet */ #define BATTERY_NO_REPORT 0x40 #define BATTERY_LOW 0x41 @@ -311,6 +314,12 @@ static int pegasus_probe(struct usb_interface *intf, } pegasus->data_len = usb_maxpacket(dev, pipe); + if (pegasus->data_len < NOTETAKER_PACKET_SIZE) { + dev_err(&intf->dev, "packet size is too small (%d)\n", + pegasus->data_len); + error = -EINVAL; + goto err_free_mem; + } pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, &pegasus->data_dma);

2 weeks, 2 days

2
3
0 0

FAILED: patch "[PATCH] ata: libata-scsi: Fix system suspend for a security locked" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b11890683380a36b8488229f818d5e76e8204587 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112448-speller-puritan-f075@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b11890683380a36b8488229f818d5e76e8204587 Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Wed, 19 Nov 2025 15:13:14 +0100 Subject: [PATCH] ata: libata-scsi: Fix system suspend for a security locked drive Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") fixed ata_to_sense_error() to properly generate sense key ABORTED COMMAND (without any additional sense code), instead of the previous bogus sense key ILLEGAL REQUEST with the additional sense code UNALIGNED WRITE COMMAND, for a failed command. However, this broke suspend for Security locked drives (drives that have Security enabled, and have not been Security unlocked by boot firmware). The reason for this is that the SCSI disk driver, for the Synchronize Cache command only, treats any sense data with sense key ILLEGAL REQUEST as a successful command (regardless of ASC / ASCQ). After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") the code that treats any sense data with sense key ILLEGAL REQUEST as a successful command is no longer applicable, so the command fails, which causes the system suspend to be aborted: sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5 sd 1:0:0:0: PM: failed to suspend async: error -5 PM: Some devices failed to suspend, or early wake event detected To make suspend work once again, for a Security locked device only, return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense data which a real SCSI device would have returned if locked. The SCSI disk driver treats this sense data as a successful command. Cc: stable(a)vger.kernel.org Reported-by: Ilia Baryshnikov <qwelias(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704 Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: Martin K. Petersen <martin.petersen(a)oracle.com> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 3fb84f690644..434774e71fe6 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -992,6 +992,13 @@ static void ata_gen_ata_sense(struct ata_queued_cmd *qc) return; } + if (ata_id_is_locked(dev->id)) { + /* Security locked */ + /* LOGICAL UNIT ACCESS NOT AUTHORIZED */ + ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71); + return; + } + if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) { ata_dev_dbg(dev, "Missing result TF: reporting aborted command\n"); diff --git a/include/linux/ata.h b/include/linux/ata.h index 792e10a09787..c9013e472aa3 100644 --- a/include/linux/ata.h +++ b/include/linux/ata.h @@ -566,6 +566,7 @@ struct ata_bmdma_prd { #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8)) #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1) #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7)) +#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7) #define ata_id_has_atapi_AN(id) \ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \

2 weeks, 2 days

2
1
0 0

[PATCH v3] drm/tilcdc: Fix removal actions in case of failed probe

by Kory Maincent

From: "Kory Maincent (TI.com)" <kory.maincent(a)bootlin.com> The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 ... [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag. Cc: stable(a)vger.kernel.org Fixes: 3c4babae3c4a ("drm: Call drm_atomic_helper_shutdown() at shutdown/remove time for misc drivers") Signed-off-by: Kory Maincent (TI.com) <kory.maincent(a)bootlin.com> --- I'm working on removing the usage of deprecated functions as well as general improvements to this driver, but it will take some time so for now this is a simple fix to a functional bug. Change in v3: - Rewrite the failed probe clean up path using goto - Remove the is_registered flag Change in v2: - Add missing cc: stable tag - Add Swamil reviewed-by --- drivers/gpu/drm/tilcdc/tilcdc_crtc.c | 2 +- drivers/gpu/drm/tilcdc/tilcdc_drv.c | 53 ++++++++++++++++++---------- drivers/gpu/drm/tilcdc/tilcdc_drv.h | 2 +- 3 files changed, 37 insertions(+), 20 deletions(-) diff --git a/drivers/gpu/drm/tilcdc/tilcdc_crtc.c b/drivers/gpu/drm/tilcdc/tilcdc_crtc.c index 5718d9d83a49f..52c95131af5af 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_crtc.c +++ b/drivers/gpu/drm/tilcdc/tilcdc_crtc.c @@ -586,7 +586,7 @@ static void tilcdc_crtc_recover_work(struct work_struct *work) drm_modeset_unlock(&crtc->mutex); } -static void tilcdc_crtc_destroy(struct drm_crtc *crtc) +void tilcdc_crtc_destroy(struct drm_crtc *crtc) { struct tilcdc_drm_private *priv = crtc->dev->dev_private; diff --git a/drivers/gpu/drm/tilcdc/tilcdc_drv.c b/drivers/gpu/drm/tilcdc/tilcdc_drv.c index 7caec4d38ddf0..2a88cce445b8f 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_drv.c +++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.c @@ -172,8 +172,7 @@ static void tilcdc_fini(struct drm_device *dev) if (priv->crtc) tilcdc_crtc_shutdown(priv->crtc); - if (priv->is_registered) - drm_dev_unregister(dev); + drm_dev_unregister(dev); drm_kms_helper_poll_fini(dev); drm_atomic_helper_shutdown(dev); @@ -220,21 +219,21 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) priv->wq = alloc_ordered_workqueue("tilcdc", 0); if (!priv->wq) { ret = -ENOMEM; - goto init_failed; + goto put_drm; } priv->mmio = devm_platform_ioremap_resource(pdev, 0); if (IS_ERR(priv->mmio)) { dev_err(dev, "failed to request / ioremap\n"); ret = PTR_ERR(priv->mmio); - goto init_failed; + goto free_wq; } priv->clk = clk_get(dev, "fck"); if (IS_ERR(priv->clk)) { dev_err(dev, "failed to get functional clock\n"); ret = -ENODEV; - goto init_failed; + goto free_wq; } pm_runtime_enable(dev); @@ -313,7 +312,7 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) ret = tilcdc_crtc_create(ddev); if (ret < 0) { dev_err(dev, "failed to create crtc\n"); - goto init_failed; + goto disable_pm; } modeset_init(ddev); @@ -324,46 +323,46 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) if (ret) { dev_err(dev, "failed to register cpufreq notifier\n"); priv->freq_transition.notifier_call = NULL; - goto init_failed; + goto destroy_crtc; } #endif if (priv->is_componentized) { ret = component_bind_all(dev, ddev); if (ret < 0) - goto init_failed; + goto unregister_cpufreq_notif; ret = tilcdc_add_component_encoder(ddev); if (ret < 0) - goto init_failed; + goto unbind_component; } else { ret = tilcdc_attach_external_device(ddev); if (ret) - goto init_failed; + goto unregister_cpufreq_notif; } if (!priv->external_connector && ((priv->num_encoders == 0) || (priv->num_connectors == 0))) { dev_err(dev, "no encoders/connectors found\n"); ret = -EPROBE_DEFER; - goto init_failed; + goto unbind_component; } ret = drm_vblank_init(ddev, 1); if (ret < 0) { dev_err(dev, "failed to initialize vblank\n"); - goto init_failed; + goto unbind_component; } ret = platform_get_irq(pdev, 0); if (ret < 0) - goto init_failed; + goto unbind_component; priv->irq = ret; ret = tilcdc_irq_install(ddev, priv->irq); if (ret < 0) { dev_err(dev, "failed to install IRQ handler\n"); - goto init_failed; + goto unbind_component; } drm_mode_config_reset(ddev); @@ -372,16 +371,34 @@ static int tilcdc_init(const struct drm_driver *ddrv, struct device *dev) ret = drm_dev_register(ddev, 0); if (ret) - goto init_failed; - priv->is_registered = true; + goto stop_poll; drm_client_setup_with_color_mode(ddev, bpp); return 0; -init_failed: - tilcdc_fini(ddev); +stop_poll: + drm_kms_helper_poll_fini(ddev); + tilcdc_irq_uninstall(ddev); +unbind_component: + if (priv->is_componentized) + component_unbind_all(dev, ddev); +unregister_cpufreq_notif: +#ifdef CONFIG_CPU_FREQ + cpufreq_unregister_notifier(&priv->freq_transition, + CPUFREQ_TRANSITION_NOTIFIER); +#endif +destroy_crtc: + tilcdc_crtc_destroy(priv->crtc); +disable_pm: + pm_runtime_disable(dev); + clk_put(priv->clk); +free_wq: + destroy_workqueue(priv->wq); +put_drm: platform_set_drvdata(pdev, NULL); + ddev->dev_private = NULL; + drm_dev_put(ddev); return ret; } diff --git a/drivers/gpu/drm/tilcdc/tilcdc_drv.h b/drivers/gpu/drm/tilcdc/tilcdc_drv.h index b818448c83f61..58b276f82a669 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_drv.h +++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.h @@ -82,7 +82,6 @@ struct tilcdc_drm_private { struct drm_encoder *external_encoder; struct drm_connector *external_connector; - bool is_registered; bool is_componentized; bool irq_enabled; }; @@ -164,6 +163,7 @@ void tilcdc_crtc_set_panel_info(struct drm_crtc *crtc, void tilcdc_crtc_set_simulate_vesa_sync(struct drm_crtc *crtc, bool simulate_vesa_sync); void tilcdc_crtc_shutdown(struct drm_crtc *crtc); +void tilcdc_crtc_destroy(struct drm_crtc *crtc); int tilcdc_crtc_update_fb(struct drm_crtc *crtc, struct drm_framebuffer *fb, struct drm_pending_vblank_event *event); -- 2.43.0

2 weeks, 2 days

3
5
0 0

[PATCH v2] dvb-usb: dtv5100: rewrite i2c message usb_control send/recv

by Nalivayko Sergey

syzbot reports a WARNING issue as below: usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 WARNING: CPU: 0 PID: 5833 at drivers/usb/core/urb.c:413 usb_submit_urb+0x1112/0x1870 drivers/usb/core/urb.c:411 Modules linked in: CPU: 0 UID: 0 PID: 5833 Comm: syz-executor411 Not tainted 6.15.0-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> usb_start_wait_urb+0x114/0x4c0 drivers/usb/core/message.c:59 usb_internal_control_msg drivers/usb/core/message.c:103 [inline] usb_control_msg+0x232/0x3e0 drivers/usb/core/message.c:154 dtv5100_i2c_msg+0x250/0x330 drivers/media/usb/dvb-usb/dtv5100.c:60 dtv5100_i2c_xfer+0x1a4/0x3c0 drivers/media/usb/dvb-usb/dtv5100.c:86 __i2c_transfer+0x871/0x2170 drivers/i2c/i2c-core-base.c:-1 i2c_transfer+0x25b/0x3a0 drivers/i2c/i2c-core-base.c:2315 i2c_transfer_buffer_flags+0x105/0x190 drivers/i2c/i2c-core-base.c:2343 i2c_master_send include/linux/i2c.h:109 [inline] i2cdev_write+0x112/0x1b0 drivers/i2c/i2c-dev.c:183 do_loop_readv_writev include/linux/uio.h:-1 [inline] vfs_writev+0x4a5/0x9a0 fs/read_write.c:1057 do_writev+0x14d/0x2d0 fs/read_write.c:1101 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The issue occurs due to insufficient validation of data passed to the USB API. In the current implementation, the dtv5100 driver expects two I2C non-zero length messages for a combined write/read request. However, when only a single message is provided, the driver incorrectly processes message of size 1, passing a read data size of zero to the dtv5100_i2c_msg function. When usb_control_msg() is called with a PIPEOUT type and a read length of zero, a mismatch error occurs between the operation type and the expected transfer direction in function usb_submit_urb. This is the trigger for warning. Replace usb_control_msg() with usb_control_msg_recv() and usb_control_msg_send() to rely on the USB API for proper validation and prevent inconsistencies in the future. Reported-by: syzbot+0335df380edd9bd3ff70(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0335df380edd9bd3ff70 Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353") Cc: stable(a)vger.kernel.org Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> --- v2: Expand problem description. drivers/media/usb/dvb-usb/dtv5100.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/drivers/media/usb/dvb-usb/dtv5100.c b/drivers/media/usb/dvb-usb/dtv5100.c index 3d85c6f7f6ec..05860f5d5053 100644 --- a/drivers/media/usb/dvb-usb/dtv5100.c +++ b/drivers/media/usb/dvb-usb/dtv5100.c @@ -26,40 +26,37 @@ static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr, u8 *wbuf, u16 wlen, u8 *rbuf, u16 rlen) { struct dtv5100_state *st = d->priv; - unsigned int pipe; u8 request; u8 type; u16 value; u16 index; + index = (addr << 8) + wbuf[0]; + + memcpy(st->data, rbuf, rlen); + msleep(1); /* avoid I2C errors */ + switch (wlen) { case 1: /* write { reg }, read { value } */ - pipe = usb_rcvctrlpipe(d->udev, 0); request = (addr == DTV5100_DEMOD_ADDR ? DTV5100_DEMOD_READ : DTV5100_TUNER_READ); type = USB_TYPE_VENDOR | USB_DIR_IN; value = 0; - break; + return usb_control_msg_recv(d->udev, 0, request, type, value, index, + st->data, rlen, DTV5100_USB_TIMEOUT, GFP_KERNEL); case 2: /* write { reg, value } */ - pipe = usb_sndctrlpipe(d->udev, 0); request = (addr == DTV5100_DEMOD_ADDR ? DTV5100_DEMOD_WRITE : DTV5100_TUNER_WRITE); type = USB_TYPE_VENDOR | USB_DIR_OUT; value = wbuf[1]; - break; + return usb_control_msg_send(d->udev, 0, request, type, value, index, + st->data, rlen, DTV5100_USB_TIMEOUT, GFP_KERNEL); default: warn("wlen = %x, aborting.", wlen); return -EINVAL; } - index = (addr << 8) + wbuf[0]; - - memcpy(st->data, rbuf, rlen); - msleep(1); /* avoid I2C errors */ - return usb_control_msg(d->udev, pipe, request, - type, value, index, st->data, rlen, - DTV5100_USB_TIMEOUT); } /* I2C */ -- 2.39.5

2 weeks, 2 days

2
1
0 0

[PATCH] perf/arm_cspmu: fix device leaks on module unload

by Johan Hovold

Make sure to drop the references taken when looking up the backend devices during vendor module unload. Fixes: bfc653aa89cb ("perf: arm_cspmu: Separate Arm and vendor module") Cc: stable(a)vger.kernel.org # 6.7 Cc: Besar Wicaksono <bwicaksono(a)nvidia.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/perf/arm_cspmu/arm_cspmu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/perf/arm_cspmu/arm_cspmu.c b/drivers/perf/arm_cspmu/arm_cspmu.c index efa9b229e701..e0d4293f06f9 100644 --- a/drivers/perf/arm_cspmu/arm_cspmu.c +++ b/drivers/perf/arm_cspmu/arm_cspmu.c @@ -1365,8 +1365,10 @@ void arm_cspmu_impl_unregister(const struct arm_cspmu_impl_match *impl_match) /* Unbind the driver from all matching backend devices. */ while ((dev = driver_find_device(&arm_cspmu_driver.driver, NULL, - match, arm_cspmu_match_device))) + match, arm_cspmu_match_device))) { device_release_driver(dev); + put_device(dev); + } mutex_lock(&arm_cspmu_lock); -- 2.51.2

2 weeks, 2 days

2
2
0 0

[PATCH 6.12.y] KVM: VMX: Fix check for valid GVA on an EPT violation

by Sukrit Bhatnagar

On an EPT violation, bit 7 of the exit qualification is set if the guest linear-address is valid. The derived page fault error code should not be checked for this bit. Fixes: f3009482512e ("KVM: VMX: Set PFERR_GUEST_{FINAL,PAGE}_MASK if and only if the GVA is valid") Cc: stable(a)vger.kernel.org Signed-off-by: Sukrit Bhatnagar <Sukrit.Bhatnagar(a)sony.com> Reviewed-by: Xiaoyao Li <xiaoyao.li(a)intel.com> Link: https://patch.msgid.link/20251106052853.3071088-1-Sukrit.Bhatnagar@sony.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> (cherry picked from commit d0164c161923ac303bd843e04ebe95cfd03c6e19) Signed-off-by: Sukrit Bhatnagar <Sukrit.Bhatnagar(a)sony.com> --- arch/x86/kvm/vmx/vmx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 6c185a260c5b..d0387f543107 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -5810,7 +5810,7 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu) error_code |= (exit_qualification & EPT_VIOLATION_RWX_MASK) ? PFERR_PRESENT_MASK : 0; - if (error_code & EPT_VIOLATION_GVA_IS_VALID) + if (exit_qualification & EPT_VIOLATION_GVA_IS_VALID) error_code |= (exit_qualification & EPT_VIOLATION_GVA_TRANSLATED) ? PFERR_GUEST_FINAL_MASK : PFERR_GUEST_PAGE_MASK; -- 2.43.0

2 weeks, 2 days

3
3
0 0

FAILED: patch "[PATCH] xfs: fix various problems in xfs_atomic_write_cow_iomap_begin" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 8d7bba1e8314013ecc817a91624104ceb9352ddc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025110942-language-suspect-13bc@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8d7bba1e8314013ecc817a91624104ceb9352ddc Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <djwong(a)kernel.org> Date: Tue, 4 Nov 2025 16:15:38 -0800 Subject: [PATCH] xfs: fix various problems in xfs_atomic_write_cow_iomap_begin I think there are several things wrong with this function: A) xfs_bmapi_write can return a much larger unwritten mapping than what the caller asked for. We convert part of that range to written, but return the entire written mapping to iomap even though that's inaccurate. B) The arguments to xfs_reflink_convert_cow_locked are wrong -- an unwritten mapping could be *smaller* than the write range (or even the hole range). In this case, we convert too much file range to written state because we then return a smaller mapping to iomap. C) It doesn't handle delalloc mappings. This I covered in the patch that I already sent to the list. D) Reassigning count_fsb to handle the hole means that if the second cmap lookup attempt succeeds (due to racing with someone else) we trim the mapping more than is strictly necessary. The changing meaning of count_fsb makes this harder to notice. E) The tracepoint is kinda wrong because @length is mutated. That makes it harder to chase the data flows through this function because you can't just grep on the pos/bytecount strings. F) We don't actually check that the br_state = XFS_EXT_NORM assignment is accurate, i.e that the cow fork actually contains a written mapping for the range we're interested in G) Somewhat inadequate documentation of why we need to xfs_trim_extent so aggressively in this function. H) Not sure why xfs_iomap_end_fsb is used here, the vfs already clamped the write range to s_maxbytes. Fix these issues, and then the atomic writes regressions in generic/760, generic/617, generic/091, generic/263, and generic/521 all go away for me. Cc: stable(a)vger.kernel.org # v6.16 Fixes: bd1d2c21d5d249 ("xfs: add xfs_atomic_write_cow_iomap_begin()") Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Reviewed-by: John Garry <john.g.garry(a)oracle.com> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c index 788bfdce608a..490e12cb99be 100644 --- a/fs/xfs/xfs_iomap.c +++ b/fs/xfs/xfs_iomap.c @@ -1091,6 +1091,29 @@ const struct iomap_ops xfs_zoned_direct_write_iomap_ops = { }; #endif /* CONFIG_XFS_RT */ +#ifdef DEBUG +static void +xfs_check_atomic_cow_conversion( + struct xfs_inode *ip, + xfs_fileoff_t offset_fsb, + xfs_filblks_t count_fsb, + const struct xfs_bmbt_irec *cmap) +{ + struct xfs_iext_cursor icur; + struct xfs_bmbt_irec cmap2 = { }; + + if (xfs_iext_lookup_extent(ip, ip->i_cowfp, offset_fsb, &icur, &cmap2)) + xfs_trim_extent(&cmap2, offset_fsb, count_fsb); + + ASSERT(cmap2.br_startoff == cmap->br_startoff); + ASSERT(cmap2.br_blockcount == cmap->br_blockcount); + ASSERT(cmap2.br_startblock == cmap->br_startblock); + ASSERT(cmap2.br_state == cmap->br_state); +} +#else +# define xfs_check_atomic_cow_conversion(...) ((void)0) +#endif + static int xfs_atomic_write_cow_iomap_begin( struct inode *inode, @@ -1102,9 +1125,10 @@ xfs_atomic_write_cow_iomap_begin( { struct xfs_inode *ip = XFS_I(inode); struct xfs_mount *mp = ip->i_mount; - const xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset); - xfs_fileoff_t end_fsb = xfs_iomap_end_fsb(mp, offset, length); - xfs_filblks_t count_fsb = end_fsb - offset_fsb; + const xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset); + const xfs_fileoff_t end_fsb = XFS_B_TO_FSB(mp, offset + length); + const xfs_filblks_t count_fsb = end_fsb - offset_fsb; + xfs_filblks_t hole_count_fsb; int nmaps = 1; xfs_filblks_t resaligned; struct xfs_bmbt_irec cmap; @@ -1143,14 +1167,20 @@ xfs_atomic_write_cow_iomap_begin( if (cmap.br_startoff <= offset_fsb) { if (isnullstartblock(cmap.br_startblock)) goto convert_delay; + + /* + * cmap could extend outside the write range due to previous + * speculative preallocations. We must trim cmap to the write + * range because the cow fork treats written mappings to mean + * "write in progress". + */ xfs_trim_extent(&cmap, offset_fsb, count_fsb); goto found; } - end_fsb = cmap.br_startoff; - count_fsb = end_fsb - offset_fsb; + hole_count_fsb = cmap.br_startoff - offset_fsb; - resaligned = xfs_aligned_fsb_count(offset_fsb, count_fsb, + resaligned = xfs_aligned_fsb_count(offset_fsb, hole_count_fsb, xfs_get_cowextsz_hint(ip)); xfs_iunlock(ip, XFS_ILOCK_EXCL); @@ -1186,7 +1216,7 @@ xfs_atomic_write_cow_iomap_begin( * atomic writes to that same range will be aligned (and don't require * this COW-based method). */ - error = xfs_bmapi_write(tp, ip, offset_fsb, count_fsb, + error = xfs_bmapi_write(tp, ip, offset_fsb, hole_count_fsb, XFS_BMAPI_COWFORK | XFS_BMAPI_PREALLOC | XFS_BMAPI_EXTSZALIGN, 0, &cmap, &nmaps); if (error) { @@ -1199,17 +1229,26 @@ xfs_atomic_write_cow_iomap_begin( if (error) goto out_unlock; + /* + * cmap could map more blocks than the range we passed into bmapi_write + * because of EXTSZALIGN or adjacent pre-existing unwritten mappings + * that were merged. Trim cmap to the original write range so that we + * don't convert more than we were asked to do for this write. + */ + xfs_trim_extent(&cmap, offset_fsb, count_fsb); + found: if (cmap.br_state != XFS_EXT_NORM) { - error = xfs_reflink_convert_cow_locked(ip, offset_fsb, - count_fsb); + error = xfs_reflink_convert_cow_locked(ip, cmap.br_startoff, + cmap.br_blockcount); if (error) goto out_unlock; cmap.br_state = XFS_EXT_NORM; + xfs_check_atomic_cow_conversion(ip, offset_fsb, count_fsb, + &cmap); } - length = XFS_FSB_TO_B(mp, cmap.br_startoff + cmap.br_blockcount); - trace_xfs_iomap_found(ip, offset, length - offset, XFS_COW_FORK, &cmap); + trace_xfs_iomap_found(ip, offset, length, XFS_COW_FORK, &cmap); seq = xfs_iomap_inode_sequence(ip, IOMAP_F_SHARED); xfs_iunlock(ip, XFS_ILOCK_EXCL); return xfs_bmbt_to_iomap(ip, iomap, &cmap, flags, IOMAP_F_SHARED, seq);

2 weeks, 2 days

3
5
0 0

FAILED: patch "[PATCH] mptcp: Disallow MPTCP subflows from sockmap" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x fbade4bd08ba52cbc74a71c4e86e736f059f99f7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112454-crib-recognize-8675@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fbade4bd08ba52cbc74a71c4e86e736f059f99f7 Mon Sep 17 00:00:00 2001 From: Jiayuan Chen <jiayuan.chen(a)linux.dev> Date: Tue, 11 Nov 2025 14:02:50 +0800 Subject: [PATCH] mptcp: Disallow MPTCP subflows from sockmap The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' Consider two scenarios: 1. When the server has MPTCP enabled and the client also requests MPTCP, the sk passed to the BPF program is a subflow sk. Since subflows only handle partial data, replacing their sk_prot is meaningless and will cause traffic disruption. 2. When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops() converts the subflow to plain TCP. For the first case, we should prevent it from being combined with sockmap by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by sockmap's own flow. For the second case, since subflow_syn_recv_sock() has already restored sk_prot to native tcp_prot/tcpv6_prot, no further action is needed. Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index e8325890a322..af707ce0f624 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -2144,6 +2144,10 @@ void __init mptcp_subflow_init(void) tcp_prot_override = tcp_prot; tcp_prot_override.release_cb = tcp_release_cb_override; tcp_prot_override.diag_destroy = tcp_abort_override; +#ifdef CONFIG_BPF_SYSCALL + /* Disable sockmap processing for subflows */ + tcp_prot_override.psock_update_sk_prot = NULL; +#endif #if IS_ENABLED(CONFIG_MPTCP_IPV6) /* In struct mptcp_subflow_request_sock, we assume the TCP request sock @@ -2180,6 +2184,10 @@ void __init mptcp_subflow_init(void) tcpv6_prot_override = tcpv6_prot; tcpv6_prot_override.release_cb = tcp_release_cb_override; tcpv6_prot_override.diag_destroy = tcp_abort_override; +#ifdef CONFIG_BPF_SYSCALL + /* Disable sockmap processing for subflows */ + tcpv6_prot_override.psock_update_sk_prot = NULL; +#endif #endif mptcp_diag_subflow_init(&subflow_ulp_ops);

2 weeks, 2 days

2
1
0 0

FAILED: patch "[PATCH] HID: amd_sfh: Stop sensor before starting" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 4d3a13afa8b64dc49293b3eab3e7beac11072c12 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112405-dispense-dealing-3eec@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4d3a13afa8b64dc49293b3eab3e7beac11072c12 Mon Sep 17 00:00:00 2001 From: "Mario Limonciello (AMD)" <superm1(a)kernel.org> Date: Mon, 20 Oct 2025 10:50:42 -0500 Subject: [PATCH] HID: amd_sfh: Stop sensor before starting Titas reports that the accelerometer sensor on their laptop only works after a warm boot or unloading/reloading the amd-sfh kernel module. Presumably the sensor is in a bad state on cold boot and failing to start, so explicitly stop it before starting. Cc: stable(a)vger.kernel.org Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality") Reported-by: Titas <novatitas366(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670 Tested-by: Titas <novatitas366(a)gmail.com> Signed-off-by: Mario Limonciello (AMD) <superm1(a)kernel.org> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c index 0a9b44ce4904..b0bab2a1ddcc 100644 --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c @@ -194,6 +194,8 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) if (rc) goto cleanup; + mp2_ops->stop(privdata, cl_data->sensor_idx[i]); + amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR); writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0)); mp2_ops->start(privdata, info); status = amd_sfh_wait_for_response

2 weeks, 2 days

2
1
0 0

FAILED: patch "[PATCH] HID: amd_sfh: Stop sensor before starting" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 4d3a13afa8b64dc49293b3eab3e7beac11072c12 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112405-canine-herbal-25c6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4d3a13afa8b64dc49293b3eab3e7beac11072c12 Mon Sep 17 00:00:00 2001 From: "Mario Limonciello (AMD)" <superm1(a)kernel.org> Date: Mon, 20 Oct 2025 10:50:42 -0500 Subject: [PATCH] HID: amd_sfh: Stop sensor before starting Titas reports that the accelerometer sensor on their laptop only works after a warm boot or unloading/reloading the amd-sfh kernel module. Presumably the sensor is in a bad state on cold boot and failing to start, so explicitly stop it before starting. Cc: stable(a)vger.kernel.org Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality") Reported-by: Titas <novatitas366(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670 Tested-by: Titas <novatitas366(a)gmail.com> Signed-off-by: Mario Limonciello (AMD) <superm1(a)kernel.org> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c index 0a9b44ce4904..b0bab2a1ddcc 100644 --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c @@ -194,6 +194,8 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) if (rc) goto cleanup; + mp2_ops->stop(privdata, cl_data->sensor_idx[i]); + amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR); writel(0, privdata->mmio + amd_get_p2c_val(privdata, 0)); mp2_ops->start(privdata, info); status = amd_sfh_wait_for_response

2 weeks, 2 days

2
1
0 0

[PATCH 6.6.y 1/2] f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi

by lanbincn＠qq.com

From: Zhiguo Niu <zhiguo.niu(a)unisoc.com> [ Upstream commit 8e2a9b656474d67c55010f2c003ea2cf889a19ff ] No logic changes, just cleanup and prepare for fixing the UAF issue in f2fs_free_dic. Signed-off-by: Zhiguo Niu <zhiguo.niu(a)unisoc.com> Signed-off-by: Baocong Liu <baocong.liu(a)unisoc.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Bin Lan <lanbincn(a)qq.com> --- fs/f2fs/compress.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c index e962de4ecaa2..3a0d0adc4736 100644 --- a/fs/f2fs/compress.c +++ b/fs/f2fs/compress.c @@ -23,20 +23,18 @@ static struct kmem_cache *cic_entry_slab; static struct kmem_cache *dic_entry_slab; -static void *page_array_alloc(struct inode *inode, int nr) +static void *page_array_alloc(struct f2fs_sb_info *sbi, int nr) { - struct f2fs_sb_info *sbi = F2FS_I_SB(inode); unsigned int size = sizeof(struct page *) * nr; if (likely(size <= sbi->page_array_slab_size)) return f2fs_kmem_cache_alloc(sbi->page_array_slab, - GFP_F2FS_ZERO, false, F2FS_I_SB(inode)); + GFP_F2FS_ZERO, false, sbi); return f2fs_kzalloc(sbi, size, GFP_NOFS); } -static void page_array_free(struct inode *inode, void *pages, int nr) +static void page_array_free(struct f2fs_sb_info *sbi, void *pages, int nr) { - struct f2fs_sb_info *sbi = F2FS_I_SB(inode); unsigned int size = sizeof(struct page *) * nr; if (!pages) @@ -145,13 +143,13 @@ int f2fs_init_compress_ctx(struct compress_ctx *cc) if (cc->rpages) return 0; - cc->rpages = page_array_alloc(cc->inode, cc->cluster_size); + cc->rpages = page_array_alloc(F2FS_I_SB(cc->inode), cc->cluster_size); return cc->rpages ? 0 : -ENOMEM; } void f2fs_destroy_compress_ctx(struct compress_ctx *cc, bool reuse) { - page_array_free(cc->inode, cc->rpages, cc->cluster_size); + page_array_free(F2FS_I_SB(cc->inode), cc->rpages, cc->cluster_size); cc->rpages = NULL; cc->nr_rpages = 0; cc->nr_cpages = 0; @@ -614,6 +612,7 @@ static void *f2fs_vmap(struct page **pages, unsigned int count) static int f2fs_compress_pages(struct compress_ctx *cc) { + struct f2fs_sb_info *sbi = F2FS_I_SB(cc->inode); struct f2fs_inode_info *fi = F2FS_I(cc->inode); const struct f2fs_compress_ops *cops = f2fs_cops[fi->i_compress_algorithm]; @@ -634,7 +633,7 @@ static int f2fs_compress_pages(struct compress_ctx *cc) cc->nr_cpages = DIV_ROUND_UP(max_len, PAGE_SIZE); cc->valid_nr_cpages = cc->nr_cpages; - cc->cpages = page_array_alloc(cc->inode, cc->nr_cpages); + cc->cpages = page_array_alloc(sbi, cc->nr_cpages); if (!cc->cpages) { ret = -ENOMEM; goto destroy_compress_ctx; @@ -709,7 +708,7 @@ static int f2fs_compress_pages(struct compress_ctx *cc) if (cc->cpages[i]) f2fs_compress_free_page(cc->cpages[i]); } - page_array_free(cc->inode, cc->cpages, cc->nr_cpages); + page_array_free(sbi, cc->cpages, cc->nr_cpages); cc->cpages = NULL; destroy_compress_ctx: if (cops->destroy_compress_ctx) @@ -1302,7 +1301,7 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc, cic->magic = F2FS_COMPRESSED_PAGE_MAGIC; cic->inode = inode; atomic_set(&cic->pending_pages, cc->valid_nr_cpages); - cic->rpages = page_array_alloc(cc->inode, cc->cluster_size); + cic->rpages = page_array_alloc(sbi, cc->cluster_size); if (!cic->rpages) goto out_put_cic; @@ -1395,13 +1394,13 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc, spin_unlock(&fi->i_size_lock); f2fs_put_rpages(cc); - page_array_free(cc->inode, cc->cpages, cc->nr_cpages); + page_array_free(sbi, cc->cpages, cc->nr_cpages); cc->cpages = NULL; f2fs_destroy_compress_ctx(cc, false); return 0; out_destroy_crypt: - page_array_free(cc->inode, cic->rpages, cc->cluster_size); + page_array_free(sbi, cic->rpages, cc->cluster_size); for (--i; i >= 0; i--) fscrypt_finalize_bounce_page(&cc->cpages[i]); @@ -1419,7 +1418,7 @@ static int f2fs_write_compressed_pages(struct compress_ctx *cc, f2fs_compress_free_page(cc->cpages[i]); cc->cpages[i] = NULL; } - page_array_free(cc->inode, cc->cpages, cc->nr_cpages); + page_array_free(sbi, cc->cpages, cc->nr_cpages); cc->cpages = NULL; return -EAGAIN; } @@ -1449,7 +1448,7 @@ void f2fs_compress_write_end_io(struct bio *bio, struct page *page) end_page_writeback(cic->rpages[i]); } - page_array_free(cic->inode, cic->rpages, cic->nr_rpages); + page_array_free(sbi, cic->rpages, cic->nr_rpages); kmem_cache_free(cic_entry_slab, cic); } @@ -1587,7 +1586,7 @@ static int f2fs_prepare_decomp_mem(struct decompress_io_ctx *dic, if (!allow_memalloc_for_decomp(F2FS_I_SB(dic->inode), pre_alloc)) return 0; - dic->tpages = page_array_alloc(dic->inode, dic->cluster_size); + dic->tpages = page_array_alloc(F2FS_I_SB(dic->inode), dic->cluster_size); if (!dic->tpages) return -ENOMEM; @@ -1647,7 +1646,7 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc) if (!dic) return ERR_PTR(-ENOMEM); - dic->rpages = page_array_alloc(cc->inode, cc->cluster_size); + dic->rpages = page_array_alloc(sbi, cc->cluster_size); if (!dic->rpages) { kmem_cache_free(dic_entry_slab, dic); return ERR_PTR(-ENOMEM); @@ -1668,7 +1667,7 @@ struct decompress_io_ctx *f2fs_alloc_dic(struct compress_ctx *cc) dic->rpages[i] = cc->rpages[i]; dic->nr_rpages = cc->cluster_size; - dic->cpages = page_array_alloc(dic->inode, dic->nr_cpages); + dic->cpages = page_array_alloc(sbi, dic->nr_cpages); if (!dic->cpages) { ret = -ENOMEM; goto out_free; @@ -1698,6 +1697,7 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic, bool bypass_destroy_callback) { int i; + struct f2fs_sb_info *sbi = F2FS_I_SB(dic->inode); f2fs_release_decomp_mem(dic, bypass_destroy_callback, true); @@ -1709,7 +1709,7 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic, continue; f2fs_compress_free_page(dic->tpages[i]); } - page_array_free(dic->inode, dic->tpages, dic->cluster_size); + page_array_free(sbi, dic->tpages, dic->cluster_size); } if (dic->cpages) { @@ -1718,10 +1718,10 @@ static void f2fs_free_dic(struct decompress_io_ctx *dic, continue; f2fs_compress_free_page(dic->cpages[i]); } - page_array_free(dic->inode, dic->cpages, dic->nr_cpages); + page_array_free(sbi, dic->cpages, dic->nr_cpages); } - page_array_free(dic->inode, dic->rpages, dic->nr_rpages); + page_array_free(sbi, dic->rpages, dic->nr_rpages); kmem_cache_free(dic_entry_slab, dic); } -- 2.43.0

2 weeks, 2 days

2
1
0 0

[PATCH] clk: renesas: rzg2l: Fix intin variable size

by Chris Brandt

INTIN is a 12-bit register value, so u8 is too small. Fixes: 1561380ee72f ("clk: renesas: rzg2l: Add FOUTPOSTDIV clk support") Cc: stable(a)vger.kernel.org Reported-by: Hugo Villeneuve <hugo(a)hugovil.com> Signed-off-by: Chris Brandt <chris.brandt(a)renesas.com> --- drivers/clk/renesas/rzg2l-cpg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c index 07909e80bae2..4c3f6ce71f2f 100644 --- a/drivers/clk/renesas/rzg2l-cpg.c +++ b/drivers/clk/renesas/rzg2l-cpg.c @@ -122,8 +122,8 @@ struct div_hw_data { struct rzg2l_pll5_param { u32 pl5_fracin; + u16 pl5_intin; u8 pl5_refdiv; - u8 pl5_intin; u8 pl5_postdiv1; u8 pl5_postdiv2; u8 pl5_spread; -- 2.50.1

2 weeks, 2 days

2
1
0 0

[PATCH] [SCSI] hptiop: Add inbound queue offset bounds check in iop_get_config_itl

by Guangshuo Li

The function iop_get_config_itl() reads a 32‑bit offset (req32) from the inbound queue register (hba->u.itl.iop->inbound_queue) and then uses it without validation to compute: req = (base + req32) followed by memcpy_fromio(config, req, sizeof(*config)). Without verifying that req32 is within the valid I/O region and that req32 + sizeof(*config) does not overflow the mapped I/O region, a malicious or faulty device/firmware could cause the driver to read memory outside the intended request structure — leading to an out‑of‑bounds I/O read. According to kernel documentation: "The value returned from the inbound queue port is an offset relative to the IOP BAR0." ([docs.kernel.org](https://docs.kernel.org/scsi/hptiop.html)) However, the documentation does *not* specify a maximum offset, nor a bound such as “offset + size ≤ IOP memory region size”. In the driver code, hptiop_map_pci_bar_itl() does: hba->u.itl.iop = hptiop_map_pci_bar(hba, 0); and uses pci_resource_len(hba->pcidev, 0) to obtain the mapped region size for BAR0. Therefore we can use that size at runtime to bound req32 safely. To implement the fix in iop_get_config_itl(): - Retrieve the BAR0 region size via: struct pci_dev *pcidev = hba->pcidev; u32 length = pci_resource_len(pcidev, 0); - Then check: if (req32 == IOPMU_QUEUE_EMPTY || req32 + sizeof(*config) > length) return -EINVAL; - This ensures we do not rely on a hard‑coded maximum, but use the actual mapped region size for the bound. Fixes: ede1e6f8b4324 ("[SCSI] hptiop: HighPoint RocketRAID 3xxx controller driver") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/scsi/hptiop.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/hptiop.c b/drivers/scsi/hptiop.c index f18b770626e6..c01370893a81 100644 --- a/drivers/scsi/hptiop.c +++ b/drivers/scsi/hptiop.c @@ -404,7 +404,10 @@ static int iop_get_config_itl(struct hptiop_hba *hba, struct hpt_iop_request_get_config __iomem *req; req32 = readl(&hba->u.itl.iop->inbound_queue); - if (req32 == IOPMU_QUEUE_EMPTY) + + struct pci_dev *pcidev = hba->pcidev; + u32 length = pci_resource_len(pcidev, 0); + if (req32 == IOPMU_QUEUE_EMPTY || req32 + sizeof(*config) > length) return -1; req = (struct hpt_iop_request_get_config __iomem *) -- 2.43.0

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112436-ferment-finalize-0d66@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 Mon Sep 17 00:00:00 2001 From: Shikang Fan <shikang.fan(a)amd.com> Date: Wed, 19 Nov 2025 18:05:10 +0800 Subject: [PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset support. Add SRIOV check when setting VCN ring's supported reset mask. Signed-off-by: Shikang Fan <shikang.fan(a)amd.com> Reviewed-by: Lijo Lazar <lijo.lazar(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit ee9b603ad43f9870eb75184f9fb0a84f8c3cc852) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c index eacf4e93ba2f..cb7123ec1a5d 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c @@ -141,7 +141,7 @@ static int vcn_v4_0_3_late_init(struct amdgpu_ip_block *ip_block) adev->vcn.supported_reset = amdgpu_get_soft_full_reset_mask(&adev->vcn.inst[0].ring_enc[0]); - if (amdgpu_dpm_reset_vcn_is_supported(adev)) + if (amdgpu_dpm_reset_vcn_is_supported(adev) && !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; return 0; diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c index 714350cabf2f..8bd457dea4cf 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c @@ -122,7 +122,9 @@ static int vcn_v5_0_1_late_init(struct amdgpu_ip_block *ip_block) switch (amdgpu_ip_version(adev, MP0_HWIP, 0)) { case IP_VERSION(13, 0, 12): - if ((adev->psp.sos.fw_version >= 0x00450025) && amdgpu_dpm_reset_vcn_is_supported(adev)) + if ((adev->psp.sos.fw_version >= 0x00450025) && + amdgpu_dpm_reset_vcn_is_supported(adev) && + !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; break; default:

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112436-uninsured-scrutiny-e92e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 Mon Sep 17 00:00:00 2001 From: Shikang Fan <shikang.fan(a)amd.com> Date: Wed, 19 Nov 2025 18:05:10 +0800 Subject: [PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset support. Add SRIOV check when setting VCN ring's supported reset mask. Signed-off-by: Shikang Fan <shikang.fan(a)amd.com> Reviewed-by: Lijo Lazar <lijo.lazar(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit ee9b603ad43f9870eb75184f9fb0a84f8c3cc852) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c index eacf4e93ba2f..cb7123ec1a5d 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c @@ -141,7 +141,7 @@ static int vcn_v4_0_3_late_init(struct amdgpu_ip_block *ip_block) adev->vcn.supported_reset = amdgpu_get_soft_full_reset_mask(&adev->vcn.inst[0].ring_enc[0]); - if (amdgpu_dpm_reset_vcn_is_supported(adev)) + if (amdgpu_dpm_reset_vcn_is_supported(adev) && !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; return 0; diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c index 714350cabf2f..8bd457dea4cf 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c @@ -122,7 +122,9 @@ static int vcn_v5_0_1_late_init(struct amdgpu_ip_block *ip_block) switch (amdgpu_ip_version(adev, MP0_HWIP, 0)) { case IP_VERSION(13, 0, 12): - if ((adev->psp.sos.fw_version >= 0x00450025) && amdgpu_dpm_reset_vcn_is_supported(adev)) + if ((adev->psp.sos.fw_version >= 0x00450025) && + amdgpu_dpm_reset_vcn_is_supported(adev) && + !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; break; default:

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112435-frequency-flashing-6d4e@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 Mon Sep 17 00:00:00 2001 From: Shikang Fan <shikang.fan(a)amd.com> Date: Wed, 19 Nov 2025 18:05:10 +0800 Subject: [PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset support. Add SRIOV check when setting VCN ring's supported reset mask. Signed-off-by: Shikang Fan <shikang.fan(a)amd.com> Reviewed-by: Lijo Lazar <lijo.lazar(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit ee9b603ad43f9870eb75184f9fb0a84f8c3cc852) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c index eacf4e93ba2f..cb7123ec1a5d 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c @@ -141,7 +141,7 @@ static int vcn_v4_0_3_late_init(struct amdgpu_ip_block *ip_block) adev->vcn.supported_reset = amdgpu_get_soft_full_reset_mask(&adev->vcn.inst[0].ring_enc[0]); - if (amdgpu_dpm_reset_vcn_is_supported(adev)) + if (amdgpu_dpm_reset_vcn_is_supported(adev) && !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; return 0; diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c index 714350cabf2f..8bd457dea4cf 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c @@ -122,7 +122,9 @@ static int vcn_v5_0_1_late_init(struct amdgpu_ip_block *ip_block) switch (amdgpu_ip_version(adev, MP0_HWIP, 0)) { case IP_VERSION(13, 0, 12): - if ((adev->psp.sos.fw_version >= 0x00450025) && amdgpu_dpm_reset_vcn_is_supported(adev)) + if ((adev->psp.sos.fw_version >= 0x00450025) && + amdgpu_dpm_reset_vcn_is_supported(adev) && + !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; break; default:

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112435-nutlike-subsiding-17df@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c156c7f27ecdb7b89dbbeaaa1f40d9fadc3c1680 Mon Sep 17 00:00:00 2001 From: Shikang Fan <shikang.fan(a)amd.com> Date: Wed, 19 Nov 2025 18:05:10 +0800 Subject: [PATCH] drm/amdgpu: Add sriov vf check for VCN per queue reset support. Add SRIOV check when setting VCN ring's supported reset mask. Signed-off-by: Shikang Fan <shikang.fan(a)amd.com> Reviewed-by: Lijo Lazar <lijo.lazar(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit ee9b603ad43f9870eb75184f9fb0a84f8c3cc852) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c index eacf4e93ba2f..cb7123ec1a5d 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c @@ -141,7 +141,7 @@ static int vcn_v4_0_3_late_init(struct amdgpu_ip_block *ip_block) adev->vcn.supported_reset = amdgpu_get_soft_full_reset_mask(&adev->vcn.inst[0].ring_enc[0]); - if (amdgpu_dpm_reset_vcn_is_supported(adev)) + if (amdgpu_dpm_reset_vcn_is_supported(adev) && !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; return 0; diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c index 714350cabf2f..8bd457dea4cf 100644 --- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c +++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c @@ -122,7 +122,9 @@ static int vcn_v5_0_1_late_init(struct amdgpu_ip_block *ip_block) switch (amdgpu_ip_version(adev, MP0_HWIP, 0)) { case IP_VERSION(13, 0, 12): - if ((adev->psp.sos.fw_version >= 0x00450025) && amdgpu_dpm_reset_vcn_is_supported(adev)) + if ((adev->psp.sos.fw_version >= 0x00450025) && + amdgpu_dpm_reset_vcn_is_supported(adev) && + !amdgpu_sriov_vf(adev)) adev->vcn.supported_reset |= AMDGPU_RESET_TYPE_PER_QUEUE; break; default:

2 weeks, 2 days

1
0
0 0

[PATCH v3 1/2] drm/xe/uapi: disallow bind queue sharing

by Matthew Auld

Currently this is very broken if someone attempts to create a bind queue and share it across multiple VMs. For example currently we assume it is safe to acquire the user VM lock to protect some of the bind queue state, but if allow sharing the bind queue with multiple VMs then this quickly breaks down. To fix this reject using a bind queue with any VM that is not the same VM that was originally passed when creating the bind queue. This a uAPI change, however this was more of an oversight on kernel side that we didn't reject this, and expectation is that userspace shouldn't be using bind queues in this way, so in theory this change should go unnoticed. Based on a patch from Matt Brost. v2 (Matt B): - Hold the vm lock over queue create, to ensure it can't be closed as we attach the user_vm to the queue. - Make sure we actually check for NULL user_vm in destruction path. v3: - Fix error path handling. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Reported-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Michal Mrozek <michal.mrozek(a)intel.com> Cc: Carl Zhang <carl.zhang(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ Acked-by: José Roberto de Souza <jose.souza(a)intel.com> --- drivers/gpu/drm/xe/xe_exec_queue.c | 32 +++++++++++++++++++++++- drivers/gpu/drm/xe/xe_exec_queue.h | 1 + drivers/gpu/drm/xe/xe_exec_queue_types.h | 6 +++++ drivers/gpu/drm/xe/xe_sriov_vf_ccs.c | 2 +- drivers/gpu/drm/xe/xe_vm.c | 7 +++++- 5 files changed, 45 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c index 8724f8de67e2..779d7e7e2d2e 100644 --- a/drivers/gpu/drm/xe/xe_exec_queue.c +++ b/drivers/gpu/drm/xe/xe_exec_queue.c @@ -328,6 +328,7 @@ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe * @xe: Xe device. * @tile: tile which bind exec queue belongs to. * @flags: exec queue creation flags + * @user_vm: The user VM which this exec queue belongs to * @extensions: exec queue creation extensions * * Normalize bind exec queue creation. Bind exec queue is tied to migration VM @@ -341,6 +342,7 @@ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe */ struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe, struct xe_tile *tile, + struct xe_vm *user_vm, u32 flags, u64 extensions) { struct xe_gt *gt = tile->primary_gt; @@ -377,6 +379,9 @@ struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe, xe_exec_queue_put(q); return ERR_PTR(err); } + + if (user_vm) + q->user_vm = xe_vm_get(user_vm); } return q; @@ -407,6 +412,11 @@ void xe_exec_queue_destroy(struct kref *ref) xe_exec_queue_put(eq); } + if (q->user_vm) { + xe_vm_put(q->user_vm); + q->user_vm = NULL; + } + q->ops->destroy(q); } @@ -742,6 +752,22 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data, XE_IOCTL_DBG(xe, eci[0].engine_instance != 0)) return -EINVAL; + vm = xe_vm_lookup(xef, args->vm_id); + if (XE_IOCTL_DBG(xe, !vm)) + return -ENOENT; + + err = down_read_interruptible(&vm->lock); + if (err) { + xe_vm_put(vm); + return err; + } + + if (XE_IOCTL_DBG(xe, xe_vm_is_closed_or_banned(vm))) { + up_read(&vm->lock); + xe_vm_put(vm); + return -ENOENT; + } + for_each_tile(tile, xe, id) { struct xe_exec_queue *new; @@ -749,9 +775,11 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data, if (id) flags |= EXEC_QUEUE_FLAG_BIND_ENGINE_CHILD; - new = xe_exec_queue_create_bind(xe, tile, flags, + new = xe_exec_queue_create_bind(xe, tile, vm, flags, args->extensions); if (IS_ERR(new)) { + up_read(&vm->lock); + xe_vm_put(vm); err = PTR_ERR(new); if (q) goto put_exec_queue; @@ -763,6 +791,8 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data, list_add_tail(&new->multi_gt_list, &q->multi_gt_link); } + up_read(&vm->lock); + xe_vm_put(vm); } else { logical_mask = calc_validate_logical_mask(xe, eci, args->width, diff --git a/drivers/gpu/drm/xe/xe_exec_queue.h b/drivers/gpu/drm/xe/xe_exec_queue.h index fda4d4f9bda8..37a9da22f420 100644 --- a/drivers/gpu/drm/xe/xe_exec_queue.h +++ b/drivers/gpu/drm/xe/xe_exec_queue.h @@ -28,6 +28,7 @@ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe u32 flags, u64 extensions); struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe, struct xe_tile *tile, + struct xe_vm *user_vm, u32 flags, u64 extensions); void xe_exec_queue_fini(struct xe_exec_queue *q); diff --git a/drivers/gpu/drm/xe/xe_exec_queue_types.h b/drivers/gpu/drm/xe/xe_exec_queue_types.h index 771ffe35cd0c..3a4263c92b3d 100644 --- a/drivers/gpu/drm/xe/xe_exec_queue_types.h +++ b/drivers/gpu/drm/xe/xe_exec_queue_types.h @@ -54,6 +54,12 @@ struct xe_exec_queue { struct kref refcount; /** @vm: VM (address space) for this exec queue */ struct xe_vm *vm; + /** + * @user_vm: User VM (address space) for this exec queue (bind queues + * only) + */ + struct xe_vm *user_vm; + /** @class: class of this exec queue */ enum xe_engine_class class; /** diff --git a/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c b/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c index 052a5071e69f..db023fb66a27 100644 --- a/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c +++ b/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c @@ -350,7 +350,7 @@ int xe_sriov_vf_ccs_init(struct xe_device *xe) flags = EXEC_QUEUE_FLAG_KERNEL | EXEC_QUEUE_FLAG_PERMANENT | EXEC_QUEUE_FLAG_MIGRATE; - q = xe_exec_queue_create_bind(xe, tile, flags, 0); + q = xe_exec_queue_create_bind(xe, tile, NULL, flags, 0); if (IS_ERR(q)) { err = PTR_ERR(q); goto err_ret; diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index f9989a7a710c..7973d654540a 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -1614,7 +1614,7 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags, struct xe_file *xef) if (!vm->pt_root[id]) continue; - q = xe_exec_queue_create_bind(xe, tile, create_flags, 0); + q = xe_exec_queue_create_bind(xe, tile, vm, create_flags, 0); if (IS_ERR(q)) { err = PTR_ERR(q); goto err_close; @@ -3571,6 +3571,11 @@ int xe_vm_bind_ioctl(struct drm_device *dev, void *data, struct drm_file *file) } } + if (XE_IOCTL_DBG(xe, q && vm != q->user_vm)) { + err = -EINVAL; + goto put_exec_queue; + } + /* Ensure all UNMAPs visible */ xe_svm_flush(vm); -- 2.51.1

2 weeks, 2 days

3
3
0 0

FAILED: patch "[PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 660b299bed2a2a55a1f9102d029549d0235f881c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112439-squealing-sixties-951d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001 From: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Date: Mon, 3 Nov 2025 14:14:15 +0000 Subject: [PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") was introduced so that all power domains get initialized to a known working state when booting and it does this by shutting them down (including asserting resets and disabling clocks) before registering each power domain with the genpd framework, leaving it to each driver to later on power its needed domains. This caused the Google Pixel C to hang when booting due to a workaround in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi: Clear enable register if powered by bootloader") meant to handle the case where the bootloader enabled the DSI hardware module. The workaround relies on reading a hardware register to determine the current status and after b6bcbce33596 that now happens in a powered down state thus leading to the boot hang. Fix this by reverting b22fd0b9639e since currently we are guaranteed that the hardware will be fully reset by the time we start enabling the DSI module. Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") Cc: stable(a)vger.kernel.org Signed-off-by: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Signed-off-by: Thierry Reding <treding(a)nvidia.com> Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@te… diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index b5089b772267..ddfb2858acbf 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(struct drm_encoder *encoder) u32 value; int err; - /* If the bootloader enabled DSI it needs to be disabled - * in order for the panel initialization commands to be - * properly sent. - */ - value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL); - - if (value & DSI_POWER_CONTROL_ENABLE) - tegra_dsi_disable(dsi); - err = tegra_dsi_prepare(dsi); if (err < 0) { dev_err(dsi->dev, "failed to prepare: %d\n", err);

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 660b299bed2a2a55a1f9102d029549d0235f881c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112438-strict-pessimist-d344@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001 From: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Date: Mon, 3 Nov 2025 14:14:15 +0000 Subject: [PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") was introduced so that all power domains get initialized to a known working state when booting and it does this by shutting them down (including asserting resets and disabling clocks) before registering each power domain with the genpd framework, leaving it to each driver to later on power its needed domains. This caused the Google Pixel C to hang when booting due to a workaround in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi: Clear enable register if powered by bootloader") meant to handle the case where the bootloader enabled the DSI hardware module. The workaround relies on reading a hardware register to determine the current status and after b6bcbce33596 that now happens in a powered down state thus leading to the boot hang. Fix this by reverting b22fd0b9639e since currently we are guaranteed that the hardware will be fully reset by the time we start enabling the DSI module. Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") Cc: stable(a)vger.kernel.org Signed-off-by: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Signed-off-by: Thierry Reding <treding(a)nvidia.com> Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@te… diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index b5089b772267..ddfb2858acbf 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(struct drm_encoder *encoder) u32 value; int err; - /* If the bootloader enabled DSI it needs to be disabled - * in order for the panel initialization commands to be - * properly sent. - */ - value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL); - - if (value & DSI_POWER_CONTROL_ENABLE) - tegra_dsi_disable(dsi); - err = tegra_dsi_prepare(dsi); if (err < 0) { dev_err(dsi->dev, "failed to prepare: %d\n", err);

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 660b299bed2a2a55a1f9102d029549d0235f881c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112437-dancing-superhero-785c@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001 From: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Date: Mon, 3 Nov 2025 14:14:15 +0000 Subject: [PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") was introduced so that all power domains get initialized to a known working state when booting and it does this by shutting them down (including asserting resets and disabling clocks) before registering each power domain with the genpd framework, leaving it to each driver to later on power its needed domains. This caused the Google Pixel C to hang when booting due to a workaround in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi: Clear enable register if powered by bootloader") meant to handle the case where the bootloader enabled the DSI hardware module. The workaround relies on reading a hardware register to determine the current status and after b6bcbce33596 that now happens in a powered down state thus leading to the boot hang. Fix this by reverting b22fd0b9639e since currently we are guaranteed that the hardware will be fully reset by the time we start enabling the DSI module. Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") Cc: stable(a)vger.kernel.org Signed-off-by: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Signed-off-by: Thierry Reding <treding(a)nvidia.com> Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@te… diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index b5089b772267..ddfb2858acbf 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(struct drm_encoder *encoder) u32 value; int err; - /* If the bootloader enabled DSI it needs to be disabled - * in order for the panel initialization commands to be - * properly sent. - */ - value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL); - - if (value & DSI_POWER_CONTROL_ENABLE) - tegra_dsi_disable(dsi); - err = tegra_dsi_prepare(dsi); if (err < 0) { dev_err(dsi->dev, "failed to prepare: %d\n", err);

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 660b299bed2a2a55a1f9102d029549d0235f881c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112437-unpiloted-wharf-9cfb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 660b299bed2a2a55a1f9102d029549d0235f881c Mon Sep 17 00:00:00 2001 From: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Date: Mon, 3 Nov 2025 14:14:15 +0000 Subject: [PATCH] Revert "drm/tegra: dsi: Clear enable register if powered by bootloader" Commit b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") was introduced so that all power domains get initialized to a known working state when booting and it does this by shutting them down (including asserting resets and disabling clocks) before registering each power domain with the genpd framework, leaving it to each driver to later on power its needed domains. This caused the Google Pixel C to hang when booting due to a workaround in the DSI driver introduced in commit b22fd0b9639e ("drm/tegra: dsi: Clear enable register if powered by bootloader") meant to handle the case where the bootloader enabled the DSI hardware module. The workaround relies on reading a hardware register to determine the current status and after b6bcbce33596 that now happens in a powered down state thus leading to the boot hang. Fix this by reverting b22fd0b9639e since currently we are guaranteed that the hardware will be fully reset by the time we start enabling the DSI module. Fixes: b6bcbce33596 ("soc/tegra: pmc: Ensure power-domains are in a known state") Cc: stable(a)vger.kernel.org Signed-off-by: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> Signed-off-by: Thierry Reding <treding(a)nvidia.com> Link: https://patch.msgid.link/20251103-diogo-smaug_ec_typec-v1-1-be656ccda391@te… diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index b5089b772267..ddfb2858acbf 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -913,15 +913,6 @@ static void tegra_dsi_encoder_enable(struct drm_encoder *encoder) u32 value; int err; - /* If the bootloader enabled DSI it needs to be disabled - * in order for the panel initialization commands to be - * properly sent. - */ - value = tegra_dsi_readl(dsi, DSI_POWER_CONTROL); - - if (value & DSI_POWER_CONTROL_ENABLE) - tegra_dsi_disable(dsi); - err = tegra_dsi_prepare(dsi); if (err < 0) { dev_err(dsi->dev, "failed to prepare: %d\n", err);

2 weeks, 2 days

1
0
0 0

[PATCH] drm: sti: fix device leaks at component probe

by Johan Hovold

Make sure to drop the references taken to the vtg devices by of_find_device_by_node() when looking up their driver data during component probe. Note that holding a reference to a platform device does not prevent its driver data from going away so there is no point in keeping the reference after the lookup helper returns. Fixes: cc6b741c6f63 ("drm: sti: remove useless fields from vtg structure") Cc: stable(a)vger.kernel.org # 4.16 Cc: Benjamin Gaignard <benjamin.gaignard(a)collabora.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/sti/sti_vtg.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/sti/sti_vtg.c b/drivers/gpu/drm/sti/sti_vtg.c index ee81691b3203..ce6bc7e7b135 100644 --- a/drivers/gpu/drm/sti/sti_vtg.c +++ b/drivers/gpu/drm/sti/sti_vtg.c @@ -143,12 +143,17 @@ struct sti_vtg { struct sti_vtg *of_vtg_find(struct device_node *np) { struct platform_device *pdev; + struct sti_vtg *vtg; pdev = of_find_device_by_node(np); if (!pdev) return NULL; - return (struct sti_vtg *)platform_get_drvdata(pdev); + vtg = platform_get_drvdata(pdev); + + put_device(&pdev->dev); + + return vtg; } static void vtg_reset(struct sti_vtg *vtg) -- 2.49.1

2 weeks, 2 days

4
9
0 0

WTF: patch "[PATCH] block: add __must_check attribute to sb_min_blocksize()" was seriously submitted to be applied to the 6.15-stable tree?

by gregkh＠linuxfoundation.org

The patch below was submitted to be applied to the 6.15-stable tree. I fail to see how this patch meets the stable kernel rules as found at Documentation/process/stable-kernel-rules.rst. I could be totally wrong, and if so, please respond to <stable(a)vger.kernel.org> and let me know why this patch should be applied. Otherwise, it is now dropped from my patch queues, never to be seen again. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8637fa89e678422995301ddb20b74190dffcccee Mon Sep 17 00:00:00 2001 From: Yongpeng Yang <yangyongpeng(a)xiaomi.com> Date: Tue, 4 Nov 2025 20:50:10 +0800 Subject: [PATCH] block: add __must_check attribute to sb_min_blocksize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When sb_min_blocksize() returns 0 and the return value is not checked, it may lead to a situation where sb->s_blocksize is 0 when accessing the filesystem super block. After commit a64e5a596067bd ("bdev: add back PAGE_SIZE block size validation for sb_set_blocksize()"), this becomes more likely to happen when the block device’s logical_block_size is larger than PAGE_SIZE and the filesystem is unformatted. Add the __must_check attribute to ensure callers always check the return value. Cc: stable(a)vger.kernel.org # v6.15 Suggested-by: Matthew Wilcox <willy(a)infradead.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Yongpeng Yang <yangyongpeng(a)xiaomi.com> Link: https://patch.msgid.link/20251104125009.2111925-6-yangyongpeng.storage@gmai… Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/block/bdev.c b/block/bdev.c index 810707cca970..638f0cd458ae 100644 --- a/block/bdev.c +++ b/block/bdev.c @@ -231,7 +231,7 @@ int sb_set_blocksize(struct super_block *sb, int size) EXPORT_SYMBOL(sb_set_blocksize); -int sb_min_blocksize(struct super_block *sb, int size) +int __must_check sb_min_blocksize(struct super_block *sb, int size) { int minsize = bdev_logical_block_size(sb->s_bdev); if (size < minsize) diff --git a/include/linux/fs.h b/include/linux/fs.h index c895146c1444..3ea98c6cce81 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -3423,8 +3423,8 @@ static inline void remove_inode_hash(struct inode *inode) extern void inode_sb_list_add(struct inode *inode); extern void inode_add_lru(struct inode *inode); -extern int sb_set_blocksize(struct super_block *, int); -extern int sb_min_blocksize(struct super_block *, int); +int sb_set_blocksize(struct super_block *sb, int size); +int __must_check sb_min_blocksize(struct super_block *sb, int size); int generic_file_mmap(struct file *, struct vm_area_struct *); int generic_file_mmap_prepare(struct vm_area_desc *desc);

2 weeks, 2 days

1
0
0 0

[PATCH 6.17 000/244] 6.17.9-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.17.9 release. There are 244 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 23 Nov 2025 16:05:54 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.9-rc2… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.17.9-rc2 Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Fix lan8814_config_init Abdun Nihaal <nihaal(a)cse.iitm.ac.in> isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Sean Christopherson <seanjc(a)google.com> KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL Xin Li <xin(a)zytor.com> KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel Sean Christopherson <seanjc(a)google.com> KVM: x86: Rename local "ecx" variables to "msr" and "pmc" as appropriate Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> ASoC: da7213: Use component driver suspend/resume Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS() Carlos Llamas <cmllamas(a)google.com> scripts/decode_stacktrace.sh: fix build ID and PC source parsing Matthieu Baerts (NGI0) <matttbe(a)kernel.org> scripts/decode_stacktrace.sh: symbol: preserve alignment Matthieu Baerts (NGI0) <matttbe(a)kernel.org> scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces Kiryl Shutsemau <kas(a)kernel.org> mm/memory: do not populate page table entries beyond i_size Zi Yan <ziy(a)nvidia.com> mm/huge_memory: do not change split_huge_page*() target order silently Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: properly kill background tasks Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: userspace: longer transfer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: trunc: read all recv data Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: endpoints: longer transfer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: rm: set backup flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: fix fallback note due to OoO Marek Szyprowski <m.szyprowski(a)samsung.com> pmdomain: samsung: Rework legacy splash-screen handover workaround André Draszik <andre.draszik(a)linaro.org> pmdomain: samsung: plug potential memleak during probe Miaoqian Lin <linmq006(a)gmail.com> pmdomain: imx: Fix reference count leak in imx_gpc_remove Sudeep Holla <sudeep.holla(a)arm.com> pmdomain: arm: scmi: Fix genpd leak on provider registration failure Nitin Gote <nitin.r.gote(a)intel.com> drm/xe/xe3: Add WA_14024681466 for Xe3_LPG Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu(a)intel.com> drm/xe/xe3: Extend wa_14023061436 Nitin Gote <nitin.r.gote(a)intel.com> drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg Jani Nikula <jani.nikula(a)intel.com> drm/i915/psr: fix pipe to vblank conversion Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces Jesse.Zhang <Jesse.Zhang(a)amd.com> drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process Jonathan Kim <jonathan.kim(a)amd.com> drm/amdkfd: relax checks for over allocation of save area Zilin Guan <zilin(a)seu.edu.cn> btrfs: release root after error in data_reloc_print_warning_inode() Filipe Manana <fdmanana(a)suse.com> btrfs: do not update last_log_commit when logging inode due to a new name Zilin Guan <zilin(a)seu.edu.cn> btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix stripe width calculation Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix conventional zone capacity calculation Mario Limonciello (AMD) <superm1(a)kernel.org> PM: hibernate: Use atomic64_t for compressed_size variable Mario Limonciello (AMD) <superm1(a)kernel.org> PM: hibernate: Emit an error when image writing fails Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Handle OCRAM ECC enable after warm reset Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Consolidate max_pfn & max_low_pfn calculation Song Liu <song(a)kernel.org> ftrace: Fix BPF fexit with livepatch Jens Axboe <axboe(a)kernel.dk> io_uring/rw: ensure allocated iovec gets cleared for early failure Sami Tolvanen <samitolvanen(a)google.com> gendwarfksyms: Skip files with no exports Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> selftests/user_events: fix type cast for write_index packed member in perf_test Mario Limonciello <mario.limonciello(a)amd.com> x86/CPU/AMD: Add additional fixed RDSEED microcode revisions Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Hans de Goede <hansg(a)kernel.org> spi: Try to get ACPI GPIO IRQ earlier Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix cifs_pick_channel when channel needs reconnect Miaoqian Lin <linmq006(a)gmail.com> crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value Sourabh Jain <sourabhjain(a)linux.ibm.com> crash: fix crashkernel resource shrink Hao Ge <gehao(a)kylinos.cn> codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext Edward Adam Davis <eadavis(a)qq.com> cifs: client: fix memory leak in smb3_fs_context_parse_param Miaoqian Lin <linmq006(a)gmail.com> ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present() Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver Shawn Lin <shawn.lin(a)rock-chips.com> mmc: dw_mmc-rockchip: Fix wrong internal phase calculate Rakuram Eswaran <rakuram.e96(a)gmail.com> mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs Shawn Lin <shawn.lin(a)rock-chips.com> mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 Zi Yan <ziy(a)nvidia.com> mm/huge_memory: fix folio split check for anon folios in swapcache Kairui Song <kasong(a)tencent.com> mm, swap: fix potential UAF issue for VMA readahead Dev Jain <dev.jain(a)arm.com> mm/mremap: honour writable bit in mremap pte batching Kairui Song <kasong(a)tencent.com> mm/shmem: fix THP allocation and fallback loop Aleksei Nikiforov <aleksei.nikiforov(a)linux.ibm.com> mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/stat: change last_refresh_jiffies to a global variable Isaac J. Manjarres <isaacmanjarres(a)google.com> mm/mm_init: fix hash table order logging in alloc_large_system_hash() Wei Yang <albinwyang(a)tencent.com> fs/proc: fix uaf in proc_readdir_de() Zi Yan <ziy(a)nvidia.com> mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: reject address change while connecting Steven Rostedt <rostedt(a)goodmis.org> selftests/tracing: Run sample events to clear page cache events Lance Yang <lance.yang(a)linux.dev> mm/secretmem: fix use-after-free race in fault handler Breno Leitao <leitao(a)debian.org> net: netpoll: fix incorrect refcount handling causing incorrect cleanup Edward Adam Davis <eadavis(a)qq.com> nilfs2: avoid having an active sc_timer before freeing sci Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/sysfs: change next_update_jiffies to a global variable Chuang Wang <nashuiliang(a)gmail.com> ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Tianyang Zhang <zhangtianyang(a)loongson.cn> LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Use correct accessor to read FWPC/MWPC Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Consolidate early_ioremap()/ioremap_prot() Martin Kaiser <martin(a)kaiser.cx> maple_tree: fix tracepoint string pointers Qinxin Xia <xiaqinxin(a)huawei.com> dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Nate Karstens <nate.karstens(a)garmin.com> strparser: Fix signed/unsigned mismatch bug Pratyush Yadav <pratyush(a)kernel.org> kho: warn and exit when unpreserved page wasn't preserved Pedro Demarchi Gomes <pedrodemargomes(a)gmail.com> ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Joshua Rogers <linux(a)joshua.hu> ksmbd: close accepted socket when per-IP limit rejects connection Peter Oberparleiter <oberpar(a)linux.ibm.com> gcov: add support for GCC 15 Olga Kornievskaia <okorniev(a)redhat.com> NFSD: free copynotify stateid in nfs4_free_ol_stateid() Olga Kornievskaia <okorniev(a)redhat.com> nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes NeilBrown <neil(a)brown.name> nfsd: fix refcount leak in nfsd_set_fh_dentry() Sukrit Bhatnagar <Sukrit.Bhatnagar(a)sony.com> KVM: VMX: Fix check for valid GVA on an EPT violation Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Fix and simplify LBR virtualization handling with nested Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make all 32bit ID registers fully writable Sean Christopherson <seanjc(a)google.com> KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix max supported vCPUs set with EIOINTC Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Add delay until timer interrupt injected Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Restore guest PMU if it is enabled Abdun Nihaal <nihaal(a)cse.iitm.ac.in> HID: uclogic: Fix potential memory leak in error path Abdun Nihaal <nihaal(a)cse.iitm.ac.in> HID: playstation: Fix memory leak in dualshock4_get_calibration_data() Luke Wang <ziniu.wang_1(a)nxp.com> pwm: adp5585: Correct mismatched pwm chip info Chukun Pan <amadeus(a)jmu.edu.cn> arm64: dts: rockchip: drop reset from rk3576 i2c9 node Andrey Leonchikov <andreil499(a)gmail.com> arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2 Rafał Miłecki <rafal(a)milecki.pl> ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY Masami Ichikawa <masami256(a)gmail.com> HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Frieder Schrempf <frieder.schrempf(a)kontron.de> arm64: dts: imx8mp-kontron: Fix USB OTG role switching João Paulo Gonçalves <joao.goncalves(a)toradex.com> arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: imx51-zii-rdu1: Fix audmux node names Dario Binacchi <dario.binacchi(a)amarulasolutions.com> ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic Andrey Leonchikov <andreil499(a)gmail.com> arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and Pi2 Anand Moon <linux.amoon(a)gmail.com> arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Ravi Bangoria <ravi.bangoria(a)amd.com> perf test: Fix lock contention test Ian Rogers <irogers(a)google.com> perf test shell lock_contention: Extra debug diagnostics Ravi Bangoria <ravi.bangoria(a)amd.com> perf lock: Fix segfault due to missing kernel map Arnaldo Carvalho de Melo <acme(a)kernel.org> perf build: Don't fail fast path feature detection when binutils-devel is not available Thomas Falcon <thomas.falcon(a)intel.com> perf header: Write bpf_prog (infos|btfs)_cnt to data file Zqiang <qiang.zhang(a)linux.dev> sched_ext: Fix unsafe locking in the scx_dump_state() Andrei Vagin <avagin(a)google.com> fs/namespace: correctly handle errors returned by grab_requested_mnt_ns Zilin Guan <zilin(a)seu.edu.cn> binfmt_misc: restore write access before closing files opened by open_exec() Alok Tiwari <alok.a.tiwari(a)oracle.com> virtio-fs: fix incorrect check for fsvq->kobj Dan Carpenter <dan.carpenter(a)linaro.org> mtd: onenand: Pass correct pointer to IRQ handler David Howells <dhowells(a)redhat.com> afs: Fix dynamic lookup to fail on cell lookup failure Hongbo Li <lihongbo22(a)huawei.com> hostfs: Fix only passing host root in boot stage with new mount Eric Biggers <ebiggers(a)kernel.org> lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Eslam Khafagy <eslam.medhat1993(a)gmail.com> posix-timers: Plug potential memory leak in do_timer_create() Nick Hu <nick.hu(a)sifive.com> irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Eduard Zingerman <eddyz87(a)gmail.com> bpf: account for current allocated stack depth in widen_imprecise_scalars() Eric Dumazet <edumazet(a)google.com> bpf: Add bpf_prog_run_data_pointers() Randy Dunlap <rdunlap(a)infradead.org> drm/client: fix MODULE_PARM_DESC string for "active" Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe() Dave Jiang <dave.jiang(a)intel.com> acpi/hmat: Fix lockdep warning for hmem_register_resource() Sultan Alsawaf <sultan(a)kerneltoast.com> drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO Haein Lee <lhi0729(a)kaist.ac.kr> ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Dai Ngo <dai.ngo(a)oracle.com> NFS: Fix LTP test failures when timestamps are delegated Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() Yang Xiuwei <yangxiuwei(a)kylinos.cn> NFS: sysfs: fix leak when nfs_client kobject add fails Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv2/v3: Fix error handling in nfs_atomic_open_v23() Al Viro <viro(a)zeniv.linux.org.uk> simplify nfs_atomic_open_v23() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Check the TLS certificate fields in nfs_match_client() Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect() Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Flush shmem writes before mapping buffers CPU-uncached Shenghao Ding <shenghao-ding(a)ti.com> ASoC: tas2781: fix getting the wrong device number Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Restore Guest-Backed only cursor plane support Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: codecs: va-macro: fix resource leak in probe error path Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: cs4271: Fix regulator leak on probe failure Haotian Zhang <vulab(a)iscas.ac.cn> regulator: fixed: fix GPIO descriptor leak on register failure Shuai Xue <xueshuai(a)linux.alibaba.com> acpi,srat: Fix incorrect device handle check for Generic Initiator Caleb Sander Mateos <csander(a)purestorage.com> io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs Andrii Melnychenko <a.melnychenko(a)vyos.io> netfilter: nft_ct: add seqadj extension for natted connections Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: export l2cap_chan_hold for modules Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Perform fast check switch only for online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Check _CPC validity for only the online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Detect preferred core availability on online CPUs Felix Maurer <fmaurer(a)redhat.com> hsr: Follow standard for HSRv0 supervision frames Felix Maurer <fmaurer(a)redhat.com> hsr: Fix supervision frame sending on HSRv0 Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio-net: fix incorrect flags recording in big mode Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mld: always take beacon ies in link grading Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: fix beacon template/fixed rate Eric Dumazet <edumazet(a)google.com> net_sched: limit try_bulk_dequeue_skb() batches Akiva Goldberger <agoldberger(a)nvidia.com> mlx5: Fix default values in create CQ Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Prepare for using different CQ doorbells Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Store the global doorbell in mlx5_priv Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix potentially misleading debug message Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix maxrate wraparound in threshold between units Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state() Ranganath V N <vnranganath.20(a)gmail.com> net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Ranganath V N <vnranganath.20(a)gmail.com> net: sched: act_connmark: initialize struct tc_ife to fix kernel leak Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not handling PA Sync Lost event Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Initialise scc_index in unix_add_edge(). Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: skip rate verification for not captured PSDUs Buday Csaba <buday.csaba(a)prolan.hu> net: mdio: fix resource leak in mdiobus_register_device() Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_mon_reinit_self(). Aksh Garg <a-garg7(a)ti.com> net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism Aksh Garg <a-garg7(a)ti.com> net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout Zilin Guan <zilin(a)seu.edu.cn> net/handshake: Fix memory leak in tls_handshake_accept() D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix mismatch between CLC header and proposal Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: tag_brcm: do not mark link local traffic as offloaded Eric Dumazet <edumazet(a)google.com> sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com> Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Pauli Virtanen <pav(a)iki.fi> Bluetooth: MGMT: cancel mesh send timer when hdev removed Chuck Lever <chuck.lever(a)oracle.com> NFSD: Skip close replay processing if XDR encoding fails Xi Ruoyao <xry111(a)xry111.site> rust: Add -fno-isolate-erroneous-paths-dereference to bindgen_skip_c_flags Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: lan8814 fix reset of the QSGMII interface Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Replace hardcoded pages with defines Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Introduce lanphy_modify_page_reg Wei Fang <wei.fang(a)nxp.com> net: fec: correct rx_bytes statistic for the case SHIFT16 is set Alexander Sverdlin <alexander.sverdlin(a)gmail.com> selftests: net: local_termination: Wait for interfaces to come up Gao Xiang <xiang(a)kernel.org> erofs: avoid infinite loop due to incomplete zstd-compressed data Nicolas Escande <nico.escande(a)gmail.com> wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd Dawn Gardner <dawn.auroali(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx Sharique Mohammad <sharq0406(a)gmail.com> ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Stuart Hayhurst <stuart.a.hayhurst(a)gmail.com> HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL ZhangGuoDong <zhangguodong(a)kylinos.cn> smb/server: fix possible refcount leak in smb2_sess_setup() ZhangGuoDong <zhangguodong(a)kylinos.cn> smb/server: fix possible memory leak in smb2_read() Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix unexpected placement on same size resizing Jaehun Gou <p22gone(a)gmail.com> exfat: fix improper check of dentry.stream.valid_size Oleg Makarenko <oleg(a)makarenk.ooo> HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel Scott Mayhew <smayhew(a)redhat.com> NFS: check if suid/sgid was cleared after a write as needed Vicki Pfau <vi(a)endrift.com> HID: nintendo: Wait longer for initial probe Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation Tristan Lobb <tristan.lobb(a)it-lobb.de> HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Abhishek Tamboli <abhishektamboli9(a)gmail.com> HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's Joshua Watt <jpewhacker(a)gmail.com> NFS4: Apply delay_retrans to async operations Jonathan Kim <jonathan.kim(a)amd.com> drm/amdkfd: fix suspend/resume all calls in mes based eviction path Joshua Watt <jpewhacker(a)gmail.com> NFS4: Fix state renewals missing after boot Jesse.Zhang <Jesse.Zhang(a)amd.com> drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Christian König <christian.koenig(a)amd.com> drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Christian König <christian.koenig(a)amd.com> drm/amdgpu: remove two invalid BUG_ON()s Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Avoid unnecessary blocking in IRQ handler Andrey Albershteyn <aalbersh(a)redhat.com> fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls Han Gao <rabenda.cn(a)gmail.com> riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Danil Skrebenkov <danil.skrebenkov(a)cloudbear.ru> RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Feng Jiang <jiangfeng(a)kylinos.cn> riscv: Build loader.bin exclusively for Canaan K210 Peter Zijlstra <peterz(a)infradead.org> compiler_types: Move unused static inline functions warning to W=2 Yang Shi <yang(a)os.amperecomputing.com> arm64: kprobes: check the return value of set_memory_rox() Timur Kristóf <timur.kristof(a)gmail.com> drm/amd: Disable ASPM on SI Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable MCLK switching on SI at high pixel clocks Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Disable fastboot on DCE 6 too Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Use pm_display_cfg in legacy DPM (v2) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Add pixel_clock to amd_pp_display_configuration Jouni Högander <jouni.hogander(a)intel.com> drm/xe: Do clean shutdown also when using flr Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Move declarations under conditional branch Balasubramani Vivekanandan <balasubramani.vivekanandan(a)intel.com> drm/xe/guc: Synchronize Dead CT worker with unbind Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Fix suspend failure with secure display TA Peter Zijlstra <peterz(a)infradead.org> futex: Optimize per-cpu reference counting Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Make vfio_compat's unmap succeed if the range is already empty Shuhao Fu <sfual(a)cse.ust.hk> smb: client: fix refcount leak in smb2_set_path_attr Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Don't stretch non-native images by default in eDP Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: set default gfx reset masks for gfx6-8 Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> drm/i915: Fix conversion between clock ticks and nanoseconds Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD Jason-JH Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add pm_runtime support for GCE power control Nicolin Chen <nicolinc(a)nvidia.com> iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents() ------------- Diffstat: Makefile | 4 +- .../boot/dts/broadcom/bcm47189-luxul-xap-1440.dts | 4 +- arch/arm/boot/dts/nxp/imx/imx51-zii-rdu1.dts | 4 +- .../dts/nxp/imx/imx6ull-engicam-microgea-rmm.dts | 2 +- arch/arm/crypto/Kconfig | 2 +- arch/arm64/boot/dts/freescale/imx8-ss-img.dtsi | 2 - .../boot/dts/freescale/imx8mp-kontron-bl-osm-s.dts | 24 +- .../boot/dts/rockchip/rk3566-bigtreetech-cb2.dtsi | 6 +- arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 + arch/arm64/boot/dts/rockchip/rk3576.dtsi | 2 - arch/arm64/boot/dts/rockchip/rk3588-opp.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3588j.dtsi | 2 +- arch/arm64/kernel/probes/kprobes.c | 5 +- arch/arm64/kvm/sys_regs.c | 59 +-- arch/loongarch/include/asm/hw_breakpoint.h | 4 +- arch/loongarch/include/asm/io.h | 5 +- arch/loongarch/include/asm/pgtable.h | 11 +- arch/loongarch/kernel/mem.c | 7 +- arch/loongarch/kernel/numa.c | 23 +- arch/loongarch/kernel/setup.c | 5 +- arch/loongarch/kernel/traps.c | 4 +- arch/loongarch/kvm/intc/eiointc.c | 2 +- arch/loongarch/kvm/timer.c | 2 + arch/loongarch/kvm/vcpu.c | 5 + arch/loongarch/mm/init.c | 2 - arch/loongarch/mm/ioremap.c | 2 +- arch/riscv/Makefile | 2 +- arch/riscv/kernel/cpu-hotplug.c | 1 + arch/riscv/kernel/setup.c | 7 +- arch/x86/include/asm/kvm_host.h | 3 + arch/x86/include/uapi/asm/vmx.h | 7 +- arch/x86/kernel/acpi/cppc.c | 2 +- arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/microcode/amd.c | 1 + arch/x86/kvm/svm/nested.c | 20 +- arch/x86/kvm/svm/svm.c | 73 ++- arch/x86/kvm/vmx/common.h | 2 +- arch/x86/kvm/vmx/nested.c | 21 +- arch/x86/kvm/vmx/vmx.c | 29 ++ arch/x86/kvm/vmx/vmx.h | 5 + arch/x86/kvm/x86.c | 75 ++- drivers/acpi/cppc_acpi.c | 6 +- drivers/acpi/numa/hmat.c | 46 +- drivers/acpi/numa/srat.c | 2 +- drivers/bluetooth/btusb.c | 13 +- drivers/cpufreq/intel_pstate.c | 9 +- drivers/crypto/hisilicon/qm.c | 2 + drivers/edac/altera_edac.c | 22 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 + drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 12 + drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 5 + drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 5 + drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 5 + .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 73 +-- drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c | 1 + .../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 +- drivers/gpu/drm/amd/display/dc/dm_services_types.h | 2 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 6 +- drivers/gpu/drm/amd/include/dm_pp_interface.h | 1 + drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 67 +++ drivers/gpu/drm/amd/pm/inc/amdgpu_dpm_internal.h | 2 + drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +- drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 6 +- drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 70 ++- drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 11 +- drivers/gpu/drm/clients/drm_client_setup.c | 4 +- drivers/gpu/drm/i915/display/intel_psr.c | 3 +- drivers/gpu/drm/i915/gt/intel_gt_clock_utils.c | 4 +- drivers/gpu/drm/i915/i915_vma.c | 16 +- drivers/gpu/drm/mediatek/mtk_crtc.c | 7 + drivers/gpu/drm/panthor/panthor_gem.c | 18 + drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c | 16 +- drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h | 1 + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 + drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 + drivers/gpu/drm/xe/xe_device.c | 14 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 + drivers/gpu/drm/xe/xe_wa.c | 11 + drivers/hid/hid-ids.h | 4 + drivers/hid/hid-logitech-hidpp.c | 21 + drivers/hid/hid-nintendo.c | 2 +- drivers/hid/hid-ntrig.c | 7 +- drivers/hid/hid-playstation.c | 2 + drivers/hid/hid-quirks.c | 2 + drivers/hid/hid-uclogic-params.c | 4 +- .../intel-thc-hid/intel-quickspi/pci-quickspi.c | 6 + .../intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 + drivers/infiniband/hw/mlx5/cq.c | 15 +- drivers/iommu/iommufd/io_pagetable.c | 12 +- drivers/iommu/iommufd/ioas.c | 4 + drivers/irqchip/irq-riscv-intc.c | 3 +- drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +- drivers/mmc/host/dw_mmc-rockchip.c | 4 +- drivers/mmc/host/pxamci.c | 56 +-- drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +- drivers/mtd/nand/onenand/onenand_samsung.c | 2 +- drivers/net/ethernet/freescale/fec_main.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 15 + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 79 ++++ drivers/net/ethernet/mellanox/mlx5/core/cq.c | 24 +- drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 + .../net/ethernet/mellanox/mlx5/core/en/params.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h | 5 +- .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 +- .../net/ethernet/mellanox/mlx5/core/en_common.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 33 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 +- drivers/net/ethernet/mellanox/mlx5/core/eq.c | 8 +- .../net/ethernet/mellanox/mlx5/core/fpga/conn.c | 16 +- drivers/net/ethernet/mellanox/mlx5/core/lib/aso.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 11 +- .../mellanox/mlx5/core/steering/hws/send.c | 15 +- .../mellanox/mlx5/core/steering/sws/dr_send.c | 29 +- drivers/net/ethernet/mellanox/mlx5/core/wc.c | 4 +- drivers/net/ethernet/ti/am65-cpsw-qos.c | 53 ++- drivers/net/phy/mdio_bus.c | 5 +- drivers/net/phy/micrel.c | 515 +++++++++++++-------- drivers/net/virtio_net.c | 16 +- drivers/net/wireless/ath/ath11k/wmi.c | 3 + drivers/net/wireless/intel/iwlwifi/mld/link.c | 7 +- drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 13 +- drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 12 +- drivers/pmdomain/arm/scmi_pm_domain.c | 13 +- drivers/pmdomain/imx/gpc.c | 2 + drivers/pmdomain/samsung/exynos-pm-domains.c | 29 +- drivers/pwm/pwm-adp5585.c | 4 +- drivers/regulator/fixed.c | 1 + drivers/spi/spi.c | 10 + drivers/vdpa/mlx5/net/mlx5_vnet.c | 6 +- fs/afs/cell.c | 78 +++- fs/afs/dynroot.c | 3 +- fs/afs/internal.h | 12 +- fs/afs/mntpt.c | 3 +- fs/afs/proc.c | 3 +- fs/afs/super.c | 2 +- fs/afs/vl_alias.c | 3 +- fs/binfmt_misc.c | 4 +- fs/btrfs/inode.c | 4 +- fs/btrfs/scrub.c | 2 + fs/btrfs/tree-log.c | 2 +- fs/btrfs/zoned.c | 60 ++- fs/erofs/decompressor_zstd.c | 11 +- fs/exfat/namei.c | 6 +- fs/file_attr.c | 4 + fs/fuse/virtio_fs.c | 2 +- fs/hostfs/hostfs_kern.c | 29 +- fs/namespace.c | 32 +- fs/nfs/client.c | 8 + fs/nfs/dir.c | 23 +- fs/nfs/inode.c | 18 +- fs/nfs/nfs3client.c | 14 +- fs/nfs/nfs4client.c | 15 +- fs/nfs/nfs4proc.c | 22 +- fs/nfs/pnfs_nfs.c | 66 +-- fs/nfs/sysfs.c | 1 + fs/nfs/write.c | 3 +- fs/nfsd/nfs4state.c | 3 +- fs/nfsd/nfs4xdr.c | 3 +- fs/nfsd/nfsd.h | 1 + fs/nfsd/nfsfh.c | 6 +- fs/nilfs2/segment.c | 7 +- fs/proc/generic.c | 12 +- fs/smb/client/fs_context.c | 2 + fs/smb/client/smb2inode.c | 2 + fs/smb/client/transport.c | 2 +- fs/smb/server/smb2pdu.c | 2 + fs/smb/server/transport_tcp.c | 5 +- include/linux/compiler_types.h | 5 +- include/linux/filter.h | 20 + include/linux/huge_mm.h | 55 +-- include/linux/map_benchmark.h | 1 + include/linux/mlx5/cq.h | 2 +- include/linux/mlx5/driver.h | 3 +- include/linux/nfs_xdr.h | 1 + include/net/bluetooth/hci.h | 5 + include/uapi/linux/mount.h | 2 +- io_uring/register.c | 7 - io_uring/rsrc.c | 16 +- io_uring/rw.c | 3 + kernel/bpf/trampoline.c | 5 - kernel/bpf/verifier.c | 6 +- kernel/crash_core.c | 2 +- kernel/futex/core.c | 12 +- kernel/gcov/gcc_4_7.c | 4 +- kernel/kexec_handover.c | 8 +- kernel/power/swap.c | 17 +- kernel/sched/ext.c | 4 +- kernel/time/posix-timers.c | 12 +- kernel/trace/ftrace.c | 20 +- lib/maple_tree.c | 30 +- mm/damon/stat.c | 9 +- mm/damon/sysfs.c | 10 +- mm/filemap.c | 20 +- mm/huge_memory.c | 38 +- mm/kmsan/core.c | 3 - mm/kmsan/hooks.c | 6 +- mm/kmsan/shadow.c | 2 +- mm/ksm.c | 113 ++++- mm/memory.c | 20 +- mm/mm_init.c | 2 +- mm/mremap.c | 2 +- mm/secretmem.c | 2 +- mm/shmem.c | 9 +- mm/slub.c | 6 +- mm/swap_state.c | 13 + mm/truncate.c | 6 +- net/bluetooth/6lowpan.c | 103 +++-- net/bluetooth/hci_conn.c | 33 +- net/bluetooth/hci_event.c | 56 ++- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_core.c | 1 + net/bluetooth/mgmt.c | 1 + net/core/netpoll.c | 7 +- net/dsa/tag_brcm.c | 6 +- net/handshake/tlshd.c | 1 + net/hsr/hsr_device.c | 5 +- net/hsr/hsr_forward.c | 22 +- net/ipv4/route.c | 5 + net/mac80211/iface.c | 14 +- net/mac80211/rx.c | 10 +- net/netfilter/nft_ct.c | 5 + net/sched/act_bpf.c | 6 +- net/sched/act_connmark.c | 12 +- net/sched/act_ife.c | 12 +- net/sched/cls_bpf.c | 6 +- net/sched/sch_generic.c | 17 +- net/sctp/transport.c | 13 +- net/smc/smc_clc.c | 1 + net/strparser/strparser.c | 2 +- net/tipc/net.c | 2 + net/unix/garbage.c | 14 +- rust/Makefile | 2 +- scripts/decode_stacktrace.sh | 43 +- scripts/gendwarfksyms/gendwarfksyms.c | 3 +- scripts/gendwarfksyms/gendwarfksyms.h | 2 +- scripts/gendwarfksyms/symbols.c | 4 +- sound/hda/codecs/hdmi/nvhdmi-mcp.c | 4 +- sound/hda/codecs/realtek/alc269.c | 1 + sound/soc/codecs/cs4271.c | 10 +- sound/soc/codecs/da7213.c | 65 ++- sound/soc/codecs/da7213.h | 1 + sound/soc/codecs/lpass-va-macro.c | 2 +- sound/soc/codecs/max98090.c | 6 +- sound/soc/codecs/nau8821.c | 22 +- sound/soc/codecs/nau8821.h | 2 +- sound/soc/codecs/tas2781-i2c.c | 9 +- sound/soc/renesas/rcar/ssiu.c | 3 +- sound/soc/sdw_utils/soc_sdw_utils.c | 20 +- sound/usb/endpoint.c | 5 + sound/usb/mixer.c | 2 + tools/build/feature/Makefile | 4 +- tools/perf/Makefile.config | 5 +- tools/perf/builtin-lock.c | 2 + tools/perf/tests/shell/lock_contention.sh | 21 +- tools/perf/util/header.c | 10 +- .../ftrace/test.d/filter/event-filter-function.tc | 4 + tools/testing/selftests/iommu/iommufd.c | 2 + tools/testing/selftests/iommu/iommufd_utils.h | 4 +- .../selftests/net/forwarding/local_termination.sh | 2 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 +- tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 90 ++-- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 + tools/testing/selftests/user_events/perf_test.c | 2 +- virt/kvm/guest_memfd.c | 47 +- 277 files changed, 2501 insertions(+), 1388 deletions(-)

2 weeks, 2 days

16
15
0 0

[REGRESSION] stable-rc/linux-6.12.y: (build) in vmlinux (scripts/Makefile.vmlinux:34) [logspec:kbuild,kbuild.ot...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-6.12.y: --- in vmlinux (scripts/Makefile.vmlinux:34) [logspec:kbuild,kbuild.other] --- - dashboard: https://d.kernelci.org/i/maestro:35cde1a01734118c6b52274afdf25ae5a8a9dbb2 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: d5dc97879a97b328a89ec092271faa3db9f2bff3 - tags: v6.12.59 Log excerpt: ===================================================== .lds Inconsistent kallsyms data Try "make KALLSYMS_EXTRA_PASS=1" as a workaround ===================================================== # Builds where the incident occurred: ## defconfig+arm64-chromebook+kcidebug+lab-setup on (arm64): - compiler: gcc-14 - config: https://files.kernelci.org/kbuild-gcc-14-arm64-chromebook-kcidebug-69243346… - dashboard: https://d.kernelci.org/build/maestro:69243346f5b8743b1f5e53b5 #kernelci issue maestro:35cde1a01734118c6b52274afdf25ae5a8a9dbb2 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 2 days

1
0
0 0

[PATCH v4] w1: therm: Fix off-by-one buffer overflow in alarms_store

by Thorsten Blum

The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. Cc: stable(a)vger.kernel.org Fixes: e2c94d6f5720 ("w1_therm: adding alarm sysfs entry") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- Compile-tested only. Changes in v4: - Use simple_strtoll because kstrtoint also parses long long internally - Return -ERANGE in addition to -EINVAL to match kstrtoint's behavior - Remove any changes unrelated to fixing the buffer overflow (Krzysztof) while maintaining the same behavior and return values as before - Link to v3: https://lore.kernel.org/lkml/20251030155614.447905-1-thorsten.blum@linux.de… Changes in v3: - Add integer range check for 'temp' to match kstrtoint() behavior - Explicitly cast 'temp' to int when calling int_to_short() - Link to v2: https://lore.kernel.org/lkml/20251029130045.70127-2-thorsten.blum@linux.dev/ Changes in v2: - Fix buffer overflow instead of truncating the copy using strscpy() - Parse buffer directly using simple_strtol() as suggested by David - Update patch subject and description - Link to v1: https://lore.kernel.org/lkml/20251017170047.114224-2-thorsten.blum@linux.de… --- drivers/w1/slaves/w1_therm.c | 64 ++++++++++++------------------------ 1 file changed, 21 insertions(+), 43 deletions(-) diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c index 9ccedb3264fb..5707fa34e804 100644 --- a/drivers/w1/slaves/w1_therm.c +++ b/drivers/w1/slaves/w1_therm.c @@ -1836,55 +1836,36 @@ static ssize_t alarms_store(struct device *device, struct w1_slave *sl = dev_to_w1_slave(device); struct therm_info info; u8 new_config_register[3]; /* array of data to be written */ - int temp, ret; - char *token = NULL; + long long temp; + int ret = 0; s8 tl, th; /* 1 byte per value + temp ring order */ - char *p_args, *orig; - - p_args = orig = kmalloc(size, GFP_KERNEL); - /* Safe string copys as buf is const */ - if (!p_args) { - dev_warn(device, - "%s: error unable to allocate memory %d\n", - __func__, -ENOMEM); - return size; - } - strcpy(p_args, buf); - - /* Split string using space char */ - token = strsep(&p_args, " "); - - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - - /* Convert 1st entry to int */ - ret = kstrtoint (token, 10, &temp); + const char *p = buf; + char *endp; + + temp = simple_strtoll(p, &endp, 10); + if (p == endp || *endp != ' ') + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + goto err; } tl = int_to_short(temp); - /* Split string using space char */ - token = strsep(&p_args, " "); - if (!token) { - dev_info(device, - "%s: error parsing args %d\n", __func__, -EINVAL); - goto free_m; - } - /* Convert 2nd entry to int */ - ret = kstrtoint (token, 10, &temp); + p = endp + 1; + temp = simple_strtoll(p, &endp, 10); + if (p == endp) + ret = -EINVAL; + else if (temp < INT_MIN || temp > INT_MAX) + ret = -ERANGE; if (ret) { dev_info(device, "%s: error parsing args %d\n", __func__, ret); - goto free_m; + goto err; } - /* Prepare to cast to short by eliminating out of range values */ th = int_to_short(temp); @@ -1905,7 +1886,7 @@ static ssize_t alarms_store(struct device *device, dev_info(device, "%s: error reading from the slave device %d\n", __func__, ret); - goto free_m; + goto err; } /* Write data in the device RAM */ @@ -1913,7 +1894,7 @@ static ssize_t alarms_store(struct device *device, dev_info(device, "%s: Device not supported by the driver %d\n", __func__, -ENODEV); - goto free_m; + goto err; } ret = SLAVE_SPECIFIC_FUNC(sl)->write_data(sl, new_config_register); @@ -1922,10 +1903,7 @@ static ssize_t alarms_store(struct device *device, "%s: error writing to the slave device %d\n", __func__, ret); -free_m: - /* free allocated memory */ - kfree(orig); - +err: return size; } -- 2.51.1

2 weeks, 2 days

1
1
0 0

FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 103e17aac09cdd358133f9e00998b75d6c1f1518 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112434-arise-unlimited-9689@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001 From: Sebastian Ene <sebastianene(a)google.com> Date: Fri, 17 Oct 2025 07:57:10 +0000 Subject: [PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. Signed-off-by: Sebastian Ene <sebastianene(a)google.com> Acked-by: Will Deacon <will(a)kernel.org> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier <maz(a)kernel.org> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 4e16f9b96f63..58b7d0c477d7 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges; + u32 offset, nr_ranges, checked_offset; int ret = 0; if (addr_mbz || npages_mbz || fraglen > len || @@ -516,7 +516,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; } - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + if (fraglen < checked_offset) { ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock; }

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 103e17aac09cdd358133f9e00998b75d6c1f1518 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112434-impending-cupid-a11e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001 From: Sebastian Ene <sebastianene(a)google.com> Date: Fri, 17 Oct 2025 07:57:10 +0000 Subject: [PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. Signed-off-by: Sebastian Ene <sebastianene(a)google.com> Acked-by: Will Deacon <will(a)kernel.org> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier <maz(a)kernel.org> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 4e16f9b96f63..58b7d0c477d7 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges; + u32 offset, nr_ranges, checked_offset; int ret = 0; if (addr_mbz || npages_mbz || fraglen > len || @@ -516,7 +516,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; } - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + if (fraglen < checked_offset) { ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock; }

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 103e17aac09cdd358133f9e00998b75d6c1f1518 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112430-brunch-scone-7ffb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001 From: Sebastian Ene <sebastianene(a)google.com> Date: Fri, 17 Oct 2025 07:57:10 +0000 Subject: [PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. Signed-off-by: Sebastian Ene <sebastianene(a)google.com> Acked-by: Will Deacon <will(a)kernel.org> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier <maz(a)kernel.org> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 4e16f9b96f63..58b7d0c477d7 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges; + u32 offset, nr_ranges, checked_offset; int ret = 0; if (addr_mbz || npages_mbz || fraglen > len || @@ -516,7 +516,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; } - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + if (fraglen < checked_offset) { ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock; }

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 103e17aac09cdd358133f9e00998b75d6c1f1518 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112430-imperial-yearling-e395@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 103e17aac09cdd358133f9e00998b75d6c1f1518 Mon Sep 17 00:00:00 2001 From: Sebastian Ene <sebastianene(a)google.com> Date: Fri, 17 Oct 2025 07:57:10 +0000 Subject: [PATCH] KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. Signed-off-by: Sebastian Ene <sebastianene(a)google.com> Acked-by: Will Deacon <will(a)kernel.org> Link: https://patch.msgid.link/20251017075710.2605118-1-sebastianene@google.com Signed-off-by: Marc Zyngier <maz(a)kernel.org> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 4e16f9b96f63..58b7d0c477d7 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges; + u32 offset, nr_ranges, checked_offset; int ret = 0; if (addr_mbz || npages_mbz || fraglen > len || @@ -516,7 +516,12 @@ static void __do_ffa_mem_xfer(const u64 func_id, goto out_unlock; } - if (fraglen < offset + sizeof(struct ffa_composite_mem_region)) { + if (check_add_overflow(offset, sizeof(struct ffa_composite_mem_region), &checked_offset)) { + ret = FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + if (fraglen < checked_offset) { ret = FFA_RET_INVALID_PARAMETERS; goto out_unlock; }

2 weeks, 2 days

1
0
0 0

[PATCH] crypto: hisilicon/qm - fix device leak on QoS updates

by Johan Hovold

Make sure to drop the reference taken when looking up the PCI device on QoS updates. Fixes: 22d7a6c39cab ("crypto: hisilicon/qm - add pci bdf number check") Cc: stable(a)vger.kernel.org # 6.2 Cc: Kai Ye <yekai13(a)huawei.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/crypto/hisilicon/qm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c index a5b96adf2d1e..ef6fdcc3dbcb 100644 --- a/drivers/crypto/hisilicon/qm.c +++ b/drivers/crypto/hisilicon/qm.c @@ -3871,11 +3871,14 @@ static ssize_t qm_get_qos_value(struct hisi_qm *qm, const char *buf, pdev = container_of(dev, struct pci_dev, dev); if (pci_physfn(pdev) != qm->pdev) { pci_err(qm->pdev, "the pdev input does not match the pf!\n"); + put_device(dev); return -EINVAL; } *fun_index = pdev->devfn; + put_device(dev); + return 0; } -- 2.51.2

2 weeks, 2 days

2
2
0 0

[PATCH] drm/tegra: fix device leak on probe()

by Johan Hovold

Make sure to drop the reference taken when looking up the companion device during probe(). Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: f68ba6912bd2 ("drm/tegra: dc: Link DC1 to DC0 on Tegra20") Cc: stable(a)vger.kernel.org # 4.16 Cc: Dmitry Osipenko <digetx(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/tegra/dc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index 59d5c1ba145a..7a6b30df6a89 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -3148,6 +3148,8 @@ static int tegra_dc_couple(struct tegra_dc *dc) dc->client.parent = &parent->client; dev_dbg(dc->dev, "coupled to %s\n", dev_name(companion)); + + put_device(companion); } return 0; -- 2.51.2

2 weeks, 2 days

1
1
0 0

[PATCH] crypto: zstd - fix double-free in per-CPU stream cleanup

by Giovanni Cabiddu

The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed. The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free. This leads to a stack trace similar to: BUG: Bad page state in process kworker/u16:1 pfn:106fd93 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: nonzero entire_mapcount Modules linked in: ... CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B Hardware name: ... Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 bad_page+0x71/0xd0 free_unref_page_prepare+0x24e/0x490 free_unref_page+0x60/0x170 crypto_acomp_free_streams+0x5d/0xc0 crypto_acomp_exit_tfm+0x23/0x50 crypto_destroy_tfm+0x60/0xc0 ... Change the lifecycle management of zstd_streams to free the streams only once during module cleanup. Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp") Cc: stable(a)vger.kernel.org Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Reviewed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty(a)intel.com> --- crypto/zstd.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/crypto/zstd.c b/crypto/zstd.c index dc5b36141ff8..cbbd0413751a 100644 --- a/crypto/zstd.c +++ b/crypto/zstd.c @@ -75,11 +75,6 @@ static int zstd_init(struct crypto_acomp *acomp_tfm) return ret; } -static void zstd_exit(struct crypto_acomp *acomp_tfm) -{ - crypto_acomp_free_streams(&zstd_streams); -} - static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx, const void *src, void *dst, unsigned int *dlen) { @@ -297,7 +292,6 @@ static struct acomp_alg zstd_acomp = { .cra_module = THIS_MODULE, }, .init = zstd_init, - .exit = zstd_exit, .compress = zstd_compress, .decompress = zstd_decompress, }; @@ -310,6 +304,7 @@ static int __init zstd_mod_init(void) static void __exit zstd_mod_fini(void) { crypto_unregister_acomp(&zstd_acomp); + crypto_acomp_free_streams(&zstd_streams); } module_init(zstd_mod_init); base-commit: 8faa5c4b47998c5930314a3bb8ee53534cfdc1ce -- 2.51.1

2 weeks, 2 days

2
1
0 0

Linux 6.17.9

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.9 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dts | 4 arch/arm/boot/dts/nxp/imx/imx51-zii-rdu1.dts | 4 arch/arm/boot/dts/nxp/imx/imx6ull-engicam-microgea-rmm.dts | 2 arch/arm/crypto/Kconfig | 2 arch/arm64/boot/dts/freescale/imx8-ss-img.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mp-kontron-bl-osm-s.dts | 24 arch/arm64/boot/dts/rockchip/rk3566-bigtreetech-cb2.dtsi | 6 arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 arch/arm64/boot/dts/rockchip/rk3576.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3588-opp.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3588j.dtsi | 2 arch/arm64/kernel/probes/kprobes.c | 5 arch/arm64/kvm/sys_regs.c | 59 - arch/loongarch/include/asm/hw_breakpoint.h | 4 arch/loongarch/include/asm/io.h | 5 arch/loongarch/include/asm/pgtable.h | 11 arch/loongarch/kernel/mem.c | 7 arch/loongarch/kernel/numa.c | 23 arch/loongarch/kernel/setup.c | 5 arch/loongarch/kernel/traps.c | 4 arch/loongarch/kvm/intc/eiointc.c | 2 arch/loongarch/kvm/timer.c | 2 arch/loongarch/kvm/vcpu.c | 5 arch/loongarch/mm/init.c | 2 arch/loongarch/mm/ioremap.c | 2 arch/riscv/Makefile | 2 arch/riscv/kernel/cpu-hotplug.c | 1 arch/riscv/kernel/setup.c | 7 arch/x86/include/asm/kvm_host.h | 3 arch/x86/include/uapi/asm/vmx.h | 7 arch/x86/kernel/acpi/cppc.c | 2 arch/x86/kernel/cpu/amd.c | 7 arch/x86/kernel/cpu/microcode/amd.c | 1 arch/x86/kvm/svm/nested.c | 20 arch/x86/kvm/svm/svm.c | 71 - arch/x86/kvm/vmx/common.h | 2 arch/x86/kvm/vmx/nested.c | 21 arch/x86/kvm/vmx/vmx.c | 29 arch/x86/kvm/vmx/vmx.h | 5 arch/x86/kvm/x86.c | 75 + drivers/acpi/cppc_acpi.c | 6 drivers/acpi/numa/hmat.c | 46 drivers/acpi/numa/srat.c | 2 drivers/bluetooth/btusb.c | 13 drivers/cpufreq/intel_pstate.c | 9 drivers/crypto/hisilicon/qm.c | 2 drivers/edac/altera_edac.c | 22 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 5 drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 5 drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 5 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 73 - drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c | 1 drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 drivers/gpu/drm/amd/display/dc/dm_services_types.h | 2 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 6 drivers/gpu/drm/amd/include/dm_pp_interface.h | 1 drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 67 + drivers/gpu/drm/amd/pm/inc/amdgpu_dpm_internal.h | 2 drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 6 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 70 - drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 11 drivers/gpu/drm/clients/drm_client_setup.c | 4 drivers/gpu/drm/i915/display/intel_psr.c | 3 drivers/gpu/drm/i915/gt/intel_gt_clock_utils.c | 4 drivers/gpu/drm/i915/i915_vma.c | 16 drivers/gpu/drm/mediatek/mtk_crtc.c | 7 drivers/gpu/drm/panthor/panthor_gem.c | 18 drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c | 16 drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h | 1 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 drivers/gpu/drm/xe/xe_device.c | 14 drivers/gpu/drm/xe/xe_guc_ct.c | 3 drivers/gpu/drm/xe/xe_wa.c | 11 drivers/hid/hid-ids.h | 4 drivers/hid/hid-logitech-hidpp.c | 21 drivers/hid/hid-nintendo.c | 2 drivers/hid/hid-ntrig.c | 7 drivers/hid/hid-playstation.c | 2 drivers/hid/hid-quirks.c | 2 drivers/hid/hid-uclogic-params.c | 4 drivers/hid/intel-thc-hid/intel-quickspi/pci-quickspi.c | 6 drivers/hid/intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 drivers/infiniband/hw/mlx5/cq.c | 15 drivers/iommu/iommufd/io_pagetable.c | 12 drivers/iommu/iommufd/ioas.c | 4 drivers/irqchip/irq-riscv-intc.c | 3 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 drivers/mmc/host/dw_mmc-rockchip.c | 4 drivers/mmc/host/pxamci.c | 56 - drivers/mmc/host/sdhci-of-dwcmshc.c | 2 drivers/mtd/nand/onenand/onenand_samsung.c | 2 drivers/net/ethernet/freescale/fec_main.c | 2 drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 15 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 79 + drivers/net/ethernet/mellanox/mlx5/core/cq.c | 24 drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 drivers/net/ethernet/mellanox/mlx5/core/en/params.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h | 5 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 11 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 33 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 drivers/net/ethernet/mellanox/mlx5/core/eq.c | 8 drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c | 16 drivers/net/ethernet/mellanox/mlx5/core/lib/aso.c | 8 drivers/net/ethernet/mellanox/mlx5/core/main.c | 11 drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c | 15 drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c | 29 drivers/net/ethernet/mellanox/mlx5/core/wc.c | 4 drivers/net/ethernet/ti/am65-cpsw-qos.c | 51 drivers/net/phy/mdio_bus.c | 5 drivers/net/phy/micrel.c | 515 ++++++---- drivers/net/virtio_net.c | 16 drivers/net/wireless/ath/ath11k/wmi.c | 3 drivers/net/wireless/intel/iwlwifi/mld/link.c | 7 drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 13 drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 12 drivers/pmdomain/arm/scmi_pm_domain.c | 13 drivers/pmdomain/imx/gpc.c | 2 drivers/pmdomain/samsung/exynos-pm-domains.c | 29 drivers/pwm/pwm-adp5585.c | 4 drivers/regulator/fixed.c | 1 drivers/spi/spi.c | 10 drivers/vdpa/mlx5/net/mlx5_vnet.c | 6 fs/afs/cell.c | 78 + fs/afs/dynroot.c | 3 fs/afs/internal.h | 12 fs/afs/mntpt.c | 3 fs/afs/proc.c | 3 fs/afs/super.c | 2 fs/afs/vl_alias.c | 3 fs/binfmt_misc.c | 4 fs/btrfs/inode.c | 4 fs/btrfs/scrub.c | 2 fs/btrfs/tree-log.c | 2 fs/btrfs/zoned.c | 60 - fs/erofs/decompressor_zstd.c | 11 fs/exfat/namei.c | 6 fs/file_attr.c | 4 fs/fuse/virtio_fs.c | 2 fs/hostfs/hostfs_kern.c | 29 fs/namespace.c | 32 fs/nfs/client.c | 8 fs/nfs/dir.c | 23 fs/nfs/inode.c | 18 fs/nfs/nfs3client.c | 14 fs/nfs/nfs4client.c | 15 fs/nfs/nfs4proc.c | 22 fs/nfs/pnfs_nfs.c | 66 - fs/nfs/sysfs.c | 1 fs/nfs/write.c | 3 fs/nfsd/nfs4state.c | 3 fs/nfsd/nfs4xdr.c | 3 fs/nfsd/nfsd.h | 1 fs/nfsd/nfsfh.c | 6 fs/nilfs2/segment.c | 7 fs/proc/generic.c | 12 fs/smb/client/fs_context.c | 2 fs/smb/client/smb2inode.c | 2 fs/smb/client/transport.c | 2 fs/smb/server/smb2pdu.c | 2 fs/smb/server/transport_tcp.c | 5 include/linux/compiler_types.h | 5 include/linux/filter.h | 20 include/linux/huge_mm.h | 55 - include/linux/map_benchmark.h | 1 include/linux/mlx5/cq.h | 2 include/linux/mlx5/driver.h | 3 include/linux/nfs_xdr.h | 1 include/net/bluetooth/hci.h | 5 include/uapi/linux/mount.h | 2 io_uring/register.c | 7 io_uring/rsrc.c | 16 io_uring/rw.c | 3 kernel/bpf/trampoline.c | 5 kernel/bpf/verifier.c | 6 kernel/crash_core.c | 2 kernel/futex/core.c | 12 kernel/gcov/gcc_4_7.c | 4 kernel/kexec_handover.c | 8 kernel/power/swap.c | 17 kernel/sched/ext.c | 4 kernel/time/posix-timers.c | 12 kernel/trace/ftrace.c | 20 lib/maple_tree.c | 30 mm/damon/stat.c | 9 mm/damon/sysfs.c | 10 mm/filemap.c | 20 mm/huge_memory.c | 38 mm/kmsan/core.c | 3 mm/kmsan/hooks.c | 6 mm/kmsan/shadow.c | 2 mm/ksm.c | 113 ++ mm/memory.c | 20 mm/mm_init.c | 2 mm/mremap.c | 2 mm/secretmem.c | 2 mm/shmem.c | 9 mm/slub.c | 6 mm/swap_state.c | 13 mm/truncate.c | 6 net/bluetooth/6lowpan.c | 97 + net/bluetooth/hci_conn.c | 33 net/bluetooth/hci_event.c | 56 - net/bluetooth/hci_sync.c | 2 net/bluetooth/l2cap_core.c | 1 net/bluetooth/mgmt.c | 1 net/core/netpoll.c | 7 net/dsa/tag_brcm.c | 6 net/handshake/tlshd.c | 1 net/hsr/hsr_device.c | 5 net/hsr/hsr_forward.c | 22 net/ipv4/route.c | 5 net/mac80211/iface.c | 14 net/mac80211/rx.c | 10 net/netfilter/nft_ct.c | 5 net/sched/act_bpf.c | 6 net/sched/act_connmark.c | 12 net/sched/act_ife.c | 12 net/sched/cls_bpf.c | 6 net/sched/sch_generic.c | 17 net/sctp/transport.c | 13 net/smc/smc_clc.c | 1 net/strparser/strparser.c | 2 net/tipc/net.c | 2 net/unix/garbage.c | 14 rust/Makefile | 2 scripts/decode_stacktrace.sh | 43 scripts/gendwarfksyms/gendwarfksyms.c | 3 scripts/gendwarfksyms/gendwarfksyms.h | 2 scripts/gendwarfksyms/symbols.c | 4 sound/hda/codecs/hdmi/nvhdmi-mcp.c | 4 sound/hda/codecs/realtek/alc269.c | 1 sound/soc/codecs/cs4271.c | 10 sound/soc/codecs/da7213.c | 65 - sound/soc/codecs/da7213.h | 1 sound/soc/codecs/lpass-va-macro.c | 2 sound/soc/codecs/max98090.c | 6 sound/soc/codecs/nau8821.c | 22 sound/soc/codecs/nau8821.h | 2 sound/soc/codecs/tas2781-i2c.c | 9 sound/soc/renesas/rcar/ssiu.c | 3 sound/soc/sdw_utils/soc_sdw_utils.c | 20 sound/usb/endpoint.c | 5 sound/usb/mixer.c | 2 tools/build/feature/Makefile | 4 tools/perf/Makefile.config | 5 tools/perf/builtin-lock.c | 2 tools/perf/tests/shell/lock_contention.sh | 21 tools/perf/util/header.c | 10 tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc | 4 tools/testing/selftests/iommu/iommufd.c | 2 tools/testing/selftests/iommu/iommufd_utils.h | 4 tools/testing/selftests/net/forwarding/local_termination.sh | 2 tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 tools/testing/selftests/net/mptcp/mptcp_join.sh | 90 - tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 tools/testing/selftests/user_events/perf_test.c | 2 virt/kvm/guest_memfd.c | 45 277 files changed, 2494 insertions(+), 1381 deletions(-) Abdun Nihaal (3): HID: playstation: Fix memory leak in dualshock4_get_calibration_data() HID: uclogic: Fix potential memory leak in error path isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Abhishek Tamboli (1): HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's Akiva Goldberger (1): mlx5: Fix default values in create CQ Aksh Garg (2): net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism Al Viro (1): simplify nfs_atomic_open_v23() Aleksei Nikiforov (1): mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet Alex Deucher (1): drm/amdgpu: set default gfx reset masks for gfx6-8 Alexander Sverdlin (1): selftests: net: local_termination: Wait for interfaces to come up Alok Tiwari (1): virtio-fs: fix incorrect check for fsvq->kobj Anand Moon (1): arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Andrei Vagin (1): fs/namespace: correctly handle errors returned by grab_requested_mnt_ns Andrey Albershteyn (1): fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls Andrey Leonchikov (2): arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and Pi2 arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2 Andrii Melnychenko (1): netfilter: nft_ct: add seqadj extension for natted connections André Draszik (1): pmdomain: samsung: plug potential memleak during probe Ankit Khushwaha (1): selftests/user_events: fix type cast for write_index packed member in perf_test Arnaldo Carvalho de Melo (1): perf build: Don't fail fast path feature detection when binutils-devel is not available Balasubramani Vivekanandan (1): drm/xe/guc: Synchronize Dead CT worker with unbind Benjamin Berg (1): wifi: mac80211: skip rate verification for not captured PSDUs Bibo Mao (3): LoongArch: KVM: Restore guest PMU if it is enabled LoongArch: KVM: Add delay until timer interrupt injected LoongArch: KVM: Fix max supported vCPUs set with EIOINTC Boris Brezillon (1): drm/panthor: Flush shmem writes before mapping buffers CPU-uncached Borislav Petkov (AMD) (1): x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Breno Leitao (1): net: netpoll: fix incorrect refcount handling causing incorrect cleanup Buday Csaba (1): net: mdio: fix resource leak in mdiobus_register_device() Caleb Sander Mateos (1): io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs Carlos Llamas (1): scripts/decode_stacktrace.sh: fix build ID and PC source parsing Carolina Jubran (1): net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state() Christian König (2): drm/amdgpu: remove two invalid BUG_ON()s drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Chuang Wang (1): ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Chuck Lever (1): NFSD: Skip close replay processing if XDR encoding fails Chukun Pan (1): arm64: dts: rockchip: drop reset from rk3576 i2c9 node Claudiu Beznea (1): ASoC: da7213: Use component driver suspend/resume Cosmin Ratiu (3): net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET net/mlx5: Store the global doorbell in mlx5_priv net/mlx5e: Prepare for using different CQ doorbells Cristian Ciocaltea (1): ASoC: nau8821: Avoid unnecessary blocking in IRQ handler D. Wythe (1): net/smc: fix mismatch between CLC header and proposal Dai Ngo (1): NFS: Fix LTP test failures when timestamps are delegated Dan Carpenter (1): mtd: onenand: Pass correct pointer to IRQ handler Danil Skrebenkov (1): RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Dario Binacchi (1): ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value Dave Jiang (1): acpi/hmat: Fix lockdep warning for hmem_register_resource() David Howells (1): afs: Fix dynamic lookup to fail on cell lookup failure Dawn Gardner (1): ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx Dev Jain (1): mm/mremap: honour writable bit in mremap pte batching Dragan Simic (1): arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic Eduard Zingerman (1): bpf: account for current allocated stack depth in widen_imprecise_scalars() Edward Adam Davis (2): nilfs2: avoid having an active sc_timer before freeing sci cifs: client: fix memory leak in smb3_fs_context_parse_param Eric Biggers (1): lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Eric Dumazet (3): sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto net_sched: limit try_bulk_dequeue_skb() batches bpf: Add bpf_prog_run_data_pointers() Eslam Khafagy (1): posix-timers: Plug potential memory leak in do_timer_create() Felix Maurer (2): hsr: Fix supervision frame sending on HSRv0 hsr: Follow standard for HSRv0 supervision frames Feng Jiang (1): riscv: Build loader.bin exclusively for Canaan K210 Filipe Manana (1): btrfs: do not update last_log_commit when logging inode due to a new name Frieder Schrempf (1): arm64: dts: imx8mp-kontron: Fix USB OTG role switching Gal Pressman (3): net/mlx5e: Fix maxrate wraparound in threshold between units net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps net/mlx5e: Fix potentially misleading debug message Gao Xiang (1): erofs: avoid infinite loop due to incomplete zstd-compressed data Gautham R. Shenoy (4): ACPI: CPPC: Detect preferred core availability on online CPUs ACPI: CPPC: Check _CPC validity for only the online CPUs ACPI: CPPC: Perform fast check switch only for online CPUs ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs Geert Uytterhoeven (1): ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS() Greg Kroah-Hartman (1): Linux 6.17.9 Haein Lee (1): ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Han Gao (1): riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Hans de Goede (1): spi: Try to get ACPI GPIO IRQ earlier Hao Ge (1): codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext Haotian Zhang (4): regulator: fixed: fix GPIO descriptor leak on register failure ASoC: cs4271: Fix regulator leak on probe failure ASoC: codecs: va-macro: fix resource leak in probe error path ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe() Henrique Carvalho (1): smb: client: fix cifs_pick_channel when channel needs reconnect Hongbo Li (1): hostfs: Fix only passing host root in boot stage with new mount Horatiu Vultur (4): net: phy: micrel: Introduce lanphy_modify_page_reg net: phy: micrel: Replace hardcoded pages with defines net: phy: micrel: lan8814 fix reset of the QSGMII interface net: phy: micrel: Fix lan8814_config_init Huacai Chen (4): LoongArch: Consolidate early_ioremap()/ioremap_prot() LoongArch: Use correct accessor to read FWPC/MWPC LoongArch: Consolidate max_pfn & max_low_pfn calculation LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Ian Forbes (2): drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE drm/vmwgfx: Restore Guest-Backed only cursor plane support Ian Rogers (1): perf test shell lock_contention: Extra debug diagnostics Isaac J. Manjarres (1): mm/mm_init: fix hash table order logging in alloc_large_system_hash() Jaehun Gou (1): exfat: fix improper check of dentry.stream.valid_size Jani Nikula (1): drm/i915/psr: fix pipe to vblank conversion Janusz Krzysztofik (1): drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD Jason Gunthorpe (1): iommufd: Make vfio_compat's unmap succeed if the range is already empty Jason-JH Lin (1): drm/mediatek: Add pm_runtime support for GCE power control Jedrzej Jagielski (2): ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd Jens Axboe (1): io_uring/rw: ensure allocated iovec gets cleared for early failure Jesse.Zhang (2): drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process Jihed Chaibi (1): ARM: dts: imx51-zii-rdu1: Fix audmux node names Johannes Berg (2): wifi: iwlwifi: mvm: fix beacon template/fixed rate wifi: mac80211: reject address change while connecting Jonas Gorski (1): net: dsa: tag_brcm: do not mark link local traffic as offloaded Jonathan Kim (2): drm/amdkfd: fix suspend/resume all calls in mes based eviction path drm/amdkfd: relax checks for over allocation of save area Joshua Rogers (1): ksmbd: close accepted socket when per-IP limit rejects connection Joshua Watt (2): NFS4: Fix state renewals missing after boot NFS4: Apply delay_retrans to async operations Jouni Högander (1): drm/xe: Do clean shutdown also when using flr João Paulo Gonçalves (1): arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred Kairui Song (2): mm/shmem: fix THP allocation and fallback loop mm, swap: fix potential UAF issue for VMA readahead Kiryl Shutsemau (1): mm/memory: do not populate page table entries beyond i_size Kuniyuki Iwashima (2): tipc: Fix use-after-free in tipc_mon_reinit_self(). af_unix: Initialise scc_index in unix_add_edge(). Lance Yang (1): mm/secretmem: fix use-after-free race in fault handler Luiz Augusto von Dentz (2): Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections Bluetooth: hci_event: Fix not handling PA Sync Lost event Luke Wang (1): pwm: adp5585: Correct mismatched pwm chip info Marc Zyngier (1): KVM: arm64: Make all 32bit ID registers fully writable Marek Szyprowski (1): pmdomain: samsung: Rework legacy splash-screen handover workaround Mario Limonciello (2): drm/amd: Fix suspend failure with secure display TA x86/CPU/AMD: Add additional fixed RDSEED microcode revisions Mario Limonciello (AMD) (3): drm/amd/display: Don't stretch non-native images by default in eDP PM: hibernate: Emit an error when image writing fails PM: hibernate: Use atomic64_t for compressed_size variable Martin Kaiser (1): maple_tree: fix tracepoint string pointers Masami Ichikawa (1): HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Matthieu Baerts (NGI0) (8): selftests: mptcp: connect: fix fallback note due to OoO selftests: mptcp: join: rm: set backup flag selftests: mptcp: join: endpoints: longer transfer selftests: mptcp: connect: trunc: read all recv data selftests: mptcp: join: userspace: longer transfer selftests: mptcp: join: properly kill background tasks scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces scripts/decode_stacktrace.sh: symbol: preserve alignment Miaoqian Lin (3): ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present() crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value pmdomain: imx: Fix reference count leak in imx_gpc_remove Miri Korenblit (1): wifi: iwlwifi: mld: always take beacon ies in link grading Naohiro Aota (2): btrfs: zoned: fix conventional zone capacity calculation btrfs: zoned: fix stripe width calculation Nate Karstens (1): strparser: Fix signed/unsigned mismatch bug NeilBrown (1): nfsd: fix refcount leak in nfsd_set_fh_dentry() Nick Hu (1): irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Nicolas Escande (1): wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() Nicolin Chen (1): iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents() Niravkumar L Rabara (2): EDAC/altera: Handle OCRAM ECC enable after warm reset EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Nitin Gote (2): drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg drm/xe/xe3: Add WA_14024681466 for Xe3_LPG Oleg Makarenko (1): HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel Olga Kornievskaia (2): nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes NFSD: free copynotify stateid in nfs4_free_ol_stateid() Pauli Virtanen (5): Bluetooth: MGMT: cancel mesh send timer when hdev removed Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Bluetooth: L2CAP: export l2cap_chan_hold for modules Pavel Begunkov (1): io_uring: fix unexpected placement on same size resizing Pedro Demarchi Gomes (1): ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Peter Oberparleiter (1): gcov: add support for GCC 15 Peter Zijlstra (2): futex: Optimize per-cpu reference counting compiler_types: Move unused static inline functions warning to W=2 Pratyush Yadav (1): kho: warn and exit when unpreserved page wasn't preserved Qinxin Xia (1): dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Quanmin Yan (2): mm/damon/sysfs: change next_update_jiffies to a global variable mm/damon/stat: change last_refresh_jiffies to a global variable Rafał Miłecki (1): ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY Rakuram Eswaran (1): mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs Randy Dunlap (1): drm/client: fix MODULE_PARM_DESC string for "active" Ranganath V N (2): net: sched: act_connmark: initialize struct tc_ife to fix kernel leak net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Raphael Pinsonneault-Thibeault (1): Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Ravi Bangoria (2): perf lock: Fix segfault due to missing kernel map perf test: Fix lock contention test Sami Tolvanen (1): gendwarfksyms: Skip files with no exports Scott Mayhew (1): NFS: check if suid/sgid was cleared after a write as needed Sean Christopherson (3): KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying KVM: x86: Rename local "ecx" variables to "msr" and "pmc" as appropriate KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL Sharique Mohammad (1): ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Shawn Lin (2): mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 mmc: dw_mmc-rockchip: Fix wrong internal phase calculate Shenghao Ding (1): ASoC: tas2781: fix getting the wrong device number Shuai Xue (1): acpi,srat: Fix incorrect device handle check for Generic Initiator Shuhao Fu (1): smb: client: fix refcount leak in smb2_set_path_attr Song Liu (1): ftrace: Fix BPF fexit with livepatch Sourabh Jain (1): crash: fix crashkernel resource shrink Srinivas Pandruvada (1): cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes Steven Rostedt (1): selftests/tracing: Run sample events to clear page cache events Stuart Hayhurst (1): HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL Sudeep Holla (1): pmdomain: arm: scmi: Fix genpd leak on provider registration failure Sukrit Bhatnagar (1): KVM: VMX: Fix check for valid GVA on an EPT violation Sultan Alsawaf (1): drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO Takashi Iwai (2): ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Tangudu Tilak Tirumalesh (1): drm/xe/xe3: Extend wa_14023061436 Tejas Upadhyay (1): drm/xe: Move declarations under conditional branch Thomas Falcon (1): perf header: Write bpf_prog (infos|btfs)_cnt to data file Tianyang Zhang (1): LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Timur Kristóf (5): drm/amd/display: Add pixel_clock to amd_pp_display_configuration drm/amd/pm: Use pm_display_cfg in legacy DPM (v2) drm/amd/display: Disable fastboot on DCE 6 too drm/amd/pm: Disable MCLK switching on SI at high pixel clocks drm/amd: Disable ASPM on SI Tristan Lobb (1): HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Trond Myklebust (6): pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect() pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS NFS: Check the TLS certificate fields in nfs_match_client() NFSv2/v3: Fix error handling in nfs_atomic_open_v23() NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() Umesh Nerlige Ramappa (1): drm/i915: Fix conversion between clock ticks and nanoseconds Vicki Pfau (1): HID: nintendo: Wait longer for initial probe Vitaly Prosyak (1): drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces Wei Fang (1): net: fec: correct rx_bytes statistic for the case SHIFT16 is set Wei Yang (1): fs/proc: fix uaf in proc_readdir_de() Xi Ruoyao (1): rust: Add -fno-isolate-erroneous-paths-dereference to bindgen_skip_c_flags Xin Li (1): KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel Xuan Zhuo (1): virtio-net: fix incorrect flags recording in big mode Yang Shi (1): arm64: kprobes: check the return value of set_memory_rox() Yang Xiuwei (1): NFS: sysfs: fix leak when nfs_client kobject add fails Yosry Ahmed (3): KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() KVM: nSVM: Fix and simplify LBR virtualization handling with nested ZhangGuoDong (2): smb/server: fix possible memory leak in smb2_read() smb/server: fix possible refcount leak in smb2_sess_setup() Zi Yan (3): mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order mm/huge_memory: fix folio split check for anon folios in swapcache mm/huge_memory: do not change split_huge_page*() target order silently Zilin Guan (4): net/handshake: Fix memory leak in tls_handshake_accept() binfmt_misc: restore write access before closing files opened by open_exec() btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() btrfs: release root after error in data_reloc_print_warning_inode() Zqiang (1): sched_ext: Fix unsafe locking in the scx_dump_state()

2 weeks, 2 days

1
1
0 0

Linux 6.12.59

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.59 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dts | 4 arch/arm/boot/dts/nxp/imx/imx51-zii-rdu1.dts | 4 arch/arm/crypto/Kconfig | 2 arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 arch/arm64/boot/dts/rockchip/rk3588-opp.dtsi | 2 arch/arm64/boot/dts/rockchip/rk3588j.dtsi | 2 arch/arm64/kernel/probes/kprobes.c | 5 arch/loongarch/include/asm/hw_breakpoint.h | 4 arch/loongarch/include/asm/pgtable.h | 11 arch/loongarch/kernel/traps.c | 4 arch/loongarch/kvm/timer.c | 2 arch/loongarch/kvm/vcpu.c | 5 arch/riscv/Makefile | 2 arch/riscv/kernel/cpu-hotplug.c | 1 arch/riscv/kernel/setup.c | 7 arch/x86/kernel/acpi/cppc.c | 2 arch/x86/kernel/cpu/microcode/amd.c | 1 arch/x86/kvm/svm/svm.c | 4 arch/x86/kvm/vmx/common.h | 34 arch/x86/kvm/vmx/vmx.c | 25 drivers/acpi/cppc_acpi.c | 6 drivers/acpi/numa/hmat.c | 46 drivers/acpi/numa/srat.c | 2 drivers/bluetooth/btusb.c | 13 drivers/crypto/hisilicon/qm.c | 2 drivers/edac/altera_edac.c | 22 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 5 drivers/gpu/drm/i915/gt/intel_gt_clock_utils.c | 4 drivers/gpu/drm/i915/i915_vma.c | 16 drivers/gpu/drm/mediatek/mtk_crtc.c | 7 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 drivers/gpu/drm/xe/xe_device.c | 14 drivers/gpu/drm/xe/xe_guc_ct.c | 3 drivers/hid/hid-ids.h | 4 drivers/hid/hid-logitech-hidpp.c | 21 drivers/hid/hid-nintendo.c | 2 drivers/hid/hid-ntrig.c | 7 drivers/hid/hid-playstation.c | 2 drivers/hid/hid-quirks.c | 2 drivers/hid/hid-uclogic-params.c | 4 drivers/iommu/iommufd/io_pagetable.c | 12 drivers/iommu/iommufd/ioas.c | 4 drivers/irqchip/irq-riscv-intc.c | 3 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 drivers/mmc/host/dw_mmc-rockchip.c | 4 drivers/mmc/host/sdhci-of-dwcmshc.c | 2 drivers/mtd/nand/onenand/onenand_samsung.c | 2 drivers/net/dsa/sja1105/sja1105_static_config.c | 6 drivers/net/ethernet/freescale/fec_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 33 drivers/net/ethernet/ti/am65-cpsw-qos.c | 51 drivers/net/phy/mdio_bus.c | 5 drivers/net/phy/micrel.c | 515 ++++++---- drivers/net/virtio_net.c | 16 drivers/net/wireless/ath/ath11k/pci.c | 2 drivers/net/wireless/ath/ath11k/wmi.c | 3 drivers/pmdomain/arm/scmi_pm_domain.c | 13 drivers/pmdomain/imx/gpc.c | 2 drivers/pmdomain/samsung/exynos-pm-domains.c | 11 drivers/regulator/fixed.c | 1 drivers/spi/spi.c | 10 drivers/uio/uio_hv_generic.c | 32 fs/btrfs/inode.c | 4 fs/btrfs/scrub.c | 2 fs/btrfs/tree-log.c | 2 fs/btrfs/zoned.c | 4 fs/erofs/decompressor_zstd.c | 11 fs/exfat/namei.c | 6 fs/ext4/inode.c | 5 fs/ext4/xattr.c | 32 fs/ext4/xattr.h | 10 fs/f2fs/compress.c | 2 fs/fuse/virtio_fs.c | 2 fs/hostfs/hostfs_kern.c | 29 fs/namespace.c | 32 fs/nfs/dir.c | 23 fs/nfs/inode.c | 18 fs/nfs/nfs3client.c | 14 fs/nfs/nfs4client.c | 15 fs/nfs/nfs4proc.c | 22 fs/nfs/pnfs_nfs.c | 34 fs/nfs/sysfs.c | 1 fs/nfs/write.c | 3 fs/nfsd/nfs4state.c | 3 fs/nfsd/nfs4xdr.c | 3 fs/nfsd/nfsd.h | 1 fs/nfsd/nfsfh.c | 6 fs/nilfs2/segment.c | 7 fs/proc/base.c | 12 fs/proc/generic.c | 12 fs/proc/task_mmu.c | 8 fs/proc/task_nommu.c | 4 fs/smb/client/fs_context.c | 2 fs/smb/client/smb2inode.c | 2 fs/smb/client/transport.c | 2 fs/smb/server/smb2pdu.c | 2 fs/smb/server/transport_tcp.c | 5 include/linux/compiler_types.h | 5 include/linux/filter.h | 20 include/linux/huge_mm.h | 21 include/linux/kvm_host.h | 7 include/linux/map_benchmark.h | 1 include/linux/netpoll.h | 1 include/linux/nfs_xdr.h | 1 include/net/bluetooth/mgmt.h | 2 include/net/cfg80211.h | 78 + include/net/tc_act/tc_connmark.h | 1 include/uapi/linux/mount.h | 2 io_uring/napi.c | 19 kernel/bpf/trampoline.c | 5 kernel/bpf/verifier.c | 6 kernel/crash_core.c | 2 kernel/gcov/gcc_4_7.c | 4 kernel/power/swap.c | 17 kernel/sched/ext.c | 4 kernel/trace/ftrace.c | 20 mm/filemap.c | 20 mm/huge_memory.c | 32 mm/ksm.c | 113 ++ mm/memory.c | 23 mm/mm_init.c | 2 mm/percpu.c | 8 mm/secretmem.c | 2 mm/shmem.c | 9 mm/slub.c | 6 mm/truncate.c | 27 net/bluetooth/6lowpan.c | 97 + net/bluetooth/l2cap_core.c | 1 net/bluetooth/mgmt.c | 260 +++-- net/bluetooth/mgmt_util.c | 46 net/bluetooth/mgmt_util.h | 3 net/core/netpoll.c | 56 - net/handshake/tlshd.c | 1 net/hsr/hsr_device.c | 3 net/ipv4/route.c | 5 net/mac80211/chan.c | 2 net/mac80211/ieee80211_i.h | 4 net/mac80211/iface.c | 14 net/mac80211/link.c | 4 net/mac80211/mlme.c | 18 net/mac80211/rx.c | 10 net/mptcp/protocol.c | 36 net/netfilter/nf_tables_api.c | 66 - net/sched/act_bpf.c | 6 net/sched/act_connmark.c | 30 net/sched/act_ife.c | 12 net/sched/cls_bpf.c | 6 net/sched/sch_generic.c | 17 net/sctp/transport.c | 13 net/smc/smc_clc.c | 1 net/strparser/strparser.c | 2 net/tipc/net.c | 2 net/unix/garbage.c | 14 net/wireless/core.c | 56 + net/wireless/trace.h | 21 rust/Makefile | 16 sound/pci/hda/hda_component.c | 4 sound/soc/codecs/cs4271.c | 10 sound/soc/codecs/lpass-va-macro.c | 2 sound/soc/codecs/max98090.c | 6 sound/soc/codecs/tas2781-i2c.c | 9 sound/usb/endpoint.c | 5 sound/usb/mixer.c | 2 tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc | 4 tools/testing/selftests/iommu/iommufd.c | 2 tools/testing/selftests/net/forwarding/local_termination.sh | 2 tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 tools/testing/selftests/net/mptcp/mptcp_join.sh | 90 - tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 tools/testing/selftests/user_events/perf_test.c | 2 virt/kvm/guest_memfd.c | 89 + 182 files changed, 2089 insertions(+), 907 deletions(-) Abdun Nihaal (3): HID: playstation: Fix memory leak in dualshock4_get_calibration_data() HID: uclogic: Fix potential memory leak in error path isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Aksh Garg (2): net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism Al Viro (1): simplify nfs_atomic_open_v23() Alexander Sverdlin (1): selftests: net: local_termination: Wait for interfaces to come up Alok Tiwari (1): virtio-fs: fix incorrect check for fsvq->kobj Anand Moon (1): arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Andrei Vagin (1): fs/namespace: correctly handle errors returned by grab_requested_mnt_ns André Draszik (1): pmdomain: samsung: plug potential memleak during probe Ankit Khushwaha (1): selftests/user_events: fix type cast for write_index packed member in perf_test Balasubramani Vivekanandan (1): drm/xe/guc: Synchronize Dead CT worker with unbind Benjamin Berg (3): wifi: mac80211: skip rate verification for not captured PSDUs wifi: cfg80211: add an hrtimer based delayed work item wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work Bibo Mao (2): LoongArch: KVM: Restore guest PMU if it is enabled LoongArch: KVM: Add delay until timer interrupt injected Borislav Petkov (AMD) (1): x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Breno Leitao (3): net: netpoll: Individualize the skb pool net: netpoll: flush skb pool during cleanup net: netpoll: fix incorrect refcount handling causing incorrect cleanup Buday Csaba (1): net: mdio: fix resource leak in mdiobus_register_device() Chao Yu (1): f2fs: fix to avoid overflow while left shift operation Christian König (2): drm/amdgpu: remove two invalid BUG_ON()s drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Chuang Wang (1): ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Chuck Lever (1): NFSD: Skip close replay processing if XDR encoding fails D. Wythe (1): net/smc: fix mismatch between CLC header and proposal Dai Ngo (1): NFS: Fix LTP test failures when timestamps are delegated Dan Carpenter (1): mtd: onenand: Pass correct pointer to IRQ handler Danil Skrebenkov (1): RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Dave Jiang (1): acpi/hmat: Fix lockdep warning for hmem_register_resource() Denis Arefev (1): ALSA: hda: Fix missing pointer check in hda_component_manager_init function Dragan Simic (1): arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic Eduard Zingerman (1): bpf: account for current allocated stack depth in widen_imprecise_scalars() Edward Adam Davis (2): nilfs2: avoid having an active sc_timer before freeing sci cifs: client: fix memory leak in smb3_fs_context_parse_param Eric Biggers (1): lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Eric Dumazet (4): sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto net_sched: act_connmark: use RCU in tcf_connmark_dump() net_sched: limit try_bulk_dequeue_skb() batches bpf: Add bpf_prog_run_data_pointers() Felix Maurer (1): hsr: Fix supervision frame sending on HSRv0 Feng Jiang (1): riscv: Build loader.bin exclusively for Canaan K210 Filipe Manana (1): btrfs: do not update last_log_commit when logging inode due to a new name Gal Pressman (3): net/mlx5e: Fix maxrate wraparound in threshold between units net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps net/mlx5e: Fix potentially misleading debug message Gao Xiang (1): erofs: avoid infinite loop due to incomplete zstd-compressed data Gautham R. Shenoy (4): ACPI: CPPC: Detect preferred core availability on online CPUs ACPI: CPPC: Check _CPC validity for only the online CPUs ACPI: CPPC: Perform fast check switch only for online CPUs ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs Greg Kroah-Hartman (1): Linux 6.12.59 Haein Lee (1): ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Han Gao (1): riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Hans de Goede (1): spi: Try to get ACPI GPIO IRQ earlier Hao Ge (1): codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext Haotian Zhang (3): regulator: fixed: fix GPIO descriptor leak on register failure ASoC: cs4271: Fix regulator leak on probe failure ASoC: codecs: va-macro: fix resource leak in probe error path Henrique Carvalho (1): smb: client: fix cifs_pick_channel when channel needs reconnect Hongbo Li (1): hostfs: Fix only passing host root in boot stage with new mount Horatiu Vultur (4): net: phy: micrel: Introduce lanphy_modify_page_reg net: phy: micrel: Replace hardcoded pages with defines net: phy: micrel: lan8814 fix reset of the QSGMII interface net: phy: micrel: Fix lan8814_config_init Huacai Chen (2): LoongArch: Use correct accessor to read FWPC/MWPC LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Ian Forbes (1): drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Isaac J. Manjarres (1): mm/mm_init: fix hash table order logging in alloc_large_system_hash() Jaehun Gou (1): exfat: fix improper check of dentry.stream.valid_size Janusz Krzysztofik (1): drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD Jason Gunthorpe (1): iommufd: Make vfio_compat's unmap succeed if the range is already empty Jason-JH Lin (1): drm/mediatek: Add pm_runtime support for GCE power control Jesse.Zhang (1): drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Jialin Wang (1): proc: proc_maps_open allow proc_mem_open to return NULL Jihed Chaibi (1): ARM: dts: imx51-zii-rdu1: Fix audmux node names Johannes Berg (1): wifi: mac80211: reject address change while connecting John Sperbeck (1): net: netpoll: ensure skb_pool list is always initialized Jonathan Kim (1): drm/amdkfd: relax checks for over allocation of save area Joshua Rogers (1): ksmbd: close accepted socket when per-IP limit rejects connection Joshua Watt (2): NFS4: Fix state renewals missing after boot NFS4: Apply delay_retrans to async operations Jouni Högander (1): drm/xe: Do clean shutdown also when using flr Kairui Song (1): mm/shmem: fix THP allocation and fallback loop Kiryl Shutsemau (2): mm/memory: do not populate page table entries beyond i_size mm/truncate: unmap large folio on split failure Kuniyuki Iwashima (2): tipc: Fix use-after-free in tipc_mon_reinit_self(). af_unix: Initialise scc_index in unix_add_edge(). Lance Yang (1): mm/secretmem: fix use-after-free race in fault handler Long Li (1): uio_hv_generic: Set event for all channels on the device Luiz Augusto von Dentz (1): Bluetooth: MGMT: Fix possible UAFs Manivannan Sadhasivam (1): wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path Mario Limonciello (1): drm/amd: Fix suspend failure with secure display TA Mario Limonciello (AMD) (2): PM: hibernate: Emit an error when image writing fails PM: hibernate: Use atomic64_t for compressed_size variable Masami Ichikawa (1): HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Matthieu Baerts (NGI0) (6): selftests: mptcp: connect: fix fallback note due to OoO selftests: mptcp: join: rm: set backup flag selftests: mptcp: join: endpoints: longer transfer selftests: mptcp: connect: trunc: read all recv data selftests: mptcp: join: userspace: longer transfer selftests: mptcp: join: properly kill background tasks Miaoqian Lin (2): crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value pmdomain: imx: Fix reference count leak in imx_gpc_remove Michal Hocko (1): mm, percpu: do not consider sleepable allocations atomic Miguel Ojeda (2): rust: kbuild: treat `build_error` and `rustdoc` as kernel objects rust: kbuild: workaround `rustdoc` doctests modifier bug Naohiro Aota (1): btrfs: zoned: fix conventional zone capacity calculation Nate Karstens (1): strparser: Fix signed/unsigned mismatch bug NeilBrown (1): nfsd: fix refcount leak in nfsd_set_fh_dentry() Nick Hu (1): irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Nicolas Escande (1): wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() Niravkumar L Rabara (2): EDAC/altera: Handle OCRAM ECC enable after warm reset EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Oleg Makarenko (1): HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel Olga Kornievskaia (2): nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes NFSD: free copynotify stateid in nfs4_free_ol_stateid() Olivier Langlois (1): io_uring/napi: fix io_napi_entry RCU accesses Pablo Neira Ayuso (2): Revert "netfilter: nf_tables: Reintroduce shortened deletion notifications" netfilter: nf_tables: reject duplicate device on updates Paolo Abeni (1): mptcp: fix MSG_PEEK stream corruption Pauli Virtanen (6): Bluetooth: MGMT: cancel mesh send timer when hdev removed Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Bluetooth: L2CAP: export l2cap_chan_hold for modules Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete Pedro Demarchi Gomes (1): ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Penglei Jiang (1): proc: fix the issue of proc_mem_open returning NULL Peter Oberparleiter (1): gcov: add support for GCC 15 Peter Zijlstra (1): compiler_types: Move unused static inline functions warning to W=2 Qinxin Xia (1): dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Rafał Miłecki (1): ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY Ranganath V N (2): net: sched: act_connmark: initialize struct tc_ife to fix kernel leak net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Raphael Pinsonneault-Thibeault (1): Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Scott Mayhew (1): NFS: check if suid/sgid was cleared after a write as needed Sean Christopherson (3): KVM: guest_memfd: Pass index, not gfn, to __kvm_gmem_get_pfn() KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying KVM: VMX: Split out guts of EPT violation to common/exposed function Sharique Mohammad (1): ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Shawn Lin (2): mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 mmc: dw_mmc-rockchip: Fix wrong internal phase calculate Shenghao Ding (1): ASoC: tas2781: fix getting the wrong device number Shuai Xue (1): acpi,srat: Fix incorrect device handle check for Generic Initiator Shuhao Fu (1): smb: client: fix refcount leak in smb2_set_path_attr Song Liu (1): ftrace: Fix BPF fexit with livepatch Sourabh Jain (1): crash: fix crashkernel resource shrink Steven Rostedt (1): selftests/tracing: Run sample events to clear page cache events Stuart Hayhurst (1): HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL Sudeep Holla (1): pmdomain: arm: scmi: Fix genpd leak on provider registration failure Sukrit Bhatnagar (1): KVM: VMX: Fix check for valid GVA on an EPT violation Takashi Iwai (1): ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Tejas Upadhyay (1): drm/xe: Move declarations under conditional branch Tianyang Zhang (1): LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Timur Kristóf (1): drm/amd/pm: Disable MCLK switching on SI at high pixel clocks Tristan Lobb (1): HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Trond Myklebust (4): pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS NFSv2/v3: Fix error handling in nfs_atomic_open_v23() NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() Umesh Nerlige Ramappa (1): drm/i915: Fix conversion between clock ticks and nanoseconds Vicki Pfau (1): HID: nintendo: Wait longer for initial probe Vitaly Prosyak (1): drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces Vladimir Oltean (1): net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() Wei Fang (1): net: fec: correct rx_bytes statistic for the case SHIFT16 is set Wei Yang (1): fs/proc: fix uaf in proc_readdir_de() Xi Ruoyao (1): rust: Add -fno-isolate-erroneous-paths-dereference to bindgen_skip_c_flags Xuan Zhuo (1): virtio-net: fix incorrect flags recording in big mode Yan Zhao (1): KVM: guest_memfd: Remove RCU-protected attribute from slot->gmem.file Yang Shi (1): arm64: kprobes: check the return value of set_memory_rox() Yang Xiuwei (1): NFS: sysfs: fix leak when nfs_client kobject add fails Ye Bin (2): ext4: introduce ITAIL helper ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Yosry Ahmed (1): KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated ZhangGuoDong (2): smb/server: fix possible memory leak in smb2_read() smb/server: fix possible refcount leak in smb2_sess_setup() Zi Yan (2): mm/huge_memory: do not change split_huge_page*() target order silently mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order Zilin Guan (3): net/handshake: Fix memory leak in tls_handshake_accept() btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() btrfs: release root after error in data_reloc_print_warning_inode() Zqiang (1): sched_ext: Fix unsafe locking in the scx_dump_state()

2 weeks, 2 days

1
1
0 0

Linux 6.6.117

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.117 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/cgroup-v2.rst | 9 MAINTAINERS | 1 Makefile | 2 arch/arc/include/asm/bitops.h | 2 arch/arm/boot/dts/broadcom/bcm47189-luxul-xap-1440.dts | 4 arch/arm/boot/dts/nvidia/tegra20-asus-tf101.dts | 5 arch/arm/boot/dts/nxp/imx/imx51-zii-rdu1.dts | 4 arch/arm/crypto/Kconfig | 2 arch/arm/mach-at91/pm_suspend.S | 8 arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 arch/arm64/boot/dts/xilinx/zynqmp-zcu106-revA.dts | 4 arch/loongarch/include/asm/hw_breakpoint.h | 4 arch/loongarch/include/asm/pgtable.h | 11 arch/loongarch/kernel/traps.c | 4 arch/mips/boot/dts/lantiq/danube.dtsi | 6 arch/mips/boot/dts/lantiq/danube_easy50712.dts | 4 arch/mips/lantiq/xway/sysctrl.c | 2 arch/powerpc/kernel/eeh_driver.c | 2 arch/riscv/kernel/cpu-hotplug.c | 1 arch/riscv/kernel/entry.S | 18 arch/riscv/kernel/setup.c | 7 arch/riscv/kernel/stacktrace.c | 27 arch/riscv/mm/ptdump.c | 2 arch/riscv/net/bpf_jit_comp64.c | 5 arch/s390/Kconfig | 1 arch/s390/include/asm/pci.h | 1 arch/s390/pci/pci_event.c | 7 arch/s390/pci/pci_irq.c | 9 arch/sparc/include/asm/elf_64.h | 1 arch/sparc/include/asm/io_64.h | 6 arch/sparc/kernel/module.c | 1 arch/um/drivers/ssl.c | 5 arch/x86/entry/vsyscall/vsyscall_64.c | 17 arch/x86/kernel/cpu/microcode/amd.c | 3 arch/x86/kernel/fpu/core.c | 3 arch/x86/kernel/kvm.c | 20 arch/x86/kvm/svm/svm.c | 4 arch/x86/net/bpf_jit_comp.c | 2 block/blk-cgroup.c | 23 drivers/accel/habanalabs/common/memory.c | 2 drivers/accel/habanalabs/gaudi/gaudi.c | 19 drivers/accel/habanalabs/gaudi2/gaudi2.c | 15 drivers/accel/habanalabs/gaudi2/gaudi2_coresight.c | 2 drivers/acpi/acpi_video.c | 4 drivers/acpi/acpica/dsmethod.c | 10 drivers/acpi/button.c | 4 drivers/acpi/cppc_acpi.c | 6 drivers/acpi/numa/hmat.c | 322 +++++-- drivers/acpi/numa/srat.c | 2 drivers/acpi/prmt.c | 19 drivers/acpi/property.c | 24 drivers/acpi/scan.c | 2 drivers/base/node.c | 18 drivers/base/regmap/regmap-slimbus.c | 6 drivers/bluetooth/btmtksdio.c | 12 drivers/bluetooth/btrtl.c | 4 drivers/bluetooth/btusb.c | 30 drivers/bluetooth/hci_bcsp.c | 3 drivers/char/misc.c | 40 drivers/clk/at91/clk-master.c | 3 drivers/clk/at91/clk-sam9x60-pll.c | 75 - drivers/clk/sunxi-ng/ccu-sun6i-rtc.c | 11 drivers/clk/ti/clk-33xx.c | 2 drivers/clocksource/timer-vf-pit.c | 22 drivers/cpufreq/longhaul.c | 3 drivers/cpufreq/tegra186-cpufreq.c | 27 drivers/cpuidle/cpuidle.c | 8 drivers/cpuidle/governors/menu.c | 73 - drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 5 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 2 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-trng.c | 1 drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 drivers/crypto/aspeed/aspeed-acry.c | 8 drivers/crypto/caam/ctrl.c | 4 drivers/crypto/hisilicon/qm.c | 2 drivers/crypto/intel/qat/qat_common/qat_uclo.c | 2 drivers/dma/dw-edma/dw-edma-core.c | 22 drivers/dma/mv_xor.c | 4 drivers/dma/sh/shdma-base.c | 25 drivers/dma/sh/shdmac.c | 17 drivers/edac/altera_edac.c | 22 drivers/extcon/extcon-adc-jack.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 66 + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 23 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 19 drivers/gpu/drm/amd/amdkfd/kfd_device.c | 10 drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 9 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 23 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c | 16 drivers/gpu/drm/amd/display/dc/core/dc.c | 19 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 14 drivers/gpu/drm/amd/display/dc/dc_helper.c | 5 drivers/gpu/drm/amd/display/dc/dc_stream.h | 3 drivers/gpu/drm/amd/display/dc/dm_services.h | 2 drivers/gpu/drm/amd/display/dc/dml/dcn301/dcn301_fpu.c | 20 drivers/gpu/drm/amd/display/dc/link/link_detection.c | 5 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 9 drivers/gpu/drm/amd/display/include/dal_asic_id.h | 5 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 5 drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 12 drivers/gpu/drm/bridge/display-connector.c | 3 drivers/gpu/drm/drm_gem_atomic_helper.c | 6 drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 drivers/gpu/drm/i915/gt/intel_gt_clock_utils.c | 4 drivers/gpu/drm/i915/i915_vma.c | 16 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 drivers/gpu/drm/mediatek/mtk_drm_plane.c | 24 drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 3 drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 10 drivers/gpu/drm/nouveau/nvkm/core/enum.c | 2 drivers/gpu/drm/scheduler/sched_entity.c | 37 drivers/gpu/drm/tidss/tidss_crtc.c | 7 drivers/gpu/drm/tidss/tidss_dispc.c | 16 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 drivers/hid/hid-asus.c | 6 drivers/hid/hid-ids.h | 6 drivers/hid/hid-ntrig.c | 7 drivers/hid/hid-quirks.c | 2 drivers/hid/hid-uclogic-params.c | 4 drivers/hid/i2c-hid/i2c-hid-acpi.c | 8 drivers/hid/i2c-hid/i2c-hid-core.c | 28 drivers/hid/i2c-hid/i2c-hid.h | 2 drivers/hwmon/asus-ec-sensors.c | 2 drivers/hwmon/dell-smm-hwmon.c | 7 drivers/hwmon/k10temp.c | 10 drivers/hwmon/sbtsi_temp.c | 46 - drivers/hwmon/sy7636a-hwmon.c | 1 drivers/iio/adc/imx93_adc.c | 18 drivers/iio/adc/spear_adc.c | 9 drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 11 drivers/infiniband/hw/hns/hns_roce_qp.c | 2 drivers/infiniband/hw/irdma/pble.c | 2 drivers/infiniband/hw/irdma/verbs.c | 4 drivers/infiniband/hw/irdma/verbs.h | 8 drivers/iommu/amd/init.c | 28 drivers/iommu/apple-dart.c | 5 drivers/iommu/intel/debugfs.c | 10 drivers/iommu/intel/perf.c | 10 drivers/iommu/intel/perf.h | 5 drivers/iommu/iommufd/io_pagetable.c | 12 drivers/iommu/iommufd/ioas.c | 4 drivers/irqchip/irq-gic-v2m.c | 13 drivers/irqchip/irq-loongson-pch-lpc.c | 9 drivers/irqchip/irq-riscv-intc.c | 3 drivers/irqchip/irq-sifive-plic.c | 6 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 drivers/media/i2c/Kconfig | 2 drivers/media/i2c/adv7180.c | 48 - drivers/media/i2c/ir-kbd-i2c.c | 6 drivers/media/i2c/og01a1b.c | 6 drivers/media/i2c/ov08x40.c | 2 drivers/media/pci/ivtv/ivtv-alsa-pcm.c | 2 drivers/media/pci/ivtv/ivtv-driver.h | 3 drivers/media/pci/ivtv/ivtv-fileops.c | 18 drivers/media/pci/ivtv/ivtv-irq.c | 4 drivers/media/platform/amphion/vpu_v4l2.c | 7 drivers/media/platform/verisilicon/hantro_drv.c | 2 drivers/media/platform/verisilicon/hantro_v4l2.c | 6 drivers/media/rc/imon.c | 61 - drivers/media/rc/redrat3.c | 2 drivers/media/tuners/xc4000.c | 8 drivers/media/tuners/xc5000.c | 12 drivers/media/usb/uvc/uvc_driver.c | 15 drivers/memstick/core/memstick.c | 8 drivers/mfd/da9063-i2c.c | 27 drivers/mfd/madera-core.c | 4 drivers/mfd/stmpe-i2c.c | 1 drivers/mfd/stmpe.c | 3 drivers/mmc/host/renesas_sdhi_core.c | 6 drivers/mmc/host/sdhci-msm.c | 15 drivers/mmc/host/sdhci-of-dwcmshc.c | 2 drivers/mtd/nand/onenand/onenand_samsung.c | 2 drivers/net/dsa/b53/b53_common.c | 15 drivers/net/dsa/b53/b53_regs.h | 3 drivers/net/dsa/dsa_loop.c | 9 drivers/net/dsa/microchip/ksz9477.c | 98 +- drivers/net/dsa/microchip/ksz9477_reg.h | 3 drivers/net/dsa/microchip/ksz_common.c | 4 drivers/net/dsa/microchip/ksz_common.h | 2 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 4 drivers/net/ethernet/cadence/macb_main.c | 4 drivers/net/ethernet/freescale/fec_main.c | 2 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 drivers/net/ethernet/intel/fm10k/fm10k_common.c | 5 drivers/net/ethernet/intel/fm10k/fm10k_common.h | 2 drivers/net/ethernet/intel/fm10k/fm10k_pf.c | 2 drivers/net/ethernet/intel/fm10k/fm10k_vf.c | 2 drivers/net/ethernet/intel/ice/ice_main.c | 2 drivers/net/ethernet/intel/ice/ice_trace.h | 10 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 33 drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 5 drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 12 drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c | 18 drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 2 drivers/net/ethernet/microchip/lan966x/lan966x_main.h | 4 drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c | 8 drivers/net/ethernet/microchip/sparx5/Kconfig | 2 drivers/net/ethernet/realtek/Kconfig | 2 drivers/net/ethernet/realtek/r8169_main.c | 6 drivers/net/ethernet/renesas/sh_eth.c | 4 drivers/net/ethernet/sfc/mae.c | 4 drivers/net/ethernet/smsc/smsc911x.c | 14 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 23 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 3 drivers/net/ethernet/wangxun/libwx/wx_type.h | 4 drivers/net/hamradio/6pack.c | 57 - drivers/net/ipvlan/ipvlan_l3s.c | 1 drivers/net/mdio/of_mdio.c | 1 drivers/net/phy/dp83867.c | 8 drivers/net/phy/fixed_phy.c | 1 drivers/net/phy/marvell.c | 39 drivers/net/phy/mdio_bus.c | 5 drivers/net/phy/phy.c | 13 drivers/net/usb/asix_devices.c | 12 drivers/net/usb/qmi_wwan.c | 6 drivers/net/usb/usbnet.c | 2 drivers/net/virtio_net.c | 41 drivers/net/wireless/ath/ath10k/mac.c | 12 drivers/net/wireless/ath/ath10k/wmi.c | 40 drivers/net/wireless/ath/ath11k/core.c | 54 + drivers/net/wireless/ath/ath11k/wmi.c | 3 drivers/net/wireless/ath/ath12k/dp.h | 2 drivers/net/wireless/ath/ath12k/mac.c | 34 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/net/wireless/mediatek/mt76/mt7996/init.c | 1 drivers/net/wireless/realtek/rtw88/sdio.c | 4 drivers/net/wireless/virtual/mac80211_hwsim.c | 7 drivers/ntb/hw/epf/ntb_hw_epf.c | 103 +- drivers/nvme/host/core.c | 8 drivers/nvme/host/fc.c | 10 drivers/nvme/target/fc.c | 16 drivers/pci/controller/cadence/pcie-cadence-host.c | 2 drivers/pci/controller/cadence/pcie-cadence.c | 4 drivers/pci/controller/cadence/pcie-cadence.h | 6 drivers/pci/controller/dwc/pcie-designware.c | 4 drivers/pci/p2pdma.c | 2 drivers/pci/pci-driver.c | 2 drivers/pci/pci.c | 5 drivers/pci/quirks.c | 3 drivers/phy/cadence/cdns-dphy.c | 4 drivers/phy/renesas/r8a779f0-ether-serdes.c | 28 drivers/phy/rockchip/phy-rockchip-inno-csidphy.c | 5 drivers/pinctrl/pinctrl-keembay.c | 7 drivers/pinctrl/pinctrl-single.c | 4 drivers/pmdomain/apple/pmgr-pwrstate.c | 1 drivers/pmdomain/samsung/exynos-pm-domains.c | 11 drivers/power/supply/qcom_battmgr.c | 8 drivers/power/supply/sbs-charger.c | 16 drivers/ptp/ptp_clock.c | 13 drivers/regulator/fixed.c | 1 drivers/remoteproc/qcom_q6v5.c | 5 drivers/remoteproc/wkup_m3_rproc.c | 6 drivers/rtc/rtc-pcf2127.c | 19 drivers/rtc/rtc-rx8025.c | 2 drivers/scsi/libfc/fc_encode.h | 2 drivers/scsi/lpfc/lpfc_debugfs.h | 3 drivers/scsi/lpfc/lpfc_els.c | 6 drivers/scsi/lpfc/lpfc_init.c | 7 drivers/scsi/lpfc/lpfc_scsi.c | 14 drivers/scsi/mpi3mr/mpi3mr_fw.c | 10 drivers/scsi/mpt3sas/mpt3sas_transport.c | 3 drivers/scsi/pm8001/pm8001_ctl.c | 24 drivers/scsi/pm8001/pm8001_init.c | 1 drivers/scsi/pm8001/pm8001_sas.h | 4 drivers/soc/aspeed/aspeed-socinfo.c | 4 drivers/soc/qcom/smem.c | 2 drivers/soc/tegra/fuse/fuse-tegra30.c | 122 ++ drivers/spi/spi-loopback-test.c | 12 drivers/spi/spi-rpc-if.c | 2 drivers/spi/spi.c | 10 drivers/tee/tee_core.c | 2 drivers/thunderbolt/tb.c | 2 drivers/ufs/core/ufshcd-crypto.c | 34 drivers/ufs/core/ufshcd-crypto.h | 36 drivers/ufs/core/ufshcd.c | 25 drivers/ufs/host/ufs-mediatek.c | 179 +++- drivers/ufs/host/ufshcd-pci.c | 70 + drivers/usb/cdns3/cdnsp-gadget.c | 8 drivers/usb/gadget/function/f_fs.c | 8 drivers/usb/gadget/function/f_hid.c | 4 drivers/usb/gadget/function/f_ncm.c | 3 drivers/usb/host/xhci-plat.c | 1 drivers/usb/mon/mon_bin.c | 14 drivers/vfio/iova_bitmap.c | 5 drivers/vfio/vfio_main.c | 2 drivers/video/backlight/lp855x_bl.c | 2 drivers/video/fbdev/aty/atyfb_base.c | 8 drivers/video/fbdev/core/bitblit.c | 33 drivers/video/fbdev/core/fbcon.c | 19 drivers/video/fbdev/core/fbmem.c | 1 drivers/video/fbdev/pvr2fb.c | 2 drivers/video/fbdev/valkyriefb.c | 2 drivers/watchdog/s3c2410_wdt.c | 10 fs/9p/v9fs.c | 9 fs/btrfs/extent_io.c | 8 fs/btrfs/file.c | 10 fs/btrfs/scrub.c | 2 fs/btrfs/tree-log.c | 2 fs/ceph/dir.c | 3 fs/ceph/file.c | 6 fs/ceph/locks.c | 5 fs/exfat/fatent.c | 11 fs/ext4/fast_commit.c | 2 fs/ext4/xattr.c | 2 fs/f2fs/compress.c | 2 fs/f2fs/extent_cache.c | 6 fs/fuse/inode.c | 11 fs/hpfs/namei.c | 18 fs/jfs/inode.c | 8 fs/jfs/jfs_txnmgr.c | 9 fs/nfs/nfs3client.c | 15 fs/nfs/nfs4client.c | 17 fs/nfs/nfs4proc.c | 15 fs/nfs/nfs4state.c | 3 fs/nfs/pnfs_nfs.c | 34 fs/nfs/sysfs.c | 1 fs/nfs/write.c | 3 fs/nfsd/nfs4proc.c | 7 fs/nfsd/nfs4state.c | 3 fs/ntfs3/inode.c | 1 fs/open.c | 10 fs/orangefs/xattr.c | 12 fs/proc/generic.c | 12 fs/smb/client/cached_dir.c | 16 fs/smb/client/file.c | 115 ++ fs/smb/client/fs_context.c | 2 fs/smb/client/smb2inode.c | 2 fs/smb/client/smb2ops.c | 3 fs/smb/client/smb2pdu.c | 7 fs/smb/client/transport.c | 12 fs/smb/server/smb2pdu.c | 2 fs/smb/server/transport_tcp.c | 12 include/linux/blk_types.h | 11 include/linux/cgroup.h | 1 include/linux/compiler_types.h | 5 include/linux/fbcon.h | 2 include/linux/filter.h | 22 include/linux/map_benchmark.h | 1 include/linux/memcontrol.h | 8 include/linux/memory-tiers.h | 39 include/linux/netpoll.h | 1 include/linux/node.h | 26 include/linux/pci.h | 2 include/linux/shdma-base.h | 2 include/linux/swap.h | 3 include/linux/vm_event_item.h | 1 include/net/bluetooth/hci.h | 1 include/net/bluetooth/hci_core.h | 8 include/net/bluetooth/mgmt.h | 2 include/net/cls_cgroup.h | 2 include/net/gro.h | 3 include/net/nfc/nci_core.h | 2 include/net/tc_act/tc_connmark.h | 1 include/net/xdp.h | 5 include/ufs/ufs_quirks.h | 3 include/ufs/ufshcd.h | 44 + include/ufs/ufshci.h | 4 kernel/bpf/helpers.c | 2 kernel/bpf/ringbuf.c | 2 kernel/bpf/verifier.c | 6 kernel/cgroup/cgroup.c | 24 kernel/events/uprobes.c | 7 kernel/futex/syscalls.c | 106 +- kernel/gcov/gcc_4_7.c | 4 kernel/sched/fair.c | 15 kernel/trace/ftrace.c | 2 kernel/trace/trace_events_hist.c | 6 lib/crypto/Makefile | 2 mm/filemap.c | 24 mm/memcontrol.c | 290 +++--- mm/memory-tiers.c | 162 +++ mm/memory.c | 24 mm/mm_init.c | 2 mm/page_io.c | 8 mm/percpu.c | 8 mm/secretmem.c | 2 mm/truncate.c | 27 mm/vmscan.c | 3 mm/vmstat.c | 1 mm/workingset.c | 54 - mm/zswap.c | 4 net/8021q/vlan.c | 2 net/bluetooth/6lowpan.c | 97 +- net/bluetooth/hci_event.c | 18 net/bluetooth/hci_sync.c | 21 net/bluetooth/iso.c | 8 net/bluetooth/l2cap_core.c | 1 net/bluetooth/mgmt.c | 7 net/bluetooth/rfcomm/tty.c | 26 net/bluetooth/sco.c | 7 net/bridge/br.c | 5 net/bridge/br_forward.c | 5 net/bridge/br_if.c | 1 net/bridge/br_input.c | 4 net/bridge/br_mst.c | 10 net/bridge/br_private.h | 13 net/core/filter.c | 1 net/core/gro.c | 3 net/core/netpoll.c | 71 - net/core/page_pool.c | 12 net/core/skbuff.c | 10 net/core/sock.c | 15 net/dsa/dsa.c | 7 net/dsa/tag_brcm.c | 10 net/ethernet/eth.c | 5 net/handshake/tlshd.c | 1 net/hsr/hsr_device.c | 3 net/ipv4/esp4.c | 4 net/ipv4/netfilter/nf_reject_ipv4.c | 25 net/ipv4/nexthop.c | 6 net/ipv4/route.c | 5 net/ipv4/udp_tunnel_nic.c | 2 net/ipv6/addrconf.c | 4 net/ipv6/ah6.c | 50 - net/ipv6/esp6.c | 4 net/ipv6/netfilter/nf_reject_ipv6.c | 30 net/ipv6/raw.c | 2 net/ipv6/udp.c | 2 net/mac80211/iface.c | 14 net/mac80211/mlme.c | 2 net/mac80211/rx.c | 10 net/mptcp/protocol.c | 54 - net/mptcp/protocol.h | 2 net/netfilter/nf_tables_api.c | 30 net/rds/rds.h | 2 net/sched/act_bpf.c | 6 net/sched/act_connmark.c | 30 net/sched/act_ife.c | 12 net/sched/cls_bpf.c | 6 net/sched/sch_generic.c | 17 net/sctp/diag.c | 21 net/sctp/transport.c | 13 net/smc/smc_clc.c | 1 net/strparser/strparser.c | 2 net/tipc/net.c | 2 net/unix/garbage.c | 14 net/xfrm/espintcp.c | 4 security/integrity/ima/ima_appraise.c | 23 sound/drivers/serial-generic.c | 12 sound/pci/hda/patch_realtek.c | 17 sound/soc/codecs/cs4271.c | 10 sound/soc/codecs/lpass-va-macro.c | 2 sound/soc/codecs/max98090.c | 6 sound/soc/codecs/tas2781-i2c.c | 9 sound/soc/codecs/tlv320aic3x.c | 32 sound/soc/fsl/fsl_sai.c | 3 sound/soc/intel/avs/pcm.c | 2 sound/soc/meson/aiu-encoder-i2s.c | 9 sound/soc/qcom/qdsp6/q6asm.c | 2 sound/soc/qcom/sc8280xp.c | 3 sound/soc/stm/stm32_sai_sub.c | 8 sound/usb/endpoint.c | 5 sound/usb/mixer.c | 9 sound/usb/mixer_s1810c.c | 28 sound/usb/validate.c | 9 tools/bpf/bpftool/btf_dumper.c | 2 tools/bpf/bpftool/prog.c | 2 tools/include/linux/bitmap.h | 1 tools/lib/bpf/bpf_tracing.h | 2 tools/lib/thermal/Makefile | 9 tools/perf/util/symbol.c | 1 tools/power/cpupower/lib/cpuidle.c | 5 tools/power/cpupower/lib/cpupower.c | 2 tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 30 tools/testing/selftests/Makefile | 2 tools/testing/selftests/bpf/test_lirc_mode2_user.c | 2 tools/testing/selftests/bpf/test_xsk.sh | 2 tools/testing/selftests/drivers/net/netdevsim/Makefile | 21 tools/testing/selftests/drivers/net/netdevsim/settings | 1 tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc | 4 tools/testing/selftests/iommu/iommufd.c | 2 tools/testing/selftests/net/fcnal-test.sh | 432 +++++----- tools/testing/selftests/net/forwarding/local_termination.sh | 2 tools/testing/selftests/net/gro.c | 101 ++ tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 tools/testing/selftests/net/mptcp/mptcp_join.sh | 54 - tools/testing/selftests/net/psock_tpacket.c | 4 tools/testing/selftests/net/traceroute.sh | 13 tools/testing/selftests/user_events/perf_test.c | 2 usr/include/headers_check.pl | 2 503 files changed, 4860 insertions(+), 2077 deletions(-) Aaron Kling (1): cpufreq: tegra186: Initialize all cores to max frequencies Abdun Nihaal (4): sfc: fix potential memory leak in efx_mae_process_mport() Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2() HID: uclogic: Fix potential memory leak in error path isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Adrian Hunter (3): scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers scsi: ufs: core: Add a quirk to suppress link_startup_again scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel ADL Akhil P Oommen (1): drm/msm/a6xx: Fix GMU firmware parser Al Viro (3): allow finish_no_open(file, ERR_PTR(-E...)) sparc64: fix prototypes of reads[bwl]() nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Albin Babu Varghese (1): fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Aleksander Jan Bajkowski (5): mips: lantiq: danube: add missing properties to cpu node mips: lantiq: danube: add model to EASY50712 dts mips: lantiq: danube: add missing device_type in pci node mips: lantiq: xway: sysctrl: rename stp clock mips: lantiq: danube: rename stp node on EASY50712 reference board Alex Deucher (4): drm/amd/display: add more cyan skillfish devices drm/amd: add more cyan skillfish PCI ids drm/amdgpu: don't enable SMU on cyan skillfish drm/amdgpu: add support for cyan skillfish gpu_info Alex Hung (1): drm/amd/display: Fix black screen with HDMI outputs Alex Mastro (1): vfio: return -ENOTTY for unsupported device feature Alexander Stein (2): mfd: stmpe: Remove IRQ domain upon removal mfd: stmpe-i2c: Add missing MODULE_LICENSE Alexander Sverdlin (1): selftests: net: local_termination: Wait for interfaces to come up Alexey Klimov (2): regmap: slimbus: fix bus_context pointer in regmap init calls ASoC: qcom: sc8280xp: explicitly set S16LE format in sc8280xp_be_hw_params_fixup() Alice Chao (2): scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO mode change scsi: ufs: host: mediatek: Fix invalid access in vccqx handling Alistair Francis (1): nvme: Use non zero KATO for persistent discovery connections Alok Tiwari (2): udp_tunnel: use netdev_warn() instead of netdev_WARN() scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() Amber Lin (1): drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption Amery Hung (1): bpf: Clear pfmemalloc flag when freeing all fragments Amirreza Zarrabi (1): tee: allow a driver to allocate a tee_device without a pool Anand Moon (1): arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Andreas Kemnade (1): hwmon: sy7636a: add alias Andrew Davis (1): remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper Andrii Nakryiko (1): libbpf: Fix powerpc's stack register definition in bpf_tracing.h André Draszik (1): pmdomain: samsung: plug potential memleak during probe Ankit Khushwaha (1): selftests/user_events: fix type cast for write_index packed member in perf_test Antheas Kapenekakis (1): HID: asus: add Z13 folio to generic group for multitouch to work Anthony Iliopoulos (1): NFSv4.1: fix mount hang after CREATE_SESSION failure Anton Blanchard (1): riscv: Improve exception and system call latency Antonino Maniscalco (1): drm/msm: make sure to not queue up recovery more than once Anubhav Singh (2): selftests/net: fix out-of-order delivery of FIN in gro:tcp test selftests/net: use destination options instead of hop-by-hop Ariel D'Alessandro (1): drm/mediatek: Disable AFBC support on Mediatek DRM driver Arkadiusz Bokowy (1): Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI frames Armin Wolf (1): hwmon: (dell-smm) Add support for Dell OptiPlex 7040 Arnd Bergmann (1): mfd: madera: Work around false-positive -Wininitialized warning Arseniy Krasnov (1): Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Ashish Kalra (1): iommu/amd: Skip enabling command/event buffers for kdump Avadhut Naik (1): hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models Baochen Qiang (1): Revert "wifi: ath10k: avoid unnecessary wait for service ready message" Bart Van Assche (1): scsi: ufs: core: Disable timestamp functionality if not supported Bartosz Golaszewski (1): pinctrl: keembay: release allocated memory in detach path Ben Copeland (1): hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex Benjamin Berg (1): wifi: mac80211: skip rate verification for not captured PSDUs Benjamin Lin (1): wifi: mt76: mt7996: Temporarily disable EPCS Biju Das (2): mmc: host: renesas_sdhi: Fix the actual clock spi: rpc-if: Add resume support for RZ/G3E Borislav Petkov (AMD) (1): x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Brahmajit Das (1): net: intel: fm10k: Fix parameter idx set but not used Breno Leitao (4): net: netpoll: Individualize the skb pool net: netpoll: flush skb pool during cleanup net: netpoll: fix incorrect refcount handling causing incorrect cleanup memcg: fix data-race KCSAN bug in rstats Bruno Thomsen (1): rtc: pcf2127: fix watchdog interrupt mask on pcf2131 Buday Csaba (1): net: mdio: fix resource leak in mdiobus_register_device() Bui Quang Minh (1): virtio-net: fix received length check in big packets Carolina Jubran (1): net/mlx5e: Don't query FEC statistics when FEC is disabled Cen Zhang (1): Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once Cezary Rojewski (1): ASoC: Intel: avs: Unprepare a stream when XRUN occurs Chandrakanth Patil (1): scsi: mpi3mr: Fix controller init failure on fault during queue creation Chang S. Bae (1): x86/fpu: Ensure XFD state on signal delivery Chao Yu (1): f2fs: fix to avoid overflow while left shift operation Charalampos Mitrodimas (1): net: ipv6: fix field-spanning memcpy warning in AH output Chelsy Ratnawat (1): media: fix uninitialized symbol warnings Chen Wang (1): PCI: cadence: Check for the existence of cdns_pcie::ops before using it Chen Yufeng (1): usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget Chen-Yu Tsai (1): clk: sunxi-ng: sun6i-rtc: Add A523 specifics Chenghao Duan (1): riscv: bpf: Fix uninitialized symbol 'retval_off' Chi Zhang (1): pinctrl: single: fix bias pull up/down handling in pin_config_set Chi Zhiling (1): exfat: limit log print for IO error Chris Lu (1): Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during reset Christian Bruel (1): irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment Christian König (1): drm/amdgpu: reject gang submissions under SRIOV Christoph Paasch (1): net: When removing nexthops, don't call synchronize_net if it is not necessary Christopher Ruehl (1): power: supply: qcom_battmgr: add OOI chemistry Chuande Chen (1): hwmon: (sbtsi_temp) AMD CPU extended temperature range support Chuang Wang (1): ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Chuck Lever (1): NFSD: Fix crash in nfsd4_read_release() ChunHao Lin (1): r8169: set EEE speed down ratio to 1 Chunyan Zhang (1): riscv: stacktrace: Disable KASAN checks for non-current tasks Clay King (1): drm/amd/display: ensure committing streams is seamless Clément Léger (1): riscv: stacktrace: fix backtracing through exceptions Coiby Xu (1): ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Colin Foster (1): smsc911x: add second read of EEPROM mac when possible corruption seen Cryolitia PukNgae (1): ALSA: usb-audio: apply quirk for MOONDROP Quark2 D. Wythe (1): net/smc: fix mismatch between CLC header and proposal Damien Le Moal (2): block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL block: make REQ_OP_ZONE_OPEN a write operation Dan Carpenter (1): mtd: onenand: Pass correct pointer to IRQ handler Daniel Lezcano (1): clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel Daniel Palmer (2): fbdev: atyfb: Check if pll_ops->init_pll failed eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP Daniel Wagner (2): nvmet-fc: avoid scheduling association deletion twice nvme-fc: use lock accessing port_state and rport state Danil Skrebenkov (1): RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Dave Jiang (8): base/node / acpi: Change 'node_hmem_attrs' to 'access_coordinates' acpi: numa: Create enum for memory_target access coordinates indexing acpi: numa: Add genport target allocation to the HMAT parsing acpi: Break out nesting for hmat_parse_locality() acpi: numa: Add setting of generic port system locality attributes base/node / ACPI: Enumerate node access class for 'struct access_coordinate' acpi/hmat: Fix lockdep warning for hmem_register_resource() ACPI: HMAT: Remove register of memory node for generic target David Ahern (2): selftests: Disable dad for ipv6 in fcnal-test.sh selftests: Replace sleep with slowwait David Francis (1): drm/amdgpu: Allow kfd CRIU with no buffer objects David Howells (1): cifs: Fix uncached read into ITER_KVEC iterator David Wei (1): netdevsim: add Makefile for selftests Dennis Beier (1): cpufreq/longhaul: handle NULL policy in longhaul_exit Devendra K Verma (1): dmaengine: dw-edma: Set status for callback_result Dmitry Baryshkov (1): drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts Domenico Cerasuolo (1): mm: memcg: add per-memcg zswap writeback stat Dragos Tatulea (2): page_pool: Clamp pool size to max 16K pages net/mlx5e: SHAMPO, Fix skb size check for 64K pages Eduard Zingerman (1): bpf: account for current allocated stack depth in widen_imprecise_scalars() Edward Adam Davis (1): cifs: client: fix memory leak in smb3_fs_context_parse_param Emanuele Ghidoli (1): net: phy: dp83867: Disable EEE support as not implemented Emil Dahl Juhl (1): tools: lib: thermal: don't preserve owner in install Eric Biggers (6): lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN scsi: ufs: core: Add UFSHCD_QUIRK_CUSTOM_CRYPTO_PROFILE scsi: ufs: core: fold ufshcd_clear_keyslot() into its caller scsi: ufs: core: Add UFSHCD_QUIRK_BROKEN_CRYPTO_ENABLE scsi: ufs: core: Add fill_crypto_prdt variant op scsi: ufs: core: Add UFSHCD_QUIRK_KEYS_IN_PRDT Eric Dumazet (7): net: call cond_resched() less often in __release_sock() ipv6: np->rxpmtu race annotation sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto net_sched: act_connmark: use RCU in tcf_connmark_dump() net_sched: limit try_bulk_dequeue_skb() batches bpf: Add bpf_prog_run_data_pointers() netpoll: remove netpoll_srcu Eric Huang (1): drm/amdkfd: fix vram allocation failure for a special case Fabien Proriol (1): power: supply: sbs-charger: Support multiple devices Farhan Ali (1): s390/pci: Restore IRQ unconditionally for the zPCI device Felix Maurer (1): hsr: Fix supervision frame sending on HSRv0 Fenglin Wu (1): power: supply: qcom_battmgr: handle charging state change notifications Filipe Manana (1): btrfs: do not update last_log_commit when logging inode due to a new name Fiona Ebner (1): smb: client: transport: avoid reconnects triggered by pending task work Florian Fuchs (1): fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS Florian Westphal (1): netfilter: nf_reject: don't reply to icmp error messages Forest Crossman (1): usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs Francisco Gutierrez (1): scsi: pm80xx: Fix race condition caused by static variables Gal Pressman (5): net/mlx5e: Use extack in get module eeprom by page callback net/mlx5e: Fix return value in case of module EEPROM read error net/mlx5e: Fix maxrate wraparound in threshold between units net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps net/mlx5e: Fix potentially misleading debug message Gaurav Jain (1): crypto: caam - double the entropy delay interval for retry Gautham R. Shenoy (3): ACPI: CPPC: Check _CPC validity for only the online CPUs ACPI: CPPC: Perform fast check switch only for online CPUs ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs Geert Uytterhoeven (1): kbuild: uapi: Strip comments before size type check Geoffrey McRae (1): drm/amdkfd: return -ENOTTY for unsupported IOCTLs Gerd Bayer (1): s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Gokul Sivakumar (1): wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Greg Kroah-Hartman (1): Linux 6.6.117 Haein Lee (1): ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Haibo Chen (1): iio: adc: imx93_adc: load calibrated values even calibration failed Han Gao (1): riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Hangbin Liu (1): net: vlan: sync VLAN features with lower device Hans de Goede (3): ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[] ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() spi: Try to get ACPI GPIO IRQ earlier Hao Yao (1): media: ov08x40: Fix the horizontal flip control Haotian Zhang (4): crypto: aspeed - fix double free caused by devm regulator: fixed: fix GPIO descriptor leak on register failure ASoC: cs4271: Fix regulator leak on probe failure ASoC: codecs: va-macro: fix resource leak in probe error path Harikrishna Shenoy (1): phy: cadence: cdns-dphy: Enable lower resolutions in dphy Hector Martin (1): iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs Heiko Carstens (1): s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP Heiner Kallweit (1): net: phy: fixed_phy: let fixed_phy_unregister free the phy_device Henrique Carvalho (3): smb: client: fix potential cfid UAF in smb2_query_info_compound smb: client: fix potential UAF in smb2_close_cached_fid() smb: client: fix cifs_pick_channel when channel needs reconnect Horatiu Vultur (1): lan966x: Fix sleeping in atomic context Hoyoung Seo (1): scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS Huacai Chen (2): LoongArch: Use correct accessor to read FWPC/MWPC LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Huang Ying (3): memory tiering: add abstract distance calculation algorithms management acpi, hmat: refactor hmat_register_target_initiators() acpi, hmat: calculate abstract distance with HMAT Ian Forbes (1): drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Ian Rogers (1): tools bitmap: Add missing asm-generic/bitsperlong.h include Ido Schimmel (2): bridge: Redirect to backup port when port is administratively down selftests: traceroute: Use require_command() Ilan Peer (1): wifi: mac80211: Fix HE capabilities element check Ilia Gavrilov (1): Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() Inochi Amaoto (1): irqchip/sifive-plic: Respect mask state when setting affinity Isaac J. Manjarres (1): mm/mm_init: fix hash table order logging in alloc_large_system_hash() Ivan Pravdin (1): Bluetooth: bcsp: receive data only if registered Jacob Moroni (3): RDMA/irdma: Fix SD index calculation RDMA/irdma: Remove unused struct irdma_cq fields RDMA/irdma: Set irdma_cq cq_num field during CQ create Jakub Kicinski (3): selftests: net: replace sleeps in fcnal-test with waits page_pool: always add GFP_NOWARN for ATOMIC allocations selftests: netdevsim: set test timeout to 10 minutes Janne Grunau (1): pmdomain: apple: Add "apple,t8103-pmgr-pwrstate" Janusz Krzysztofik (1): drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD Jason Gunthorpe (2): iommufd: Make vfio_compat's unmap succeed if the range is already empty iommufd: Don't overflow during division for dirty tracking Jayesh Choudhary (1): drm/tidss: Set crtc modesetting parameters with adjusted mode Jens Kehne (1): mfd: da9063: Split chip variant reading in two bus transactions Jens Reidel (1): soc: qcom: smem: Fix endian-unaware access of num_entries Jerome Brunet (1): NTB: epf: Allow arbitrary BAR mapping Jesse.Zhang (1): drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Jiawen Wu (1): net: libwx: fix device bus LAN ID Jiayi Li (1): memstick: Add timeout to prevent indefinite waiting Jihed Chaibi (1): ARM: dts: imx51-zii-rdu1: Fix audmux node names Jijie Shao (1): net: hns3: return error code when function fails Jiri Olsa (1): uprobe: Do not emulate/sstep original instruction when ip is changed Johan Hovold (2): Bluetooth: rfcomm: fix modem control handling drm/mediatek: Fix device use-after-free on unbind Johannes Berg (1): wifi: mac80211: reject address change while connecting John Keeping (1): ALSA: serial-generic: remove shared static buffer John Smith (2): drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland John Sperbeck (1): net: netpoll: ensure skb_pool list is always initialized Jonas Gorski (4): net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx net: dsa: b53: fix resetting speed and pause on forced link net: dsa: b53: fix enabling ip multicast net: dsa: b53: stop reading ARL entries if search is done Josephine Pfeiffer (1): riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro Joshua Rogers (2): smb: client: validate change notify buffer before copy ksmbd: close accepted socket when per-IP limit rejects connection Joshua Watt (1): NFS4: Fix state renewals missing after boot Josua Mayer (1): rtc: pcf2127: clear minute/second interrupt Julian Sun (1): ext4: increase IO priority of fastcommit Junjie Cao (1): fbdev: bitblit: bound-check glyph index in bit_putcs* Junxian Huang (1): RDMA/hns: Fix wrong WQE data when QP wraps around Juraj Šarinay (1): net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms Justin Tee (3): scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup scsi: lpfc: Define size of debugfs entry for xri rebalancing Kailang Yang (1): ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again Kalesh AP (1): bnxt_en: Fix a possible memory leak in bnxt_ptp_init Karthi Kandasamy (1): drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream Karthik M (1): wifi: ath12k: free skb during idr cleanup callback Kaushlendra Kumar (4): ACPI: button: Call input_free_device() on failing input device registration tools/cpupower: fix error return value in cpupower_write_sysfs() tools/cpupower: Fix incorrect size in cpuidle_state_disable() tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage Kees Cook (1): arc: Fix __fls() const-foldability via __builtin_clzl() Kent Russell (1): drm/amdkfd: Handle lack of READ permissions in SVM mapping Kirill A. Shutemov (1): x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall Kiryl Shutsemau (2): mm/memory: do not populate page table entries beyond i_size mm/truncate: unmap large folio on split failure Koakuma (1): sparc/module: Add R_SPARC_UA64 relocation handling Konstantin Sinyuk (1): accel/habanalabs/gaudi2: read preboot status after recovering from dirty state Krishna Kurapati (1): usb: xhci: plat: Facilitate using autosuspend for xhci plat devices Krzysztof Kozlowski (4): extcon: adc-jack: Fix wakeup source leaks on device unbind drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL drm/msm/dsi/phy_7nm: Fix missing initial VCO rate extcon: adc-jack: Cleanup wakeup source only if it was enabled Kumar Kartikeya Dwivedi (1): bpf: Do not limit bpf_cgroup_from_id to current's namespace Kuniyuki Iwashima (3): net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. tipc: Fix use-after-free in tipc_mon_reinit_self(). af_unix: Initialise scc_index in unix_add_edge(). Lance Yang (1): mm/secretmem: fix use-after-free race in fault handler Laurent Pinchart (2): media: pci: ivtv: Don't create fake v4l2_fh media: amphion: Delete v4l2_fh synchronously in .release() Len Brown (2): tools/power x86_energy_perf_policy: Enhance HWP enable tools/power x86_energy_perf_policy: Prefer driver HWP limits Li RongQing (1): x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT Li Zhijian (1): mm/memory-tier: fix abstract distance calculation overflow Lijo Lazar (2): drm/amd/pm: Use cached metrics data on aldebaran drm/amd/pm: Use cached metrics data on arcturus Lizhi Xu (1): usbnet: Prevents free active kevent Loic Poulain (2): wifi: ath10k: Fix memory leak on unsupported WMI command wifi: ath10k: Fix connection after GTK rekeying Luiz Augusto von Dentz (4): Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 Bluetooth: ISO: Fix another instance of dst_type handling Bluetooth: hci_core: Fix tracking of periodic advertisement Bluetooth: SCO: Fix UAF on sco_conn_free Lukas Wunner (1): thunderbolt: Use is_pciehp instead of is_hotplug_bridge Manivannan Sadhasivam (1): scsi: ufs: core: Add a quirk for handling broken LSDBS field in controller capabilities register Marcos Del Sol Vives (1): PCI: Disable MSI on RDC PCI to PCIe bridges Mario Limonciello (2): PCI/PM: Skip resuming to D0 if device is disconnected drm/amd: Fix suspend failure with secure display TA Mario Limonciello (AMD) (3): drm/amd: Avoid evicting resources at S5 HID: i2c-hid: Resolve touchpad issues on Dell systems during S4 x86/microcode/AMD: Add more known models to entry sign checking Mark Pearson (1): wifi: ath11k: Add missing platform IDs for quirk table Martin Willi (1): wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup Masami Ichikawa (1): HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Matthias Schiffer (1): clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled Matthieu Baerts (NGI0) (3): selftests: mptcp: connect: fix fallback note due to OoO selftests: mptcp: join: rm: set backup flag selftests: mptcp: connect: trunc: read all recv data Mehdi Djait (1): media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for VIDEO_CAMERA_SENSOR Miaoqian Lin (3): net: usb: asix_devices: Check return value of usbnet_get_endpoints fbdev: valkyriefb: Fix reference count leak in valkyriefb_init crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value Michael Dege (1): phy: renesas: r8a779f0-ether-serdes: add new step added to latest datasheet Michael Riesch (1): phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0 Michael Strauss (1): drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration Michal Hocko (1): mm, percpu: do not consider sleepable allocations atomic Mike Marshall (1): orangefs: fix xattr related buffer overflow... Miklos Szeredi (1): fuse: zero initialize inode private data Ming Wang (1): irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller Miroslav Lichvar (1): ptp: Limit time setting of PTP clocks Moti Haimovski (1): accel/habanalabs: support mapping cb with vmalloc-backed coherent memory Nai-Chen Cheng (1): selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency Namjae Jeon (1): ksmbd: use sock_create_kern interface to create kernel socket Nate Karstens (1): strparser: Fix signed/unsigned mismatch bug Nathan Chancellor (1): lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC Nhat Pham (1): cachestat: do not flush stats in recency check Nick Hu (1): irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Nicolas Escande (1): wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() Nicolas Ferre (2): ARM: at91: pm: save and restore ACR during PLL disable/enable clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register Niklas Cassel (1): PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify() Niklas Schnelle (2): powerpc/eeh: Use result of error_detected() in uevent s390/pci: Use pci_uevent_ers() in PCI recovery Niklas Söderlund (4): media: adv7180: Add missing lock in suspend callback media: adv7180: Do not write format to device in set_fmt media: adv7180: Only validate format in querystd net: sh_eth: Disable WoL if system can not suspend Nikolay Aleksandrov (2): net: bridge: fix use-after-free due to MST port state bypass net: bridge: fix MST static key usage Niravkumar L Rabara (2): EDAC/altera: Handle OCRAM ECC enable after warm reset EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Nithyanantham Paramasivam (1): wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256 Noorain Eqbal (1): bpf: Sync pending IRQ work before freeing ring buffer Oleg Makarenko (1): HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel Oleksij Rempel (2): net: stmmac: Correctly handle Rx checksum offload errors net: phy: clear link parameters on admin link down Olga Kornievskaia (2): NFSv4: handle ERR_GRACE on delegation recalls NFSD: free copynotify stateid in nfs4_free_ol_stateid() Olivier Moysan (1): ASoC: stm32: sai: manage context in set_sysclk callback Ondrej Mosnacek (1): bpf: Do not audit capability check in do_jit() Ovidiu Panait (1): crypto: sun8i-ce - remove channel timeout field Owen Gu (1): usb: gadget: f_fs: Fix epfile null pointer access after ep enable. Pablo Neira Ayuso (1): netfilter: nf_tables: reject duplicate device on updates Pankaj Raghav (1): filemap: cap PTE range to be created to allowed zero fill in folio_map_range() Paolo Abeni (4): mptcp: drop bogus optimization in __mptcp_check_push() mptcp: restore window probe mptcp: fix MSG_PEEK stream corruption net: allow small head cache usage with large MAX_SKB_FRAGS values Paul Hsieh (1): drm/amd/display: update dpp/disp clock from smu clock table Paul Kocialkowski (1): media: verisilicon: Explicitly disable selection api ioctls for decoders Pauli Virtanen (5): Bluetooth: MGMT: cancel mesh send timer when hdev removed Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Bluetooth: L2CAP: export l2cap_chan_hold for modules Peter Oberparleiter (1): gcov: add support for GCC 15 Peter Wang (5): scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration scsi: ufs: host: mediatek: Change reset sequence for improved stability scsi: ufs: host: mediatek: Enhance recovery on resume failure scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode changes Peter Zijlstra (1): compiler_types: Move unused static inline functions warning to W=2 Petr Machata (1): net: bridge: Install FDB for bridge MAC on VLAN 0 Philipp Stanner (1): drm/sched: Fix race in drm_sched_entity_select_rq() Pierre Gondois (1): sched/fair: Use all little CPUs for CPU-bound workloads Pierre-Eric Pelloux-Prayer (1): drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb Ping-Ke Shih (1): wifi: rtw88: sdio: use indirect IO for device registers before power-on Pranav Tyagi (1): futex: Don't leak robust_list pointer on exec race Primoz Fiser (1): ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 Qendrim Maxhuni (1): net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Qianfeng Rong (3): crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof() scsi: pm8001: Use int instead of u32 to store error codes media: redrat3: use int type to store negative error codes Qingfang Deng (2): 6pack: drop redundant locking and refcounting net: stmmac: Fix accessing freed irq affinity_hint Qinxin Xia (1): dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Qu Wenruo (1): btrfs: ensure no dirty metadata is written back for an fs with errors Quan Zhou (1): wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device Quanmin Yan (1): fbcon: Set fb_display[i]->mode to NULL when the mode is released Radhey Shyam Pandey (1): arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106 Rafael J. Wysocki (3): cpuidle: governors: menu: Rearrange main loop in menu_select() cpuidle: governors: menu: Select polling state in some more cases cpuidle: Fail cpuidle device registration if there is one already Rafał Miłecki (1): ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY Randall P. Embry (2): 9p: fix /sys/fs/9p/caches overwriting itself 9p: sysfs_init: don't hardcode error to ENOMEM Ranganath V N (2): net: sched: act_connmark: initialize struct tc_ife to fix kernel leak net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Ranjan Kumar (1): scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate Raphael Pinsonneault-Thibeault (2): Bluetooth: hci_event: validate skb length for unknown CC opcode Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Ricardo B. Marlière (2): selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh Ricardo Ribalda (1): media: uvcvideo: Use heuristic to find stream entity Richard Gobert (1): selftests/net: fix GRO coalesce test and add ext header coalesce tests Robert Marko (1): net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X Rodrigo Gobbi (1): iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register Rohan G Thomas (1): net: phy: marvell: Fix 88e1510 downshift counter errata Rong Zhang (1): hwmon: (k10temp) Add device ID for Strix Halo Rosen Penev (1): dmaengine: mv_xor: match alloc_wc and free_wc Roy Vegard Ovesen (2): ALSA: usb-audio: fix control pipe direction ALSA: usb-audio: add mono main switch to Presonus S1824c Ryan Chen (1): soc: aspeed: socinfo: Add AST27xx silicon IDs Ryan Wanner (1): clk: at91: clk-master: Add check for divide by 3 Sabrina Dubroca (1): espintcp: fix skb leaks Sakari Ailus (1): ACPI: property: Return present device nodes only on fwnode interface Saket Dumbre (1): ACPICA: Update dsmethod.c to get rid of unused variable warning Sangwook Shin (1): watchdog: s3c2410_wdt: Fix max_timeout being calculated larger Sarthak Garg (1): mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card Sascha Hauer (1): tools: lib: thermal: use pkg-config to locate libnl3 Sathishkumar S (1): drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff Scott Mayhew (1): NFS: check if suid/sgid was cleared after a write as needed Seyediman Seyedarab (2): drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot() Shang song (Lenovo) (1): ACPI: PRM: Skip handlers with NULL handler_address or NULL VA Sharique Mohammad (1): ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Shaurya Rane (1): jfs: fix uninitialized waitqueue in transaction manager Shawn Lin (1): mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 Shenghao Ding (1): ASoC: tas2781: fix getting the wrong device number Shengjiu Wang (1): ASoC: fsl_sai: fix bit order for DSD format Shuai Xue (1): acpi,srat: Fix incorrect device handle check for Generic Initiator Shuhao Fu (1): smb: client: fix refcount leak in smb2_set_path_attr Shyam Prasad N (1): cifs: stop writeback extension when change of size is detected Srinivas Kandagatla (1): ASoC: qdsp6: q6asm: do not sleep while atomic Srinivasan Shanmugam (1): drm/amdgpu: Fix function header names in amdgpu_connectors.c Stefan Wahren (1): ethernet: Extend device_get_mac_address() to use NVMEM Stefan Wiehler (3): sctp: Hold RCU read lock while iterating over address list sctp: Prevent TOCTOU out-of-bounds write sctp: Hold sock lock while iterating over address list Stephan Gerhold (1): remoteproc: qcom: q6v5: Avoid handling handover twice Steven Rostedt (1): selftests/tracing: Run sample events to clear page cache events Sungho Kim (1): PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call Svyatoslav Ryhel (4): soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups ARM: tegra: transformer-20: add missing magnetometer interrupt ARM: tegra: transformer-20: fix audio-codec interrupt video: backlight: lp855x_bl: Set correct EPROM start for LP8556 Takashi Iwai (2): ALSA: usb-audio: Add validation of UAC2/UAC3 effect units ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Tetsuo Handa (3): media: imon: make send_packet() more robust ntfs3: pretend $Extend records as regular files jfs: Verify inode mode when loading from disk Thadeu Lima de Souza Cascardo (1): char: misc: restrict the dynamic range to exclude reserved minors Thomas Andreatta (1): dmaengine: sh: setup_xref error handling Thomas Weißschuh (3): spi: loopback-test: Don't use %pK through printk bpf: Don't use %pK through printk ice: Don't use %pK through printk or tracepoints Thomas Zimmermann (1): drm/sysfb: Do not dereference NULL pointer in plane reset Théo Lebrun (1): net: macb: avoid dealing with endianness in macb_set_hwaddr() Tianyang Zhang (1): LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Tiezhu Yang (1): net: stmmac: Check stmmac_hw_setup() in stmmac_resume() Timur Kristóf (4): drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2) drm/amd/display: Fix DVI-D/HDMI adapters drm/amd/display: Disable VRR on DCE 6 drm/amd/pm: Disable MCLK switching on SI at high pixel clocks Tiwei Bie (1): um: Fix help message for ssl-non-raw Tom Stellard (1): bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21 Tomer Tayar (1): accel/habanalabs: return ENOMEM if less than requested pages were pinned Tomeu Vizoso (1): drm/etnaviv: fix flush sequence logic Tomi Valkeinen (3): drm/tidss: Use the crtc_* timings when programming the HW drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST Tristan Lobb (1): HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Tristram Ha (1): net: dsa: microchip: Fix reserved multicast address table programming Trond Myklebust (4): pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() NFS: enable nconnect for RDMA pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() Tvrtko Ursulin (1): drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl Ujwal Kundur (1): rds: Fix endianness annotation for RDS_MPATH_HASH Umesh Nerlige Ramappa (1): drm/i915: Fix conversion between clock ticks and nanoseconds Uwe Kleine-König (1): crypto: aspeed-acry - Convert to platform remove callback returning void Valerio Setti (1): ASoC: meson: aiu-encoder-i2s: fix bit clock polarity Vered Yavniely (1): accel/habanalabs/gaudi2: fix BMON disable configuration Viacheslav Dubeyko (2): ceph: add checking of wait_for_completion_killable() return value ceph: refactor wake_up_bit() pattern of calling Vincent Guittot (1): sched/pelt: Avoid underestimation of task utilization Vladimir Oltean (1): net: dsa: improve shutdown sequence Vladimir Riabchun (1): ftrace: Fix softlockup in ftrace_module_enable Vladimir Zapolskiy (1): media: i2c: og01a1b: Specify monochrome media bus format instead of Bayer Wake Liu (2): selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 selftests/net: Ensure assert() triggers in psock_tpacket.c Wang Liang (2): selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing ethtool-common.sh net: fix NULL pointer dereference in l3mdev_l3_rcv Wayne Lin (1): drm/amd/display: Enable mst when it's detected but yet to be initialized Wei Fang (1): net: fec: correct rx_bytes statistic for the case SHIFT16 is set Wei Yang (1): fs/proc: fix uaf in proc_readdir_de() William Wu (1): usb: gadget: f_hid: Fix zero length packet transfer Wonkon Kim (1): scsi: ufs: core: Initialize value of an attribute returned by uic cmd Xin Hao (1): mm: memcg: add THP swap out info for anonymous reclaim Xion Wang (1): char: Use list_del_init() in misc_deregister() to reinitialize list pointer Xuan Zhuo (1): virtio-net: fix incorrect flags recording in big mode Yafang Shao (1): net/cls_cgroup: Fix task_get_classid() during qdisc run Yang Wang (1): drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() Yang Xiuwei (1): NFS: sysfs: fix leak when nfs_client kobject add fails Yifan Zhang (1): amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw Yikang Yue (1): fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink Ying Huang (1): memory tiers: use default_dram_perf_ref_source in log message Yosry Ahmed (7): KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated mm: memcg: change flush_next_time to flush_last_time mm: memcg: move vmstats structs definition above flushing code mm: memcg: make stats flushing threshold per-memcg mm: workingset: move the stats flush into workingset_test_recent() mm: memcg: restore subtree stats flushing mm: memcg: optimize parent iteration in memcg_rstat_updated() Yu Kuai (1): blk-cgroup: fix possible deadlock while configuring policy Yue Haibing (1): ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled Yuhao Jiang (1): ACPI: video: Fix use-after-free in acpi_video_switch_brightness() Yuta Hayama (1): rtc: rx8025: fix incorrect register reference ZhangGuoDong (2): smb/server: fix possible memory leak in smb2_read() smb/server: fix possible refcount leak in smb2_sess_setup() Zijun Hu (2): char: misc: Make misc_register() reentry for miscdevice who wants dynamic minor char: misc: Does not request module for miscdevice with dynamic minor Zilin Guan (3): tracing: Fix memory leaks in create_field_var() net/handshake: Fix memory leak in tls_handshake_accept() btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() austinchang (1): btrfs: mark dirty extent range for out of bound prealloc extents chuguangqing (1): fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock jingxian.li (1): Revert "perf dso: Add missed dso__put to dso__load_kcore" raub camaioni (1): usb: gadget: f_ncm: Fix MAC assignment NCM ethernet wangzijie (1): f2fs: fix infinite loop in __insert_extent_tree() wenglianfa (1): RDMA/hns: Fix the modification of max_send_sge

2 weeks, 2 days

1
1
0 0

[PATCH] NFC: Fix error handling in nfc_genl_dump_targets

by Ma Ke

nfc_genl_dump_targets() increments the device reference count via nfc_get_device() but fails to decrement it properly. nfc_get_device() calls class_find_device() which internally calls get_device() to increment the reference count. No corresponding put_device() is made to decrement the reference count. Add proper reference count decrementing using nfc_put_device() when the dump operation completes or encounters an error, ensuring balanced reference counting. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 4d12b8b129f1 ("NFC: add nfc generic netlink interface") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- net/nfc/netlink.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c index a18e2c503da6..9ae138ee91dd 100644 --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -159,6 +159,11 @@ static int nfc_genl_dump_targets(struct sk_buff *skb, cb->args[0] = i; + if (rc < 0 || i >= dev->n_targets) { + nfc_put_device(dev); + cb->args[1] = 0; + } + return skb->len; } -- 2.17.1

2 weeks, 2 days

2
2
0 0

[PATCH AUTOSEL 6.17-5.10] platform/x86: huawei-wmi: add keys for HONOR models

by Sasha Levin

From: Jia Ston <ston.jia(a)outlook.com> [ Upstream commit 5c72329716d0858621021193330594d5d26bf44d ] HONOR MagicBook X16/X14 models produced in 2025 cannot use the Print Screen and YOYO keys properly, with the system reporting them as unknown key presses (codes: 0x028b and 0x028e). To resolve this, a key_entry is added for both the HONOR Print Screen key and the HONOR YOYO key, ensuring they function correctly on these models. Signed-off-by: Ston Jia <ston.jia(a)outlook.com> Link: https://patch.msgid.link/20251029051804.220111-1-ston.jia@outlook.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: ### Comprehensive Analysis 1. **Commit Message and Issue Analysis** The commit addresses a functional hardware defect on HONOR MagicBook X16/X14 laptops (2025 models). The "Print Screen" and "YOYO" keys do not generate input events, instead triggering "Unknown key pressed" warning logs with scancodes `0x028b` and `0x028e`. This means users cannot use these hardware features, which constitutes a real-world bug for owners of these devices. 2. **Code Review and Mechanism** The fix is a surgical addition to the `huawei_wmi_keymap` array in `drivers/platform/x86/huawei-wmi.c`. - **Mechanism:** The driver uses `sparse_keymap_entry_from_scancode` to translate WMI events into input events. Without these entries, the lookup fails, and the driver drops the event. - **Change:** Two lines are added: ```c { KE_KEY, 0x28b, { KEY_NOTIFICATION_CENTER } }, { KE_KEY, 0x28e, { KEY_PRINT } }, ``` - **Dependencies:** `KEY_NOTIFICATION_CENTER` was introduced in Linux 5.10. This patch is suitable for stable trees 5.10, 5.15, 6.1, and 6.6 without modification. Older LTS versions (4.19, 5.4) would require a minor adjustment (using a different keycode or backporting the definition), but the patch remains conceptually valid for them. 3. **Stable Kernel Rules Assessment** - **Exception Category:** This commit falls squarely under the **"QUIRKS and WORKAROUNDS"** and **"TRIVIAL SUBSYSTEM-SPECIFIC ADDITIONS"** exceptions defined in stable kernel rules. Adding keymap entries is functionally identical to adding PCI/USB IDs: it enables hardware that is currently present but non-functional. - **Feature vs. Fix:** While the commit says "add keys," it is fixing broken hardware support. The keys physically exist but do not work; enabling them is a fix, not a new software feature. - **New Hardware on Stable:** While the hardware is from 2025, it is common for users to run Long Term Support (LTS) kernels (e.g., Ubuntu LTS, RHEL, or community LTS kernels like 6.6.y) on new hardware. Refusing to backport hardware enablement forces these users to run bleeding-edge kernels or suffer broken functionality. 4. **Risk vs. Benefit** - **Regression Risk:** **Negligible.** The change adds data to a static array. It only affects the handling of two specific scancodes (`0x28b`, `0x28e`) which previously resulted in an error log. It cannot affect existing key mappings or other hardware. - **Benefit:** Restores functionality for the "Print Screen" key (essential for workflows) and the specific "YOYO" key on supported laptops. 5. **Conclusion** Although the commit lacks a "Cc: stable" tag, it meets all objective criteria for a stable backport. It is an obviously correct, low-risk, hardware-enabling fix that fits the "Quirks" exception. It should be included to ensure this hardware works correctly on supported LTS releases. ### TODO Items - No further investigation required. **YES** drivers/platform/x86/huawei-wmi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c index c3772df34679f..8a4c54089ace3 100644 --- a/drivers/platform/x86/huawei-wmi.c +++ b/drivers/platform/x86/huawei-wmi.c @@ -81,6 +81,10 @@ static const struct key_entry huawei_wmi_keymap[] = { { KE_KEY, 0x289, { KEY_WLAN } }, // Huawei |M| key { KE_KEY, 0x28a, { KEY_CONFIG } }, + // HONOR YOYO key + { KE_KEY, 0x28b, { KEY_NOTIFICATION_CENTER } }, + // HONOR print screen + { KE_KEY, 0x28e, { KEY_PRINT } }, // Keyboard backlit { KE_IGNORE, 0x293, { KEY_KBDILLUMTOGGLE } }, { KE_IGNORE, 0x294, { KEY_KBDILLUMUP } }, -- 2.51.0

2 weeks, 2 days

1
20
0 0

[PATCH] ksmbd: vfs: fix race on m_flags in vfs_cache

by Qianchang Zhao

ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close() used to read and modify m_flags without ci->m_lock. This creates a potential data race on m_flags when multiple threads open, close and delete the same file concurrently. In the worst case delete-on-close and pending-delete bits can be lost or observed in an inconsistent state, leading to confusing delete semantics (files that stay on disk after delete-on-close, or files that disappear while still in use). Fix it by: - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock after dropping inode_hash_lock. - Adding ci->m_lock protection to all helpers that read or modify m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()). - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(), and moving the actual unlink/xattr removal outside the lock. This unifies the locking around m_flags and removes the data race while preserving the existing delete-on-close behaviour. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/smb/server/vfs_cache.c | 114 +++++++++++++++++++++++++++++--------- 1 file changed, 87 insertions(+), 27 deletions(-) diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c index dfed6fce8..b44e0d618 100644 --- a/fs/smb/server/vfs_cache.c +++ b/fs/smb/server/vfs_cache.c @@ -112,40 +112,88 @@ int ksmbd_query_inode_status(struct dentry *dentry) read_lock(&inode_hash_lock); ci = __ksmbd_inode_lookup(dentry); - if (ci) { - ret = KSMBD_INODE_STATUS_OK; - if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS)) - ret = KSMBD_INODE_STATUS_PENDING_DELETE; - atomic_dec(&ci->m_count); - } read_unlock(&inode_hash_lock); + if (!ci) + return ret; + down_read(&ci->m_lock); + if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS)) + ret = KSMBD_INODE_STATUS_PENDING_DELETE; + else + ret = KSMBD_INODE_STATUS_OK; + up_read(&ci->m_lock); + + atomic_dec(&ci->m_count); return ret; } bool ksmbd_inode_pending_delete(struct ksmbd_file *fp) { - return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS)); + struct ksmbd_inode *ci; + bool ret; + + if (!fp) + return false; + + ci = fp->f_ci; + if (!ci) + return false; + + down_read(&ci->m_lock); + ret = ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS); + up_read(&ci->m_lock); + + return ret; } void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp) { - fp->f_ci->m_flags |= S_DEL_PENDING; + struct ksmbd_inode *ci; + + if (!fp) + return; + + ci = fp->f_ci; + if (!ci) + return; + + down_write(&ci->m_lock); + ci->m_flags |= S_DEL_PENDING; + up_write(&ci->m_lock); } void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp) { - fp->f_ci->m_flags &= ~S_DEL_PENDING; + struct ksmbd_inode *ci; + + if (!fp) + return; + + ci = fp->f_ci; + if (!ci) + return; + + down_write(&ci->m_lock); + ci->m_flags &= ~S_DEL_PENDING; + up_write(&ci->m_lock); } -void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp, - int file_info) +void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp, int file_info) { - if (ksmbd_stream_fd(fp)) { - fp->f_ci->m_flags |= S_DEL_ON_CLS_STREAM; + struct ksmbd_inode *ci; + + if (!fp) + return; + + ci = fp->f_ci; + if (!ci) return; - } - fp->f_ci->m_flags |= S_DEL_ON_CLS; + down_write(&ci->m_lock); + if (ksmbd_stream_fd(fp)) + ci->m_flags |= S_DEL_ON_CLS_STREAM; + else + ci->m_flags |= S_DEL_ON_CLS; + up_write(&ci->m_lock); } static void ksmbd_inode_hash(struct ksmbd_inode *ci) @@ -255,29 +303,41 @@ static void __ksmbd_inode_close(struct ksmbd_file *fp) struct ksmbd_inode *ci = fp->f_ci; int err; struct file *filp; + bool remove_stream_xattr = false; + bool do_unlink = false; filp = fp->filp; - if (ksmbd_stream_fd(fp) && (ci->m_flags & S_DEL_ON_CLS_STREAM)) { - ci->m_flags &= ~S_DEL_ON_CLS_STREAM; - err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp), - &filp->f_path, - fp->stream.name, - true); - if (err) - pr_err("remove xattr failed : %s\n", - fp->stream.name); + + if (ksmbd_stream_fd(fp)) { + down_write(&ci->m_lock); + if (ci->m_flags & S_DEL_ON_CLS_STREAM) { + ci->m_flags &= ~S_DEL_ON_CLS_STREAM; + remove_stream_xattr = true; + } + up_write(&ci->m_lock); + + if (remove_stream_xattr) { + err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp), + &filp->f_path, + fp->stream.name, + true); + if (err) + pr_err("remove xattr failed : %s\n", + fp->stream.name); + } } if (atomic_dec_and_test(&ci->m_count)) { down_write(&ci->m_lock); if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_PENDING)) { ci->m_flags &= ~(S_DEL_ON_CLS | S_DEL_PENDING); - up_write(&ci->m_lock); - ksmbd_vfs_unlink(filp); - down_write(&ci->m_lock); + do_unlink = true; } up_write(&ci->m_lock); + if (do_unlink) + ksmbd_vfs_unlink(filp); + ksmbd_inode_free(ci); } } -- 2.34.1

2 weeks, 2 days

2
1
0 0

LPO 94914 Monday, November 24, 2025 at 08:03:35 AM

by Gusikowski Inc

Dear Stable, I hope this message finds you well. I am reaching out to follow up regarding the products listed in the attached document, as I am currently gathering the necessary information to move forward with our evaluation and procurement process. Your insights and clarification will be greatly appreciated. To better understand your offerings, could you please provide more detailed information on the following: Pricing structure for each product, including any volume discounts or tiered pricing options. Availability and stock levels, especially for high-demand items or products with known lead times. Technical specifications, features, and product variations, so we can accurately assess compatibility with our needs. Current promotions, special offers, or bundled packages that may apply to this order. Shipping and logistics details, including available carriers, estimated delivery timelines, and any additional fees we should be aware of. If there are catalogs, brochures, or updated product sheets available, please feel free to include them as well. Any additional insight you can share regarding after-sales support, warranty terms, or return policies would also be helpful as we work toward a final decision. Due to the timelines of our internal review, I would greatly appreciate your prompt response at your earliest convenience. Your assistance plays a vital role in helping us move forward efficiently and confidently. Thank you again for your time, cooperation, and support. I look forward to hearing from you soon and continuing our discussion. Warm regards, Olive Bailey Head of Procurement

2 weeks, 2 days

1
0
0 0

Supply Inquiry for Mexico 2026 FIFA

by Valeria R Elena

Dear Sir, I'm one of the registered and authorized International procurement consultants of the Mexico 2026 FIFA world cup. The government of Mexico through the Mexico 2026 FIFA World Cup Local Organizing Committee has approved a massive procurement of your products for nationwide distribution to Airports facilities, offices, stadiums, Hostels, Hotels, Shops, etc as part of their national and regional sensitization programs towards the hosting of the FIFA world cup 2026. The packaging of the products will be customized with the Mexico 2026 Logo. The Local Organizing Committee is looking for a capable company to handle the supply under a bidding process. I wish to know if your company will be interested to participate in this project so that we could discuss our possible collaboration to ensure a successful bidding. More details would be provided upon hearing from you. Best regards, Best Regards, Dr. Ms Valeria R Elena Green Palms México Ltd Mexico City La Ciudad de los Palacios

2 weeks, 2 days

1
0
0 0

FAILED: patch "[PATCH] fs/proc: fix uaf in proc_readdir_de()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 895b4c0c79b092d732544011c3cecaf7322c36a1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112019-mantra-unwind-1db7@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 895b4c0c79b092d732544011c3cecaf7322c36a1 Mon Sep 17 00:00:00 2001 From: Wei Yang <albinwyang(a)tencent.com> Date: Sat, 25 Oct 2025 10:42:33 +0800 Subject: [PATCH] fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2) Link: https://lkml.kernel.org/r/20251025024233.158363-1-albin_yang@163.com Signed-off-by: Wei Yang <albinwyang(a)tencent.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: wangzijie <wangzijie1(a)honor.com> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 176281112273..501889856461 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -698,6 +698,12 @@ void pde_put(struct proc_dir_entry *pde) } } +static void pde_erase(struct proc_dir_entry *pde, struct proc_dir_entry *parent) +{ + rb_erase(&pde->subdir_node, &parent->subdir); + RB_CLEAR_NODE(&pde->subdir_node); +} + /* * Remove a /proc entry and free it if it's not currently in use. */ @@ -720,7 +726,7 @@ void remove_proc_entry(const char *name, struct proc_dir_entry *parent) WARN(1, "removing permanent /proc entry '%s'", de->name); de = NULL; } else { - rb_erase(&de->subdir_node, &parent->subdir); + pde_erase(de, parent); if (S_ISDIR(de->mode)) parent->nlink--; } @@ -764,7 +770,7 @@ int remove_proc_subtree(const char *name, struct proc_dir_entry *parent) root->parent->name, root->name); return -EINVAL; } - rb_erase(&root->subdir_node, &parent->subdir); + pde_erase(root, parent); de = root; while (1) { @@ -776,7 +782,7 @@ int remove_proc_subtree(const char *name, struct proc_dir_entry *parent) next->parent->name, next->name); return -EINVAL; } - rb_erase(&next->subdir_node, &de->subdir); + pde_erase(next, de); de = next; continue; }

2 weeks, 2 days

3
2
0 0

[PATCH 5.4.y] fs/proc: fix uaf in proc_readdir_de()

by albin_yang＠163.com

From: Wei Yang <albinwyang(a)tencent.com> commit 895b4c0c79b092d732544011c3cecaf7322c36a1 upstream. Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2) Link: https://lkml.kernel.org/r/20251025024233.158363-1-albin_yang@163.com Signed-off-by: Wei Yang <albinwyang(a)tencent.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: wangzijie <wangzijie1(a)honor.com> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/generic.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/fs/proc/generic.c b/fs/proc/generic.c index 372b4dad4863..c4a7d96787f3 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -671,6 +671,12 @@ void pde_put(struct proc_dir_entry *pde) } } +static void pde_erase(struct proc_dir_entry *pde, struct proc_dir_entry *parent) +{ + rb_erase(&pde->subdir_node, &parent->subdir); + RB_CLEAR_NODE(&pde->subdir_node); +} + /* * Remove a /proc entry and free it if it's not currently in use. */ @@ -689,7 +695,7 @@ void remove_proc_entry(const char *name, struct proc_dir_entry *parent) de = pde_subdir_find(parent, fn, len); if (de) { - rb_erase(&de->subdir_node, &parent->subdir); + pde_erase(de, parent); if (S_ISDIR(de->mode)) { parent->nlink--; } @@ -727,13 +733,13 @@ int remove_proc_subtree(const char *name, struct proc_dir_entry *parent) write_unlock(&proc_subdir_lock); return -ENOENT; } - rb_erase(&root->subdir_node, &parent->subdir); + pde_erase(root, parent); de = root; while (1) { next = pde_subdir_first(de); if (next) { - rb_erase(&next->subdir_node, &de->subdir); + pde_erase(next, de); de = next; continue; } -- 2.43.7

2 weeks, 2 days

1
0
0 0

[PATCH] nvmem: apple-spmi-nvmem: wrap regmap calls to satisfy CFI

by Jens Reidel

The Apple SPMI NVMEM driver previously cast regmap_bulk_read/write to void * when assigning them to nvmem_config's reg_read/reg_write function pointers. This cast breaks the expected function signature of nvmem_reg_read_t and nvmem_reg_write_t. With CFI enabled, indirect calls through these pointers fail: CFI failure at nvmem_reg_write+0x194/0x1e4 (target: regmap_bulk_write+0x0/0x2c8; expected type: 0x83a189c3) ... Call trace: nvmem_reg_write+0x194/0x1e4 (P) __nvmem_cell_entry_write+0x298/0x2e8 nvmem_cell_write+0x24/0x34 macsmc_reboot_probe+0x1dc/0x454 [macsmc_reboot] ... Introduce thin wrapper functions with the correct nvmem function pointer types to satisfy the CFI checks. Fixes: fe91c24a551c ("nvmem: Add apple-spmi-nvmem driver") Signed-off-by: Jens Reidel <adrian(a)mainlining.org> Reported-by: Clayton Craft <craftyguy(a)postmarketos.org> Tested-by: Clayton Craft <craftyguy(a)postmarketos.org> Cc: stable(a)vger.kernel.org --- drivers/nvmem/apple-spmi-nvmem.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/drivers/nvmem/apple-spmi-nvmem.c b/drivers/nvmem/apple-spmi-nvmem.c index 88614005d5ce1dc2d1cafcb89ac66d8376ffcc96..7acb0c07d6abe9e9984908f5ea2f4e2e9c10bb06 100644 --- a/drivers/nvmem/apple-spmi-nvmem.c +++ b/drivers/nvmem/apple-spmi-nvmem.c @@ -18,6 +18,22 @@ static const struct regmap_config apple_spmi_regmap_config = { .max_register = 0xffff, }; +static int apple_spmi_nvmem_read(void *priv, unsigned int offset, void *val, + size_t bytes) +{ + struct regmap *map = priv; + + return regmap_bulk_read(map, offset, val, bytes); +} + +static int apple_spmi_nvmem_write(void *priv, unsigned int offset, void *val, + size_t bytes) +{ + struct regmap *map = priv; + + return regmap_bulk_write(map, offset, val, bytes); +} + static int apple_spmi_nvmem_probe(struct spmi_device *sdev) { struct regmap *regmap; @@ -28,8 +44,8 @@ static int apple_spmi_nvmem_probe(struct spmi_device *sdev) .word_size = 1, .stride = 1, .size = 0xffff, - .reg_read = (void *)regmap_bulk_read, - .reg_write = (void *)regmap_bulk_write, + .reg_read = apple_spmi_nvmem_read, + .reg_write = apple_spmi_nvmem_write, }; regmap = devm_regmap_init_spmi_ext(sdev, &apple_spmi_regmap_config); --- base-commit: 0c1c7a6a83feaf2cf182c52983ffe330ffb50280 change-id: 20251118-apple-spmi-nvmem-cfi-6037c1abfd12 Best regards, -- Jens Reidel <adrian(a)mainlining.org>

2 weeks, 2 days

2
1
0 0

[REGRESSION] nfs: Large amounts of GETATTR calls after file renaming on v5.10.241

by Ahmed, Aaron

Hi, We have had customers report a regression on kernels versions 5.10.241 and above in which file renaming causes large amounts of GETATTR calls to made due to inode revalidation. This regression was pinpointed via bisected to commit 7378c7adf31d ("NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity") which is a backport of 36a9346c2252 (“NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity”). We were able to reproduce It with this script: REPRO_PATH=/mnt/efs/repro do_read() { for x in {1..50} do cat $1 > /dev/null done grep GETATTR /proc/self/mountstats } echo foo > $REPRO_PATH/bar echo "After create, before read:" grep GETATTR /proc/self/mountstats echo "First read:" do_read $REPRO_PATH/bar echo "Sleeping 5s, reading again (should look the same):" sleep 5 do_read $REPRO_PATH/bar mv $REPRO_PATH/bar $REPRO_PATH/baz echo "Moved file, reading again:" do_read $REPRO_PATH/baz echo "Immediately performing another set of reads:" do_read $REPRO_PATH/baz echo "Cleanup, removing test file" rm $REPRO_PATH/baz which performs a few read/writes. On kernels without the regression the number of GETATTR calls remains the same while on affected kernels the amount increases after reading renamed file. This original commit comes from a series of patches providing attribute revalidation updates [1]. However, many of these patches are missing in v.5.10.241+. Specifically, 13c0b082b6a9 (“NFS: Replace use of NFS_INO_REVAL_PAGECACHE when checking cache validity”) seems like a prerequisite patch and would help remedy the regression. #regzbot introduced: 7378c7adf31d Thanks, Aaron Ahmed [1] https://lore.kernel.org/all/20210414134353.11860-1-trondmy@kernel.org/ Signed-off-by: Aaron Ahmed <aarnhahmd(a)amazon.com>

2 weeks, 3 days

3
4
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: endpoints: longer transfer" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 6457595db9870298ee30b6d75287b8548e33fe19 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112027-clench-amazingly-fc3f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6457595db9870298ee30b6d75287b8548e33fe19 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 10 Nov 2025 19:23:42 +0100 Subject: [PATCH] selftests: mptcp: join: endpoints: longer transfer In rare cases, when the test environment is very slow, some userspace tests can fail because some expected events have not been seen. Because the tests are expecting a long on-going connection, and they are not waiting for the end of the transfer, it is fine to make the connection longer. This connection will be killed at the end, after the verifications, so making it longer doesn't change anything, apart from avoid it to end before the end of the verifications To play it safe, all endpoints tests not waiting for the end of the transfer are now sharing a longer file (128KB) at slow speed. Fixes: 69c6ce7b6eca ("selftests: mptcp: add implicit endpoint test case") Cc: stable(a)vger.kernel.org Fixes: e274f7154008 ("selftests: mptcp: add subflow limits test-cases") Fixes: b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") Fixes: e06959e9eebd ("selftests: mptcp: join: test for flush/re-add endpoints") Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-3-a4332c71… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index 9ed9ec7202d6..97af8d89ac5c 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3943,7 +3943,7 @@ endpoint_tests() pm_nl_set_limits $ns1 2 2 pm_nl_set_limits $ns2 2 2 pm_nl_add_endpoint $ns1 10.0.2.1 flags signal - { speed=slow \ + { test_linkfail=128 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null local tests_pid=$! @@ -3970,7 +3970,7 @@ endpoint_tests() pm_nl_set_limits $ns2 0 3 pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow - { test_linkfail=4 speed=5 \ + { test_linkfail=128 speed=5 \ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null local tests_pid=$! @@ -4048,7 +4048,7 @@ endpoint_tests() # broadcast IP: no packet for this address will be received on ns1 pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal - { test_linkfail=4 speed=5 \ + { test_linkfail=128 speed=5 \ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null local tests_pid=$! @@ -4121,7 +4121,7 @@ endpoint_tests() # broadcast IP: no packet for this address will be received on ns1 pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow - { test_linkfail=4 speed=20 \ + { test_linkfail=128 speed=20 \ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null local tests_pid=$!

2 weeks, 3 days

2
1
0 0

[PATCH] net: dsa: microchip: fix mdio parent bus reference leak

by Ma Ke

In ksz_mdio_register(), when of_mdio_find_bus() is called to get the parent MDIO bus, it increments the reference count of the underlying device. However, the reference are not released in error paths or during switch teardown, causing a reference leak. Add put_device() in the error path of ksz_mdio_register() and ksz_teardown() to release the parent bus. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 9afaf0eec2ab ("net: dsa: microchip: Refactor MDIO handling for side MDIO access") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/net/dsa/microchip/ksz_common.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c index 933ae8dc6337..49c0420a6df8 100644 --- a/drivers/net/dsa/microchip/ksz_common.c +++ b/drivers/net/dsa/microchip/ksz_common.c @@ -2795,6 +2795,11 @@ static int ksz_mdio_register(struct ksz_device *dev) } put_mdio_node: + if (ret && dev->parent_mdio_bus) { + put_device(&dev->parent_mdio_bus->dev); + dev->parent_mdio_bus = NULL; + } + of_node_put(mdio_np); of_node_put(parent_bus_node); @@ -3110,6 +3115,11 @@ static void ksz_teardown(struct dsa_switch *ds) ksz_irq_free(&dev->girq); } + if (dev->parent_mdio_bus) { + put_device(&dev->parent_mdio_bus->dev); + dev->parent_mdio_bus = NULL; + } + if (dev->dev_ops->teardown) dev->dev_ops->teardown(ds); } -- 2.17.1

2 weeks, 3 days

3
2
0 0

IAA Mobility 2025 Attendees Contacts!

by Grace Taylor

Hi, Great news — the final verified attendee list of the IAA Mobility 2025 is now available. This exclusive database includes 501,847 high-value contacts, complete with all last-minute registrations and walk-ins. For a short time, we’re offering an exclusive 30% discount, making this the perfect opportunity to strengthen your pipeline and accelerate your outreach. If you want to review the full details, simply reply “Send the Price” and I’ll send everything over immediately. Your list will be delivered within 48 hours. Don’t miss out on this limited offer — happy to assist you in getting started. Kind regards, Grace Taylor Sr. Demand Generation If you’d prefer not to receive these updates, reply “No.”

2 weeks, 3 days

1
0
0 0

[PATCH v3] powerpc, mm: Fix mprotect on book3s 32-bit

by Dave Vasilevsky

On 32-bit book3s with hash-MMUs, tlb_flush() was a no-op. This was unnoticed because all uses until recently were for unmaps, and thus handled by __tlb_remove_tlb_entry(). After commit 4a18419f71cd ("mm/mprotect: use mmu_gather") in kernel 5.19, tlb_gather_mmu() started being used for mprotect as well. This caused mprotect to simply not work on these machines: int *ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); *ptr = 1; // force HPTE to be created mprotect(ptr, 4096, PROT_READ); *ptr = 2; // should segfault, but succeeds Fixed by making tlb_flush() actually flush TLB pages. This finally agrees with the behaviour of boot3s64's tlb_flush(). Fixes: 4a18419f71cd ("mm/mprotect: use mmu_gather") Cc: stable(a)vger.kernel.org Reviewed-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Reviewed-by: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Signed-off-by: Dave Vasilevsky <dave(a)vasilevsky.ca> --- Changes in v3: - Fix formatting - Link to v2: https://lore.kernel.org/r/20251111-vasi-mprotect-g3-v2-1-881c94afbc42@vasil… Changes in v2: - Flush entire TLB if full mm is requested. - Link to v1: https://lore.kernel.org/r/20251027-vasi-mprotect-g3-v1-1-3c5187085f9a@vasil… --- arch/powerpc/include/asm/book3s/32/tlbflush.h | 5 ++++- arch/powerpc/mm/book3s32/tlb.c | 9 +++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/include/asm/book3s/32/tlbflush.h b/arch/powerpc/include/asm/book3s/32/tlbflush.h index e43534da5207aa3b0cb3c07b78e29b833c141f3f..4be2200a3c7e1e8307f5ce1f1d5d28047429c106 100644 --- a/arch/powerpc/include/asm/book3s/32/tlbflush.h +++ b/arch/powerpc/include/asm/book3s/32/tlbflush.h @@ -11,6 +11,7 @@ void hash__flush_tlb_mm(struct mm_struct *mm); void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr); void hash__flush_range(struct mm_struct *mm, unsigned long start, unsigned long end); +void hash__flush_gather(struct mmu_gather *tlb); #ifdef CONFIG_SMP void _tlbie(unsigned long address); @@ -29,7 +30,9 @@ void _tlbia(void); static inline void tlb_flush(struct mmu_gather *tlb) { /* 603 needs to flush the whole TLB here since it doesn't use a hash table. */ - if (!mmu_has_feature(MMU_FTR_HPTE_TABLE)) + if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) + hash__flush_gather(tlb); + else _tlbia(); } diff --git a/arch/powerpc/mm/book3s32/tlb.c b/arch/powerpc/mm/book3s32/tlb.c index 9ad6b56bfec96e989b96f027d075ad5812500854..e54a7b0112322e5818d80facd2e3c7722e6dd520 100644 --- a/arch/powerpc/mm/book3s32/tlb.c +++ b/arch/powerpc/mm/book3s32/tlb.c @@ -105,3 +105,12 @@ void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr) flush_hash_pages(mm->context.id, vmaddr, pmd_val(*pmd), 1); } EXPORT_SYMBOL(hash__flush_tlb_page); + +void hash__flush_gather(struct mmu_gather *tlb) +{ + if (tlb->fullmm || tlb->need_flush_all) + hash__flush_tlb_mm(tlb->mm); + else + hash__flush_range(tlb->mm, tlb->start, tlb->end); +} +EXPORT_SYMBOL(hash__flush_gather); --- base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 change-id: 20251027-vasi-mprotect-g3-f8f5278d4140 Best regards, -- Dave Vasilevsky <dave(a)vasilevsky.ca>

2 weeks, 3 days

2
1
0 0

[PATCH] net: dsa: Fix error handling in dsa_port_parse_of

by Ma Ke

When of_find_net_device_by_node() successfully acquires a reference to a network device but the subsequent call to dsa_port_parse_cpu() fails, dsa_port_parse_of() returns without releasing the reference count on the network device. of_find_net_device_by_node() increments the reference count of the returned structure, which should be balanced with a corresponding put_device() when the reference is no longer needed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 6ca80638b90c ("net: dsa: Use conduit and user terms") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- net/dsa/dsa.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c index 5b01a0e43ebe..632e0d716d62 100644 --- a/net/dsa/dsa.c +++ b/net/dsa/dsa.c @@ -1246,6 +1246,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) struct device_node *ethernet = of_parse_phandle(dn, "ethernet", 0); const char *name = of_get_property(dn, "label", NULL); bool link = of_property_read_bool(dn, "link"); + int err; dp->dn = dn; @@ -1259,7 +1260,13 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) return -EPROBE_DEFER; user_protocol = of_get_property(dn, "dsa-tag-protocol", NULL); - return dsa_port_parse_cpu(dp, conduit, user_protocol); + err = dsa_port_parse_cpu(dp, conduit, user_protocol); + if (err) { + put_device(conduit); + return err; + } + + return 0; } if (link) -- 2.17.1

2 weeks, 3 days

5
5
0 0

[PATCH v2] mm/memfd: fix information leak in hugetlb folios

by Deepanshu Kartikey

When allocating hugetlb folios for memfd, three initialization steps are missing: 1. Folios are not zeroed, leading to kernel memory disclosure to userspace 2. Folios are not marked uptodate before adding to page cache 3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache() The memfd allocation path bypasses the normal page fault handler (hugetlb_no_page) which would handle all of these initialization steps. This is problematic especially for udmabuf use cases where folios are pinned and directly accessed by userspace via DMA. Fix by matching the initialization pattern used in hugetlb_no_page(): - Zero the folio using folio_zero_user() which is optimized for huge pages - Mark it uptodate with folio_mark_uptodate() - Take hugetlb_fault_mutex before adding to page cache to prevent races The folio_zero_user() change also fixes a potential security issue where uninitialized kernel memory could be disclosed to userspace through read() or mmap() operations on the memfd. Reported-by: syzbot+f64019ba229e3a5c411b(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/all/20251112031631.2315651-1-kartikey406@gmail.com/ [v1] Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Cc: stable(a)vger.kernel.org Suggested-by: Oscar Salvador <osalvador(a)suse.de> Suggested-by: David Hildenbrand <david(a)redhat.com> Tested-by: syzbot+f64019ba229e3a5c411b(a)syzkaller.appspotmail.com Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- v1 -> v2: - Use folio_zero_user() instead of folio_zero_range() (optimized for huge pages) - Add folio_mark_uptodate() before adding to page cache - Add hugetlb_fault_mutex locking around hugetlb_add_to_page_cache() - Add Fixes: tag and Cc: stable for backporting - Add Suggested-by: tags for Oscar and David --- mm/memfd.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/mm/memfd.c b/mm/memfd.c index 1d109c1acf21..d32eef58d154 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -96,9 +96,36 @@ struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx) NULL, gfp_mask); if (folio) { + u32 hash; + + /* + * Zero the folio to prevent information leaks to userspace. + * Use folio_zero_user() which is optimized for huge/gigantic + * pages. Pass 0 as addr_hint since this is not a faulting path + * and we don't have a user virtual address yet. + */ + folio_zero_user(folio, 0); + + /* + * Mark the folio uptodate before adding to page cache, + * as required by filemap.c and other hugetlb paths. + */ + __folio_mark_uptodate(folio); + + /* + * Serialize hugepage allocation and instantiation to prevent + * races with concurrent allocations, as required by all other + * callers of hugetlb_add_to_page_cache(). + */ + hash = hugetlb_fault_mutex_hash(memfd->f_mapping, idx); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + err = hugetlb_add_to_page_cache(folio, memfd->f_mapping, idx); + + mutex_unlock(&hugetlb_fault_mutex_table[hash]); + if (err) { folio_put(folio); goto err_unresv; -- 2.43.0

2 weeks, 3 days

4
4
0 0

[tip: timers/urgent] timers: Fix NULL function pointer race in timer_shutdown_sync()

by tip-bot2 for Yipeng Zou

The following commit has been merged into the timers/urgent branch of tip: Commit-ID: 20739af07383e6eb1ec59dcd70b72ebfa9ac362c Gitweb: https://git.kernel.org/tip/20739af07383e6eb1ec59dcd70b72ebfa9ac362c Author: Yipeng Zou <zouyipeng(a)huawei.com> AuthorDate: Sat, 22 Nov 2025 09:39:42 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Sat, 22 Nov 2025 22:55:26 +01:00 timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this: CPU0 CPU1 <SOFTIRQ> lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger <SOFTIRQ> expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running. Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions") Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com --- kernel/time/timer.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel/time/timer.c b/kernel/time/timer.c index 553fa46..d5ebb1d 100644 --- a/kernel/time/timer.c +++ b/kernel/time/timer.c @@ -1458,10 +1458,11 @@ static int __try_to_del_timer_sync(struct timer_list *timer, bool shutdown) base = lock_timer_base(timer, &flags); - if (base->running_timer != timer) + if (base->running_timer != timer) { ret = detach_if_pending(timer, base, true); - if (shutdown) - timer->function = NULL; + if (shutdown) + timer->function = NULL; + } raw_spin_unlock_irqrestore(&base->lock, flags);

2 weeks, 3 days

1
0
0 0

Urgent Financial Management Opportunity.

by Dr. Malik

2 weeks, 4 days

1
0
0 0

MEDICA 2025 – Access to Attendee Data

by Mike Jarvis

Hi, As you have been an exhibitor at “MEDICA 2025” has successfully concluded, and the final verified attendees list is now available for your post-show outreach. It includes over 80,147 verified professionals and 4,906 exhibiting companies — Featuring medical technology manufacturers, healthcare suppliers, distributors, and service providers with complete and verified contact details. Note: All data is verified and fully GDPR compliant. If interested, share your target audience for relevant counts and pricing. Kind Regards, Mike Jarvis Sr. Demand Generation To opt out, reply “Unsubscribe.”

2 weeks, 4 days

1
0
0 0

Re: [PATCH 6.12 000/565] 6.12.58-rc1 review

by Jari Ruusu

Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> wrote: > This is the start of the stable review cycle for the 6.12.58 release. > There are 565 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. [SNIP] > Zizhi Wo <wozizhi(a)huaweicloud.com> > tty/vt: Add missing return value for VT_RESIZE in vt_ioctl() Locking seems to be messed up in backport of above mentioned patch. That patch is viewable here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/… Upstream uses guard() locking: | case VT_RESIZE: | { | .... | guard(console_lock)(); | ^^^^^^^^^^^^^^^^^^^^^-------this generates auto-unlock code | .... | ret = __vc_resize(vc_cons[i].d, cc, ll, true); | if (ret) | return ret; | ^^^^^^^^^^----------this releases console lock | .... | break; | } Older stable branches use old-school locking: | case VT_RESIZE: | { | .... | console_lock(); | .... | ret = __vc_resize(vc_cons[i].d, cc, ll, true); | if (ret) | return ret; | ^^^^^^^^^^----------this does not release console lock | .... | console_unlock(); | break; | } Backporting upstream fixes that use guard() locking to older stable branches that use old-school locking need "extra sports". Please consider dropping or fixing above mentioned patch. -- Jari Ruusu 4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD ACDF F073 3C80 8132 F189

2 weeks, 4 days

2
2
0 0

[PATCH] RDMA/irdma: fix Kconfig dependency

by Wentao Guan

Any combination of (IDPF || ICE || I40E) can register auxiliary_dev, so use '||' instead of '&&' in IRDMA config. Cc: stable(a)vger.kernel.org Fixes: 060842fed53f ("RDMA/irdma: Update Kconfig") Fixes: fa0cf568fd76 ("RDMA/irdma: Add irdma Kconfig/Makefile and remove i40iw") Signed-off-by: Wentao Guan <guanwentao(a)uniontech.com> --- PS: found in stable v6.12.58, it makes IRDMA be removed when select ICE+I40E+(!IDPF). --- --- drivers/infiniband/hw/irdma/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/irdma/Kconfig b/drivers/infiniband/hw/irdma/Kconfig index 0bd7e3fca1fbb..83a55b23c1325 100644 --- a/drivers/infiniband/hw/irdma/Kconfig +++ b/drivers/infiniband/hw/irdma/Kconfig @@ -4,7 +4,7 @@ config INFINIBAND_IRDMA depends on INET depends on IPV6 || !IPV6 depends on PCI - depends on IDPF && ICE && I40E + depends on IDPF || ICE || I40E select GENERIC_ALLOCATOR select AUXILIARY_BUS select CRC32 base-commit: 9b9e43704d2b05514aeeaea36311addba2c72408 -- 2.20.1

2 weeks, 4 days

2
2
0 0

FAILED: patch "[PATCH] kho: increase metadata bitmap size to PAGE_SIZE" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x a2fff99f92dae9c0eaf0d75de3def70ec68dad92 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112136-panama-nape-342b@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a2fff99f92dae9c0eaf0d75de3def70ec68dad92 Mon Sep 17 00:00:00 2001 From: Pasha Tatashin <pasha.tatashin(a)soleen.com> Date: Mon, 20 Oct 2025 20:08:51 -0400 Subject: [PATCH] kho: increase metadata bitmap size to PAGE_SIZE KHO memory preservation metadata is preserved in 512 byte chunks which requires their allocation from slab allocator. Slabs are not safe to be used with KHO because of kfence, and because partial slabs may lead leaks to the next kernel. Change the size to be PAGE_SIZE. The kfence specifically may cause memory corruption, where it randomly provides slab objects that can be within the scratch area. The reason for that is that kfence allocates its objects prior to KHO scratch is marked as CMA region. While this change could potentially increase metadata overhead on systems with sparsely preserved memory, this is being mitigated by ongoing work to reduce sparseness during preservation via 1G guest pages. Furthermore, this change aligns with future work on a stateless KHO, which will also use page-sized bitmaps for its radix tree metadata. Link: https://lkml.kernel.org/r/20251021000852.2924827-3-pasha.tatashin@soleen.com Fixes: fc33e4b44b27 ("kexec: enable KHO support for memory preservation") Signed-off-by: Pasha Tatashin <pasha.tatashin(a)soleen.com> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Pratyush Yadav <pratyush(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: David Matlack <dmatlack(a)google.com> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Masahiro Yamada <masahiroy(a)kernel.org> Cc: Miguel Ojeda <ojeda(a)kernel.org> Cc: Randy Dunlap <rdunlap(a)infradead.org> Cc: Samiullah Khawaja <skhawaja(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c index 0bc9001e532a..9217d2fdd2d3 100644 --- a/kernel/kexec_handover.c +++ b/kernel/kexec_handover.c @@ -69,10 +69,10 @@ early_param("kho", kho_parse_enable); * Keep track of memory that is to be preserved across KHO. * * The serializing side uses two levels of xarrays to manage chunks of per-order - * 512 byte bitmaps. For instance if PAGE_SIZE = 4096, the entire 1G order of a - * 1TB system would fit inside a single 512 byte bitmap. For order 0 allocations - * each bitmap will cover 16M of address space. Thus, for 16G of memory at most - * 512K of bitmap memory will be needed for order 0. + * PAGE_SIZE byte bitmaps. For instance if PAGE_SIZE = 4096, the entire 1G order + * of a 8TB system would fit inside a single 4096 byte bitmap. For order 0 + * allocations each bitmap will cover 128M of address space. Thus, for 16G of + * memory at most 512K of bitmap memory will be needed for order 0. * * This approach is fully incremental, as the serialization progresses folios * can continue be aggregated to the tracker. The final step, immediately prior @@ -80,12 +80,14 @@ early_param("kho", kho_parse_enable); * successor kernel to parse. */ -#define PRESERVE_BITS (512 * 8) +#define PRESERVE_BITS (PAGE_SIZE * 8) struct kho_mem_phys_bits { DECLARE_BITMAP(preserve, PRESERVE_BITS); }; +static_assert(sizeof(struct kho_mem_phys_bits) == PAGE_SIZE); + struct kho_mem_phys { /* * Points to kho_mem_phys_bits, a sparse bitmap array. Each bit is sized @@ -133,19 +135,19 @@ static struct kho_out kho_out = { .finalized = false, }; -static void *xa_load_or_alloc(struct xarray *xa, unsigned long index, size_t sz) +static void *xa_load_or_alloc(struct xarray *xa, unsigned long index) { void *res = xa_load(xa, index); if (res) return res; - void *elm __free(kfree) = kzalloc(sz, GFP_KERNEL); + void *elm __free(kfree) = kzalloc(PAGE_SIZE, GFP_KERNEL); if (!elm) return ERR_PTR(-ENOMEM); - if (WARN_ON(kho_scratch_overlap(virt_to_phys(elm), sz))) + if (WARN_ON(kho_scratch_overlap(virt_to_phys(elm), PAGE_SIZE))) return ERR_PTR(-EINVAL); res = xa_cmpxchg(xa, index, NULL, elm, GFP_KERNEL); @@ -218,8 +220,7 @@ static int __kho_preserve_order(struct kho_mem_track *track, unsigned long pfn, } } - bits = xa_load_or_alloc(&physxa->phys_bits, pfn_high / PRESERVE_BITS, - sizeof(*bits)); + bits = xa_load_or_alloc(&physxa->phys_bits, pfn_high / PRESERVE_BITS); if (IS_ERR(bits)) return PTR_ERR(bits);

2 weeks, 4 days

2
3
0 0

FAILED: patch "[PATCH] kho: warn and fail on metadata or preserved memory in scratch" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x e38f65d317df1fd2dcafe614d9c537475ecf9992 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112117-pursuant-varmint-6bbc@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e38f65d317df1fd2dcafe614d9c537475ecf9992 Mon Sep 17 00:00:00 2001 From: Pasha Tatashin <pasha.tatashin(a)soleen.com> Date: Mon, 20 Oct 2025 20:08:50 -0400 Subject: [PATCH] kho: warn and fail on metadata or preserved memory in scratch area Patch series "KHO: kfence + KHO memory corruption fix", v3. This series fixes a memory corruption bug in KHO that occurs when KFENCE is enabled. The root cause is that KHO metadata, allocated via kzalloc(), can be randomly serviced by kfence_alloc(). When a kernel boots via KHO, the early memblock allocator is restricted to a "scratch area". This forces the KFENCE pool to be allocated within this scratch area, creating a conflict. If KHO metadata is subsequently placed in this pool, it gets corrupted during the next kexec operation. Google is using KHO and have had obscure crashes due to this memory corruption, with stacks all over the place. I would prefer this fix to be properly backported to stable so we can also automatically consume it once we switch to the upstream KHO. Patch 1/3 introduces a debug-only feature (CONFIG_KEXEC_HANDOVER_DEBUG) that adds checks to detect and fail any operation that attempts to place KHO metadata or preserved memory within the scratch area. This serves as a validation and diagnostic tool to confirm the problem without affecting production builds. Patch 2/3 Increases bitmap to PAGE_SIZE, so buddy allocator can be used. Patch 3/3 Provides the fix by modifying KHO to allocate its metadata directly from the buddy allocator instead of slab. This bypasses the KFENCE interception entirely. This patch (of 3): It is invalid for KHO metadata or preserved memory regions to be located within the KHO scratch area, as this area is overwritten when the next kernel is loaded, and used early in boot by the next kernel. This can lead to memory corruption. Add checks to kho_preserve_* and KHO's internal metadata allocators (xa_load_or_alloc, new_chunk) to verify that the physical address of the memory does not overlap with any defined scratch region. If an overlap is detected, the operation will fail and a WARN_ON is triggered. To avoid performance overhead in production kernels, these checks are enabled only when CONFIG_KEXEC_HANDOVER_DEBUG is selected. [rppt(a)kernel.org: fix KEXEC_HANDOVER_DEBUG Kconfig dependency] Link: https://lkml.kernel.org/r/aQHUyyFtiNZhx8jo@kernel.org [pasha.tatashin(a)soleen.com: build fix] Link: https://lkml.kernel.org/r/CA+CK2bBnorfsTymKtv4rKvqGBHs=y=MjEMMRg_tE-RME6n-z… Link: https://lkml.kernel.org/r/20251021000852.2924827-1-pasha.tatashin@soleen.com Link: https://lkml.kernel.org/r/20251021000852.2924827-2-pasha.tatashin@soleen.com Fixes: fc33e4b44b27 ("kexec: enable KHO support for memory preservation") Signed-off-by: Pasha Tatashin <pasha.tatashin(a)soleen.com> Signed-off-by: Mike Rapoport <rppt(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Pratyush Yadav <pratyush(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: David Matlack <dmatlack(a)google.com> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Masahiro Yamada <masahiroy(a)kernel.org> Cc: Miguel Ojeda <ojeda(a)kernel.org> Cc: Randy Dunlap <rdunlap(a)infradead.org> Cc: Samiullah Khawaja <skhawaja(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec index 422270d64820..54e581072617 100644 --- a/kernel/Kconfig.kexec +++ b/kernel/Kconfig.kexec @@ -109,6 +109,15 @@ config KEXEC_HANDOVER to keep data or state alive across the kexec. For this to work, both source and target kernels need to have this option enabled. +config KEXEC_HANDOVER_DEBUG + bool "Enable Kexec Handover debug checks" + depends on KEXEC_HANDOVER + help + This option enables extra sanity checks for the Kexec Handover + subsystem. Since, KHO performance is crucial in live update + scenarios and the extra code might be adding overhead it is + only optionally enabled. + config CRASH_DUMP bool "kernel crash dumps" default ARCH_DEFAULT_CRASH_DUMP diff --git a/kernel/Makefile b/kernel/Makefile index df3dd8291bb6..9fe722305c9b 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -83,6 +83,7 @@ obj-$(CONFIG_KEXEC) += kexec.o obj-$(CONFIG_KEXEC_FILE) += kexec_file.o obj-$(CONFIG_KEXEC_ELF) += kexec_elf.o obj-$(CONFIG_KEXEC_HANDOVER) += kexec_handover.o +obj-$(CONFIG_KEXEC_HANDOVER_DEBUG) += kexec_handover_debug.o obj-$(CONFIG_BACKTRACE_SELF_TEST) += backtracetest.o obj-$(CONFIG_COMPAT) += compat.o obj-$(CONFIG_CGROUPS) += cgroup/ diff --git a/kernel/kexec_handover.c b/kernel/kexec_handover.c index 76f0940fb485..0bc9001e532a 100644 --- a/kernel/kexec_handover.c +++ b/kernel/kexec_handover.c @@ -8,6 +8,7 @@ #define pr_fmt(fmt) "KHO: " fmt +#include <linux/cleanup.h> #include <linux/cma.h> #include <linux/count_zeros.h> #include <linux/debugfs.h> @@ -22,6 +23,7 @@ #include <asm/early_ioremap.h> +#include "kexec_handover_internal.h" /* * KHO is tightly coupled with mm init and needs access to some of mm * internal APIs. @@ -133,26 +135,26 @@ static struct kho_out kho_out = { static void *xa_load_or_alloc(struct xarray *xa, unsigned long index, size_t sz) { - void *elm, *res; + void *res = xa_load(xa, index); - elm = xa_load(xa, index); - if (elm) - return elm; + if (res) + return res; + + void *elm __free(kfree) = kzalloc(sz, GFP_KERNEL); - elm = kzalloc(sz, GFP_KERNEL); if (!elm) return ERR_PTR(-ENOMEM); + if (WARN_ON(kho_scratch_overlap(virt_to_phys(elm), sz))) + return ERR_PTR(-EINVAL); + res = xa_cmpxchg(xa, index, NULL, elm, GFP_KERNEL); if (xa_is_err(res)) - res = ERR_PTR(xa_err(res)); - - if (res) { - kfree(elm); + return ERR_PTR(xa_err(res)); + else if (res) return res; - } - return elm; + return no_free_ptr(elm); } static void __kho_unpreserve(struct kho_mem_track *track, unsigned long pfn, @@ -345,15 +347,19 @@ static_assert(sizeof(struct khoser_mem_chunk) == PAGE_SIZE); static struct khoser_mem_chunk *new_chunk(struct khoser_mem_chunk *cur_chunk, unsigned long order) { - struct khoser_mem_chunk *chunk; + struct khoser_mem_chunk *chunk __free(kfree) = NULL; chunk = kzalloc(PAGE_SIZE, GFP_KERNEL); if (!chunk) - return NULL; + return ERR_PTR(-ENOMEM); + + if (WARN_ON(kho_scratch_overlap(virt_to_phys(chunk), PAGE_SIZE))) + return ERR_PTR(-EINVAL); + chunk->hdr.order = order; if (cur_chunk) KHOSER_STORE_PTR(cur_chunk->hdr.next, chunk); - return chunk; + return no_free_ptr(chunk); } static void kho_mem_ser_free(struct khoser_mem_chunk *first_chunk) @@ -374,14 +380,17 @@ static int kho_mem_serialize(struct kho_serialization *ser) struct khoser_mem_chunk *chunk = NULL; struct kho_mem_phys *physxa; unsigned long order; + int err = -ENOMEM; xa_for_each(&ser->track.orders, order, physxa) { struct kho_mem_phys_bits *bits; unsigned long phys; chunk = new_chunk(chunk, order); - if (!chunk) + if (IS_ERR(chunk)) { + err = PTR_ERR(chunk); goto err_free; + } if (!first_chunk) first_chunk = chunk; @@ -391,8 +400,10 @@ static int kho_mem_serialize(struct kho_serialization *ser) if (chunk->hdr.num_elms == ARRAY_SIZE(chunk->bitmaps)) { chunk = new_chunk(chunk, order); - if (!chunk) + if (IS_ERR(chunk)) { + err = PTR_ERR(chunk); goto err_free; + } } elm = &chunk->bitmaps[chunk->hdr.num_elms]; @@ -409,7 +420,7 @@ static int kho_mem_serialize(struct kho_serialization *ser) err_free: kho_mem_ser_free(first_chunk); - return -ENOMEM; + return err; } static void __init deserialize_bitmap(unsigned int order, @@ -465,8 +476,8 @@ static void __init kho_mem_deserialize(const void *fdt) * area for early allocations that happen before page allocator is * initialized. */ -static struct kho_scratch *kho_scratch; -static unsigned int kho_scratch_cnt; +struct kho_scratch *kho_scratch; +unsigned int kho_scratch_cnt; /* * The scratch areas are scaled by default as percent of memory allocated from @@ -752,6 +763,9 @@ int kho_preserve_folio(struct folio *folio) const unsigned int order = folio_order(folio); struct kho_mem_track *track = &kho_out.ser.track; + if (WARN_ON(kho_scratch_overlap(pfn << PAGE_SHIFT, PAGE_SIZE << order))) + return -EINVAL; + return __kho_preserve_order(track, pfn, order); } EXPORT_SYMBOL_GPL(kho_preserve_folio); @@ -775,6 +789,11 @@ int kho_preserve_pages(struct page *page, unsigned int nr_pages) unsigned long failed_pfn = 0; int err = 0; + if (WARN_ON(kho_scratch_overlap(start_pfn << PAGE_SHIFT, + nr_pages << PAGE_SHIFT))) { + return -EINVAL; + } + while (pfn < end_pfn) { const unsigned int order = min(count_trailing_zeros(pfn), ilog2(end_pfn - pfn)); diff --git a/kernel/kexec_handover_debug.c b/kernel/kexec_handover_debug.c new file mode 100644 index 000000000000..6efb696f5426 --- /dev/null +++ b/kernel/kexec_handover_debug.c @@ -0,0 +1,25 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * kexec_handover_debug.c - kexec handover optional debug functionality + * Copyright (C) 2025 Google LLC, Pasha Tatashin <pasha.tatashin(a)soleen.com> + */ + +#define pr_fmt(fmt) "KHO: " fmt + +#include "kexec_handover_internal.h" + +bool kho_scratch_overlap(phys_addr_t phys, size_t size) +{ + phys_addr_t scratch_start, scratch_end; + unsigned int i; + + for (i = 0; i < kho_scratch_cnt; i++) { + scratch_start = kho_scratch[i].addr; + scratch_end = kho_scratch[i].addr + kho_scratch[i].size; + + if (phys < scratch_end && (phys + size) > scratch_start) + return true; + } + + return false; +} diff --git a/kernel/kexec_handover_internal.h b/kernel/kexec_handover_internal.h new file mode 100644 index 000000000000..3c3c7148ceed --- /dev/null +++ b/kernel/kexec_handover_internal.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef LINUX_KEXEC_HANDOVER_INTERNAL_H +#define LINUX_KEXEC_HANDOVER_INTERNAL_H + +#include <linux/kexec_handover.h> +#include <linux/types.h> + +extern struct kho_scratch *kho_scratch; +extern unsigned int kho_scratch_cnt; + +#ifdef CONFIG_KEXEC_HANDOVER_DEBUG +bool kho_scratch_overlap(phys_addr_t phys, size_t size); +#else +static inline bool kho_scratch_overlap(phys_addr_t phys, size_t size) +{ + return false; +} +#endif /* CONFIG_KEXEC_HANDOVER_DEBUG */ + +#endif /* LINUX_KEXEC_HANDOVER_INTERNAL_H */

2 weeks, 4 days

2
2
0 0

[tip: ras/core] x86/mce: Do not clear bank's poll bit in mce_poll_banks on AMD SMCA systems

by tip-bot2 for Avadhut Naik

The following commit has been merged into the ras/core branch of tip: Commit-ID: d7ac083f095d894a0b8ac0573516bfd035e6b25a Gitweb: https://git.kernel.org/tip/d7ac083f095d894a0b8ac0573516bfd035e6b25a Author: Avadhut Naik <avadhut.naik(a)amd.com> AuthorDate: Fri, 21 Nov 2025 19:04:04 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 21 Nov 2025 20:33:12 +01:00 x86/mce: Do not clear bank's poll bit in mce_poll_banks on AMD SMCA systems Currently, when a CMCI storm detected on a Machine Check bank, subsides, the bank's corresponding bit in the mce_poll_banks per-CPU variable is cleared unconditionally by cmci_storm_end(). On AMD SMCA systems, this essentially disables polling on that particular bank on that CPU. Consequently, any subsequent correctable errors or storms will not be logged. Since AMD SMCA systems allow banks to be managed by both polling and interrupts, the polling banks bitmap for a CPU, i.e., mce_poll_banks, should not be modified when a storm subsides. Fixes: 7eae17c4add5 ("x86/mce: Add per-bank CMCI storm mitigation") Signed-off-by: Avadhut Naik <avadhut.naik(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20251121190542.2447913-2-avadhut.naik@amd.com --- arch/x86/kernel/cpu/mce/threshold.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/mce/threshold.c b/arch/x86/kernel/cpu/mce/threshold.c index eebaa63..f19dd5b 100644 --- a/arch/x86/kernel/cpu/mce/threshold.c +++ b/arch/x86/kernel/cpu/mce/threshold.c @@ -98,7 +98,8 @@ void cmci_storm_end(unsigned int bank) { struct mca_storm_desc *storm = this_cpu_ptr(&storm_desc); - __clear_bit(bank, this_cpu_ptr(mce_poll_banks)); + if (!mce_flags.amd_threshold) + __clear_bit(bank, this_cpu_ptr(mce_poll_banks)); storm->banks[bank].history = 0; storm->banks[bank].in_storm_mode = false;

2 weeks, 4 days

1
0
0 0

[PATCH 0/2] drm/xe: Fix and refactor CONFIG_DRM_XE_DEBUG_GUC

by Lucas De Marchi

There was a missing call to stack_depot_init() that is needed if CONFIG_DRM_XE_DEBUG_GUC is defined. That is fixed in the simplest possible way in the first patch. Second patch refactors it to try to isolate the ifdefs in specific functions related to CONFIG_DRM_XE_DEBUG and CONFIG_DRM_XE_DEBUG_GUC. Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- Lucas De Marchi (2): drm/xe/guc: Fix stack_depot usage drm/xe/guc_ct: Cleanup ifdef'ry drivers/gpu/drm/xe/xe_guc_ct.c | 204 +++++++++++++++++++++-------------------- 1 file changed, 107 insertions(+), 97 deletions(-) base-commit: b603326a067916accf680fd623f4fc3c22bba487 change-id: 20251117-fix-debug-guc-3d79bbe9dead Lucas De Marchi

2 weeks, 5 days

3
8
0 0

FAILED: patch "[PATCH] drm/amdgpu/jpeg: Add parse_cs for JPEG5_0_1" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x bbe3c115030da431c9ec843c18d5583e59482dd2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112053-unifier-drove-b0a8@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bbe3c115030da431c9ec843c18d5583e59482dd2 Mon Sep 17 00:00:00 2001 From: Sathishkumar S <sathishkumar.sundararaju(a)amd.com> Date: Tue, 7 Oct 2025 13:17:51 +0530 Subject: [PATCH] drm/amdgpu/jpeg: Add parse_cs for JPEG5_0_1 enable parse_cs callback for JPEG5_0_1. Signed-off-by: Sathishkumar S <sathishkumar.sundararaju(a)amd.com> Reviewed-by: Leo Liu <leo.liu(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 547985579932c1de13f57f8bcf62cd9361b9d3d3) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c index baf097d2e1ac..ab0bf880d3d8 100644 --- a/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c +++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_1.c @@ -878,6 +878,7 @@ static const struct amdgpu_ring_funcs jpeg_v5_0_1_dec_ring_vm_funcs = { .get_rptr = jpeg_v5_0_1_dec_ring_get_rptr, .get_wptr = jpeg_v5_0_1_dec_ring_get_wptr, .set_wptr = jpeg_v5_0_1_dec_ring_set_wptr, + .parse_cs = amdgpu_jpeg_dec_parse_cs, .emit_frame_size = SOC15_FLUSH_GPU_TLB_NUM_WREG * 6 + SOC15_FLUSH_GPU_TLB_NUM_REG_WAIT * 8 +

2 weeks, 5 days

2
2
0 0

[PATCH] lib/crypto: tests: Fix KMSAN warning in test_sha256_finup_2x()

by Eric Biggers

Fully initialize *ctx, including the buf field which sha256_init() doesn't initialize, to avoid a KMSAN warning when comparing *ctx to orig_ctx. This KMSAN warning slipped in while KMSAN was not working reliably due to a stackdepot bug, which has now been fixed. Fixes: 6733968be7cb ("lib/crypto: tests: Add tests and benchmark for sha256_finup_2x()") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- lib/crypto/tests/sha256_kunit.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/crypto/tests/sha256_kunit.c b/lib/crypto/tests/sha256_kunit.c index dcedfca06df6..5dccdee79693 100644 --- a/lib/crypto/tests/sha256_kunit.c +++ b/lib/crypto/tests/sha256_kunit.c @@ -66,10 +66,11 @@ static void test_sha256_finup_2x(struct kunit *test) ctx = alloc_guarded_buf(test, sizeof(*ctx)); rand_bytes(data1_buf, max_data_len); rand_bytes(data2_buf, max_data_len); rand_bytes(salt, sizeof(salt)); + memset(ctx, 0, sizeof(*ctx)); for (size_t i = 0; i < 500; i++) { size_t salt_len = rand_length(sizeof(salt)); size_t data_len = rand_length(max_data_len); const u8 *data1 = data1_buf + max_data_len - data_len; base-commit: 10a1140107e0b98bd67d37ae7af72989dd7df00b -- 2.51.2

2 weeks, 5 days

2
2
0 0

[PATCH v2] usb: phy: Initialize struct usb_phy list_head

by Diogo Ivo

As part of the registration of a new 'struct usb_phy' with the USB PHY core via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in order for the new instance x to be stored in phy_list, a static list kept internally by the core. After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy") when executing either of the registration functions above it is possible that usb_add_extcon() fails, leading to either function returning before the call to list_add_tail(), leaving x->head uninitialized. Then, when a driver tries to undo the failed registration by calling usb_remove_phy(struct usb_phy *x) there will be an unconditional call to list_del(&x->head) acting on an uninitialized variable, and thus a possible NULL pointer dereference. Fix this by initializing x->head before usb_add_extcon() has a chance to fail. Note that this was not needed before 7d21114dc6a2 since list_add_phy() was executed unconditionally and it guaranteed that x->head was initialized. Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy") Cc: stable(a)vger.kernel.org Signed-off-by: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> --- Changes in v2: - Adjust Fixes: sha1 to 12 digits - Reword commit message to clarify the need to introduce INIT_LIST_HEAD() - Link to v1: https://lore.kernel.org/r/20251113-diogo-smaug_typec-v1-1-f1aa3b48620d@tecn… --- drivers/usb/phy/phy.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/phy/phy.c b/drivers/usb/phy/phy.c index e1435bc59662..5a9b9353f343 100644 --- a/drivers/usb/phy/phy.c +++ b/drivers/usb/phy/phy.c @@ -646,6 +646,8 @@ int usb_add_phy(struct usb_phy *x, enum usb_phy_type type) return -EINVAL; } + INIT_LIST_HEAD(&x->head); + usb_charger_init(x); ret = usb_add_extcon(x); if (ret) @@ -696,6 +698,8 @@ int usb_add_phy_dev(struct usb_phy *x) return -EINVAL; } + INIT_LIST_HEAD(&x->head); + usb_charger_init(x); ret = usb_add_extcon(x); if (ret) --- base-commit: b612b9a01026a268af6a191180e846ad121d1eab change-id: 20251113-diogo-smaug_typec-56b2059b892b Best regards, -- Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt>

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] selftests: mptcp: connect: fix fallback note due to OoO" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 63c643aa7b7287fdbb0167063785f89ece3f000f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112058-distinct-glisten-21aa@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63c643aa7b7287fdbb0167063785f89ece3f000f Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 10 Nov 2025 19:23:40 +0100 Subject: [PATCH] selftests: mptcp: connect: fix fallback note due to OoO The "fallback due to TCP OoO" was never printed because the stat_ooo_now variable was checked twice: once in the parent if-statement, and one in the child one. The second condition was then always true then, and the 'else' branch was never taken. The idea is that when there are more ACK + MP_CAPABLE than expected, the test either fails if there was no out of order packets, or a notice is printed. Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO") Cc: stable(a)vger.kernel.org Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c71… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.sh b/tools/testing/selftests/net/mptcp/mptcp_connect.sh index 47ecb5b3836e..9b7b93f8eb0c 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh @@ -492,7 +492,7 @@ do_transfer() "than expected (${expect_synrx})" retc=1 fi - if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ] && [ ${stat_ooo_now} -eq 0 ]; then + if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then if [ ${stat_ooo_now} -eq 0 ]; then mptcp_lib_pr_fail "lower MPC ACK rx (${stat_ackrx_now_l})" \ "than expected (${expect_ackrx})"

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] selftests: mptcp: join: rm: set backup flag" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x aea73bae662a0e184393d6d7d0feb18d2577b9b9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112012-gliding-propose-87a0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From aea73bae662a0e184393d6d7d0feb18d2577b9b9 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 10 Nov 2025 19:23:41 +0100 Subject: [PATCH] selftests: mptcp: join: rm: set backup flag Some of these 'remove' tests rarely fail because a subflow has been reset instead of cleanly removed. This can happen when one extra subflow which has never carried data is being closed (FIN) on one side, while the other is sending data for the first time. To avoid such subflows to be used right at the end, the backup flag has been added. With that, data will be only carried on the initial subflow. Fixes: d2c4333a801c ("selftests: mptcp: add testcases for removing addrs") Cc: stable(a)vger.kernel.org Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-2-a4332c71… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index 78a1aa4ecff2..9ed9ec7202d6 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -2532,7 +2532,7 @@ remove_tests() if reset "remove single subflow"; then pm_nl_set_limits $ns1 0 1 pm_nl_set_limits $ns2 0 1 - pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow + pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup addr_nr_ns2=-1 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 chk_join_nr 1 1 1 @@ -2545,8 +2545,8 @@ remove_tests() if reset "remove multiple subflows"; then pm_nl_set_limits $ns1 0 2 pm_nl_set_limits $ns2 0 2 - pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow - pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow + pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup + pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup addr_nr_ns2=-2 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 chk_join_nr 2 2 2 @@ -2557,7 +2557,7 @@ remove_tests() # single address, remove if reset "remove single address"; then pm_nl_set_limits $ns1 0 1 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup pm_nl_set_limits $ns2 1 1 addr_nr_ns1=-1 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 @@ -2570,9 +2570,9 @@ remove_tests() # subflow and signal, remove if reset "remove subflow and signal"; then pm_nl_set_limits $ns1 0 2 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup pm_nl_set_limits $ns2 1 2 - pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow + pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup addr_nr_ns1=-1 addr_nr_ns2=-1 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 chk_join_nr 2 2 2 @@ -2584,10 +2584,10 @@ remove_tests() # subflows and signal, remove if reset "remove subflows and signal"; then pm_nl_set_limits $ns1 0 3 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup pm_nl_set_limits $ns2 1 3 - pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow - pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow + pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup + pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup addr_nr_ns1=-1 addr_nr_ns2=-2 speed=10 \ run_tests $ns1 $ns2 10.0.1.1 chk_join_nr 3 3 3 @@ -2599,9 +2599,9 @@ remove_tests() # addresses remove if reset "remove addresses"; then pm_nl_set_limits $ns1 3 3 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250 - pm_nl_add_endpoint $ns1 10.0.3.1 flags signal - pm_nl_add_endpoint $ns1 10.0.4.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250 + pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup + pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup pm_nl_set_limits $ns2 3 3 addr_nr_ns1=-3 speed=10 \ run_tests $ns1 $ns2 10.0.1.1 @@ -2614,10 +2614,10 @@ remove_tests() # invalid addresses remove if reset "remove invalid addresses"; then pm_nl_set_limits $ns1 3 3 - pm_nl_add_endpoint $ns1 10.0.12.1 flags signal + pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup # broadcast IP: no packet for this address will be received on ns1 - pm_nl_add_endpoint $ns1 224.0.0.1 flags signal - pm_nl_add_endpoint $ns1 10.0.3.1 flags signal + pm_nl_add_endpoint $ns1 224.0.0.1 flags signal,backup + pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup pm_nl_set_limits $ns2 2 2 addr_nr_ns1=-3 speed=10 \ run_tests $ns1 $ns2 10.0.1.1 @@ -2631,10 +2631,10 @@ remove_tests() # subflows and signal, flush if reset "flush subflows and signal"; then pm_nl_set_limits $ns1 0 3 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup pm_nl_set_limits $ns2 1 3 - pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow - pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow + pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup + pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 chk_join_nr 3 3 3 @@ -2647,9 +2647,9 @@ remove_tests() if reset "flush subflows"; then pm_nl_set_limits $ns1 3 3 pm_nl_set_limits $ns2 3 3 - pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow id 150 - pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow - pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow + pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup id 150 + pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup + pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 chk_join_nr 3 3 3 @@ -2666,9 +2666,9 @@ remove_tests() # addresses flush if reset "flush addresses"; then pm_nl_set_limits $ns1 3 3 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250 - pm_nl_add_endpoint $ns1 10.0.3.1 flags signal - pm_nl_add_endpoint $ns1 10.0.4.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250 + pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup + pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup pm_nl_set_limits $ns2 3 3 addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \ run_tests $ns1 $ns2 10.0.1.1 @@ -2681,9 +2681,9 @@ remove_tests() # invalid addresses flush if reset "flush invalid addresses"; then pm_nl_set_limits $ns1 3 3 - pm_nl_add_endpoint $ns1 10.0.12.1 flags signal - pm_nl_add_endpoint $ns1 10.0.3.1 flags signal - pm_nl_add_endpoint $ns1 10.0.14.1 flags signal + pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup + pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup + pm_nl_add_endpoint $ns1 10.0.14.1 flags signal,backup pm_nl_set_limits $ns2 3 3 addr_nr_ns1=-8 speed=slow \ run_tests $ns1 $ns2 10.0.1.1

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] selftests: mptcp: connect: fix fallback note due to OoO" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 63c643aa7b7287fdbb0167063785f89ece3f000f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112057-untapped-profile-9004@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 63c643aa7b7287fdbb0167063785f89ece3f000f Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 10 Nov 2025 19:23:40 +0100 Subject: [PATCH] selftests: mptcp: connect: fix fallback note due to OoO The "fallback due to TCP OoO" was never printed because the stat_ooo_now variable was checked twice: once in the parent if-statement, and one in the child one. The second condition was then always true then, and the 'else' branch was never taken. The idea is that when there are more ACK + MP_CAPABLE than expected, the test either fails if there was no out of order packets, or a notice is printed. Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO") Cc: stable(a)vger.kernel.org Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c71… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.sh b/tools/testing/selftests/net/mptcp/mptcp_connect.sh index 47ecb5b3836e..9b7b93f8eb0c 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh @@ -492,7 +492,7 @@ do_transfer() "than expected (${expect_synrx})" retc=1 fi - if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ] && [ ${stat_ooo_now} -eq 0 ]; then + if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then if [ ${stat_ooo_now} -eq 0 ]; then mptcp_lib_pr_fail "lower MPC ACK rx (${stat_ackrx_now_l})" \ "than expected (${expect_ackrx})"

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: samsung: plug potential memleak during probe" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 90c82941adf1986364e0f82c35cf59f2bf5f6a1d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112034-headgear-rug-fcf9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 90c82941adf1986364e0f82c35cf59f2bf5f6a1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik(a)linaro.org> Date: Thu, 16 Oct 2025 16:58:37 +0100 Subject: [PATCH] pmdomain: samsung: plug potential memleak during probe MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit of_genpd_add_provider_simple() could fail, in which case this code leaks the domain name, pd->pd.name. Use devm_kstrdup_const() to plug this leak. As a side-effect, we can simplify existing error handling. Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver") Cc: stable(a)vger.kernel.org Reviewed-by: Peter Griffin <peter.griffin(a)linaro.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Signed-off-by: André Draszik <andre.draszik(a)linaro.org> Tested-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/samsung/exynos-pm-domains.c b/drivers/pmdomain/samsung/exynos-pm-domains.c index 5d478bb37ad6..f53e1bd24798 100644 --- a/drivers/pmdomain/samsung/exynos-pm-domains.c +++ b/drivers/pmdomain/samsung/exynos-pm-domains.c @@ -92,13 +92,14 @@ static const struct of_device_id exynos_pm_domain_of_match[] = { { }, }; -static const char *exynos_get_domain_name(struct device_node *node) +static const char *exynos_get_domain_name(struct device *dev, + struct device_node *node) { const char *name; if (of_property_read_string(node, "label", &name) < 0) name = kbasename(node->full_name); - return kstrdup_const(name, GFP_KERNEL); + return devm_kstrdup_const(dev, name, GFP_KERNEL); } static int exynos_pd_probe(struct platform_device *pdev) @@ -115,15 +116,13 @@ static int exynos_pd_probe(struct platform_device *pdev) if (!pd) return -ENOMEM; - pd->pd.name = exynos_get_domain_name(np); + pd->pd.name = exynos_get_domain_name(dev, np); if (!pd->pd.name) return -ENOMEM; pd->base = of_iomap(np, 0); - if (!pd->base) { - kfree_const(pd->pd.name); + if (!pd->base) return -ENODEV; - } pd->pd.power_off = exynos_pd_power_off; pd->pd.power_on = exynos_pd_power_on;

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 7458f72cc28f9eb0de811effcb5376d0ec19094a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112055-muzzle-swimwear-7693@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7458f72cc28f9eb0de811effcb5376d0ec19094a Mon Sep 17 00:00:00 2001 From: Sudeep Holla <sudeep.holla(a)arm.com> Date: Fri, 17 Oct 2025 12:03:20 +0100 Subject: [PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration failure If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add(). Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure. Example crash trace observed without this fix: | Unable to handle kernel paging request at virtual address fffffffffffffc70 | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : genpd_debug_add+0x2c/0x160 | lr : genpd_debug_init+0x74/0x98 | Call trace: | genpd_debug_add+0x2c/0x160 (P) | genpd_debug_init+0x74/0x98 | do_one_initcall+0xd0/0x2d8 | do_initcall_level+0xa0/0x140 | do_initcalls+0x60/0xa8 | do_basic_setup+0x28/0x40 | kernel_init_freeable+0xe8/0x170 | kernel_init+0x2c/0x140 | ret_from_fork+0x10/0x20 Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Reviewed-by: Peng Fan <peng.fan(a)nxp.com> Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/arm/scmi_pm_domain.c b/drivers/pmdomain/arm/scmi_pm_domain.c index 8fe1c0a501c9..b5e2ffd5ea64 100644 --- a/drivers/pmdomain/arm/scmi_pm_domain.c +++ b/drivers/pmdomain/arm/scmi_pm_domain.c @@ -41,7 +41,7 @@ static int scmi_pd_power_off(struct generic_pm_domain *domain) static int scmi_pm_domain_probe(struct scmi_device *sdev) { - int num_domains, i; + int num_domains, i, ret; struct device *dev = &sdev->dev; struct device_node *np = dev->of_node; struct scmi_pm_domain *scmi_pd; @@ -108,9 +108,18 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev) scmi_pd_data->domains = domains; scmi_pd_data->num_domains = num_domains; + ret = of_genpd_add_provider_onecell(np, scmi_pd_data); + if (ret) + goto err_rm_genpds; + dev_set_drvdata(dev, scmi_pd_data); - return of_genpd_add_provider_onecell(np, scmi_pd_data); + return 0; +err_rm_genpds: + for (i = num_domains - 1; i >= 0; i--) + pm_genpd_remove(domains[i]); + + return ret; } static void scmi_pm_domain_remove(struct scmi_device *sdev)

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112011-seltzer-flock-722f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 Mon Sep 17 00:00:00 2001 From: Miaoqian Lin <linmq006(a)gmail.com> Date: Tue, 28 Oct 2025 11:16:20 +0800 Subject: [PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. Add the missing of_node_put() to avoid refcount leak. Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpc.c b/drivers/pmdomain/imx/gpc.c index 33991f3c6b55..a34b260274f7 100644 --- a/drivers/pmdomain/imx/gpc.c +++ b/drivers/pmdomain/imx/gpc.c @@ -536,6 +536,8 @@ static void imx_gpc_remove(struct platform_device *pdev) return; } } + + of_node_put(pgc_node); } static struct platform_driver imx_gpc_driver = {

2 weeks, 5 days

2
1
0 0

[PATCH 6.17 000/247] 6.17.9-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.17.9 release. There are 247 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 23 Nov 2025 13:01:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.9-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.17.9-rc1 Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Fix lan8814_config_init Abdun Nihaal <nihaal(a)cse.iitm.ac.in> isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() Sean Christopherson <seanjc(a)google.com> KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL Xin Li <xin(a)zytor.com> KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel Sean Christopherson <seanjc(a)google.com> KVM: x86: Rename local "ecx" variables to "msr" and "pmc" as appropriate Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> ASoC: da7213: Use component driver suspend/resume Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS() Carlos Llamas <cmllamas(a)google.com> scripts/decode_stacktrace.sh: fix build ID and PC source parsing Matthieu Baerts (NGI0) <matttbe(a)kernel.org> scripts/decode_stacktrace.sh: symbol: preserve alignment Matthieu Baerts (NGI0) <matttbe(a)kernel.org> scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces Kiryl Shutsemau <kas(a)kernel.org> mm/memory: do not populate page table entries beyond i_size Zi Yan <ziy(a)nvidia.com> mm/huge_memory: do not change split_huge_page*() target order silently Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: properly kill background tasks Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: userspace: longer transfer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: trunc: read all recv data Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: endpoints: longer transfer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: rm: set backup flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: fix fallback note due to OoO Marek Szyprowski <m.szyprowski(a)samsung.com> pmdomain: samsung: Rework legacy splash-screen handover workaround André Draszik <andre.draszik(a)linaro.org> pmdomain: samsung: plug potential memleak during probe Miaoqian Lin <linmq006(a)gmail.com> pmdomain: imx: Fix reference count leak in imx_gpc_remove Sudeep Holla <sudeep.holla(a)arm.com> pmdomain: arm: scmi: Fix genpd leak on provider registration failure Nitin Gote <nitin.r.gote(a)intel.com> drm/xe/xe3: Add WA_14024681466 for Xe3_LPG Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu(a)intel.com> drm/xe/xe3: Extend wa_14023061436 Nitin Gote <nitin.r.gote(a)intel.com> drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg Jani Nikula <jani.nikula(a)intel.com> drm/i915/psr: fix pipe to vblank conversion Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces Jesse.Zhang <Jesse.Zhang(a)amd.com> drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process Jonathan Kim <jonathan.kim(a)amd.com> drm/amdkfd: relax checks for over allocation of save area Zilin Guan <zilin(a)seu.edu.cn> btrfs: release root after error in data_reloc_print_warning_inode() Filipe Manana <fdmanana(a)suse.com> btrfs: do not update last_log_commit when logging inode due to a new name Zilin Guan <zilin(a)seu.edu.cn> btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe() Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix stripe width calculation Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix conventional zone capacity calculation Mario Limonciello (AMD) <superm1(a)kernel.org> PM: hibernate: Use atomic64_t for compressed_size variable Mario Limonciello (AMD) <superm1(a)kernel.org> PM: hibernate: Emit an error when image writing fails Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection Niravkumar L Rabara <niravkumarlaxmidas.rabara(a)altera.com> EDAC/altera: Handle OCRAM ECC enable after warm reset Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Consolidate max_pfn & max_low_pfn calculation Song Liu <song(a)kernel.org> ftrace: Fix BPF fexit with livepatch Jens Axboe <axboe(a)kernel.dk> io_uring/rw: ensure allocated iovec gets cleared for early failure Sami Tolvanen <samitolvanen(a)google.com> gendwarfksyms: Skip files with no exports Ankit Khushwaha <ankitkhushwaha.linux(a)gmail.com> selftests/user_events: fix type cast for write_index packed member in perf_test Mario Limonciello <mario.limonciello(a)amd.com> x86/CPU/AMD: Add additional fixed RDSEED microcode revisions Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev Hans de Goede <hansg(a)kernel.org> spi: Try to get ACPI GPIO IRQ earlier Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: fix cifs_pick_channel when channel needs reconnect Miaoqian Lin <linmq006(a)gmail.com> crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value Sourabh Jain <sourabhjain(a)linux.ibm.com> crash: fix crashkernel resource shrink Hao Ge <gehao(a)kylinos.cn> codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext Edward Adam Davis <eadavis(a)qq.com> cifs: client: fix memory leak in smb3_fs_context_parse_param Miaoqian Lin <linmq006(a)gmail.com> ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present() Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix potential overflow of PCM transfer buffer Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver Shawn Lin <shawn.lin(a)rock-chips.com> mmc: dw_mmc-rockchip: Fix wrong internal phase calculate Rakuram Eswaran <rakuram.e96(a)gmail.com> mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs Shawn Lin <shawn.lin(a)rock-chips.com> mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 Zi Yan <ziy(a)nvidia.com> mm/huge_memory: fix folio split check for anon folios in swapcache Kairui Song <kasong(a)tencent.com> mm, swap: fix potential UAF issue for VMA readahead Dev Jain <dev.jain(a)arm.com> mm/mremap: honour writable bit in mremap pte batching Kairui Song <kasong(a)tencent.com> mm/shmem: fix THP allocation and fallback loop Aleksei Nikiforov <aleksei.nikiforov(a)linux.ibm.com> mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/stat: change last_refresh_jiffies to a global variable Isaac J. Manjarres <isaacmanjarres(a)google.com> mm/mm_init: fix hash table order logging in alloc_large_system_hash() Wei Yang <albinwyang(a)tencent.com> fs/proc: fix uaf in proc_readdir_de() Zi Yan <ziy(a)nvidia.com> mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: reject address change while connecting Steven Rostedt <rostedt(a)goodmis.org> selftests/tracing: Run sample events to clear page cache events Lance Yang <lance.yang(a)linux.dev> mm/secretmem: fix use-after-free race in fault handler Breno Leitao <leitao(a)debian.org> net: netpoll: fix incorrect refcount handling causing incorrect cleanup Edward Adam Davis <eadavis(a)qq.com> nilfs2: avoid having an active sc_timer before freeing sci Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/sysfs: change next_update_jiffies to a global variable Chuang Wang <nashuiliang(a)gmail.com> ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe Tianyang Zhang <zhangtianyang(a)loongson.cn> LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Use correct accessor to read FWPC/MWPC Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Consolidate early_ioremap()/ioremap_prot() Martin Kaiser <martin(a)kaiser.cx> maple_tree: fix tracepoint string pointers Qinxin Xia <xiaqinxin(a)huawei.com> dma-mapping: benchmark: Restore padding to ensure uABI remained consistent Nate Karstens <nate.karstens(a)garmin.com> strparser: Fix signed/unsigned mismatch bug Pratyush Yadav <pratyush(a)kernel.org> kho: warn and exit when unpreserved page wasn't preserved Pasha Tatashin <pasha.tatashin(a)soleen.com> kho: allocate metadata directly from the buddy allocator Pasha Tatashin <pasha.tatashin(a)soleen.com> kho: increase metadata bitmap size to PAGE_SIZE Pasha Tatashin <pasha.tatashin(a)soleen.com> kho: warn and fail on metadata or preserved memory in scratch area Pedro Demarchi Gomes <pedrodemargomes(a)gmail.com> ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Joshua Rogers <linux(a)joshua.hu> ksmbd: close accepted socket when per-IP limit rejects connection Peter Oberparleiter <oberpar(a)linux.ibm.com> gcov: add support for GCC 15 Olga Kornievskaia <okorniev(a)redhat.com> NFSD: free copynotify stateid in nfs4_free_ol_stateid() Olga Kornievskaia <okorniev(a)redhat.com> nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes NeilBrown <neil(a)brown.name> nfsd: fix refcount leak in nfsd_set_fh_dentry() Sukrit Bhatnagar <Sukrit.Bhatnagar(a)sony.com> KVM: VMX: Fix check for valid GVA on an EPT violation Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Fix and simplify LBR virtualization handling with nested Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() Yosry Ahmed <yosry.ahmed(a)linux.dev> KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make all 32bit ID registers fully writable Sean Christopherson <seanjc(a)google.com> KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix max supported vCPUs set with EIOINTC Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Add delay until timer interrupt injected Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Restore guest PMU if it is enabled Abdun Nihaal <nihaal(a)cse.iitm.ac.in> HID: uclogic: Fix potential memory leak in error path Abdun Nihaal <nihaal(a)cse.iitm.ac.in> HID: playstation: Fix memory leak in dualshock4_get_calibration_data() Luke Wang <ziniu.wang_1(a)nxp.com> pwm: adp5585: Correct mismatched pwm chip info Chukun Pan <amadeus(a)jmu.edu.cn> arm64: dts: rockchip: drop reset from rk3576 i2c9 node Andrey Leonchikov <andreil499(a)gmail.com> arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2 Rafał Miłecki <rafal(a)milecki.pl> ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY Masami Ichikawa <masami256(a)gmail.com> HID: hid-ntrig: Prevent memory leak in ntrig_report_version() Frieder Schrempf <frieder.schrempf(a)kontron.de> arm64: dts: imx8mp-kontron: Fix USB OTG role switching João Paulo Gonçalves <joao.goncalves(a)toradex.com> arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: imx51-zii-rdu1: Fix audmux node names Dario Binacchi <dario.binacchi(a)amarulasolutions.com> ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic Andrey Leonchikov <andreil499(a)gmail.com> arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and Pi2 Anand Moon <linux.amoon(a)gmail.com> arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1 Ravi Bangoria <ravi.bangoria(a)amd.com> perf test: Fix lock contention test Ian Rogers <irogers(a)google.com> perf test shell lock_contention: Extra debug diagnostics Ravi Bangoria <ravi.bangoria(a)amd.com> perf lock: Fix segfault due to missing kernel map Arnaldo Carvalho de Melo <acme(a)kernel.org> perf build: Don't fail fast path feature detection when binutils-devel is not available Thomas Falcon <thomas.falcon(a)intel.com> perf header: Write bpf_prog (infos|btfs)_cnt to data file Zqiang <qiang.zhang(a)linux.dev> sched_ext: Fix unsafe locking in the scx_dump_state() Andrei Vagin <avagin(a)google.com> fs/namespace: correctly handle errors returned by grab_requested_mnt_ns Zilin Guan <zilin(a)seu.edu.cn> binfmt_misc: restore write access before closing files opened by open_exec() Alok Tiwari <alok.a.tiwari(a)oracle.com> virtio-fs: fix incorrect check for fsvq->kobj Dan Carpenter <dan.carpenter(a)linaro.org> mtd: onenand: Pass correct pointer to IRQ handler David Howells <dhowells(a)redhat.com> afs: Fix dynamic lookup to fail on cell lookup failure Hongbo Li <lihongbo22(a)huawei.com> hostfs: Fix only passing host root in boot stage with new mount Eric Biggers <ebiggers(a)kernel.org> lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN Eslam Khafagy <eslam.medhat1993(a)gmail.com> posix-timers: Plug potential memory leak in do_timer_create() Nick Hu <nick.hu(a)sifive.com> irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops Eduard Zingerman <eddyz87(a)gmail.com> bpf: account for current allocated stack depth in widen_imprecise_scalars() Eric Dumazet <edumazet(a)google.com> bpf: Add bpf_prog_run_data_pointers() Randy Dunlap <rdunlap(a)infradead.org> drm/client: fix MODULE_PARM_DESC string for "active" Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe() Dave Jiang <dave.jiang(a)intel.com> acpi/hmat: Fix lockdep warning for hmem_register_resource() Sultan Alsawaf <sultan(a)kerneltoast.com> drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO Haein Lee <lhi0729(a)kaist.ac.kr> ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd Dai Ngo <dai.ngo(a)oracle.com> NFS: Fix LTP test failures when timestamps are delegated Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() Yang Xiuwei <yangxiuwei(a)kylinos.cn> NFS: sysfs: fix leak when nfs_client kobject add fails Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv2/v3: Fix error handling in nfs_atomic_open_v23() Al Viro <viro(a)zeniv.linux.org.uk> simplify nfs_atomic_open_v23() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Check the TLS certificate fields in nfs_match_client() Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() Trond Myklebust <trond.myklebust(a)hammerspace.com> pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect() Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Flush shmem writes before mapping buffers CPU-uncached Shenghao Ding <shenghao-ding(a)ti.com> ASoC: tas2781: fix getting the wrong device number Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Restore Guest-Backed only cursor plane support Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: codecs: va-macro: fix resource leak in probe error path Haotian Zhang <vulab(a)iscas.ac.cn> ASoC: cs4271: Fix regulator leak on probe failure Haotian Zhang <vulab(a)iscas.ac.cn> regulator: fixed: fix GPIO descriptor leak on register failure Shuai Xue <xueshuai(a)linux.alibaba.com> acpi,srat: Fix incorrect device handle check for Generic Initiator Caleb Sander Mateos <csander(a)purestorage.com> io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs Andrii Melnychenko <a.melnychenko(a)vyos.io> netfilter: nft_ct: add seqadj extension for natted connections Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: export l2cap_chan_hold for modules Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Perform fast check switch only for online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Check _CPC validity for only the online CPUs Gautham R. Shenoy <gautham.shenoy(a)amd.com> ACPI: CPPC: Detect preferred core availability on online CPUs Felix Maurer <fmaurer(a)redhat.com> hsr: Follow standard for HSRv0 supervision frames Felix Maurer <fmaurer(a)redhat.com> hsr: Fix supervision frame sending on HSRv0 Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio-net: fix incorrect flags recording in big mode Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mld: always take beacon ies in link grading Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: fix beacon template/fixed rate Eric Dumazet <edumazet(a)google.com> net_sched: limit try_bulk_dequeue_skb() batches Akiva Goldberger <agoldberger(a)nvidia.com> mlx5: Fix default values in create CQ Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Prepare for using different CQ doorbells Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Store the global doorbell in mlx5_priv Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix potentially misleading debug message Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps Gal Pressman <gal(a)nvidia.com> net/mlx5e: Fix maxrate wraparound in threshold between units Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state() Ranganath V N <vnranganath.20(a)gmail.com> net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Ranganath V N <vnranganath.20(a)gmail.com> net: sched: act_connmark: initialize struct tc_ife to fix kernel leak Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix not handling PA Sync Lost event Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Initialise scc_index in unix_add_edge(). Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: skip rate verification for not captured PSDUs Buday Csaba <buday.csaba(a)prolan.hu> net: mdio: fix resource leak in mdiobus_register_device() Kuniyuki Iwashima <kuniyu(a)google.com> tipc: Fix use-after-free in tipc_mon_reinit_self(). Aksh Garg <a-garg7(a)ti.com> net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism Aksh Garg <a-garg7(a)ti.com> net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout Zilin Guan <zilin(a)seu.edu.cn> net/handshake: Fix memory leak in tls_handshake_accept() D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix mismatch between CLC header and proposal Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: tag_brcm: do not mark link local traffic as offloaded Eric Dumazet <edumazet(a)google.com> sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion Pauli Virtanen <pav(a)iki.fi> Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Raphael Pinsonneault-Thibeault <rpthibeault(a)gmail.com> Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF Pauli Virtanen <pav(a)iki.fi> Bluetooth: MGMT: cancel mesh send timer when hdev removed Chuck Lever <chuck.lever(a)oracle.com> NFSD: Skip close replay processing if XDR encoding fails Xi Ruoyao <xry111(a)xry111.site> rust: Add -fno-isolate-erroneous-paths-dereference to bindgen_skip_c_flags Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: lan8814 fix reset of the QSGMII interface Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Replace hardcoded pages with defines Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: micrel: Introduce lanphy_modify_page_reg Wei Fang <wei.fang(a)nxp.com> net: fec: correct rx_bytes statistic for the case SHIFT16 is set Alexander Sverdlin <alexander.sverdlin(a)gmail.com> selftests: net: local_termination: Wait for interfaces to come up Gao Xiang <xiang(a)kernel.org> erofs: avoid infinite loop due to incomplete zstd-compressed data Nicolas Escande <nico.escande(a)gmail.com> wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp() Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd Dawn Gardner <dawn.auroali(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx Sharique Mohammad <sharq0406(a)gmail.com> ASoC: max98090/91: fixed max98091 ALSA widget powering up/down Stuart Hayhurst <stuart.a.hayhurst(a)gmail.com> HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL ZhangGuoDong <zhangguodong(a)kylinos.cn> smb/server: fix possible refcount leak in smb2_sess_setup() ZhangGuoDong <zhangguodong(a)kylinos.cn> smb/server: fix possible memory leak in smb2_read() Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix unexpected placement on same size resizing Jaehun Gou <p22gone(a)gmail.com> exfat: fix improper check of dentry.stream.valid_size Oleg Makarenko <oleg(a)makarenk.ooo> HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel Scott Mayhew <smayhew(a)redhat.com> NFS: check if suid/sgid was cleared after a write as needed Vicki Pfau <vi(a)endrift.com> HID: nintendo: Wait longer for initial probe Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation Tristan Lobb <tristan.lobb(a)it-lobb.de> HID: quirks: avoid Cooler Master MM712 dongle wakeup bug Abhishek Tamboli <abhishektamboli9(a)gmail.com> HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's Joshua Watt <jpewhacker(a)gmail.com> NFS4: Apply delay_retrans to async operations Jonathan Kim <jonathan.kim(a)amd.com> drm/amdkfd: fix suspend/resume all calls in mes based eviction path Joshua Watt <jpewhacker(a)gmail.com> NFS4: Fix state renewals missing after boot Jesse.Zhang <Jesse.Zhang(a)amd.com> drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Christian König <christian.koenig(a)amd.com> drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Christian König <christian.koenig(a)amd.com> drm/amdgpu: remove two invalid BUG_ON()s Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Avoid unnecessary blocking in IRQ handler Andrey Albershteyn <aalbersh(a)redhat.com> fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls Han Gao <rabenda.cn(a)gmail.com> riscv: acpi: avoid errors caused by probing DT devices when ACPI is used Danil Skrebenkov <danil.skrebenkov(a)cloudbear.ru> RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid rfence errors Feng Jiang <jiangfeng(a)kylinos.cn> riscv: Build loader.bin exclusively for Canaan K210 Peter Zijlstra <peterz(a)infradead.org> compiler_types: Move unused static inline functions warning to W=2 Yang Shi <yang(a)os.amperecomputing.com> arm64: kprobes: check the return value of set_memory_rox() Timur Kristóf <timur.kristof(a)gmail.com> drm/amd: Disable ASPM on SI Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable MCLK switching on SI at high pixel clocks Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Disable fastboot on DCE 6 too Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Use pm_display_cfg in legacy DPM (v2) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Add pixel_clock to amd_pp_display_configuration Jouni Högander <jouni.hogander(a)intel.com> drm/xe: Do clean shutdown also when using flr Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Move declarations under conditional branch Balasubramani Vivekanandan <balasubramani.vivekanandan(a)intel.com> drm/xe/guc: Synchronize Dead CT worker with unbind Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Fix suspend failure with secure display TA Peter Zijlstra <peterz(a)infradead.org> futex: Optimize per-cpu reference counting Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Make vfio_compat's unmap succeed if the range is already empty Shuhao Fu <sfual(a)cse.ust.hk> smb: client: fix refcount leak in smb2_set_path_attr Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd/display: Don't stretch non-native images by default in eDP Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: set default gfx reset masks for gfx6-8 Umesh Nerlige Ramappa <umesh.nerlige.ramappa(a)intel.com> drm/i915: Fix conversion between clock ticks and nanoseconds Janusz Krzysztofik <janusz.krzysztofik(a)linux.intel.com> drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD Jason-JH Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add pm_runtime support for GCE power control Nicolin Chen <nicolinc(a)nvidia.com> iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents() ------------- Diffstat: Makefile | 4 +- .../boot/dts/broadcom/bcm47189-luxul-xap-1440.dts | 4 +- arch/arm/boot/dts/nxp/imx/imx51-zii-rdu1.dts | 4 +- .../dts/nxp/imx/imx6ull-engicam-microgea-rmm.dts | 2 +- arch/arm/crypto/Kconfig | 2 +- arch/arm64/boot/dts/freescale/imx8-ss-img.dtsi | 2 - .../boot/dts/freescale/imx8mp-kontron-bl-osm-s.dts | 24 +- .../boot/dts/rockchip/rk3566-bigtreetech-cb2.dtsi | 6 +- arch/arm64/boot/dts/rockchip/rk3568-odroid-m1.dts | 2 + arch/arm64/boot/dts/rockchip/rk3576.dtsi | 2 - arch/arm64/boot/dts/rockchip/rk3588-opp.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3588j.dtsi | 2 +- arch/arm64/kernel/probes/kprobes.c | 5 +- arch/arm64/kvm/sys_regs.c | 59 +-- arch/loongarch/include/asm/hw_breakpoint.h | 4 +- arch/loongarch/include/asm/io.h | 5 +- arch/loongarch/include/asm/pgtable.h | 11 +- arch/loongarch/kernel/mem.c | 7 +- arch/loongarch/kernel/numa.c | 23 +- arch/loongarch/kernel/setup.c | 5 +- arch/loongarch/kernel/traps.c | 4 +- arch/loongarch/kvm/intc/eiointc.c | 2 +- arch/loongarch/kvm/timer.c | 2 + arch/loongarch/kvm/vcpu.c | 5 + arch/loongarch/mm/init.c | 2 - arch/loongarch/mm/ioremap.c | 2 +- arch/riscv/Makefile | 2 +- arch/riscv/kernel/cpu-hotplug.c | 1 + arch/riscv/kernel/setup.c | 7 +- arch/x86/include/asm/kvm_host.h | 3 + arch/x86/include/uapi/asm/vmx.h | 7 +- arch/x86/kernel/acpi/cppc.c | 2 +- arch/x86/kernel/cpu/amd.c | 7 + arch/x86/kernel/cpu/microcode/amd.c | 1 + arch/x86/kvm/svm/nested.c | 20 +- arch/x86/kvm/svm/svm.c | 73 ++- arch/x86/kvm/vmx/common.h | 2 +- arch/x86/kvm/vmx/nested.c | 21 +- arch/x86/kvm/vmx/vmx.c | 29 ++ arch/x86/kvm/vmx/vmx.h | 5 + arch/x86/kvm/x86.c | 75 ++- drivers/acpi/cppc_acpi.c | 6 +- drivers/acpi/numa/hmat.c | 46 +- drivers/acpi/numa/srat.c | 2 +- drivers/bluetooth/btusb.c | 13 +- drivers/cpufreq/intel_pstate.c | 9 +- drivers/crypto/hisilicon/qm.c | 2 + drivers/edac/altera_edac.c | 22 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 + drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 12 + drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 3 + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 5 + drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 5 + drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 5 + .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 73 +-- drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_pp_smu.c | 1 + .../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 2 +- drivers/gpu/drm/amd/display/dc/dm_services_types.h | 2 +- .../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 6 +- drivers/gpu/drm/amd/include/dm_pp_interface.h | 1 + drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 67 +++ drivers/gpu/drm/amd/pm/inc/amdgpu_dpm_internal.h | 2 + drivers/gpu/drm/amd/pm/legacy-dpm/kv_dpm.c | 4 +- drivers/gpu/drm/amd/pm/legacy-dpm/legacy_dpm.c | 6 +- drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 70 ++- drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 11 +- drivers/gpu/drm/clients/drm_client_setup.c | 4 +- drivers/gpu/drm/i915/display/intel_psr.c | 3 +- drivers/gpu/drm/i915/gt/intel_gt_clock_utils.c | 4 +- drivers/gpu/drm/i915/i915_vma.c | 16 +- drivers/gpu/drm/mediatek/mtk_crtc.c | 7 + drivers/gpu/drm/panthor/panthor_gem.c | 18 + drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c | 16 +- drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h | 1 + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 + drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 + drivers/gpu/drm/xe/xe_device.c | 14 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 + drivers/gpu/drm/xe/xe_wa.c | 11 + drivers/hid/hid-ids.h | 4 + drivers/hid/hid-logitech-hidpp.c | 21 + drivers/hid/hid-nintendo.c | 2 +- drivers/hid/hid-ntrig.c | 7 +- drivers/hid/hid-playstation.c | 2 + drivers/hid/hid-quirks.c | 2 + drivers/hid/hid-uclogic-params.c | 4 +- .../intel-thc-hid/intel-quickspi/pci-quickspi.c | 6 + .../intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 + drivers/infiniband/hw/mlx5/cq.c | 15 +- drivers/iommu/iommufd/io_pagetable.c | 12 +- drivers/iommu/iommufd/ioas.c | 4 + drivers/irqchip/irq-riscv-intc.c | 3 +- drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +- drivers/mmc/host/dw_mmc-rockchip.c | 4 +- drivers/mmc/host/pxamci.c | 56 +-- drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +- drivers/mtd/nand/onenand/onenand_samsung.c | 2 +- drivers/net/ethernet/freescale/fec_main.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 15 + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 79 ++++ drivers/net/ethernet/mellanox/mlx5/core/cq.c | 24 +- drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 + .../net/ethernet/mellanox/mlx5/core/en/params.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h | 5 +- .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 +- .../net/ethernet/mellanox/mlx5/core/en_common.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 33 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 19 +- drivers/net/ethernet/mellanox/mlx5/core/eq.c | 8 +- .../net/ethernet/mellanox/mlx5/core/fpga/conn.c | 16 +- drivers/net/ethernet/mellanox/mlx5/core/lib/aso.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 11 +- .../mellanox/mlx5/core/steering/hws/send.c | 15 +- .../mellanox/mlx5/core/steering/sws/dr_send.c | 29 +- drivers/net/ethernet/mellanox/mlx5/core/wc.c | 4 +- drivers/net/ethernet/ti/am65-cpsw-qos.c | 53 ++- drivers/net/phy/mdio_bus.c | 5 +- drivers/net/phy/micrel.c | 515 +++++++++++++-------- drivers/net/virtio_net.c | 16 +- drivers/net/wireless/ath/ath11k/wmi.c | 3 + drivers/net/wireless/intel/iwlwifi/mld/link.c | 7 +- drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 13 +- drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 12 +- drivers/pmdomain/arm/scmi_pm_domain.c | 13 +- drivers/pmdomain/imx/gpc.c | 2 + drivers/pmdomain/samsung/exynos-pm-domains.c | 29 +- drivers/pwm/pwm-adp5585.c | 4 +- drivers/regulator/fixed.c | 1 + drivers/spi/spi.c | 10 + drivers/vdpa/mlx5/net/mlx5_vnet.c | 6 +- fs/afs/cell.c | 78 +++- fs/afs/dynroot.c | 3 +- fs/afs/internal.h | 12 +- fs/afs/mntpt.c | 3 +- fs/afs/proc.c | 3 +- fs/afs/super.c | 2 +- fs/afs/vl_alias.c | 3 +- fs/binfmt_misc.c | 4 +- fs/btrfs/inode.c | 4 +- fs/btrfs/scrub.c | 2 + fs/btrfs/tree-log.c | 2 +- fs/btrfs/zoned.c | 60 ++- fs/erofs/decompressor_zstd.c | 11 +- fs/exfat/namei.c | 6 +- fs/file_attr.c | 4 + fs/fuse/virtio_fs.c | 2 +- fs/hostfs/hostfs_kern.c | 29 +- fs/namespace.c | 32 +- fs/nfs/client.c | 8 + fs/nfs/dir.c | 23 +- fs/nfs/inode.c | 18 +- fs/nfs/nfs3client.c | 14 +- fs/nfs/nfs4client.c | 15 +- fs/nfs/nfs4proc.c | 22 +- fs/nfs/pnfs_nfs.c | 66 +-- fs/nfs/sysfs.c | 1 + fs/nfs/write.c | 3 +- fs/nfsd/nfs4state.c | 3 +- fs/nfsd/nfs4xdr.c | 3 +- fs/nfsd/nfsd.h | 1 + fs/nfsd/nfsfh.c | 6 +- fs/nilfs2/segment.c | 7 +- fs/proc/generic.c | 12 +- fs/smb/client/fs_context.c | 2 + fs/smb/client/smb2inode.c | 2 + fs/smb/client/transport.c | 2 +- fs/smb/server/smb2pdu.c | 2 + fs/smb/server/transport_tcp.c | 5 +- include/linux/compiler_types.h | 5 +- include/linux/filter.h | 20 + include/linux/gfp.h | 3 + include/linux/huge_mm.h | 55 +-- include/linux/map_benchmark.h | 1 + include/linux/mlx5/cq.h | 2 +- include/linux/mlx5/driver.h | 3 +- include/linux/nfs_xdr.h | 1 + include/net/bluetooth/hci.h | 5 + include/uapi/linux/mount.h | 2 +- io_uring/register.c | 7 - io_uring/rsrc.c | 16 +- io_uring/rw.c | 3 + kernel/Kconfig.kexec | 9 + kernel/Makefile | 1 + kernel/bpf/trampoline.c | 5 - kernel/bpf/verifier.c | 6 +- kernel/crash_core.c | 2 +- kernel/futex/core.c | 12 +- kernel/gcov/gcc_4_7.c | 4 +- kernel/kexec_handover.c | 84 ++-- kernel/kexec_handover_debug.c | 25 + kernel/kexec_handover_internal.h | 20 + kernel/power/swap.c | 17 +- kernel/sched/ext.c | 4 +- kernel/time/posix-timers.c | 12 +- kernel/trace/ftrace.c | 20 +- lib/maple_tree.c | 30 +- mm/damon/stat.c | 9 +- mm/damon/sysfs.c | 10 +- mm/filemap.c | 20 +- mm/huge_memory.c | 38 +- mm/kmsan/core.c | 3 - mm/kmsan/hooks.c | 6 +- mm/kmsan/shadow.c | 2 +- mm/ksm.c | 113 ++++- mm/memory.c | 20 +- mm/mm_init.c | 2 +- mm/mremap.c | 2 +- mm/secretmem.c | 2 +- mm/shmem.c | 9 +- mm/slub.c | 6 +- mm/swap_state.c | 13 + mm/truncate.c | 6 +- net/bluetooth/6lowpan.c | 103 +++-- net/bluetooth/hci_conn.c | 33 +- net/bluetooth/hci_event.c | 56 ++- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_core.c | 1 + net/bluetooth/mgmt.c | 1 + net/core/netpoll.c | 7 +- net/dsa/tag_brcm.c | 6 +- net/handshake/tlshd.c | 1 + net/hsr/hsr_device.c | 5 +- net/hsr/hsr_forward.c | 22 +- net/ipv4/route.c | 5 + net/mac80211/iface.c | 14 +- net/mac80211/rx.c | 10 +- net/netfilter/nft_ct.c | 5 + net/sched/act_bpf.c | 6 +- net/sched/act_connmark.c | 12 +- net/sched/act_ife.c | 12 +- net/sched/cls_bpf.c | 6 +- net/sched/sch_generic.c | 17 +- net/sctp/transport.c | 13 +- net/smc/smc_clc.c | 1 + net/strparser/strparser.c | 2 +- net/tipc/net.c | 2 + net/unix/garbage.c | 14 +- rust/Makefile | 2 +- scripts/decode_stacktrace.sh | 43 +- scripts/gendwarfksyms/gendwarfksyms.c | 3 +- scripts/gendwarfksyms/gendwarfksyms.h | 2 +- scripts/gendwarfksyms/symbols.c | 4 +- sound/hda/codecs/hdmi/nvhdmi-mcp.c | 4 +- sound/hda/codecs/realtek/alc269.c | 1 + sound/soc/codecs/cs4271.c | 10 +- sound/soc/codecs/da7213.c | 65 ++- sound/soc/codecs/da7213.h | 1 + sound/soc/codecs/lpass-va-macro.c | 2 +- sound/soc/codecs/max98090.c | 6 +- sound/soc/codecs/nau8821.c | 22 +- sound/soc/codecs/nau8821.h | 2 +- sound/soc/codecs/tas2781-i2c.c | 9 +- sound/soc/renesas/rcar/ssiu.c | 3 +- sound/soc/sdw_utils/soc_sdw_utils.c | 20 +- sound/usb/endpoint.c | 5 + sound/usb/mixer.c | 2 + tools/build/feature/Makefile | 4 +- tools/perf/Makefile.config | 5 +- tools/perf/builtin-lock.c | 2 + tools/perf/tests/shell/lock_contention.sh | 21 +- tools/perf/util/header.c | 10 +- .../ftrace/test.d/filter/event-filter-function.tc | 4 + tools/testing/selftests/iommu/iommufd.c | 2 + tools/testing/selftests/iommu/iommufd_utils.h | 4 +- .../selftests/net/forwarding/local_termination.sh | 2 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 +- tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 90 ++-- tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 + tools/testing/selftests/user_events/perf_test.c | 2 +- virt/kvm/guest_memfd.c | 47 +- 282 files changed, 2607 insertions(+), 1416 deletions(-)

2 weeks, 5 days

6
254
0 0

[PATCH] usb: phy: Initialize struct usb_phy list_head

by Diogo Ivo

When executing usb_add_phy() and usb_add_phy_dev() it is possible that usb_add_extcon() fails (for example with -EPROBE_DEFER), in which case the usb_phy does not get added to phy_list via list_add_tail(&x->head, phy_list). Then, when the driver that tried to add the phy receives the error propagated from usb_add_extcon() and calls into usb_remove_phy() to undo the partial registration there will be an unconditional call to list_del(&x->head) which is notinitialized and leads to a NULL pointer dereference. Fix this by initializing x->head before usb_add_extcon() has a chance to fail. Fixes: 7d21114dc6a2d53 ("usb: phy: Introduce one extcon device into usb phy") Cc: stable(a)vger.kernel.org Signed-off-by: Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt> --- drivers/usb/phy/phy.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/phy/phy.c b/drivers/usb/phy/phy.c index e1435bc59662..5a9b9353f343 100644 --- a/drivers/usb/phy/phy.c +++ b/drivers/usb/phy/phy.c @@ -646,6 +646,8 @@ int usb_add_phy(struct usb_phy *x, enum usb_phy_type type) return -EINVAL; } + INIT_LIST_HEAD(&x->head); + usb_charger_init(x); ret = usb_add_extcon(x); if (ret) @@ -696,6 +698,8 @@ int usb_add_phy_dev(struct usb_phy *x) return -EINVAL; } + INIT_LIST_HEAD(&x->head); + usb_charger_init(x); ret = usb_add_extcon(x); if (ret) --- base-commit: 35d084745b3ea4af571ed421844f2bb1a99ad6e2 change-id: 20251113-diogo-smaug_typec-56b2059b892b Best regards, -- Diogo Ivo <diogo.ivo(a)tecnico.ulisboa.pt>

2 weeks, 5 days

2
6
0 0

FAILED: patch "[PATCH] pmdomain: samsung: plug potential memleak during probe" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 90c82941adf1986364e0f82c35cf59f2bf5f6a1d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112033-oversold-exceeding-d133@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 90c82941adf1986364e0f82c35cf59f2bf5f6a1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik(a)linaro.org> Date: Thu, 16 Oct 2025 16:58:37 +0100 Subject: [PATCH] pmdomain: samsung: plug potential memleak during probe MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit of_genpd_add_provider_simple() could fail, in which case this code leaks the domain name, pd->pd.name. Use devm_kstrdup_const() to plug this leak. As a side-effect, we can simplify existing error handling. Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver") Cc: stable(a)vger.kernel.org Reviewed-by: Peter Griffin <peter.griffin(a)linaro.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Signed-off-by: André Draszik <andre.draszik(a)linaro.org> Tested-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/samsung/exynos-pm-domains.c b/drivers/pmdomain/samsung/exynos-pm-domains.c index 5d478bb37ad6..f53e1bd24798 100644 --- a/drivers/pmdomain/samsung/exynos-pm-domains.c +++ b/drivers/pmdomain/samsung/exynos-pm-domains.c @@ -92,13 +92,14 @@ static const struct of_device_id exynos_pm_domain_of_match[] = { { }, }; -static const char *exynos_get_domain_name(struct device_node *node) +static const char *exynos_get_domain_name(struct device *dev, + struct device_node *node) { const char *name; if (of_property_read_string(node, "label", &name) < 0) name = kbasename(node->full_name); - return kstrdup_const(name, GFP_KERNEL); + return devm_kstrdup_const(dev, name, GFP_KERNEL); } static int exynos_pd_probe(struct platform_device *pdev) @@ -115,15 +116,13 @@ static int exynos_pd_probe(struct platform_device *pdev) if (!pd) return -ENOMEM; - pd->pd.name = exynos_get_domain_name(np); + pd->pd.name = exynos_get_domain_name(dev, np); if (!pd->pd.name) return -ENOMEM; pd->base = of_iomap(np, 0); - if (!pd->base) { - kfree_const(pd->pd.name); + if (!pd->base) return -ENODEV; - } pd->pd.power_off = exynos_pd_power_off; pd->pd.power_on = exynos_pd_power_on;

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 7458f72cc28f9eb0de811effcb5376d0ec19094a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112054-onto-impurity-0ab2@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7458f72cc28f9eb0de811effcb5376d0ec19094a Mon Sep 17 00:00:00 2001 From: Sudeep Holla <sudeep.holla(a)arm.com> Date: Fri, 17 Oct 2025 12:03:20 +0100 Subject: [PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration failure If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add(). Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure. Example crash trace observed without this fix: | Unable to handle kernel paging request at virtual address fffffffffffffc70 | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : genpd_debug_add+0x2c/0x160 | lr : genpd_debug_init+0x74/0x98 | Call trace: | genpd_debug_add+0x2c/0x160 (P) | genpd_debug_init+0x74/0x98 | do_one_initcall+0xd0/0x2d8 | do_initcall_level+0xa0/0x140 | do_initcalls+0x60/0xa8 | do_basic_setup+0x28/0x40 | kernel_init_freeable+0xe8/0x170 | kernel_init+0x2c/0x140 | ret_from_fork+0x10/0x20 Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Reviewed-by: Peng Fan <peng.fan(a)nxp.com> Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/arm/scmi_pm_domain.c b/drivers/pmdomain/arm/scmi_pm_domain.c index 8fe1c0a501c9..b5e2ffd5ea64 100644 --- a/drivers/pmdomain/arm/scmi_pm_domain.c +++ b/drivers/pmdomain/arm/scmi_pm_domain.c @@ -41,7 +41,7 @@ static int scmi_pd_power_off(struct generic_pm_domain *domain) static int scmi_pm_domain_probe(struct scmi_device *sdev) { - int num_domains, i; + int num_domains, i, ret; struct device *dev = &sdev->dev; struct device_node *np = dev->of_node; struct scmi_pm_domain *scmi_pd; @@ -108,9 +108,18 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev) scmi_pd_data->domains = domains; scmi_pd_data->num_domains = num_domains; + ret = of_genpd_add_provider_onecell(np, scmi_pd_data); + if (ret) + goto err_rm_genpds; + dev_set_drvdata(dev, scmi_pd_data); - return of_genpd_add_provider_onecell(np, scmi_pd_data); + return 0; +err_rm_genpds: + for (i = num_domains - 1; i >= 0; i--) + pm_genpd_remove(domains[i]); + + return ret; } static void scmi_pm_domain_remove(struct scmi_device *sdev)

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112010-prewashed-hatchback-7cb7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 Mon Sep 17 00:00:00 2001 From: Miaoqian Lin <linmq006(a)gmail.com> Date: Tue, 28 Oct 2025 11:16:20 +0800 Subject: [PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. Add the missing of_node_put() to avoid refcount leak. Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpc.c b/drivers/pmdomain/imx/gpc.c index 33991f3c6b55..a34b260274f7 100644 --- a/drivers/pmdomain/imx/gpc.c +++ b/drivers/pmdomain/imx/gpc.c @@ -536,6 +536,8 @@ static void imx_gpc_remove(struct platform_device *pdev) return; } } + + of_node_put(pgc_node); } static struct platform_driver imx_gpc_driver = {

2 weeks, 5 days

2
1
0 0

[PATCH] mm/mmap_lock: Reset maple state on lock_vma_under_rcu() retry

by Liam R. Howlett

The retry in lock_vma_under_rcu() drops the rcu read lock before reacquiring the lock and trying again. This may cause a use-after-free if the maple node the maple state was using was freed. The maple state is protected by the rcu read lock. When the lock is dropped, the state cannot be reused as it tracks pointers to objects that may be freed during the time where the lock was not held. Any time the rcu read lock is dropped, the maple state must be invalidated. Resetting the address and state to MA_START is the safest course of action, which will result in the next operation starting from the top of the tree. Prior to commit 0b16f8bed19c ("mm: change vma_start_read() to drop RCU lock on failure"), the rcu read lock was dropped and NULL was returned, so the retry would not have happened. However, now that the read lock is dropped regardless of the return, we may use a freed maple tree node cached in the maple state on retry. Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: stable(a)vger.kernel.org Fixes: 0b16f8bed19c ("mm: change vma_start_read() to drop RCU lock on failure") Reported-by: syzbot+131f9eb2b5807573275c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=131f9eb2b5807573275c Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> --- mm/mmap_lock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c index 39f341caf32c0..f2532af6208c0 100644 --- a/mm/mmap_lock.c +++ b/mm/mmap_lock.c @@ -257,6 +257,7 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm, if (PTR_ERR(vma) == -EAGAIN) { count_vm_vma_lock_event(VMA_LOCK_MISS); /* The area was replaced with another one */ + mas_set(&mas, address); goto retry; } -- 2.47.2

2 weeks, 5 days

7
18
0 0

[PATCH 2/3] memory: mtk-smi: fix device leak on larb probe

by Johan Hovold

Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind. Fixes: cc8bbe1a8312 ("memory: mediatek: Add SMI driver") Fixes: 038ae37c510f ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common") Cc: stable(a)vger.kernel.org # 4.6: 038ae37c510f Cc: Yong Wu <yong.wu(a)mediatek.com> Cc: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/memory/mtk-smi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c index dd6150d200e8..3609bfd3c64b 100644 --- a/drivers/memory/mtk-smi.c +++ b/drivers/memory/mtk-smi.c @@ -685,6 +685,7 @@ static void mtk_smi_larb_remove(struct platform_device *pdev) device_link_remove(&pdev->dev, larb->smi_common_dev); pm_runtime_disable(&pdev->dev); component_del(&pdev->dev, &mtk_smi_larb_component_ops); + put_device(larb->smi_common_dev); } static int __maybe_unused mtk_smi_larb_resume(struct device *dev) -- 2.51.2

2 weeks, 5 days

1
0
0 0

[PATCH 1/3] memory: mtk-smi: fix device leaks on common probe

by Johan Hovold

Make sure to drop the reference taken when looking up the SMI device during common probe on late probe failure (e.g. probe deferral) and on driver unbind. Fixes: 47404757702e ("memory: mtk-smi: Add device link for smi-sub-common") Fixes: 038ae37c510f ("memory: mtk-smi: add missing put_device() call in mtk_smi_device_link_common") Cc: stable(a)vger.kernel.org # 5.16: 038ae37c510f Cc: Yong Wu <yong.wu(a)mediatek.com> Cc: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/memory/mtk-smi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c index 733e22f695ab..dd6150d200e8 100644 --- a/drivers/memory/mtk-smi.c +++ b/drivers/memory/mtk-smi.c @@ -674,6 +674,7 @@ static int mtk_smi_larb_probe(struct platform_device *pdev) err_pm_disable: pm_runtime_disable(dev); device_link_remove(dev, larb->smi_common_dev); + put_device(larb->smi_common_dev); return ret; } @@ -917,6 +918,7 @@ static void mtk_smi_common_remove(struct platform_device *pdev) if (common->plat->type == MTK_SMI_GEN2_SUB_COMM) device_link_remove(&pdev->dev, common->smi_common_dev); pm_runtime_disable(&pdev->dev); + put_device(common->smi_common_dev); } static int __maybe_unused mtk_smi_common_resume(struct device *dev) -- 2.51.2

2 weeks, 5 days

1
0
0 0

[PATCH] drm/tegra: dsi: fix device leak on probe

by Johan Hovold

Make sure to drop the reference taken when looking up the companion (ganged) device and its driver data during probe(). Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") Fixes: 221e3638feb8 ("drm/tegra: Fix reference leak in tegra_dsi_ganged_probe") Cc: stable(a)vger.kernel.org # 3.19: 221e3638feb8 Cc: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/tegra/dsi.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index b5089b772267..b53038eb9699 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -1549,11 +1549,9 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi) return -EPROBE_DEFER; dsi->slave = platform_get_drvdata(gangster); - - if (!dsi->slave) { - put_device(&gangster->dev); + put_device(&gangster->dev); + if (!dsi->slave) return -EPROBE_DEFER; - } dsi->slave->master = dsi; } -- 2.51.2

2 weeks, 5 days

1
0
0 0

[PATCH] clk: tegra: tegra124-emc: fix device leak on set_rate()

by Johan Hovold

Make sure to drop the reference taken when looking up the EMC device and its driver data on first set_rate(). Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver") Fixes: 6d6ef58c2470 ("clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver") Cc: stable(a)vger.kernel.org # 4.2: 6d6ef58c2470 Cc: Mikko Perttunen <mperttunen(a)nvidia.com> Cc: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/clk/tegra/clk-tegra124-emc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/tegra/clk-tegra124-emc.c b/drivers/clk/tegra/clk-tegra124-emc.c index 2a6db0434281..2777e70da8b9 100644 --- a/drivers/clk/tegra/clk-tegra124-emc.c +++ b/drivers/clk/tegra/clk-tegra124-emc.c @@ -197,8 +197,8 @@ static struct tegra_emc *emc_ensure_emc_driver(struct tegra_clk_emc *tegra) tegra->emc_node = NULL; tegra->emc = platform_get_drvdata(pdev); + put_device(&pdev->dev); if (!tegra->emc) { - put_device(&pdev->dev); pr_err("%s: cannot find EMC driver\n", __func__); return NULL; } -- 2.51.2

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 7458f72cc28f9eb0de811effcb5376d0ec19094a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112054-mold-femur-4b46@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7458f72cc28f9eb0de811effcb5376d0ec19094a Mon Sep 17 00:00:00 2001 From: Sudeep Holla <sudeep.holla(a)arm.com> Date: Fri, 17 Oct 2025 12:03:20 +0100 Subject: [PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration failure If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add(). Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure. Example crash trace observed without this fix: | Unable to handle kernel paging request at virtual address fffffffffffffc70 | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : genpd_debug_add+0x2c/0x160 | lr : genpd_debug_init+0x74/0x98 | Call trace: | genpd_debug_add+0x2c/0x160 (P) | genpd_debug_init+0x74/0x98 | do_one_initcall+0xd0/0x2d8 | do_initcall_level+0xa0/0x140 | do_initcalls+0x60/0xa8 | do_basic_setup+0x28/0x40 | kernel_init_freeable+0xe8/0x170 | kernel_init+0x2c/0x140 | ret_from_fork+0x10/0x20 Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Reviewed-by: Peng Fan <peng.fan(a)nxp.com> Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/arm/scmi_pm_domain.c b/drivers/pmdomain/arm/scmi_pm_domain.c index 8fe1c0a501c9..b5e2ffd5ea64 100644 --- a/drivers/pmdomain/arm/scmi_pm_domain.c +++ b/drivers/pmdomain/arm/scmi_pm_domain.c @@ -41,7 +41,7 @@ static int scmi_pd_power_off(struct generic_pm_domain *domain) static int scmi_pm_domain_probe(struct scmi_device *sdev) { - int num_domains, i; + int num_domains, i, ret; struct device *dev = &sdev->dev; struct device_node *np = dev->of_node; struct scmi_pm_domain *scmi_pd; @@ -108,9 +108,18 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev) scmi_pd_data->domains = domains; scmi_pd_data->num_domains = num_domains; + ret = of_genpd_add_provider_onecell(np, scmi_pd_data); + if (ret) + goto err_rm_genpds; + dev_set_drvdata(dev, scmi_pd_data); - return of_genpd_add_provider_onecell(np, scmi_pd_data); + return 0; +err_rm_genpds: + for (i = num_domains - 1; i >= 0; i--) + pm_genpd_remove(domains[i]); + + return ret; } static void scmi_pm_domain_remove(struct scmi_device *sdev)

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112010-chop-refurbish-3f6e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 Mon Sep 17 00:00:00 2001 From: Miaoqian Lin <linmq006(a)gmail.com> Date: Tue, 28 Oct 2025 11:16:20 +0800 Subject: [PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. Add the missing of_node_put() to avoid refcount leak. Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpc.c b/drivers/pmdomain/imx/gpc.c index 33991f3c6b55..a34b260274f7 100644 --- a/drivers/pmdomain/imx/gpc.c +++ b/drivers/pmdomain/imx/gpc.c @@ -536,6 +536,8 @@ static void imx_gpc_remove(struct platform_device *pdev) return; } } + + of_node_put(pgc_node); } static struct platform_driver imx_gpc_driver = {

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] drm/i915/dp_mst: Disable Panel Replay" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x f2687d3cc9f905505d7b510c50970176115066a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112017-gigahertz-gravitate-93f3@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2687d3cc9f905505d7b510c50970176115066a2 Mon Sep 17 00:00:00 2001 From: Imre Deak <imre.deak(a)intel.com> Date: Fri, 7 Nov 2025 14:41:41 +0200 Subject: [PATCH] drm/i915/dp_mst: Disable Panel Replay MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Disable Panel Replay on MST links until it's properly implemented. For instance the required VSC SDP is not programmed on MST and FEC is not enabled if Panel Replay is enabled. Fixes: 3257e55d3ea7 ("drm/i915/panelreplay: enable/disable panel replay") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15174 Cc: Jouni Högander <jouni.hogander(a)intel.com> Cc: Animesh Manna <animesh.manna(a)intel.com> Cc: stable(a)vger.kernel.org # v6.8+ Reviewed-by: Jouni Högander <jouni.hogander(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://patch.msgid.link/20251107124141.911895-1-imre.deak@intel.com (cherry picked from commit e109f644b871df8440c886a69cdce971ed533088) Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c index d5e0a1e66944..4619237f1346 100644 --- a/drivers/gpu/drm/i915/display/intel_psr.c +++ b/drivers/gpu/drm/i915/display/intel_psr.c @@ -585,6 +585,10 @@ static void _panel_replay_init_dpcd(struct intel_dp *intel_dp) struct intel_display *display = to_intel_display(intel_dp); int ret; + /* TODO: Enable Panel Replay on MST once it's properly implemented. */ + if (intel_dp->mst_detect == DRM_DP_MST) + return; + ret = drm_dp_dpcd_read_data(&intel_dp->aux, DP_PANEL_REPLAY_CAP_SUPPORT, &intel_dp->pr_dpcd, sizeof(intel_dp->pr_dpcd)); if (ret < 0)

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112009-revenge-lazily-2aa3@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 Mon Sep 17 00:00:00 2001 From: Miaoqian Lin <linmq006(a)gmail.com> Date: Tue, 28 Oct 2025 11:16:20 +0800 Subject: [PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. Add the missing of_node_put() to avoid refcount leak. Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpc.c b/drivers/pmdomain/imx/gpc.c index 33991f3c6b55..a34b260274f7 100644 --- a/drivers/pmdomain/imx/gpc.c +++ b/drivers/pmdomain/imx/gpc.c @@ -536,6 +536,8 @@ static void imx_gpc_remove(struct platform_device *pdev) return; } } + + of_node_put(pgc_node); } static struct platform_driver imx_gpc_driver = {

2 weeks, 5 days

2
1
0 0

Re: stable 6.6: commit "sched/cpufreq: Rework schedutil governor performance estimation' causes a regression

by Vincent Guittot

On Fri, 21 Nov 2025 at 04:55, Sergey Senozhatsky <senozhatsky(a)chromium.org> wrote: > > Hi Christian, > > On (25/11/20 10:15), Christian Loehle wrote: > > On 11/20/25 04:45, Sergey Senozhatsky wrote: > > > Hi, > > > > > > We are observing a performance regression on one of our arm64 boards. > > > We tracked it down to the linux-6.6.y commit ada8d7fa0ad4 ("sched/cpufreq: You mentioned that you tracked down to linux-6.6.y but which kernel are you using ? > > > Rework schedutil governor performance estimation"). > > > > > > UI speedometer benchmark: > > > w/commit: 395 +/-38 > > > w/o commit: 439 +/-14 > > > > > > > Hi Sergey, > > Would be nice to get some details. What board? > > It's an MT8196 chromebook. > > > What do the OPPs look like? > > How do I find that out? In /sys/kernel/debug/opp/cpu*/ or /sys/devices/system/cpu/cpufreq/policy*/scaling_available_frequencies with related_cpus > > > Does this system use uclamp during the benchmark? How? > > How do I find that out? it can be set per cgroup /sys/fs/cgroup/system.slice/<name>/cpu.uclam.min|max or per task with sched_setattr() You most probably use it because it's the main reason for ada8d7fa0ad4 to remove wrong overestimate of OPP > > > Given how large the stddev given by speedometer (version 3?) itself is, can we get the > > stats of a few runs? > > v2.1 > > w/o patch w/ patch > 440 +/-30 406 +/-11 > 440 +/-14 413 +/-16 > 444 +/-12 403 +/-14 > 442 +/-12 412 +/-15 > > > Maybe traces of cpu_frequency for both w/ and w/o? > > trace-cmd record -e power:cpu_frequency attached. > > "base" is with ada8d7fa0ad4 > "revert" is ada8d7fa0ad4 reverted.

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7458f72cc28f9eb0de811effcb5376d0ec19094a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112052-bulldozer-hatbox-e9df@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7458f72cc28f9eb0de811effcb5376d0ec19094a Mon Sep 17 00:00:00 2001 From: Sudeep Holla <sudeep.holla(a)arm.com> Date: Fri, 17 Oct 2025 12:03:20 +0100 Subject: [PATCH] pmdomain: arm: scmi: Fix genpd leak on provider registration failure If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add(). Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure. Example crash trace observed without this fix: | Unable to handle kernel paging request at virtual address fffffffffffffc70 | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : genpd_debug_add+0x2c/0x160 | lr : genpd_debug_init+0x74/0x98 | Call trace: | genpd_debug_add+0x2c/0x160 (P) | genpd_debug_init+0x74/0x98 | do_one_initcall+0xd0/0x2d8 | do_initcall_level+0xa0/0x140 | do_initcalls+0x60/0xa8 | do_basic_setup+0x28/0x40 | kernel_init_freeable+0xe8/0x170 | kernel_init+0x2c/0x140 | ret_from_fork+0x10/0x20 Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Reviewed-by: Peng Fan <peng.fan(a)nxp.com> Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/arm/scmi_pm_domain.c b/drivers/pmdomain/arm/scmi_pm_domain.c index 8fe1c0a501c9..b5e2ffd5ea64 100644 --- a/drivers/pmdomain/arm/scmi_pm_domain.c +++ b/drivers/pmdomain/arm/scmi_pm_domain.c @@ -41,7 +41,7 @@ static int scmi_pd_power_off(struct generic_pm_domain *domain) static int scmi_pm_domain_probe(struct scmi_device *sdev) { - int num_domains, i; + int num_domains, i, ret; struct device *dev = &sdev->dev; struct device_node *np = dev->of_node; struct scmi_pm_domain *scmi_pd; @@ -108,9 +108,18 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev) scmi_pd_data->domains = domains; scmi_pd_data->num_domains = num_domains; + ret = of_genpd_add_provider_onecell(np, scmi_pd_data); + if (ret) + goto err_rm_genpds; + dev_set_drvdata(dev, scmi_pd_data); - return of_genpd_add_provider_onecell(np, scmi_pd_data); + return 0; +err_rm_genpds: + for (i = num_domains - 1; i >= 0; i--) + pm_genpd_remove(domains[i]); + + return ret; } static void scmi_pm_domain_remove(struct scmi_device *sdev)

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112009-appliance-symptom-7a59@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 Mon Sep 17 00:00:00 2001 From: Miaoqian Lin <linmq006(a)gmail.com> Date: Tue, 28 Oct 2025 11:16:20 +0800 Subject: [PATCH] pmdomain: imx: Fix reference count leak in imx_gpc_remove of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. Add the missing of_node_put() to avoid refcount leak. Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/imx/gpc.c b/drivers/pmdomain/imx/gpc.c index 33991f3c6b55..a34b260274f7 100644 --- a/drivers/pmdomain/imx/gpc.c +++ b/drivers/pmdomain/imx/gpc.c @@ -536,6 +536,8 @@ static void imx_gpc_remove(struct platform_device *pdev) return; } } + + of_node_put(pgc_node); } static struct platform_driver imx_gpc_driver = {

2 weeks, 5 days

2
2
0 0

FAILED: patch "[PATCH] drm/i915/dp_mst: Disable Panel Replay" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x f2687d3cc9f905505d7b510c50970176115066a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112017-voter-absentee-5ffd@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2687d3cc9f905505d7b510c50970176115066a2 Mon Sep 17 00:00:00 2001 From: Imre Deak <imre.deak(a)intel.com> Date: Fri, 7 Nov 2025 14:41:41 +0200 Subject: [PATCH] drm/i915/dp_mst: Disable Panel Replay MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Disable Panel Replay on MST links until it's properly implemented. For instance the required VSC SDP is not programmed on MST and FEC is not enabled if Panel Replay is enabled. Fixes: 3257e55d3ea7 ("drm/i915/panelreplay: enable/disable panel replay") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15174 Cc: Jouni Högander <jouni.hogander(a)intel.com> Cc: Animesh Manna <animesh.manna(a)intel.com> Cc: stable(a)vger.kernel.org # v6.8+ Reviewed-by: Jouni Högander <jouni.hogander(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> Link: https://patch.msgid.link/20251107124141.911895-1-imre.deak@intel.com (cherry picked from commit e109f644b871df8440c886a69cdce971ed533088) Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c index d5e0a1e66944..4619237f1346 100644 --- a/drivers/gpu/drm/i915/display/intel_psr.c +++ b/drivers/gpu/drm/i915/display/intel_psr.c @@ -585,6 +585,10 @@ static void _panel_replay_init_dpcd(struct intel_dp *intel_dp) struct intel_display *display = to_intel_display(intel_dp); int ret; + /* TODO: Enable Panel Replay on MST once it's properly implemented. */ + if (intel_dp->mst_detect == DRM_DP_MST) + return; + ret = drm_dp_dpcd_read_data(&intel_dp->aux, DP_PANEL_REPLAY_CAP_SUPPORT, &intel_dp->pr_dpcd, sizeof(intel_dp->pr_dpcd)); if (ret < 0)

2 weeks, 5 days

2
2
0 0

FAILED: patch "[PATCH] ftrace: Fix BPF fexit with livepatch" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 56b3c85e153b84f27e6cff39623ba40a1ad299d3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112016-arrogance-recast-439f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56b3c85e153b84f27e6cff39623ba40a1ad299d3 Mon Sep 17 00:00:00 2001 From: Song Liu <song(a)kernel.org> Date: Mon, 27 Oct 2025 10:50:21 -0700 Subject: [PATCH] ftrace: Fix BPF fexit with livepatch When livepatch is attached to the same function as bpf trampoline with a fexit program, bpf trampoline code calls register_ftrace_direct() twice. The first time will fail with -EAGAIN, and the second time it will succeed. This requires register_ftrace_direct() to unregister the address on the first attempt. Otherwise, the bpf trampoline cannot attach. Here is an easy way to reproduce this issue: insmod samples/livepatch/livepatch-sample.ko bpftrace -e 'fexit:cmdline_proc_show {}' ERROR: Unable to attach probe: fexit:vmlinux:cmdline_proc_show... Fix this by cleaning up the hash when register_ftrace_function_nolock hits errors. Also, move the code that resets ops->func and ops->trampoline to the error path of register_ftrace_direct(); and add a helper function reset_direct() in register_ftrace_direct() and unregister_ftrace_direct(). Fixes: d05cb470663a ("ftrace: Fix modification of direct_function hash while in use") Cc: stable(a)vger.kernel.org # v6.6+ Reported-by: Andrey Grodzovsky <andrey.grodzovsky(a)crowdstrike.com> Closes: https://lore.kernel.org/live-patching/c5058315a39d4615b333e485893345be@crow… Cc: Steven Rostedt (Google) <rostedt(a)goodmis.org> Cc: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Acked-and-tested-by: Andrey Grodzovsky <andrey.grodzovsky(a)crowdstrike.com> Signed-off-by: Song Liu <song(a)kernel.org> Reviewed-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lore.kernel.org/r/20251027175023.1521602-2-song@kernel.org Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Acked-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c index 5949095e51c3..f2cb0b097093 100644 --- a/kernel/bpf/trampoline.c +++ b/kernel/bpf/trampoline.c @@ -479,11 +479,6 @@ static int bpf_trampoline_update(struct bpf_trampoline *tr, bool lock_direct_mut * BPF_TRAMP_F_SHARE_IPMODIFY is set, we can generate the * trampoline again, and retry register. */ - /* reset fops->func and fops->trampoline for re-register */ - tr->fops->func = NULL; - tr->fops->trampoline = 0; - - /* free im memory and reallocate later */ bpf_tramp_image_free(im); goto again; } diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 42bd2ba68a82..cbeb7e833131 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -5953,6 +5953,17 @@ static void register_ftrace_direct_cb(struct rcu_head *rhp) free_ftrace_hash(fhp); } +static void reset_direct(struct ftrace_ops *ops, unsigned long addr) +{ + struct ftrace_hash *hash = ops->func_hash->filter_hash; + + remove_direct_functions_hash(hash, addr); + + /* cleanup for possible another register call */ + ops->func = NULL; + ops->trampoline = 0; +} + /** * register_ftrace_direct - Call a custom trampoline directly * for multiple functions registered in @ops @@ -6048,6 +6059,8 @@ int register_ftrace_direct(struct ftrace_ops *ops, unsigned long addr) ops->direct_call = addr; err = register_ftrace_function_nolock(ops); + if (err) + reset_direct(ops, addr); out_unlock: mutex_unlock(&direct_mutex); @@ -6080,7 +6093,6 @@ EXPORT_SYMBOL_GPL(register_ftrace_direct); int unregister_ftrace_direct(struct ftrace_ops *ops, unsigned long addr, bool free_filters) { - struct ftrace_hash *hash = ops->func_hash->filter_hash; int err; if (check_direct_multi(ops)) @@ -6090,13 +6102,9 @@ int unregister_ftrace_direct(struct ftrace_ops *ops, unsigned long addr, mutex_lock(&direct_mutex); err = unregister_ftrace_function(ops); - remove_direct_functions_hash(hash, addr); + reset_direct(ops, addr); mutex_unlock(&direct_mutex); - /* cleanup for possible another register call */ - ops->func = NULL; - ops->trampoline = 0; - if (free_filters) ftrace_free_filter(ops); return err;

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] KVM: nSVM: Always recalculate LBR MSR intercepts in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x fbe5e5f030c22ae717ee422aaab0e00ea84fab5e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112046-confider-smelting-6296@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fbe5e5f030c22ae717ee422aaab0e00ea84fab5e Mon Sep 17 00:00:00 2001 From: Yosry Ahmed <yosry.ahmed(a)linux.dev> Date: Sat, 8 Nov 2025 00:45:20 +0000 Subject: [PATCH] KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() svm_update_lbrv() is called when MSR_IA32_DEBUGCTLMSR is updated, and on nested transitions where LBRV is used. It checks whether LBRV enablement needs to be changed in the current VMCB, and if it does, it also recalculate intercepts to LBR MSRs. However, there are cases where intercepts need to be updated even when LBRV enablement doesn't. Example scenario: - L1 has MSR_IA32_DEBUGCTLMSR cleared. - L1 runs L2 without LBR_CTL_ENABLE (no LBRV). - L2 sets DEBUGCTLMSR_LBR in MSR_IA32_DEBUGCTLMSR, svm_update_lbrv() sets LBR_CTL_ENABLE in VMCB02 and disables intercepts to LBR MSRs. - L2 exits to L1, svm_update_lbrv() is not called on this transition. - L1 clears MSR_IA32_DEBUGCTLMSR, svm_update_lbrv() finds that LBR_CTL_ENABLE is already cleared in VMCB01 and does nothing. - Intercepts remain disabled, L1 reads to LBR MSRs read the host MSRs. Fix it by always recalculating intercepts in svm_update_lbrv(). Fixes: 1d5a1b5860ed ("KVM: x86: nSVM: correctly virtualize LBR msrs when L2 is running") Cc: stable(a)vger.kernel.org Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> Link: https://patch.msgid.link/20251108004524.1600006-3-yosry.ahmed@linux.dev Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 39538098002b..53201f13a43c 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -806,25 +806,29 @@ void svm_copy_lbrs(struct vmcb *to_vmcb, struct vmcb *from_vmcb) vmcb_mark_dirty(to_vmcb, VMCB_LBR); } -void svm_enable_lbrv(struct kvm_vcpu *vcpu) +static void __svm_enable_lbrv(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm = to_svm(vcpu); svm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK; - svm_recalc_lbr_msr_intercepts(vcpu); /* Move the LBR msrs to the vmcb02 so that the guest can see them. */ if (is_guest_mode(vcpu)) svm_copy_lbrs(svm->vmcb, svm->vmcb01.ptr); } -static void svm_disable_lbrv(struct kvm_vcpu *vcpu) +void svm_enable_lbrv(struct kvm_vcpu *vcpu) +{ + __svm_enable_lbrv(vcpu); + svm_recalc_lbr_msr_intercepts(vcpu); +} + +static void __svm_disable_lbrv(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm = to_svm(vcpu); KVM_BUG_ON(sev_es_guest(vcpu->kvm), vcpu->kvm); svm->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK; - svm_recalc_lbr_msr_intercepts(vcpu); /* * Move the LBR msrs back to the vmcb01 to avoid copying them @@ -853,13 +857,18 @@ void svm_update_lbrv(struct kvm_vcpu *vcpu) (is_guest_mode(vcpu) && guest_cpu_cap_has(vcpu, X86_FEATURE_LBRV) && (svm->nested.ctl.virt_ext & LBR_CTL_ENABLE_MASK)); - if (enable_lbrv == current_enable_lbrv) - return; + if (enable_lbrv && !current_enable_lbrv) + __svm_enable_lbrv(vcpu); + else if (!enable_lbrv && current_enable_lbrv) + __svm_disable_lbrv(vcpu); - if (enable_lbrv) - svm_enable_lbrv(vcpu); - else - svm_disable_lbrv(vcpu); + /* + * During nested transitions, it is possible that the current VMCB has + * LBR_CTL set, but the previous LBR_CTL had it cleared (or vice versa). + * In this case, even though LBR_CTL does not need an update, intercepts + * do, so always recalculate the intercepts here. + */ + svm_recalc_lbr_msr_intercepts(vcpu); } void disable_nmi_singlestep(struct vcpu_svm *svm)

2 weeks, 5 days

3
8
0 0

FAILED: patch "[PATCH] ALSA: usb-audio: Fix potential overflow of PCM transfer" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112036-clever-sponsor-bfdf@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf Mon Sep 17 00:00:00 2001 From: Takashi Iwai <tiwai(a)suse.de> Date: Sun, 9 Nov 2025 10:12:07 +0100 Subject: [PATCH] ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0]. Reported-by: syzbot+bfd77469c8966de076f7(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7 Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com Cc: Lizhi Xu <lizhi.xu(a)windriver.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c index 880f5afcce60..cc15624ecaff 100644 --- a/sound/usb/endpoint.c +++ b/sound/usb/endpoint.c @@ -1362,6 +1362,11 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ep->sample_rem = ep->cur_rate % ep->pps; ep->packsize[0] = ep->cur_rate / ep->pps; ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps; + if (ep->packsize[1] > ep->maxpacksize) { + usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n", + ep->maxpacksize, ep->cur_rate, ep->pps); + return -EINVAL; + } /* calculate the frequency in 16.16 format */ ep->freqm = ep->freqn;

2 weeks, 5 days

2
1
0 0

[PATCH v4 04/22] reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime

by Tommaso Merciai

The driver was disabling the USB2 PHY clock immediately after register initialization in probe() and after each reset operation. This left the PHY unclocked even though it must remain active for USB functionality. The behavior appeared to work only when another driver (e.g., USB controller) had already enabled the clock, making operation unreliable and hardware-dependent. In configurations where this driver is the sole clock user, USB functionality would fail. Fix this by: - Enabling the clock once in probe() via pm_runtime_resume_and_get() - Removing all pm_runtime_put() calls from assert/deassert/status - Registering a devm cleanup action to release the clock at removal - Removed rzv2h_usbphy_assert_helper() and its call in rzv2h_usb2phy_reset_probe() This ensures the PHY clock remains enabled for the entire device lifetime, preventing instability and aligning with hardware requirements. Cc: stable(a)vger.kernel.org Fixes: e3911d7f865b ("reset: Add USB2PHY port reset driver for Renesas RZ/V2H(P)") Signed-off-by: Tommaso Merciai <tommaso.merciai.xr(a)bp.renesas.com> --- v3->v4: - No changes. v2->v3: - Added missing Cc: stable(a)vger.kernel.org - Improved commit body describing the removal of rzv2h_usbphy_assert_helper() from rzv2h_usb2phy_reset_probe(). v1->v2: - Improve commit body and commit msg - Added Fixes tag - Dropped unnecessary rzv2h_usbphy_assert_helper() function drivers/reset/reset-rzv2h-usb2phy.c | 64 ++++++++--------------------- 1 file changed, 18 insertions(+), 46 deletions(-) diff --git a/drivers/reset/reset-rzv2h-usb2phy.c b/drivers/reset/reset-rzv2h-usb2phy.c index ae643575b067..5bdd39274612 100644 --- a/drivers/reset/reset-rzv2h-usb2phy.c +++ b/drivers/reset/reset-rzv2h-usb2phy.c @@ -49,9 +49,10 @@ static inline struct rzv2h_usb2phy_reset_priv return container_of(rcdev, struct rzv2h_usb2phy_reset_priv, rcdev); } -/* This function must be called only after pm_runtime_resume_and_get() has been called */ -static void rzv2h_usbphy_assert_helper(struct rzv2h_usb2phy_reset_priv *priv) +static int rzv2h_usbphy_reset_assert(struct reset_controller_dev *rcdev, + unsigned long id) { + struct rzv2h_usb2phy_reset_priv *priv = rzv2h_usbphy_rcdev_to_priv(rcdev); const struct rzv2h_usb2phy_reset_of_data *data = priv->data; scoped_guard(spinlock, &priv->lock) { @@ -60,24 +61,6 @@ static void rzv2h_usbphy_assert_helper(struct rzv2h_usb2phy_reset_priv *priv) } usleep_range(11, 20); -} - -static int rzv2h_usbphy_reset_assert(struct reset_controller_dev *rcdev, - unsigned long id) -{ - struct rzv2h_usb2phy_reset_priv *priv = rzv2h_usbphy_rcdev_to_priv(rcdev); - struct device *dev = priv->dev; - int ret; - - ret = pm_runtime_resume_and_get(dev); - if (ret) { - dev_err(dev, "pm_runtime_resume_and_get failed\n"); - return ret; - } - - rzv2h_usbphy_assert_helper(priv); - - pm_runtime_put(dev); return 0; } @@ -87,14 +70,6 @@ static int rzv2h_usbphy_reset_deassert(struct reset_controller_dev *rcdev, { struct rzv2h_usb2phy_reset_priv *priv = rzv2h_usbphy_rcdev_to_priv(rcdev); const struct rzv2h_usb2phy_reset_of_data *data = priv->data; - struct device *dev = priv->dev; - int ret; - - ret = pm_runtime_resume_and_get(dev); - if (ret) { - dev_err(dev, "pm_runtime_resume_and_get failed\n"); - return ret; - } scoped_guard(spinlock, &priv->lock) { writel(data->reset_deassert_val, priv->base + data->reset_reg); @@ -102,8 +77,6 @@ static int rzv2h_usbphy_reset_deassert(struct reset_controller_dev *rcdev, writel(data->reset_release_val, priv->base + data->reset_reg); } - pm_runtime_put(dev); - return 0; } @@ -111,20 +84,10 @@ static int rzv2h_usbphy_reset_status(struct reset_controller_dev *rcdev, unsigned long id) { struct rzv2h_usb2phy_reset_priv *priv = rzv2h_usbphy_rcdev_to_priv(rcdev); - struct device *dev = priv->dev; - int ret; u32 reg; - ret = pm_runtime_resume_and_get(dev); - if (ret) { - dev_err(dev, "pm_runtime_resume_and_get failed\n"); - return ret; - } - reg = readl(priv->base + priv->data->reset_reg); - pm_runtime_put(dev); - return (reg & priv->data->reset_status_bits) == priv->data->reset_status_bits; } @@ -141,6 +104,11 @@ static int rzv2h_usb2phy_reset_of_xlate(struct reset_controller_dev *rcdev, return 0; } +static void rzv2h_usb2phy_reset_pm_runtime_put(void *data) +{ + pm_runtime_put(data); +} + static int rzv2h_usb2phy_reset_probe(struct platform_device *pdev) { const struct rzv2h_usb2phy_reset_of_data *data; @@ -175,14 +143,14 @@ static int rzv2h_usb2phy_reset_probe(struct platform_device *pdev) if (error) return dev_err_probe(dev, error, "pm_runtime_resume_and_get failed\n"); + error = devm_add_action_or_reset(dev, rzv2h_usb2phy_reset_pm_runtime_put, + dev); + if (error) + return dev_err_probe(dev, error, "unable to register cleanup action\n"); + for (unsigned int i = 0; i < data->init_val_count; i++) writel(data->init_vals[i].val, priv->base + data->init_vals[i].reg); - /* keep usb2phy in asserted state */ - rzv2h_usbphy_assert_helper(priv); - - pm_runtime_put(dev); - priv->rcdev.ops = &rzv2h_usbphy_reset_ops; priv->rcdev.of_reset_n_cells = 0; priv->rcdev.nr_resets = 1; @@ -190,7 +158,11 @@ static int rzv2h_usb2phy_reset_probe(struct platform_device *pdev) priv->rcdev.of_node = dev->of_node; priv->rcdev.dev = dev; - return devm_reset_controller_register(dev, &priv->rcdev); + error = devm_reset_controller_register(dev, &priv->rcdev); + if (error) + return dev_err_probe(dev, error, "could not register reset controller\n"); + + return 0; } /* -- 2.43.0

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] crash: fix crashkernel resource shrink" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 00fbff75c5acb4755f06f08bd1071879c63940c5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112029-arrogance-bondless-6a5b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 00fbff75c5acb4755f06f08bd1071879c63940c5 Mon Sep 17 00:00:00 2001 From: Sourabh Jain <sourabhjain(a)linux.ibm.com> Date: Sun, 2 Nov 2025 01:07:41 +0530 Subject: [PATCH] crash: fix crashkernel resource shrink When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues: 1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB). The reservation appears as: cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel Instead, it should show 50MB: af000000-b21fffff : Crash kernel Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86): BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...> This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated. Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory. Link: https://lkml.kernel.org/r/20251101193741.289252-1-sourabhjain@linux.ibm.com Fixes: 16c6006af4d4 ("kexec: enable kexec_crash_size to support two crash kernel regions") Signed-off-by: Sourabh Jain <sourabhjain(a)linux.ibm.com> Acked-by: Baoquan He <bhe(a)redhat.com> Cc: Zhen Lei <thunder.leizhen(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/kernel/crash_core.c b/kernel/crash_core.c index 3b1c43382eec..99dac1aa972a 100644 --- a/kernel/crash_core.c +++ b/kernel/crash_core.c @@ -373,7 +373,7 @@ static int __crash_shrink_memory(struct resource *old_res, old_res->start = 0; old_res->end = 0; } else { - crashk_res.end = ram_res->start - 1; + old_res->end = ram_res->start - 1; } crash_free_reserved_phys_range(ram_res->start, ram_res->end);

2 weeks, 5 days

3
2
0 0

[PATCH] platform/x86: intel: chtwc_int33fe: don't dereference swnode args

by Bartosz Golaszewski

From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Members of struct software_node_ref_args should not be dereferenced directly but set using the provided macros. Commit d7cdbbc93c56 ("software node: allow referencing firmware nodes") changed the name of the software node member and caused a build failure. Remove all direct dereferences of the ref struct as a fix. However, this driver also seems to abuse the software node interface by waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear in the system before setting up the reference for the I2C device, while the actual software node already exists in the intel-xhci-usb-role-switch module and should be used to set up a static reference. Add a FIXME for a future improvement. Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes") Fixes: 53c24c2932e5 ("platform/x86: intel_cht_int33fe: use inline reference properties") Cc: stable(a)vger.kernel.org Reported-by: Stephen Rothwell <sfr(a)canb.auug.org.au> Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/ Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- This should go into the reset tree as a fix to the regression introduced by the reset-gpio driver rework. --- drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/drivers/platform/x86/intel/chtwc_int33fe.c b/drivers/platform/x86/intel/chtwc_int33fe.c index 29e8b5432f4c9eea7dc45b83d94c0e00373f901b..d183aa53c318ba8d57c7124c38506e6956b3ee36 100644 --- a/drivers/platform/x86/intel/chtwc_int33fe.c +++ b/drivers/platform/x86/intel/chtwc_int33fe.c @@ -77,7 +77,7 @@ static const struct software_node max17047_node = { * software node. */ static struct software_node_ref_args fusb302_mux_refs[] = { - { .node = NULL }, + SOFTWARE_NODE_REFERENCE(NULL), }; static const struct property_entry fusb302_properties[] = { @@ -190,11 +190,6 @@ static void cht_int33fe_remove_nodes(struct cht_int33fe_data *data) { software_node_unregister_node_group(node_group); - if (fusb302_mux_refs[0].node) { - fwnode_handle_put(software_node_fwnode(fusb302_mux_refs[0].node)); - fusb302_mux_refs[0].node = NULL; - } - if (data->dp) { data->dp->secondary = NULL; fwnode_handle_put(data->dp); @@ -202,7 +197,15 @@ static void cht_int33fe_remove_nodes(struct cht_int33fe_data *data) } } -static int cht_int33fe_add_nodes(struct cht_int33fe_data *data) +static void cht_int33fe_put_swnode(void *data) +{ + struct fwnode_handle *fwnode = data; + + fwnode_handle_put(fwnode); + fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(NULL); +} + +static int cht_int33fe_add_nodes(struct device *dev, struct cht_int33fe_data *data) { const struct software_node *mux_ref_node; int ret; @@ -212,17 +215,25 @@ static int cht_int33fe_add_nodes(struct cht_int33fe_data *data) * until the mux driver has created software node for the mux device. * It means we depend on the mux driver. This function will return * -EPROBE_DEFER until the mux device is registered. + * + * FIXME: the relevant software node exists in intel-xhci-usb-role-switch + * and - if exported - could be used to set up a static reference. */ mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw"); if (!mux_ref_node) return -EPROBE_DEFER; + ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode, + software_node_fwnode(mux_ref_node)); + if (ret) + return ret; + /* * Update node used in "usb-role-switch" property. Note that we * rely on software_node_register_node_group() to use the original * instance of properties instead of copying them. */ - fusb302_mux_refs[0].node = mux_ref_node; + fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(mux_ref_node); ret = software_node_register_node_group(node_group); if (ret) @@ -345,7 +356,7 @@ static int cht_int33fe_typec_probe(struct platform_device *pdev) return fusb302_irq; } - ret = cht_int33fe_add_nodes(data); + ret = cht_int33fe_add_nodes(dev, data); if (ret) return ret; --- base-commit: cba510406ba76569782ead6007a0e4eb5d34a7ab change-id: 20251121-int33fe-swnode-fix-e896da458560 Best regards, -- Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org>

2 weeks, 5 days

4
5
0 0

patch "iio: adc: ad4080: fix chip identification" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad4080: fix chip identification to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From b66cddc8be7278fd14650ff9182f3794397f8b31 Mon Sep 17 00:00:00 2001 From: Antoniu Miclaus <antoniu.miclaus(a)analog.com> Date: Tue, 7 Oct 2025 11:15:20 +0000 Subject: iio: adc: ad4080: fix chip identification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix AD4080 chip identification by using the correct 16-bit product ID (0x0050) instead of GENMASK(2, 0). Update the chip reading logic to use regmap_bulk_read to read both PRODUCT_ID_L and PRODUCT_ID_H registers and combine them into a 16-bit value. The original implementation was incorrectly reading only 3 bits, which would not correctly identify the AD4080 chip. Fixes: 6b31ba1811b6 ("iio: adc: ad4080: add driver support") Signed-off-by: Antoniu Miclaus <antoniu.miclaus(a)analog.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad4080.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad4080.c b/drivers/iio/adc/ad4080.c index 6e61787ed321..e15310fcd21a 100644 --- a/drivers/iio/adc/ad4080.c +++ b/drivers/iio/adc/ad4080.c @@ -125,7 +125,7 @@ /* Miscellaneous Definitions */ #define AD4080_SPI_READ BIT(7) -#define AD4080_CHIP_ID GENMASK(2, 0) +#define AD4080_CHIP_ID 0x0050 #define AD4080_LVDS_CNV_CLK_CNT_MAX 7 @@ -445,7 +445,8 @@ static int ad4080_setup(struct iio_dev *indio_dev) { struct ad4080_state *st = iio_priv(indio_dev); struct device *dev = regmap_get_device(st->regmap); - unsigned int id; + __le16 id_le; + u16 id; int ret; ret = regmap_write(st->regmap, AD4080_REG_INTERFACE_CONFIG_A, @@ -458,10 +459,12 @@ static int ad4080_setup(struct iio_dev *indio_dev) if (ret) return ret; - ret = regmap_read(st->regmap, AD4080_REG_CHIP_TYPE, &id); + ret = regmap_bulk_read(st->regmap, AD4080_REG_PRODUCT_ID_L, &id_le, + sizeof(id_le)); if (ret) return ret; + id = le16_to_cpu(id_le); if (id != AD4080_CHIP_ID) dev_info(dev, "Unrecognized CHIP_ID 0x%X\n", id); -- 2.52.0

2 weeks, 5 days

1
0
0 0

patch "iio: adc: ad4080: fix chip identification" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad4080: fix chip identification to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From b66cddc8be7278fd14650ff9182f3794397f8b31 Mon Sep 17 00:00:00 2001 From: Antoniu Miclaus <antoniu.miclaus(a)analog.com> Date: Tue, 7 Oct 2025 11:15:20 +0000 Subject: iio: adc: ad4080: fix chip identification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix AD4080 chip identification by using the correct 16-bit product ID (0x0050) instead of GENMASK(2, 0). Update the chip reading logic to use regmap_bulk_read to read both PRODUCT_ID_L and PRODUCT_ID_H registers and combine them into a 16-bit value. The original implementation was incorrectly reading only 3 bits, which would not correctly identify the AD4080 chip. Fixes: 6b31ba1811b6 ("iio: adc: ad4080: add driver support") Signed-off-by: Antoniu Miclaus <antoniu.miclaus(a)analog.com> Reviewed-by: Nuno Sá <nuno.sa(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad4080.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ad4080.c b/drivers/iio/adc/ad4080.c index 6e61787ed321..e15310fcd21a 100644 --- a/drivers/iio/adc/ad4080.c +++ b/drivers/iio/adc/ad4080.c @@ -125,7 +125,7 @@ /* Miscellaneous Definitions */ #define AD4080_SPI_READ BIT(7) -#define AD4080_CHIP_ID GENMASK(2, 0) +#define AD4080_CHIP_ID 0x0050 #define AD4080_LVDS_CNV_CLK_CNT_MAX 7 @@ -445,7 +445,8 @@ static int ad4080_setup(struct iio_dev *indio_dev) { struct ad4080_state *st = iio_priv(indio_dev); struct device *dev = regmap_get_device(st->regmap); - unsigned int id; + __le16 id_le; + u16 id; int ret; ret = regmap_write(st->regmap, AD4080_REG_INTERFACE_CONFIG_A, @@ -458,10 +459,12 @@ static int ad4080_setup(struct iio_dev *indio_dev) if (ret) return ret; - ret = regmap_read(st->regmap, AD4080_REG_CHIP_TYPE, &id); + ret = regmap_bulk_read(st->regmap, AD4080_REG_PRODUCT_ID_L, &id_le, + sizeof(id_le)); if (ret) return ret; + id = le16_to_cpu(id_le); if (id != AD4080_CHIP_ID) dev_info(dev, "Unrecognized CHIP_ID 0x%X\n", id); -- 2.52.0

2 weeks, 5 days

1
0
0 0

[PATCH v2] USB: ohci-nxp: Fix error handling in ohci-hcd-nxp driver

by Ma Ke

When obtaining the ISP1301 I2C client through the device tree, the driver does not release the device reference in the probe failure path or in the remove function. This could cause a reference count leak, which may prevent the device from being properly unbound or freed, leading to resource leakage. Fix this by storing whether the client was obtained via device tree and only releasing the reference in that case. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - only released the device reference when the ISP1301 client was obtained through device tree, not in the non-DT case where the global variable is used; - removed unnecessary NULL checks as suggested by reviewer. --- drivers/usb/host/ohci-nxp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/host/ohci-nxp.c b/drivers/usb/host/ohci-nxp.c index 24d5a1dc5056..081b8c7f21a0 100644 --- a/drivers/usb/host/ohci-nxp.c +++ b/drivers/usb/host/ohci-nxp.c @@ -50,6 +50,7 @@ static const char hcd_name[] = "ohci-nxp"; static struct hc_driver __read_mostly ohci_nxp_hc_driver; static struct i2c_client *isp1301_i2c_client; +static bool isp1301_using_dt; static void isp1301_configure_lpc32xx(void) { @@ -161,6 +162,7 @@ static int ohci_hcd_nxp_probe(struct platform_device *pdev) } else { isp1301_node = NULL; } + isp1301_using_dt = (isp1301_node != NULL); isp1301_i2c_client = isp1301_get_client(isp1301_node); of_node_put(isp1301_node); @@ -223,6 +225,8 @@ static int ohci_hcd_nxp_probe(struct platform_device *pdev) fail_resource: usb_put_hcd(hcd); fail_disable: + if (isp1301_using_dt) + put_device(&isp1301_i2c_client->dev); isp1301_i2c_client = NULL; return ret; } @@ -234,6 +238,8 @@ static void ohci_hcd_nxp_remove(struct platform_device *pdev) usb_remove_hcd(hcd); ohci_nxp_stop_hc(); usb_put_hcd(hcd); + if (isp1301_using_dt) + put_device(&isp1301_i2c_client->dev); isp1301_i2c_client = NULL; } -- 2.17.1

2 weeks, 5 days

5
5
0 0

[PATCH] USB: Fix error handling in gadget driver

by Ma Ke

lpc32xx_udc_probe() acquires an i2c_client reference through isp1301_get_client() but fails to release it in both error handling paths and the normal removal path. This could result in a reference count leak for the I2C device, preventing proper cleanup and potentially leading to resource exhaustion. Add put_device() to release the reference in the probe failure path and in the remove function. Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() -> i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode() says, 'The user must call put_device(&client->dev) once done with the i2c client.' Found by code review. Cc: stable(a)vger.kernel.org Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/usb/gadget/udc/lpc32xx_udc.c | 35 +++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c index 1a7d3c4f652f..b6fddfff712d 100644 --- a/drivers/usb/gadget/udc/lpc32xx_udc.c +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c @@ -2986,6 +2986,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) int retval, i; dma_addr_t dma_handle; struct device_node *isp1301_node; + bool isp1301_acquired = false; udc = devm_kmemdup(dev, &controller_template, sizeof(*udc), GFP_KERNEL); if (!udc) @@ -3013,6 +3014,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) if (!udc->isp1301_i2c_client) { return -EPROBE_DEFER; } + isp1301_acquired = true; dev_info(udc->dev, "ISP1301 I2C device at address 0x%x\n", udc->isp1301_i2c_client->addr); @@ -3020,7 +3022,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) pdev->dev.dma_mask = &lpc32xx_usbd_dmamask; retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); if (retval) - return retval; + goto i2c_fail; udc->board = &lpc32xx_usbddata; @@ -3038,28 +3040,32 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) /* Get IRQs */ for (i = 0; i < 4; i++) { udc->udp_irq[i] = platform_get_irq(pdev, i); - if (udc->udp_irq[i] < 0) - return udc->udp_irq[i]; + if (udc->udp_irq[i] < 0) { + retval = udc->udp_irq[i]; + goto i2c_fail; + } } udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0); if (IS_ERR(udc->udp_baseaddr)) { dev_err(udc->dev, "IO map failure\n"); - return PTR_ERR(udc->udp_baseaddr); + retval = PTR_ERR(udc->udp_baseaddr); + goto i2c_fail; } /* Get USB device clock */ udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL); if (IS_ERR(udc->usb_slv_clk)) { dev_err(udc->dev, "failed to acquire USB device clock\n"); - return PTR_ERR(udc->usb_slv_clk); + retval = PTR_ERR(udc->usb_slv_clk); + goto i2c_fail; } /* Enable USB device clock */ retval = clk_prepare_enable(udc->usb_slv_clk); if (retval < 0) { dev_err(udc->dev, "failed to start USB device clock\n"); - return retval; + goto i2c_fail; } /* Setup deferred workqueue data */ @@ -3161,6 +3167,8 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, udc->udca_v_base, udc->udca_p_base); i2c_fail: + if (isp1301_acquired && udc->isp1301_i2c_client) + put_device(&udc->isp1301_i2c_client->dev); clk_disable_unprepare(udc->usb_slv_clk); dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval); @@ -3170,6 +3178,18 @@ static int lpc32xx_udc_probe(struct platform_device *pdev) static void lpc32xx_udc_remove(struct platform_device *pdev) { struct lpc32xx_udc *udc = platform_get_drvdata(pdev); + struct device *dev = &pdev->dev; + struct device_node *isp1301_node; + bool isp1301_acquired = false; + + /* Check if we acquired isp1301 via device tree */ + if (dev->of_node) { + isp1301_node = of_parse_phandle(dev->of_node, "transceiver", 0); + if (isp1301_node) { + isp1301_acquired = true; + of_node_put(isp1301_node); + } + } usb_del_gadget_udc(&udc->gadget); if (udc->driver) { @@ -3189,6 +3209,9 @@ static void lpc32xx_udc_remove(struct platform_device *pdev) dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE, udc->udca_v_base, udc->udca_p_base); + if (isp1301_acquired && udc->isp1301_i2c_client) + put_device(&udc->isp1301_i2c_client->dev); + clk_disable_unprepare(udc->usb_slv_clk); } -- 2.17.1

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] mm/truncate: unmap large folio on split failure" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x fa04f5b60fda62c98a53a60de3a1e763f11feb41 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112039-theatrics-moodiness-1de3@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fa04f5b60fda62c98a53a60de3a1e763f11feb41 Mon Sep 17 00:00:00 2001 From: Kiryl Shutsemau <kas(a)kernel.org> Date: Mon, 27 Oct 2025 11:56:36 +0000 Subject: [PATCH] mm/truncate: unmap large folio on split failure Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are supposed to generate SIGBUS. This behavior might not be respected on truncation. During truncation, the kernel splits a large folio in order to reclaim memory. As a side effect, it unmaps the folio and destroys PMD mappings of the folio. The folio will be refaulted as PTEs and SIGBUS semantics are preserved. However, if the split fails, PMD mappings are preserved and the user will not receive SIGBUS on any accesses within the PMD. Unmap the folio on split failure. It will lead to refault as PTEs and preserve SIGBUS semantics. Make an exception for shmem/tmpfs that for long time intentionally mapped with PMDs across i_size. Link: https://lkml.kernel.org/r/20251027115636.82382-3-kirill@shutemov.name Fixes: b9a8a4195c7d ("truncate,shmem: Handle truncates that split large folios") Signed-off-by: Kiryl Shutsemau <kas(a)kernel.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: "Darrick J. Wong" <djwong(a)kernel.org> Cc: Dave Chinner <david(a)fromorbit.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/truncate.c b/mm/truncate.c index 9210cf808f5c..3c5a50ae3274 100644 --- a/mm/truncate.c +++ b/mm/truncate.c @@ -177,6 +177,32 @@ int truncate_inode_folio(struct address_space *mapping, struct folio *folio) return 0; } +static int try_folio_split_or_unmap(struct folio *folio, struct page *split_at, + unsigned long min_order) +{ + enum ttu_flags ttu_flags = + TTU_SYNC | + TTU_SPLIT_HUGE_PMD | + TTU_IGNORE_MLOCK; + int ret; + + ret = try_folio_split_to_order(folio, split_at, min_order); + + /* + * If the split fails, unmap the folio, so it will be refaulted + * with PTEs to respect SIGBUS semantics. + * + * Make an exception for shmem/tmpfs that for long time + * intentionally mapped with PMDs across i_size. + */ + if (ret && !shmem_mapping(folio->mapping)) { + try_to_unmap(folio, ttu_flags); + WARN_ON(folio_mapped(folio)); + } + + return ret; +} + /* * Handle partial folios. The folio may be entirely within the * range if a split has raced with us. If not, we zero the part of the @@ -226,7 +252,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) min_order = mapping_min_folio_order(folio->mapping); split_at = folio_page(folio, PAGE_ALIGN_DOWN(offset) / PAGE_SIZE); - if (!try_folio_split_to_order(folio, split_at, min_order)) { + if (!try_folio_split_or_unmap(folio, split_at, min_order)) { /* * try to split at offset + length to make sure folios within * the range can be dropped, especially to avoid memory waste @@ -250,13 +276,10 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) if (!folio_trylock(folio2)) goto out; - /* - * make sure folio2 is large and does not change its mapping. - * Its split result does not matter here. - */ + /* make sure folio2 is large and does not change its mapping */ if (folio_test_large(folio2) && folio2->mapping == folio->mapping) - try_folio_split_to_order(folio2, split_at2, min_order); + try_folio_split_or_unmap(folio2, split_at2, min_order); folio_unlock(folio2); out:

2 weeks, 5 days

2
1
0 0

[PATCH v2] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator

by Siddharth Vadapalli

The SoC pin Y1 is incorrectly defined in the WKUP Pinmux device-tree node (pinctrl@4301c000) leading to the following silent failure: pinctrl-single 4301c000.pinctrl: mux offset out of range: 0x1dc (0x178) According to the datasheet for the J721E SoC [0], the pin Y1 belongs to the MAIN Pinmux device-tree node (pinctrl@11c000). This is confirmed by the address of the pinmux register for it on page 142 of the datasheet which is 0x00011C1DC. Hence fix it. [0]: https://www.ti.com/lit/ds/symlink/tda4vm.pdf Fixes: 97b67cc102dc ("arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators") Cc: <stable(a)vger.kernel.org> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> Reviewed-by: Yemike Abhilash Chandra <y-abhilashchandra(a)ti.com> --- Hello, This patch is based on commit 8b690556d8fe Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm of Mainline Linux. v1 of this patch is at: https://lore.kernel.org/r/20251118114954.1838514-1-s-vadapalli@ti.com/ Changes since v1: - Collected Reviewed-by tag. - Updated commit message and $subject based on feedback from Vignesh at: https://lore.kernel.org/r/6d6a1eeb-503d-48be-81bb-df53942b321c@ti.com/ Regards, Siddharth. arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts index 5e5784ef6f85..77dcc160eda3 100644 --- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts +++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts @@ -474,6 +474,12 @@ rpi_header_gpio1_pins_default: rpi-header-gpio1-default-pins { J721E_IOPAD(0x234, PIN_INPUT, 7) /* (U3) EXT_REFCLK1.GPIO1_12 */ >; }; + + vdd_sd_dv_pins_default: vdd-sd-dv-default-pins { + pinctrl-single,pins = < + J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */ + >; + }; }; &wkup_pmx0 { @@ -536,12 +542,6 @@ J721E_WKUP_IOPAD(0xd4, PIN_OUTPUT, 7) /* (G26) WKUP_GPIO0_9 */ >; }; - vdd_sd_dv_pins_default: vdd-sd-dv-default-pins { - pinctrl-single,pins = < - J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */ - >; - }; - wkup_uart0_pins_default: wkup-uart0-default-pins { pinctrl-single,pins = < J721E_WKUP_IOPAD(0xa0, PIN_INPUT, 0) /* (J29) WKUP_UART0_RXD */ -- 2.51.1

2 weeks, 5 days

2
1
0 0

[PATCH] dvb-usb: dtv5100: rewrite i2c message usb_control send/recv

by Nalivayko Sergey

syzbot reports a WARNING issue as below: usb 1-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 WARNING: CPU: 0 PID: 5833 at drivers/usb/core/urb.c:413 usb_submit_urb+0x1112/0x1870 drivers/usb/core/urb.c:411 Modules linked in: CPU: 0 UID: 0 PID: 5833 Comm: syz-executor411 Not tainted 6.15.0-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> usb_start_wait_urb+0x114/0x4c0 drivers/usb/core/message.c:59 usb_internal_control_msg drivers/usb/core/message.c:103 [inline] usb_control_msg+0x232/0x3e0 drivers/usb/core/message.c:154 dtv5100_i2c_msg+0x250/0x330 drivers/media/usb/dvb-usb/dtv5100.c:60 dtv5100_i2c_xfer+0x1a4/0x3c0 drivers/media/usb/dvb-usb/dtv5100.c:86 __i2c_transfer+0x871/0x2170 drivers/i2c/i2c-core-base.c:-1 i2c_transfer+0x25b/0x3a0 drivers/i2c/i2c-core-base.c:2315 i2c_transfer_buffer_flags+0x105/0x190 drivers/i2c/i2c-core-base.c:2343 i2c_master_send include/linux/i2c.h:109 [inline] i2cdev_write+0x112/0x1b0 drivers/i2c/i2c-dev.c:183 do_loop_readv_writev include/linux/uio.h:-1 [inline] vfs_writev+0x4a5/0x9a0 fs/read_write.c:1057 do_writev+0x14d/0x2d0 fs/read_write.c:1101 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The issue occurs due to insufficient validation of data passed to the USB API. In the current implementation, the case where the operation type is read but the read length is zero is not handled properly, which makes no sense. When usb_control_msg() is called with a PIPEOUT type and a read length of zero, a mismatch error occurs between the operation type and the expected transfer direction in function usb_submit_urb. This is the trigger for warning. Replace usb_control_msg() with usb_control_msg_recv() and usb_control_msg_send() to rely on the USB API for proper validation and prevent inconsistencies in the future. Reported-by: syzbot+0335df380edd9bd3ff70(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0335df380edd9bd3ff70 Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353") Cc: stable(a)vger.kernel.org Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> --- drivers/media/usb/dvb-usb/dtv5100.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/drivers/media/usb/dvb-usb/dtv5100.c b/drivers/media/usb/dvb-usb/dtv5100.c index 3d85c6f7f6ec..05860f5d5053 100644 --- a/drivers/media/usb/dvb-usb/dtv5100.c +++ b/drivers/media/usb/dvb-usb/dtv5100.c @@ -26,40 +26,37 @@ static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr, u8 *wbuf, u16 wlen, u8 *rbuf, u16 rlen) { struct dtv5100_state *st = d->priv; - unsigned int pipe; u8 request; u8 type; u16 value; u16 index; + index = (addr << 8) + wbuf[0]; + + memcpy(st->data, rbuf, rlen); + msleep(1); /* avoid I2C errors */ + switch (wlen) { case 1: /* write { reg }, read { value } */ - pipe = usb_rcvctrlpipe(d->udev, 0); request = (addr == DTV5100_DEMOD_ADDR ? DTV5100_DEMOD_READ : DTV5100_TUNER_READ); type = USB_TYPE_VENDOR | USB_DIR_IN; value = 0; - break; + return usb_control_msg_recv(d->udev, 0, request, type, value, index, + st->data, rlen, DTV5100_USB_TIMEOUT, GFP_KERNEL); case 2: /* write { reg, value } */ - pipe = usb_sndctrlpipe(d->udev, 0); request = (addr == DTV5100_DEMOD_ADDR ? DTV5100_DEMOD_WRITE : DTV5100_TUNER_WRITE); type = USB_TYPE_VENDOR | USB_DIR_OUT; value = wbuf[1]; - break; + return usb_control_msg_send(d->udev, 0, request, type, value, index, + st->data, rlen, DTV5100_USB_TIMEOUT, GFP_KERNEL); default: warn("wlen = %x, aborting.", wlen); return -EINVAL; } - index = (addr << 8) + wbuf[0]; - - memcpy(st->data, rbuf, rlen); - msleep(1); /* avoid I2C errors */ - return usb_control_msg(d->udev, pipe, request, - type, value, index, st->data, rlen, - DTV5100_USB_TIMEOUT); } /* I2C */ -- 2.39.5

2 weeks, 5 days

4
3
0 0

[PATCH v3] iommu/amd: Relay __modify_irte_ga() error in modify_irte_ga()

by Jinhui Guo

The return type of __modify_irte_ga() is int, but modify_irte_ga() treats it as a bool. Casting the int to bool discards the error code. To fix the issue, change the type of ret to int in modify_irte_ga(). Fixes: 57cdb720eaa5 ("iommu/amd: Do not flush IRTE when only updating isRun and destination fields") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> Reviewed-by: Ankit Soni <Ankit.Soni(a)amd.com> Reviewed-by: Vasant Hegde <vasant.hede(a)amd.com> --- v1: https://lore.kernel.org/all/20251120154725.435-1-guojinhui.liam@bytedance.c… v2: https://lore.kernel.org/all/20251121052139.550-1-guojinhui.liam@bytedance.c… Changelog in v1 -> v2 (suggested by Ankit Soni) - Trim subject line to the recommanded length Changelog in v2 -> v3 - Add Reviewed-by Vasant Hegde; no code changes drivers/iommu/amd/iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index 2e1865daa1ce..a38304f1a8df 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -3354,7 +3354,7 @@ static int __modify_irte_ga(struct amd_iommu *iommu, u16 devid, int index, static int modify_irte_ga(struct amd_iommu *iommu, u16 devid, int index, struct irte_ga *irte) { - bool ret; + int ret; ret = __modify_irte_ga(iommu, devid, index, irte); if (ret) -- 2.20.1

2 weeks, 5 days

1
0
0 0

Funding Proposal

by Luis Alves

2 weeks, 5 days

1
0
0 0

[PATCH] i2c: amd-mp2: fix device leak on probe()

by Johan Hovold

Make sure to drop the reference taken to the PCI device when looking up its driver data during probe of the platform device. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller") Cc: stable(a)vger.kernel.org # 5.2 Cc: Elie Morisse <syniurge(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/i2c/busses/i2c-amd-mp2-pci.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-amd-mp2-pci.c b/drivers/i2c/busses/i2c-amd-mp2-pci.c index ef7370d3dbea..5b41d18b62d3 100644 --- a/drivers/i2c/busses/i2c-amd-mp2-pci.c +++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c @@ -456,6 +456,7 @@ module_pci_driver(amd_mp2_pci_driver); struct amd_mp2_dev *amd_mp2_find_device(void) { + struct amd_mp2_dev *privdata; struct device *dev; struct pci_dev *pci_dev; @@ -464,7 +465,11 @@ struct amd_mp2_dev *amd_mp2_find_device(void) return NULL; pci_dev = to_pci_dev(dev); - return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); + privdata = pci_get_drvdata(pci_dev); + + put_device(dev); + + return privdata; } EXPORT_SYMBOL_GPL(amd_mp2_find_device); -- 2.51.2

2 weeks, 5 days

1
0
0 0

[PATCH v2] intel_th: fix device leak on output open()

by Johan Hovold

Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") Cc: stable(a)vger.kernel.org # 4.4 Cc: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- Hit send too soon... Changes in v2: - drop reference also on the last error path drivers/hwtracing/intel_th/core.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/drivers/hwtracing/intel_th/core.c b/drivers/hwtracing/intel_th/core.c index 47d9e6c3bac0..bc38814e6802 100644 --- a/drivers/hwtracing/intel_th/core.c +++ b/drivers/hwtracing/intel_th/core.c @@ -810,13 +810,20 @@ static int intel_th_output_open(struct inode *inode, struct file *file) int err; dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); - if (!dev || !dev->driver) + if (!dev) return -ENODEV; + if (!dev->driver) { + err = -ENODEV; + goto err_put_dev; + } + thdrv = to_intel_th_driver(dev->driver); fops = fops_get(thdrv->fops); - if (!fops) - return -ENODEV; + if (!fops) { + err = -ENODEV; + goto err_put_dev; + } replace_fops(file, fops); @@ -824,14 +831,29 @@ static int intel_th_output_open(struct inode *inode, struct file *file) if (file->f_op->open) { err = file->f_op->open(inode, file); - return err; + goto err_put_dev; } + return 0; + +err_put_dev: + put_device(dev); + + return err; +} + +static int intel_th_output_release(struct inode *inode, struct file *file) +{ + struct intel_th_device *thdev = file->private_data; + + put_device(&thdev->dev); + return 0; } static const struct file_operations intel_th_output_fops = { .open = intel_th_output_open, + .release = intel_th_output_release, .llseek = noop_llseek, }; -- 2.51.2

2 weeks, 5 days

1
0
0 0

[PATCH] intel_th: fix device leak on output open()

by Johan Hovold

Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") Cc: stable(a)vger.kernel.org # 4.4 Cc: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/hwtracing/intel_th/core.c | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/drivers/hwtracing/intel_th/core.c b/drivers/hwtracing/intel_th/core.c index 47d9e6c3bac0..ddc51de2d775 100644 --- a/drivers/hwtracing/intel_th/core.c +++ b/drivers/hwtracing/intel_th/core.c @@ -810,13 +810,20 @@ static int intel_th_output_open(struct inode *inode, struct file *file) int err; dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); - if (!dev || !dev->driver) + if (!dev) return -ENODEV; + if (!dev->driver) { + err = -ENODEV; + goto err_put_dev; + } + thdrv = to_intel_th_driver(dev->driver); fops = fops_get(thdrv->fops); - if (!fops) - return -ENODEV; + if (!fops) { + err = -ENODEV; + goto err_put_dev; + } replace_fops(file, fops); @@ -827,11 +834,26 @@ static int intel_th_output_open(struct inode *inode, struct file *file) return err; } + return 0; + +err_put_dev: + put_device(dev); + + return err; +} + +static int intel_th_output_release(struct inode *inode, struct file *file) +{ + struct intel_th_device *thdev = file->private_data; + + put_device(&thdev->dev); + return 0; } static const struct file_operations intel_th_output_fops = { .open = intel_th_output_open, + .release = intel_th_output_release, .llseek = noop_llseek, }; -- 2.51.2

2 weeks, 5 days

1
0
0 0

Great Original Shirts

by Spencer

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] scripts/decode_stacktrace.sh: fix build ID and PC source" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 7d9f7d390f6af3a29614e81e802e2b9c238eb7b2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112031-catalyze-sleep-ba6e@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7d9f7d390f6af3a29614e81e802e2b9c238eb7b2 Mon Sep 17 00:00:00 2001 From: Carlos Llamas <cmllamas(a)google.com> Date: Thu, 30 Oct 2025 01:03:33 +0000 Subject: [PATCH] scripts/decode_stacktrace.sh: fix build ID and PC source parsing Support for parsing PC source info in stacktraces (e.g. '(P)') was added in commit 2bff77c665ed ("scripts/decode_stacktrace.sh: fix decoding of lines with an additional info"). However, this logic was placed after the build ID processing. This incorrect order fails to parse lines containing both elements, e.g.: drm_gem_mmap_obj+0x114/0x200 [drm 03d0564e0529947d67bb2008c3548be77279fd27] (P) This patch fixes the problem by extracting the PC source info first and then processing the module build ID. With this change, the line above is now properly parsed as such: drm_gem_mmap_obj (./include/linux/mmap_lock.h:212 ./include/linux/mm.h:811 drivers/gpu/drm/drm_gem.c:1177) drm (P) While here, also add a brief explanation the build ID section. Link: https://lkml.kernel.org/r/20251030010347.2731925-1-cmllamas@google.com Fixes: 2bff77c665ed ("scripts/decode_stacktrace.sh: fix decoding of lines with an additional info") Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Reviewed-by: Luca Ceresoli <luca.ceresoli(a)bootlin.com> Cc: Breno Leitao <leitao(a)debian.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Marc Rutland <mark.rutland(a)arm.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Matthieu Baerts <matttbe(a)kernel.org> Cc: Miroslav Benes <mbenes(a)suse.cz> Cc: Puranjay Mohan <puranjay(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh index c73cb802a0a3..8d01b741de62 100755 --- a/scripts/decode_stacktrace.sh +++ b/scripts/decode_stacktrace.sh @@ -277,12 +277,6 @@ handle_line() { fi done - if [[ ${words[$last]} =~ ^[0-9a-f]+\] ]]; then - words[$last-1]="${words[$last-1]} ${words[$last]}" - unset words[$last] spaces[$last] - last=$(( $last - 1 )) - fi - # Extract info after the symbol if present. E.g.: # func_name+0x54/0x80 (P) # ^^^ @@ -295,6 +289,14 @@ handle_line() { last=$(( $last - 1 )) fi + # Join module name with its build id if present, as these were + # split during tokenization (e.g. "[module" and "modbuildid]"). + if [[ ${words[$last]} =~ ^[0-9a-f]+\] ]]; then + words[$last-1]="${words[$last-1]} ${words[$last]}" + unset words[$last] spaces[$last] + last=$(( $last - 1 )) + fi + if [[ ${words[$last]} =~ \[([^]]+)\] ]]; then module=${words[$last]} # some traces format is "(%pS)", which like "(foo+0x0/0x1 [bar])"

2 weeks, 5 days

3
2
0 0

[PATCH] x86/mce: Handle AMD threshold interrupt storms

by Avadhut Naik

From: Smita Koralahalli <Smita.KoralahalliChannabasappa(a)amd.com> Extend the logic of handling CMCI storms to AMD threshold interrupts. Rely on the similar approach as of Intel's CMCI to mitigate storms per CPU and per bank. But, unlike CMCI, do not set thresholds and reduce interrupt rate on a storm. Rather, disable the interrupt on the corresponding CPU and bank. Re-enable back the interrupts if enough consecutive polls of the bank show no corrected errors (30, as programmed by Intel). Turning off the threshold interrupts would be a better solution on AMD systems as other error severities will still be handled even if the threshold interrupts are disabled. Also, AMD systems currently allow banks to be managed by both polling and interrupts. So don't modify the polling banks set after a storm ends. [Tony: Small tweak because mce_handle_storm() isn't a pointer now] [Yazen: Rebase and simplify] Stable backport notes: 1. Currently, when a Machine check interrupt storm is detected, the bank's corresponding bit in mce_poll_banks per-CPU variable is cleared by cmci_storm_end(). As a result, on AMD's SMCA systems, errors injected or encountered after the storm subsides are not logged since polling on that bank has been disabled. Polling banks set on AMD systems should not be modified when a storm subsides. 2. This patch is a snippet from the CMCI storm handling patch (link below) that has been accepted into tip for v6.19. While backporting the patch would have been the preferred way, the same cannot be undertaken since its part of a larger set. As such, this fix will be temporary. When the original patch and its set is integrated into stable, this patch should be reverted. Signed-off-by: Smita Koralahalli <Smita.KoralahalliChannabasappa(a)amd.com> Signed-off-by: Tony Luck <tony.luck(a)intel.com> Signed-off-by: Yazen Ghannam <yazen.ghannam(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Link: https://lore.kernel.org/20251104-wip-mca-updates-v8-0-66c8eacf67b9@amd.com Signed-off-by: Avadhut Naik <avadhut.naik(a)amd.com> --- This is somewhat of a new scenario for me. Not really sure about the procedure. Hence, haven't modified the commit message and removed the tags. If required, will rework both. Also, while this issue can be encountered on AMD systems using v6.8 and later stable kernels, we would specifically prefer for this fix to be backported to v6.12 since its LTS. --- arch/x86/kernel/cpu/mce/threshold.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/mce/threshold.c b/arch/x86/kernel/cpu/mce/threshold.c index f4a007616468..61eaa1774931 100644 --- a/arch/x86/kernel/cpu/mce/threshold.c +++ b/arch/x86/kernel/cpu/mce/threshold.c @@ -85,7 +85,8 @@ void cmci_storm_end(unsigned int bank) { struct mca_storm_desc *storm = this_cpu_ptr(&storm_desc); - __clear_bit(bank, this_cpu_ptr(mce_poll_banks)); + if (!mce_flags.amd_threshold) + __clear_bit(bank, this_cpu_ptr(mce_poll_banks)); storm->banks[bank].history = 0; storm->banks[bank].in_storm_mode = false; base-commit: 8b690556d8fe074b4f9835075050fba3fb180e93 -- 2.43.0

2 weeks, 5 days

5
8
0 0

FAILED: patch "[PATCH] eventpoll: Replace rwlock with spinlock" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0c43094f8cc9d3d99d835c0ac9c4fe1ccc62babd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101616-causal-numerator-0c1e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0c43094f8cc9d3d99d835c0ac9c4fe1ccc62babd Mon Sep 17 00:00:00 2001 From: Nam Cao <namcao(a)linutronix.de> Date: Tue, 15 Jul 2025 14:46:34 +0200 Subject: [PATCH] eventpoll: Replace rwlock with spinlock The ready event list of an epoll object is protected by read-write semaphore: - The consumer (waiter) acquires the write lock and takes items. - the producer (waker) takes the read lock and adds items. The point of this design is enabling epoll to scale well with large number of producers, as multiple producers can hold the read lock at the same time. Unfortunately, this implementation may cause scheduling priority inversion problem. Suppose the consumer has higher scheduling priority than the producer. The consumer needs to acquire the write lock, but may be blocked by the producer holding the read lock. Since read-write semaphore does not support priority-boosting for the readers (even with CONFIG_PREEMPT_RT=y), we have a case of priority inversion: a higher priority consumer is blocked by a lower priority producer. This problem was reported in [1]. Furthermore, this could also cause stall problem, as described in [2]. Fix this problem by replacing rwlock with spinlock. This reduces the event bandwidth, as the producers now have to contend with each other for the spinlock. According to the benchmark from https://github.com/rouming/test-tools/blob/master/stress-epoll.c: On 12 x86 CPUs: Before After Diff threads events/ms events/ms 8 7162 4956 -31% 16 8733 5383 -38% 32 7968 5572 -30% 64 10652 5739 -46% 128 11236 5931 -47% On 4 riscv CPUs: Before After Diff threads events/ms events/ms 8 2958 2833 -4% 16 3323 3097 -7% 32 3451 3240 -6% 64 3554 3178 -11% 128 3601 3235 -10% Although the numbers look bad, it should be noted that this benchmark creates multiple threads who do nothing except constantly generating new epoll events, thus contention on the spinlock is high. For real workload, the event rate is likely much lower, and the performance drop is not as bad. Using another benchmark (perf bench epoll wait) where spinlock contention is lower, improvement is even observed on x86: On 12 x86 CPUs: Before: Averaged 110279 operations/sec (+- 1.09%), total secs = 8 After: Averaged 114577 operations/sec (+- 2.25%), total secs = 8 On 4 riscv CPUs: Before: Averaged 175767 operations/sec (+- 0.62%), total secs = 8 After: Averaged 167396 operations/sec (+- 0.23%), total secs = 8 In conclusion, no one is likely to be upset over this change. After all, spinlock was used originally for years, and the commit which converted to rwlock didn't mention a real workload, just that the benchmark numbers are nice. This patch is not exactly the revert of commit a218cc491420 ("epoll: use rwlock in order to reduce ep_poll_callback() contention"), because git revert conflicts in some places which are not obvious on the resolution. This patch is intended to be backported, therefore go with the obvious approach: - Replace rwlock_t with spinlock_t one to one - Delete list_add_tail_lockless() and chain_epi_lockless(). These were introduced to allow producers to concurrently add items to the list. But now that spinlock no longer allows producers to touch the event list concurrently, these two functions are not necessary anymore. Fixes: a218cc491420 ("epoll: use rwlock in order to reduce ep_poll_callback() contention") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Link: https://lore.kernel.org/ec92458ea357ec503c737ead0f10b2c6e4c37d47.1752581388… Tested-by: K Prateek Nayak <kprateek.nayak(a)amd.com> Cc: stable(a)vger.kernel.org Reported-by: Frederic Weisbecker <frederic(a)kernel.org> Closes: https://lore.kernel.org/linux-rt-users/20210825132754.GA895675@lothringen/ [1] Reported-by: Valentin Schneider <vschneid(a)redhat.com> Closes: https://lore.kernel.org/linux-rt-users/xhsmhttqvnall.mognet@vschneid.remote… [2] Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/eventpoll.c b/fs/eventpoll.c index b22d6f819f78..ee7c4b683ec3 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -46,10 +46,10 @@ * * 1) epnested_mutex (mutex) * 2) ep->mtx (mutex) - * 3) ep->lock (rwlock) + * 3) ep->lock (spinlock) * * The acquire order is the one listed above, from 1 to 3. - * We need a rwlock (ep->lock) because we manipulate objects + * We need a spinlock (ep->lock) because we manipulate objects * from inside the poll callback, that might be triggered from * a wake_up() that in turn might be called from IRQ context. * So we can't sleep inside the poll callback and hence we need @@ -195,7 +195,7 @@ struct eventpoll { struct list_head rdllist; /* Lock which protects rdllist and ovflist */ - rwlock_t lock; + spinlock_t lock; /* RB tree root used to store monitored fd structs */ struct rb_root_cached rbr; @@ -741,10 +741,10 @@ static void ep_start_scan(struct eventpoll *ep, struct list_head *txlist) * in a lockless way. */ lockdep_assert_irqs_enabled(); - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); list_splice_init(&ep->rdllist, txlist); WRITE_ONCE(ep->ovflist, NULL); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } static void ep_done_scan(struct eventpoll *ep, @@ -752,7 +752,7 @@ static void ep_done_scan(struct eventpoll *ep, { struct epitem *epi, *nepi; - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* * During the time we spent inside the "sproc" callback, some * other events might have been queued by the poll callback. @@ -793,7 +793,7 @@ static void ep_done_scan(struct eventpoll *ep, wake_up(&ep->wq); } - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } static void ep_get(struct eventpoll *ep) @@ -868,10 +868,10 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force) rb_erase_cached(&epi->rbn, &ep->rbr); - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); if (ep_is_linked(epi)) list_del_init(&epi->rdllink); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); wakeup_source_unregister(ep_wakeup_source(epi)); /* @@ -1152,7 +1152,7 @@ static int ep_alloc(struct eventpoll **pep) return -ENOMEM; mutex_init(&ep->mtx); - rwlock_init(&ep->lock); + spin_lock_init(&ep->lock); init_waitqueue_head(&ep->wq); init_waitqueue_head(&ep->poll_wait); INIT_LIST_HEAD(&ep->rdllist); @@ -1239,100 +1239,10 @@ struct file *get_epoll_tfile_raw_ptr(struct file *file, int tfd, } #endif /* CONFIG_KCMP */ -/* - * Adds a new entry to the tail of the list in a lockless way, i.e. - * multiple CPUs are allowed to call this function concurrently. - * - * Beware: it is necessary to prevent any other modifications of the - * existing list until all changes are completed, in other words - * concurrent list_add_tail_lockless() calls should be protected - * with a read lock, where write lock acts as a barrier which - * makes sure all list_add_tail_lockless() calls are fully - * completed. - * - * Also an element can be locklessly added to the list only in one - * direction i.e. either to the tail or to the head, otherwise - * concurrent access will corrupt the list. - * - * Return: %false if element has been already added to the list, %true - * otherwise. - */ -static inline bool list_add_tail_lockless(struct list_head *new, - struct list_head *head) -{ - struct list_head *prev; - - /* - * This is simple 'new->next = head' operation, but cmpxchg() - * is used in order to detect that same element has been just - * added to the list from another CPU: the winner observes - * new->next == new. - */ - if (!try_cmpxchg(&new->next, &new, head)) - return false; - - /* - * Initially ->next of a new element must be updated with the head - * (we are inserting to the tail) and only then pointers are atomically - * exchanged. XCHG guarantees memory ordering, thus ->next should be - * updated before pointers are actually swapped and pointers are - * swapped before prev->next is updated. - */ - - prev = xchg(&head->prev, new); - - /* - * It is safe to modify prev->next and new->prev, because a new element - * is added only to the tail and new->next is updated before XCHG. - */ - - prev->next = new; - new->prev = prev; - - return true; -} - -/* - * Chains a new epi entry to the tail of the ep->ovflist in a lockless way, - * i.e. multiple CPUs are allowed to call this function concurrently. - * - * Return: %false if epi element has been already chained, %true otherwise. - */ -static inline bool chain_epi_lockless(struct epitem *epi) -{ - struct eventpoll *ep = epi->ep; - - /* Fast preliminary check */ - if (epi->next != EP_UNACTIVE_PTR) - return false; - - /* Check that the same epi has not been just chained from another CPU */ - if (cmpxchg(&epi->next, EP_UNACTIVE_PTR, NULL) != EP_UNACTIVE_PTR) - return false; - - /* Atomically exchange tail */ - epi->next = xchg(&ep->ovflist, epi); - - return true; -} - /* * This is the callback that is passed to the wait queue wakeup * mechanism. It is called by the stored file descriptors when they * have events to report. - * - * This callback takes a read lock in order not to contend with concurrent - * events from another file descriptor, thus all modifications to ->rdllist - * or ->ovflist are lockless. Read lock is paired with the write lock from - * ep_start/done_scan(), which stops all list modifications and guarantees - * that lists state is seen correctly. - * - * Another thing worth to mention is that ep_poll_callback() can be called - * concurrently for the same @epi from different CPUs if poll table was inited - * with several wait queues entries. Plural wakeup from different CPUs of a - * single wait queue is serialized by wq.lock, but the case when multiple wait - * queues are used should be detected accordingly. This is detected using - * cmpxchg() operation. */ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, void *key) { @@ -1343,7 +1253,7 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v unsigned long flags; int ewake = 0; - read_lock_irqsave(&ep->lock, flags); + spin_lock_irqsave(&ep->lock, flags); ep_set_busy_poll_napi_id(epi); @@ -1372,12 +1282,15 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v * chained in ep->ovflist and requeued later on. */ if (READ_ONCE(ep->ovflist) != EP_UNACTIVE_PTR) { - if (chain_epi_lockless(epi)) + if (epi->next == EP_UNACTIVE_PTR) { + epi->next = READ_ONCE(ep->ovflist); + WRITE_ONCE(ep->ovflist, epi); ep_pm_stay_awake_rcu(epi); + } } else if (!ep_is_linked(epi)) { /* In the usual case, add event to ready list. */ - if (list_add_tail_lockless(&epi->rdllink, &ep->rdllist)) - ep_pm_stay_awake_rcu(epi); + list_add_tail(&epi->rdllink, &ep->rdllist); + ep_pm_stay_awake_rcu(epi); } /* @@ -1410,7 +1323,7 @@ static int ep_poll_callback(wait_queue_entry_t *wait, unsigned mode, int sync, v pwake++; out_unlock: - read_unlock_irqrestore(&ep->lock, flags); + spin_unlock_irqrestore(&ep->lock, flags); /* We have to call this outside the lock */ if (pwake) @@ -1745,7 +1658,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, } /* We have to drop the new item inside our item list to keep track of it */ - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* record NAPI ID of new item if present */ ep_set_busy_poll_napi_id(epi); @@ -1762,7 +1675,7 @@ static int ep_insert(struct eventpoll *ep, const struct epoll_event *event, pwake++; } - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); /* We have to call this outside the lock */ if (pwake) @@ -1826,7 +1739,7 @@ static int ep_modify(struct eventpoll *ep, struct epitem *epi, * list, push it inside. */ if (ep_item_poll(epi, &pt, 1)) { - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); if (!ep_is_linked(epi)) { list_add_tail(&epi->rdllink, &ep->rdllist); ep_pm_stay_awake(epi); @@ -1837,7 +1750,7 @@ static int ep_modify(struct eventpoll *ep, struct epitem *epi, if (waitqueue_active(&ep->poll_wait)) pwake++; } - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } /* We have to call this outside the lock */ @@ -2089,7 +2002,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, init_wait(&wait); wait.func = ep_autoremove_wake_function; - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* * Barrierless variant, waitqueue_active() is called under * the same lock on wakeup ep_poll_callback() side, so it @@ -2108,7 +2021,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, if (!eavail) __add_wait_queue_exclusive(&ep->wq, &wait); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); if (!eavail) timed_out = !ep_schedule_timeout(to) || @@ -2124,7 +2037,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, eavail = 1; if (!list_empty_careful(&wait.entry)) { - write_lock_irq(&ep->lock); + spin_lock_irq(&ep->lock); /* * If the thread timed out and is not on the wait queue, * it means that the thread was woken up after its @@ -2135,7 +2048,7 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, if (timed_out) eavail = list_empty(&wait.entry); __remove_wait_queue(&ep->wq, &wait); - write_unlock_irq(&ep->lock); + spin_unlock_irq(&ep->lock); } } }

2 weeks, 5 days

2
1
0 0

Re: stable 6.6: commit "sched/cpufreq: Rework schedutil governor performance estimation' causes a regression

by Sergey Senozhatsky

On (25/11/21 12:55), Sergey Senozhatsky wrote: > Hi Christian, > > On (25/11/20 10:15), Christian Loehle wrote: > > On 11/20/25 04:45, Sergey Senozhatsky wrote: > > > Hi, > > > > > > We are observing a performance regression on one of our arm64 boards. > > > We tracked it down to the linux-6.6.y commit ada8d7fa0ad4 ("sched/cpufreq: > > > Rework schedutil governor performance estimation"). > > > > > > UI speedometer benchmark: > > > w/commit: 395 +/-38 > > > w/o commit: 439 +/-14 > > > > > > > Hi Sergey, > > Would be nice to get some details. What board? > > It's an MT8196 chromebook. > > > What do the OPPs look like? > > How do I find that out? > > > Does this system use uclamp during the benchmark? How? > > How do I find that out? > > > Given how large the stddev given by speedometer (version 3?) itself is, can we get the > > stats of a few runs? > > v2.1 > > w/o patch w/ patch > 440 +/-30 406 +/-11 > 440 +/-14 413 +/-16 > 444 +/-12 403 +/-14 > 442 +/-12 412 +/-15 > > > Maybe traces of cpu_frequency for both w/ and w/o? > > trace-cmd record -e power:cpu_frequency attached. > > "base" is with ada8d7fa0ad4 > "revert" is ada8d7fa0ad4 reverted. Am getting failed delivery notifications. I guess attaching those as text files wasn't a good idea after all. Vincent, Christian, did you receive that email?

2 weeks, 5 days

2
1
0 0

[PATCH] drm/amdgpu: Fix error handling in amdgpu_atpx_detect

by Ma Ke

amdgpu_atpx_detect() uses pci_get_class() in two while loops to iterate through VGA and OTHER display class PCI devices. Each call to pci_get_class() increments the reference count of the returned PCI device. However, after the loops complete, there are no corresponding pci_dev_put() to decrement these reference counts. Add pci_dev_put() after each while loop to release reference counts held by the last devices found in each class. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 5d30ed3c2c74 ("Revert "drm/amdgpu: simplify ATPX detection"") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c index 3893e6fc2f03..9eb776a2e8bb 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c @@ -617,6 +617,9 @@ static bool amdgpu_atpx_detect(void) amdgpu_atpx_get_quirks(pdev); } + pci_dev_put(pdev); + pdev = NULL; + while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) { vga_count++; @@ -627,6 +630,8 @@ static bool amdgpu_atpx_detect(void) amdgpu_atpx_get_quirks(pdev); } + pci_dev_put(pdev); + if (has_atpx && vga_count == 2) { acpi_get_name(amdgpu_atpx_priv.atpx.handle, ACPI_FULL_PATHNAME, &buffer); pr_info("vga_switcheroo: detected switching method %s handle\n", -- 2.17.1

2 weeks, 5 days

2
1
0 0

Cost-effective PCB

by sales09＠found-pcb.com

Dear Manager, I am Windy from Found Printed circuits board, which is a professional PCB manufacturer in China. Learned that you are specializing in PCB, you might want to get some supplier sources from China and we would be one of your good options. Please find our profile highlights as following: 1. Products range PCB up to 14 layers, Aluminum PCB, High Frequency Board, Carbon Board, Rigid-flex Board…… Material range: FR-4 (130TG-180TG), CEM1, Rogers, Aluminum Based…… Technology Capability: Min. 3mil/3mil Trace/space, 4 mil Smallest Drill Size…… 2. Qualified System ISO 9001 ISO 14001 TS 16949 UL：E361831 3. Excellent customer service and quick response. We can send you quotes and inquiry responses in two hours or less. If you want to know more details, pls feel free to contact me. Kindly send us gerber for quotation. Thanks for your time! Best Regards Windy Shenzhen Found Printed Circuit Board Co., Ltd TEL:+86-0755-36521149 FAX:+86-0755-29603824 Website: www.found-pcb.com

2 weeks, 5 days

1
0
0 0

[PATCH 6.6.y] net: stmmac: Fix accessing freed irq affinity_hint

by Rajani Kantha

From: Qingfang Deng <dqfext(a)gmail.com> [ Upstream commit c60d101a226f18e9a8f01bb4c6ca2b47dfcb15ef ] The cpumask should not be a local variable, since its pointer is saved to irq_desc and may be accessed from procfs. To fix it, use the persistent mask cpumask_of(cpu#). Cc: stable(a)vger.kernel.org Fixes: 8deec94c6040 ("net: stmmac: set IRQ affinity hint for multi MSI vectors") Signed-off-by: Qingfang Deng <dqfext(a)gmail.com> Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com> Link: https://patch.msgid.link/20250318032424.112067-1-dqfext@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Rajani Kantha <681739313(a)139.com> --- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c index f3155d69a013..aded4fb61345 100644 --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -3516,7 +3516,6 @@ static int stmmac_request_irq_multi_msi(struct net_device *dev) { struct stmmac_priv *priv = netdev_priv(dev); enum request_irq_err irq_err; - cpumask_t cpu_mask; int irq_idx = 0; char *int_name; int ret; @@ -3628,9 +3627,8 @@ static int stmmac_request_irq_multi_msi(struct net_device *dev) irq_idx = i; goto irq_error; } - cpumask_clear(&cpu_mask); - cpumask_set_cpu(i % num_online_cpus(), &cpu_mask); - irq_set_affinity_hint(priv->rx_irq[i], &cpu_mask); + irq_set_affinity_hint(priv->rx_irq[i], + cpumask_of(i % num_online_cpus())); } /* Request Tx MSI irq */ @@ -3653,9 +3651,8 @@ static int stmmac_request_irq_multi_msi(struct net_device *dev) irq_idx = i; goto irq_error; } - cpumask_clear(&cpu_mask); - cpumask_set_cpu(i % num_online_cpus(), &cpu_mask); - irq_set_affinity_hint(priv->tx_irq[i], &cpu_mask); + irq_set_affinity_hint(priv->tx_irq[i], + cpumask_of(i % num_online_cpus())); } return 0; -- 2.17.1

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] KVM: VMX: Fix check for valid GVA on an EPT violation" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x d0164c161923ac303bd843e04ebe95cfd03c6e19 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112016-chatter-plutonium-baf8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d0164c161923ac303bd843e04ebe95cfd03c6e19 Mon Sep 17 00:00:00 2001 From: Sukrit Bhatnagar <Sukrit.Bhatnagar(a)sony.com> Date: Thu, 6 Nov 2025 14:28:51 +0900 Subject: [PATCH] KVM: VMX: Fix check for valid GVA on an EPT violation On an EPT violation, bit 7 of the exit qualification is set if the guest linear-address is valid. The derived page fault error code should not be checked for this bit. Fixes: f3009482512e ("KVM: VMX: Set PFERR_GUEST_{FINAL,PAGE}_MASK if and only if the GVA is valid") Cc: stable(a)vger.kernel.org Signed-off-by: Sukrit Bhatnagar <Sukrit.Bhatnagar(a)sony.com> Reviewed-by: Xiaoyao Li <xiaoyao.li(a)intel.com> Link: https://patch.msgid.link/20251106052853.3071088-1-Sukrit.Bhatnagar@sony.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/common.h b/arch/x86/kvm/vmx/common.h index bc5ece76533a..412d0829d7a2 100644 --- a/arch/x86/kvm/vmx/common.h +++ b/arch/x86/kvm/vmx/common.h @@ -98,7 +98,7 @@ static inline int __vmx_handle_ept_violation(struct kvm_vcpu *vcpu, gpa_t gpa, error_code |= (exit_qualification & EPT_VIOLATION_PROT_MASK) ? PFERR_PRESENT_MASK : 0; - if (error_code & EPT_VIOLATION_GVA_IS_VALID) + if (exit_qualification & EPT_VIOLATION_GVA_IS_VALID) error_code |= (exit_qualification & EPT_VIOLATION_GVA_TRANSLATED) ? PFERR_GUEST_FINAL_MASK : PFERR_GUEST_PAGE_MASK;

2 weeks, 5 days

3
3
0 0

Bounce probe for stable@vger.kernel.org (no action required)

by stable+owner＠vger.kernel.org

Greetings! This is the mlmmj program managing the <stable(a)vger.kernel.org> mailing list. Your mail host rejected some of the messages we tried to deliver. This usually happens if we have accepted a spam message, but your mail server refused to take it from us (because it's spam). This automated probe is just a test to make sure that there are no other problems with mail delivery to your account. No action is required on your part -- if you are seeing this message, that means everything is normal. (In fact, you can add "Subject: Bounce probe" to your filters to avoid seeing this message in the future.) For internal tracking purposes, here is the list of bounced messages: - 195455 - 195456

2 weeks, 5 days

1
0
0 0

[PATCH 6.6.y] f2fs: fix to avoid overflow while left shift operation

by Rajani Kantha

From: Chao Yu <chao(a)kernel.org> [ Upstream commit 0fe1c6bec54ea68ed8c987b3890f2296364e77bb ] Should cast type of folio->index from pgoff_t to loff_t to avoid overflow while left shift operation. Fixes: 3265d3db1f16 ("f2fs: support partial truncation on compressed inode") Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [ Modification: Using rpages[i]->index instead of folio->index due to it was changed since commit:1cda5bc0b2fe ("f2fs: Use a folio in f2fs_truncate_partial_cluster()") on 6.14 ] Signed-off-by: Rajani Kantha <681739313(a)139.com> --- fs/f2fs/compress.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c index e962de4ecaa2..c3b2f78ca4e3 100644 --- a/fs/f2fs/compress.c +++ b/fs/f2fs/compress.c @@ -1209,7 +1209,7 @@ int f2fs_truncate_partial_cluster(struct inode *inode, u64 from, bool lock) int i; for (i = cluster_size - 1; i >= 0; i--) { - loff_t start = rpages[i]->index << PAGE_SHIFT; + loff_t start = (loff_t)rpages[i]->index << PAGE_SHIFT; if (from <= start) { zero_user_segment(rpages[i], 0, PAGE_SIZE); -- 2.17.1

2 weeks, 5 days

1
0
0 0

stable 6.6: commit "sched/cpufreq: Rework schedutil governor performance estimation' causes a regression

by Sergey Senozhatsky

Hi, We are observing a performance regression on one of our arm64 boards. We tracked it down to the linux-6.6.y commit ada8d7fa0ad4 ("sched/cpufreq: Rework schedutil governor performance estimation"). UI speedometer benchmark: w/commit: 395 +/-38 w/o commit: 439 +/-14

2 weeks, 5 days

3
3
0 0

FAILED: patch "[PATCH] net: netpoll: fix incorrect refcount handling causing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112011-candied-surrogate-885f@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 7 Nov 2025 06:03:37 -0800 Subject: [PATCH] net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. Cc: <stable(a)vger.kernel.org> # 3.17.x Cc: Jay Vosburgh <jv(a)jvosburgh.net> Fixes: efa95b01da18 ("netpoll: fix use after free") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@deb… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/core/netpoll.c b/net/core/netpoll.c index c85f740065fc..331764845e8f 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -811,6 +811,10 @@ static void __netpoll_cleanup(struct netpoll *np) if (!npinfo) return; + /* At this point, there is a single npinfo instance per netdevice, and + * its refcnt tracks how many netpoll structures are linked to it. We + * only perform npinfo cleanup when the refcnt decrements to zero. + */ if (refcount_dec_and_test(&npinfo->refcnt)) { const struct net_device_ops *ops; @@ -820,8 +824,7 @@ static void __netpoll_cleanup(struct netpoll *np) RCU_INIT_POINTER(np->dev->npinfo, NULL); call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info); - } else - RCU_INIT_POINTER(np->dev->npinfo, NULL); + } skb_pool_flush(np); }

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] ASoC: da7213: Use component driver suspend/resume" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 249d96b492efb7a773296ab2c62179918301c146 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112057-rubble-coleslaw-6ad1@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 249d96b492efb7a773296ab2c62179918301c146 Mon Sep 17 00:00:00 2001 From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Date: Tue, 4 Nov 2025 13:49:14 +0200 Subject: [PATCH] ASoC: da7213: Use component driver suspend/resume Since snd_soc_suspend() is invoked through snd_soc_pm_ops->suspend(), and snd_soc_pm_ops is associated with the soc_driver (defined in sound/soc/soc-core.c), and there is no parent-child relationship between the soc_driver and the DA7213 codec driver, the power management subsystem does not enforce a specific suspend/resume order between the DA7213 driver and the soc_driver. Because of this, the different codec component functionalities, called from snd_soc_resume() to reconfigure various functions, can race with the DA7213 struct dev_pm_ops::resume function, leading to misapplied configuration. This occasionally results in clipped sound. Fix this by dropping the struct dev_pm_ops::{suspend, resume} and use instead struct snd_soc_component_driver::{suspend, resume}. This ensures the proper configuration sequence is handled by the ASoC subsystem. Cc: stable(a)vger.kernel.org Fixes: 431e040065c8 ("ASoC: da7213: Add suspend to RAM support") Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Link: https://patch.msgid.link/20251104114914.2060603-1-claudiu.beznea.uj@bp.rene… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/codecs/da7213.c b/sound/soc/codecs/da7213.c index ae89260ca215..3420011da444 100644 --- a/sound/soc/codecs/da7213.c +++ b/sound/soc/codecs/da7213.c @@ -2124,11 +2124,50 @@ static int da7213_probe(struct snd_soc_component *component) return 0; } +static int da7213_runtime_suspend(struct device *dev) +{ + struct da7213_priv *da7213 = dev_get_drvdata(dev); + + regcache_cache_only(da7213->regmap, true); + regcache_mark_dirty(da7213->regmap); + regulator_bulk_disable(DA7213_NUM_SUPPLIES, da7213->supplies); + + return 0; +} + +static int da7213_runtime_resume(struct device *dev) +{ + struct da7213_priv *da7213 = dev_get_drvdata(dev); + int ret; + + ret = regulator_bulk_enable(DA7213_NUM_SUPPLIES, da7213->supplies); + if (ret < 0) + return ret; + regcache_cache_only(da7213->regmap, false); + return regcache_sync(da7213->regmap); +} + +static int da7213_suspend(struct snd_soc_component *component) +{ + struct da7213_priv *da7213 = snd_soc_component_get_drvdata(component); + + return da7213_runtime_suspend(da7213->dev); +} + +static int da7213_resume(struct snd_soc_component *component) +{ + struct da7213_priv *da7213 = snd_soc_component_get_drvdata(component); + + return da7213_runtime_resume(da7213->dev); +} + static const struct snd_soc_component_driver soc_component_dev_da7213 = { .probe = da7213_probe, .set_bias_level = da7213_set_bias_level, .controls = da7213_snd_controls, .num_controls = ARRAY_SIZE(da7213_snd_controls), + .suspend = da7213_suspend, + .resume = da7213_resume, .dapm_widgets = da7213_dapm_widgets, .num_dapm_widgets = ARRAY_SIZE(da7213_dapm_widgets), .dapm_routes = da7213_audio_map, @@ -2175,6 +2214,8 @@ static int da7213_i2c_probe(struct i2c_client *i2c) if (!da7213->fin_min_rate) return -EINVAL; + da7213->dev = &i2c->dev; + i2c_set_clientdata(i2c, da7213); /* Get required supplies */ @@ -2224,31 +2265,9 @@ static void da7213_i2c_remove(struct i2c_client *i2c) pm_runtime_disable(&i2c->dev); } -static int da7213_runtime_suspend(struct device *dev) -{ - struct da7213_priv *da7213 = dev_get_drvdata(dev); - - regcache_cache_only(da7213->regmap, true); - regcache_mark_dirty(da7213->regmap); - regulator_bulk_disable(DA7213_NUM_SUPPLIES, da7213->supplies); - - return 0; -} - -static int da7213_runtime_resume(struct device *dev) -{ - struct da7213_priv *da7213 = dev_get_drvdata(dev); - int ret; - - ret = regulator_bulk_enable(DA7213_NUM_SUPPLIES, da7213->supplies); - if (ret < 0) - return ret; - regcache_cache_only(da7213->regmap, false); - return regcache_sync(da7213->regmap); -} - -static DEFINE_RUNTIME_DEV_PM_OPS(da7213_pm, da7213_runtime_suspend, - da7213_runtime_resume, NULL); +static const struct dev_pm_ops da7213_pm = { + RUNTIME_PM_OPS(da7213_runtime_suspend, da7213_runtime_resume, NULL) +}; static const struct i2c_device_id da7213_i2c_id[] = { { "da7213" }, diff --git a/sound/soc/codecs/da7213.h b/sound/soc/codecs/da7213.h index b9ab791d6b88..29cbf0eb6124 100644 --- a/sound/soc/codecs/da7213.h +++ b/sound/soc/codecs/da7213.h @@ -595,6 +595,7 @@ enum da7213_supplies { /* Codec private data */ struct da7213_priv { struct regmap *regmap; + struct device *dev; struct mutex ctrl_lock; struct regulator_bulk_data supplies[DA7213_NUM_SUPPLIES]; struct clk *mclk;

2 weeks, 5 days

2
2
0 0

FAILED: patch "[PATCH] net: netpoll: fix incorrect refcount handling causing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112010-elm-hardwired-dce7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 7 Nov 2025 06:03:37 -0800 Subject: [PATCH] net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. Cc: <stable(a)vger.kernel.org> # 3.17.x Cc: Jay Vosburgh <jv(a)jvosburgh.net> Fixes: efa95b01da18 ("netpoll: fix use after free") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@deb… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/core/netpoll.c b/net/core/netpoll.c index c85f740065fc..331764845e8f 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -811,6 +811,10 @@ static void __netpoll_cleanup(struct netpoll *np) if (!npinfo) return; + /* At this point, there is a single npinfo instance per netdevice, and + * its refcnt tracks how many netpoll structures are linked to it. We + * only perform npinfo cleanup when the refcnt decrements to zero. + */ if (refcount_dec_and_test(&npinfo->refcnt)) { const struct net_device_ops *ops; @@ -820,8 +824,7 @@ static void __netpoll_cleanup(struct netpoll *np) RCU_INIT_POINTER(np->dev->npinfo, NULL); call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info); - } else - RCU_INIT_POINTER(np->dev->npinfo, NULL); + } skb_pool_flush(np); }

2 weeks, 5 days

2
1
0 0

【要確認】本人確認が必要な状況が発生しています

by サポートセンター

━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Amazon.co.jp カスタマーサービス ━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 【重要】アカウント利用に関する確認のお願い平素より Amazon.co.jp サービスをご利用いただき、誠にありがとうございます。お客様のアカウントにおいて、通常とは異なる操作が検出されました。安全のため、本人確認が必要な状況となっております。確認が完了するまで、一部のサービスが制限される場合があります。 ◆ 確認が必要となった理由 ※最近のアカウントアクセスに不審な操作が検出されました。 ※不正利用防止および取引保護のため、本人確認が必要です。 ◆ 手続きの流れ下記リンクより本人確認ページを開いてください。指示に従い、必要事項をご入力ください。完了後、制限されていた機能が通常通りご利用いただけます。 ▼ 本人確認はこちら https://zombie-pc.com/wpiaqhkf8 ◆ ご注意事項 ※確認が行われない場合、アカウントの一時制限が継続されます。 ※セキュリティ向上のため、パスワード変更や二段階認証の設定を推奨します。 ※身に覚えのない取引や不審な操作がある場合は、速やかにカスタマーサービスへご連絡ください。このメールはアカウント保護を目的として自動送信されています。ご返信いただいてもお答えできませんのでご了承ください。 ※ 2025 Amazon Japan G.K. / Amazon.co.jp ━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] net: netpoll: fix incorrect refcount handling causing" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112008-harddisk-preseason-c83e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 7 Nov 2025 06:03:37 -0800 Subject: [PATCH] net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. Cc: <stable(a)vger.kernel.org> # 3.17.x Cc: Jay Vosburgh <jv(a)jvosburgh.net> Fixes: efa95b01da18 ("netpoll: fix use after free") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@deb… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/core/netpoll.c b/net/core/netpoll.c index c85f740065fc..331764845e8f 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -811,6 +811,10 @@ static void __netpoll_cleanup(struct netpoll *np) if (!npinfo) return; + /* At this point, there is a single npinfo instance per netdevice, and + * its refcnt tracks how many netpoll structures are linked to it. We + * only perform npinfo cleanup when the refcnt decrements to zero. + */ if (refcount_dec_and_test(&npinfo->refcnt)) { const struct net_device_ops *ops; @@ -820,8 +824,7 @@ static void __netpoll_cleanup(struct netpoll *np) RCU_INIT_POINTER(np->dev->npinfo, NULL); call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info); - } else - RCU_INIT_POINTER(np->dev->npinfo, NULL); + } skb_pool_flush(np); }

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a28352cf2d2f8380e7aca8cb61682396dca7a991 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112055-suspense-expiring-db69@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a28352cf2d2f8380e7aca8cb61682396dca7a991 Mon Sep 17 00:00:00 2001 From: Shawn Lin <shawn.lin(a)rock-chips.com> Date: Mon, 20 Oct 2025 09:49:41 +0800 Subject: [PATCH] mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 strbin signal delay under 0x8 configuration is not stable after massive test. The recommandation of it should be 0x4. Signed-off-by: Shawn Lin <shawn.lin(a)rock-chips.com> Tested-by: Alexey Charkov <alchark(a)gmail.com> Tested-by: Hugh Cole-Baker <sigmaris(a)gmail.com> Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support") Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/mmc/host/sdhci-of-dwcmshc.c b/drivers/mmc/host/sdhci-of-dwcmshc.c index eebd45389956..5b61401a7f3d 100644 --- a/drivers/mmc/host/sdhci-of-dwcmshc.c +++ b/drivers/mmc/host/sdhci-of-dwcmshc.c @@ -94,7 +94,7 @@ #define DLL_TXCLK_TAPNUM_DEFAULT 0x10 #define DLL_TXCLK_TAPNUM_90_DEGREES 0xA #define DLL_TXCLK_TAPNUM_FROM_SW BIT(24) -#define DLL_STRBIN_TAPNUM_DEFAULT 0x8 +#define DLL_STRBIN_TAPNUM_DEFAULT 0x4 #define DLL_STRBIN_TAPNUM_FROM_SW BIT(24) #define DLL_STRBIN_DELAY_NUM_SEL BIT(26) #define DLL_STRBIN_DELAY_NUM_OFFSET 16

2 weeks, 5 days

2
1
0 0

FAILED: patch "[PATCH] net: netpoll: fix incorrect refcount handling causing" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112007-gyration-fifty-ac52@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 7 Nov 2025 06:03:37 -0800 Subject: [PATCH] net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. Cc: <stable(a)vger.kernel.org> # 3.17.x Cc: Jay Vosburgh <jv(a)jvosburgh.net> Fixes: efa95b01da18 ("netpoll: fix use after free") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@deb… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/core/netpoll.c b/net/core/netpoll.c index c85f740065fc..331764845e8f 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -811,6 +811,10 @@ static void __netpoll_cleanup(struct netpoll *np) if (!npinfo) return; + /* At this point, there is a single npinfo instance per netdevice, and + * its refcnt tracks how many netpoll structures are linked to it. We + * only perform npinfo cleanup when the refcnt decrements to zero. + */ if (refcount_dec_and_test(&npinfo->refcnt)) { const struct net_device_ops *ops; @@ -820,8 +824,7 @@ static void __netpoll_cleanup(struct netpoll *np) RCU_INIT_POINTER(np->dev->npinfo, NULL); call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info); - } else - RCU_INIT_POINTER(np->dev->npinfo, NULL); + } skb_pool_flush(np); }

2 weeks, 5 days

2
1
0 0

[PATCH 1/2] drm/xe: Silence allocation warnings for sync arrays

by Shuicheng Lin

args->num_syncs comes from userspace and may be large or fuzzed. When kcalloc() attempts a large allocation, the allocator may emit warning like below, even though the driver already returns -ENOMEM safely. Suppress it by using __GFP_NOWARN when allocating the sync array. " WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 ... Call Trace: <TASK> alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kmalloc_array_noprof include/linux/slab.h:948 [inline] xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... " Reported-by: Koen Koning <koen.koning(a)intel.com> Reported-by: Peter Senna Tschudin <peter.senna(a)linux.intel.com> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6450 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: <stable(a)vger.kernel.org> # v6.12+ Cc: Matthew Brost <matthew.brost(a)intel.com> Signed-off-by: Shuicheng Lin <shuicheng.lin(a)intel.com> --- drivers/gpu/drm/xe/xe_exec.c | 3 ++- drivers/gpu/drm/xe/xe_vm.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_exec.c b/drivers/gpu/drm/xe/xe_exec.c index 4d81210e41f5..7ef78a94e168 100644 --- a/drivers/gpu/drm/xe/xe_exec.c +++ b/drivers/gpu/drm/xe/xe_exec.c @@ -162,7 +162,8 @@ int xe_exec_ioctl(struct drm_device *dev, void *data, struct drm_file *file) } if (args->num_syncs) { - syncs = kcalloc(args->num_syncs, sizeof(*syncs), GFP_KERNEL); + syncs = kcalloc(args->num_syncs, sizeof(*syncs), + GFP_KERNEL | __GFP_NOWARN); if (!syncs) { err = -ENOMEM; goto err_exec_queue; diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index f9989a7a710c..8cebf7285640 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -3640,7 +3640,8 @@ int xe_vm_bind_ioctl(struct drm_device *dev, void *data, struct drm_file *file) } if (args->num_syncs) { - syncs = kcalloc(args->num_syncs, sizeof(*syncs), GFP_KERNEL); + syncs = kcalloc(args->num_syncs, sizeof(*syncs), + GFP_KERNEL | __GFP_NOWARN); if (!syncs) { err = -ENOMEM; goto put_obj; -- 2.49.0

2 weeks, 5 days

1
0
0 0

[for-next][PATCH 04/16] rtla/timerlat_bpf: Stop tracing on user latency

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> rtla-timerlat allows a *thread* latency threshold to be set via the -T/--thread option. However, the timerlat tracer calls this *total* latency (stop_tracing_total_us), and stops tracing also when the return-to-user latency is over the threshold. Change the behavior of the timerlat BPF program to reflect what the timerlat tracer is doing, to avoid discrepancy between stopping collecting data in the BPF program and stopping tracing in the timerlat tracer. Cc: stable(a)vger.kernel.org Fixes: e34293ddcebd ("rtla/timerlat: Add BPF skeleton to collect samples") Reviewed-by: Wander Lairson Costa <wander(a)redhat.com> Link: https://lore.kernel.org/r/20251006143100.137255-1-tglozar@redhat.com Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> --- tools/tracing/rtla/src/timerlat.bpf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/tracing/rtla/src/timerlat.bpf.c b/tools/tracing/rtla/src/timerlat.bpf.c index 084cd10c21fc..e2265b5d6491 100644 --- a/tools/tracing/rtla/src/timerlat.bpf.c +++ b/tools/tracing/rtla/src/timerlat.bpf.c @@ -148,6 +148,9 @@ int handle_timerlat_sample(struct trace_event_raw_timerlat_sample *tp_args) } else { update_main_hist(&hist_user, bucket); update_summary(&summary_user, latency, bucket); + + if (thread_threshold != 0 && latency_us >= thread_threshold) + set_stop_tracing(); } return 0; -- 2.51.0

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x dc55b3c3f61246e483e50c85d8d5366f9567e188 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112036-abdominal-envelope-7ca0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From dc55b3c3f61246e483e50c85d8d5366f9567e188 Mon Sep 17 00:00:00 2001 From: Yosry Ahmed <yosry.ahmed(a)linux.dev> Date: Sat, 8 Nov 2025 00:45:19 +0000 Subject: [PATCH] KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated The APM lists the DbgCtlMsr field as being tracked by the VMCB_LBR clean bit. Always clear the bit when MSR_IA32_DEBUGCTLMSR is updated. The history is complicated, it was correctly cleared for L1 before commit 1d5a1b5860ed ("KVM: x86: nSVM: correctly virtualize LBR msrs when L2 is running"). At that point svm_set_msr() started to rely on svm_update_lbrv() to clear the bit, but when nested virtualization is enabled the latter does not always clear it even if MSR_IA32_DEBUGCTLMSR changed. Go back to clearing it directly in svm_set_msr(). Fixes: 1d5a1b5860ed ("KVM: x86: nSVM: correctly virtualize LBR msrs when L2 is running") Reported-by: Matteo Rizzo <matteorizzo(a)google.com> Reported-by: evn(a)google.com Co-developed-by: Jim Mattson <jmattson(a)google.com> Signed-off-by: Jim Mattson <jmattson(a)google.com> Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> Link: https://patch.msgid.link/20251108004524.1600006-2-yosry.ahmed@linux.dev Cc: stable(a)vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 76055c0ba177..39538098002b 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -3004,7 +3004,11 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) if (data & DEBUGCTL_RESERVED_BITS) return 1; + if (svm_get_lbr_vmcb(svm)->save.dbgctl == data) + break; + svm_get_lbr_vmcb(svm)->save.dbgctl = data; + vmcb_mark_dirty(svm->vmcb, VMCB_LBR); svm_update_lbrv(vcpu); break; case MSR_VM_HSAVE_PA:

2 weeks, 5 days

3
2
0 0

Re,

by Ms Jacq.

Please view the attached Microsoft word to read your email. Regards Ms Jacq.

2 weeks, 5 days

1
0
0 0

FAILED: patch "[PATCH] net: netpoll: fix incorrect refcount handling causing" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112006-author-harmony-d5f7@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 7 Nov 2025 06:03:37 -0800 Subject: [PATCH] net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. Cc: <stable(a)vger.kernel.org> # 3.17.x Cc: Jay Vosburgh <jv(a)jvosburgh.net> Fixes: efa95b01da18 ("netpoll: fix use after free") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@deb… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/core/netpoll.c b/net/core/netpoll.c index c85f740065fc..331764845e8f 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -811,6 +811,10 @@ static void __netpoll_cleanup(struct netpoll *np) if (!npinfo) return; + /* At this point, there is a single npinfo instance per netdevice, and + * its refcnt tracks how many netpoll structures are linked to it. We + * only perform npinfo cleanup when the refcnt decrements to zero. + */ if (refcount_dec_and_test(&npinfo->refcnt)) { const struct net_device_ops *ops; @@ -820,8 +824,7 @@ static void __netpoll_cleanup(struct netpoll *np) RCU_INIT_POINTER(np->dev->npinfo, NULL); call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info); - } else - RCU_INIT_POINTER(np->dev->npinfo, NULL); + } skb_pool_flush(np); }

2 weeks, 6 days

2
4
0 0

FAILED: patch "[PATCH] mm/huge_memory: preserve PG_has_hwpoisoned if a folio is" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x fa5a061700364bc28ee1cb1095372f8033645dcb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112056-isolating-punisher-7be9@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fa5a061700364bc28ee1cb1095372f8033645dcb Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Wed, 22 Oct 2025 23:05:21 -0400 Subject: [PATCH] mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order folio split clears PG_has_hwpoisoned, but the flag should be preserved in after-split folios containing pages with PG_hwpoisoned flag if the folio is split to >0 order folios. Scan all pages in a to-be-split folio to determine which after-split folios need the flag. An alternatives is to change PG_has_hwpoisoned to PG_maybe_hwpoisoned to avoid the scan and set it on all after-split folios, but resulting false positive has undesirable negative impact. To remove false positive, caller of folio_test_has_hwpoisoned() and folio_contain_hwpoisoned_page() needs to do the scan. That might be causing a hassle for current and future callers and more costly than doing the scan in the split code. More details are discussed in [1]. This issue can be exposed via: 1. splitting a has_hwpoisoned folio to >0 order from debugfs interface; 2. truncating part of a has_hwpoisoned folio in truncate_inode_partial_folio(). And later accesses to a hwpoisoned page could be possible due to the missing has_hwpoisoned folio flag. This will lead to MCE errors. Link: https://lore.kernel.org/all/CAHbLzkoOZm0PXxE9qwtF4gKR=cpRXrSrJ9V9Pm2DJexs98… [1] Link: https://lkml.kernel.org/r/20251023030521.473097-1-ziy@nvidia.com Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Lance Yang <lance.yang(a)linux.dev> Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com> Reviewed-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Reviewed-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Pankaj Raghav <kernel(a)pankajraghav.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Luis Chamberalin <mcgrof(a)kernel.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Nico Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index feac4aef7dfb..b4ff49d96501 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3263,6 +3263,14 @@ bool can_split_folio(struct folio *folio, int caller_pins, int *pextra_pins) caller_pins; } +static bool page_range_has_hwpoisoned(struct page *page, long nr_pages) +{ + for (; nr_pages; page++, nr_pages--) + if (PageHWPoison(page)) + return true; + return false; +} + /* * It splits @folio into @new_order folios and copies the @folio metadata to * all the resulting folios. @@ -3270,17 +3278,24 @@ bool can_split_folio(struct folio *folio, int caller_pins, int *pextra_pins) static void __split_folio_to_order(struct folio *folio, int old_order, int new_order) { + /* Scan poisoned pages when split a poisoned folio to large folios */ + const bool handle_hwpoison = folio_test_has_hwpoisoned(folio) && new_order; long new_nr_pages = 1 << new_order; long nr_pages = 1 << old_order; long i; + folio_clear_has_hwpoisoned(folio); + + /* Check first new_nr_pages since the loop below skips them */ + if (handle_hwpoison && + page_range_has_hwpoisoned(folio_page(folio, 0), new_nr_pages)) + folio_set_has_hwpoisoned(folio); /* * Skip the first new_nr_pages, since the new folio from them have all * the flags from the original folio. */ for (i = new_nr_pages; i < nr_pages; i += new_nr_pages) { struct page *new_head = &folio->page + i; - /* * Careful: new_folio is not a "real" folio before we cleared PageTail. * Don't pass it around before clear_compound_head(). @@ -3322,6 +3337,10 @@ static void __split_folio_to_order(struct folio *folio, int old_order, (1L << PG_dirty) | LRU_GEN_MASK | LRU_REFS_MASK)); + if (handle_hwpoison && + page_range_has_hwpoisoned(new_head, new_nr_pages)) + folio_set_has_hwpoisoned(new_folio); + new_folio->mapping = folio->mapping; new_folio->index = folio->index + i; @@ -3422,8 +3441,6 @@ static int __split_unmapped_folio(struct folio *folio, int new_order, if (folio_test_anon(folio)) mod_mthp_stat(order, MTHP_STAT_NR_ANON, -1); - folio_clear_has_hwpoisoned(folio); - /* * split to new_order one order at a time. For uniform split, * folio is split to new_order directly.

2 weeks, 6 days

2
1
0 0

FAILED: patch "[PATCH] net: netpoll: fix incorrect refcount handling causing" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112005-polio-gratify-8d3b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 Mon Sep 17 00:00:00 2001 From: Breno Leitao <leitao(a)debian.org> Date: Fri, 7 Nov 2025 06:03:37 -0800 Subject: [PATCH] net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. Cc: <stable(a)vger.kernel.org> # 3.17.x Cc: Jay Vosburgh <jv(a)jvosburgh.net> Fixes: efa95b01da18 ("netpoll: fix use after free") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@deb… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/core/netpoll.c b/net/core/netpoll.c index c85f740065fc..331764845e8f 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -811,6 +811,10 @@ static void __netpoll_cleanup(struct netpoll *np) if (!npinfo) return; + /* At this point, there is a single npinfo instance per netdevice, and + * its refcnt tracks how many netpoll structures are linked to it. We + * only perform npinfo cleanup when the refcnt decrements to zero. + */ if (refcount_dec_and_test(&npinfo->refcnt)) { const struct net_device_ops *ops; @@ -820,8 +824,7 @@ static void __netpoll_cleanup(struct netpoll *np) RCU_INIT_POINTER(np->dev->npinfo, NULL); call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info); - } else - RCU_INIT_POINTER(np->dev->npinfo, NULL); + } skb_pool_flush(np); }

2 weeks, 6 days

2
3
0 0

FAILED: patch "[PATCH] mm/huge_memory: do not change split_huge_page*() target order" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 77008e1b2ef73249bceb078a321a3ff6bc087afb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112015-revolving-professed-8d2d@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 77008e1b2ef73249bceb078a321a3ff6bc087afb Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Thu, 16 Oct 2025 21:36:30 -0400 Subject: [PATCH] mm/huge_memory: do not change split_huge_page*() target order silently Page cache folios from a file system that support large block size (LBS) can have minimal folio order greater than 0, thus a high order folio might not be able to be split down to order-0. Commit e220917fa507 ("mm: split a folio in minimum folio order chunks") bumps the target order of split_huge_page*() to the minimum allowed order when splitting a LBS folio. This causes confusion for some split_huge_page*() callers like memory failure handling code, since they expect after-split folios all have order-0 when split succeeds but in reality get min_order_for_split() order folios and give warnings. Fix it by failing a split if the folio cannot be split to the target order. Rename try_folio_split() to try_folio_split_to_order() to reflect the added new_order parameter. Remove its unused list parameter. [The test poisons LBS folios, which cannot be split to order-0 folios, and also tries to poison all memory. The non split LBS folios take more memory than the test anticipated, leading to OOM. The patch fixed the kernel warning and the test needs some change to avoid OOM.] Link: https://lkml.kernel.org/r/20251017013630.139907-1-ziy@nvidia.com Fixes: e220917fa507 ("mm: split a folio in minimum folio order chunks") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reported-by: syzbot+e6367ea2fdab6ed46056(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68d2c943.a70a0220.1b52b.02b3.GAE@google.com/ Reviewed-by: Luis Chamberlain <mcgrof(a)kernel.org> Reviewed-by: Pankaj Raghav <p.raghav(a)samsung.com> Reviewed-by: Wei Yang <richard.weiyang(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Lance Yang <lance.yang(a)linux.dev> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h index f327d62fc985..71ac78b9f834 100644 --- a/include/linux/huge_mm.h +++ b/include/linux/huge_mm.h @@ -376,45 +376,30 @@ bool non_uniform_split_supported(struct folio *folio, unsigned int new_order, int folio_split(struct folio *folio, unsigned int new_order, struct page *page, struct list_head *list); /* - * try_folio_split - try to split a @folio at @page using non uniform split. + * try_folio_split_to_order - try to split a @folio at @page to @new_order using + * non uniform split. * @folio: folio to be split - * @page: split to order-0 at the given page - * @list: store the after-split folios + * @page: split to @new_order at the given page + * @new_order: the target split order * - * Try to split a @folio at @page using non uniform split to order-0, if - * non uniform split is not supported, fall back to uniform split. + * Try to split a @folio at @page using non uniform split to @new_order, if + * non uniform split is not supported, fall back to uniform split. After-split + * folios are put back to LRU list. Use min_order_for_split() to get the lower + * bound of @new_order. * * Return: 0: split is successful, otherwise split failed. */ -static inline int try_folio_split(struct folio *folio, struct page *page, - struct list_head *list) +static inline int try_folio_split_to_order(struct folio *folio, + struct page *page, unsigned int new_order) { - int ret = min_order_for_split(folio); - - if (ret < 0) - return ret; - - if (!non_uniform_split_supported(folio, 0, false)) - return split_huge_page_to_list_to_order(&folio->page, list, - ret); - return folio_split(folio, ret, page, list); + if (!non_uniform_split_supported(folio, new_order, /* warns= */ false)) + return split_huge_page_to_list_to_order(&folio->page, NULL, + new_order); + return folio_split(folio, new_order, page, NULL); } static inline int split_huge_page(struct page *page) { - struct folio *folio = page_folio(page); - int ret = min_order_for_split(folio); - - if (ret < 0) - return ret; - - /* - * split_huge_page() locks the page before splitting and - * expects the same page that has been split to be locked when - * returned. split_folio(page_folio(page)) cannot be used here - * because it converts the page to folio and passes the head - * page to be split. - */ - return split_huge_page_to_list_to_order(page, NULL, ret); + return split_huge_page_to_list_to_order(page, NULL, 0); } void deferred_split_folio(struct folio *folio, bool partially_mapped); @@ -597,14 +582,20 @@ static inline int split_huge_page(struct page *page) return -EINVAL; } +static inline int min_order_for_split(struct folio *folio) +{ + VM_WARN_ON_ONCE_FOLIO(1, folio); + return -EINVAL; +} + static inline int split_folio_to_list(struct folio *folio, struct list_head *list) { VM_WARN_ON_ONCE_FOLIO(1, folio); return -EINVAL; } -static inline int try_folio_split(struct folio *folio, struct page *page, - struct list_head *list) +static inline int try_folio_split_to_order(struct folio *folio, + struct page *page, unsigned int new_order) { VM_WARN_ON_ONCE_FOLIO(1, folio); return -EINVAL; diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 1d1b74950332..feac4aef7dfb 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3653,8 +3653,6 @@ static int __folio_split(struct folio *folio, unsigned int new_order, min_order = mapping_min_folio_order(folio->mapping); if (new_order < min_order) { - VM_WARN_ONCE(1, "Cannot split mapped folio below min-order: %u", - min_order); ret = -EINVAL; goto out; } @@ -3986,12 +3984,7 @@ int min_order_for_split(struct folio *folio) int split_folio_to_list(struct folio *folio, struct list_head *list) { - int ret = min_order_for_split(folio); - - if (ret < 0) - return ret; - - return split_huge_page_to_list_to_order(&folio->page, list, ret); + return split_huge_page_to_list_to_order(&folio->page, list, 0); } /* diff --git a/mm/truncate.c b/mm/truncate.c index 91eb92a5ce4f..9210cf808f5c 100644 --- a/mm/truncate.c +++ b/mm/truncate.c @@ -194,6 +194,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) size_t size = folio_size(folio); unsigned int offset, length; struct page *split_at, *split_at2; + unsigned int min_order; if (pos < start) offset = start - pos; @@ -223,8 +224,9 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) if (!folio_test_large(folio)) return true; + min_order = mapping_min_folio_order(folio->mapping); split_at = folio_page(folio, PAGE_ALIGN_DOWN(offset) / PAGE_SIZE); - if (!try_folio_split(folio, split_at, NULL)) { + if (!try_folio_split_to_order(folio, split_at, min_order)) { /* * try to split at offset + length to make sure folios within * the range can be dropped, especially to avoid memory waste @@ -254,7 +256,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) */ if (folio_test_large(folio2) && folio2->mapping == folio->mapping) - try_folio_split(folio2, split_at2, NULL); + try_folio_split_to_order(folio2, split_at2, min_order); folio_unlock(folio2); out:

2 weeks, 6 days

2
1
0 0

Vendor Registration Request 2025/2026

by Etihad Aviation Group

Attn: Sir/Madam, We are interested in your services and invite your company to register for Vendor/Contractor Partnership with Etihad Aviation Group for our 2025/2026 projects. If you wish to participate, please confirm your interest, and we will send the Vendor Questionnaire and EOI. Thank you. Kind Regards, Engr, Tami Hassan, Vendor Procurement & Contracts Shared Services Center Etihad Aviation Group PJSC

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] mm/secretmem: fix use-after-free race in fault handler" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 6f86d0534fddfbd08687fa0f01479d4226bc3c3d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112020-buddy-bobbed-3c5d@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6f86d0534fddfbd08687fa0f01479d4226bc3c3d Mon Sep 17 00:00:00 2001 From: Lance Yang <lance.yang(a)linux.dev> Date: Fri, 31 Oct 2025 20:09:55 +0800 Subject: [PATCH] mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed. Link: https://lkml.kernel.org/r/20251031120955.92116-1-lance.yang@linux.dev Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Reported-by: Google Big Sleep <big-sleep-vuln-reports(a)google.com> Closes: https://lore.kernel.org/linux-mm/CAEXGt5QeDpiHTu3K9tvjUTPqo+d-=wuCNYPa+6sWK… Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/secretmem.c b/mm/secretmem.c index 60137305bc20..b59350daffe3 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -82,13 +82,13 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf) __folio_mark_uptodate(folio); err = filemap_add_folio(mapping, folio, offset, gfp); if (unlikely(err)) { - folio_put(folio); /* * If a split of large page was required, it * already happened when we marked the page invalid * which guarantees that this call won't fail */ set_direct_map_default_noflush(folio_page(folio, 0)); + folio_put(folio); if (err == -EEXIST) goto retry;

2 weeks, 6 days

2
1
0 0

FAILED: patch "[PATCH] mm/secretmem: fix use-after-free race in fault handler" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 6f86d0534fddfbd08687fa0f01479d4226bc3c3d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112021-swept-idealness-9ecb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6f86d0534fddfbd08687fa0f01479d4226bc3c3d Mon Sep 17 00:00:00 2001 From: Lance Yang <lance.yang(a)linux.dev> Date: Fri, 31 Oct 2025 20:09:55 +0800 Subject: [PATCH] mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed. Link: https://lkml.kernel.org/r/20251031120955.92116-1-lance.yang@linux.dev Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Reported-by: Google Big Sleep <big-sleep-vuln-reports(a)google.com> Closes: https://lore.kernel.org/linux-mm/CAEXGt5QeDpiHTu3K9tvjUTPqo+d-=wuCNYPa+6sWK… Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/secretmem.c b/mm/secretmem.c index 60137305bc20..b59350daffe3 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -82,13 +82,13 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf) __folio_mark_uptodate(folio); err = filemap_add_folio(mapping, folio, offset, gfp); if (unlikely(err)) { - folio_put(folio); /* * If a split of large page was required, it * already happened when we marked the page invalid * which guarantees that this call won't fail */ set_direct_map_default_noflush(folio_page(folio, 0)); + folio_put(folio); if (err == -EEXIST) goto retry;

2 weeks, 6 days

2
1
0 0

FAILED: patch "[PATCH] mm/secretmem: fix use-after-free race in fault handler" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 6f86d0534fddfbd08687fa0f01479d4226bc3c3d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112022-curtly-unexpired-adae@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6f86d0534fddfbd08687fa0f01479d4226bc3c3d Mon Sep 17 00:00:00 2001 From: Lance Yang <lance.yang(a)linux.dev> Date: Fri, 31 Oct 2025 20:09:55 +0800 Subject: [PATCH] mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed. Link: https://lkml.kernel.org/r/20251031120955.92116-1-lance.yang@linux.dev Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Reported-by: Google Big Sleep <big-sleep-vuln-reports(a)google.com> Closes: https://lore.kernel.org/linux-mm/CAEXGt5QeDpiHTu3K9tvjUTPqo+d-=wuCNYPa+6sWK… Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/secretmem.c b/mm/secretmem.c index 60137305bc20..b59350daffe3 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -82,13 +82,13 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf) __folio_mark_uptodate(folio); err = filemap_add_folio(mapping, folio, offset, gfp); if (unlikely(err)) { - folio_put(folio); /* * If a split of large page was required, it * already happened when we marked the page invalid * which guarantees that this call won't fail */ set_direct_map_default_noflush(folio_page(folio, 0)); + folio_put(folio); if (err == -EEXIST) goto retry;

2 weeks, 6 days

2
1
0 0

FAILED: patch "[PATCH] KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 9d7dfb95da2cb5c1287df2f3468bcb70d8b31087 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025112027-ranch-retool-efaa@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9d7dfb95da2cb5c1287df2f3468bcb70d8b31087 Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Thu, 16 Oct 2025 11:21:47 -0700 Subject: [PATCH] KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add VMX exit handlers for SEAMCALL and TDCALL to inject a #UD if a non-TD guest attempts to execute SEAMCALL or TDCALL. Neither SEAMCALL nor TDCALL is gated by any software enablement other than VMXON, and so will generate a VM-Exit instead of e.g. a native #UD when executed from the guest kernel. Note! No unprivileged DoS of the L1 kernel is possible as TDCALL and SEAMCALL #GP at CPL > 0, and the CPL check is performed prior to the VMX non-root (VM-Exit) check, i.e. userspace can't crash the VM. And for a nested guest, KVM forwards unknown exits to L1, i.e. an L2 kernel can crash itself, but not L1. Note #2! The Intel® Trust Domain CPU Architectural Extensions spec's pseudocode shows the CPL > 0 check for SEAMCALL coming _after_ the VM-Exit, but that appears to be a documentation bug (likely because the CPL > 0 check was incorrectly bundled with other lower-priority #GP checks). Testing on SPR and EMR shows that the CPL > 0 check is performed before the VMX non-root check, i.e. SEAMCALL #GPs when executed in usermode. Note #3! The aforementioned Trust Domain spec uses confusing pseudocode that says that SEAMCALL will #UD if executed "inSEAM", but "inSEAM" specifically means in SEAM Root Mode, i.e. in the TDX-Module. The long- form description explicitly states that SEAMCALL generates an exit when executed in "SEAM VMX non-root operation". But that's a moot point as the TDX-Module injects #UD if the guest attempts to execute SEAMCALL, as documented in the "Unconditionally Blocked Instructions" section of the TDX-Module base specification. Cc: stable(a)vger.kernel.org Cc: Kai Huang <kai.huang(a)intel.com> Cc: Xiaoyao Li <xiaoyao.li(a)intel.com> Cc: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Binbin Wu <binbin.wu(a)linux.intel.com> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Reviewed-by: Binbin Wu <binbin.wu(a)linux.intel.com> Reviewed-by: Xiaoyao Li <xiaoyao.li(a)intel.com> Link: https://lore.kernel.org/r/20251016182148.69085-2-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h index 9792e329343e..1baa86dfe029 100644 --- a/arch/x86/include/uapi/asm/vmx.h +++ b/arch/x86/include/uapi/asm/vmx.h @@ -93,6 +93,7 @@ #define EXIT_REASON_TPAUSE 68 #define EXIT_REASON_BUS_LOCK 74 #define EXIT_REASON_NOTIFY 75 +#define EXIT_REASON_SEAMCALL 76 #define EXIT_REASON_TDCALL 77 #define EXIT_REASON_MSR_READ_IMM 84 #define EXIT_REASON_MSR_WRITE_IMM 85 diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 76271962cb70..bcea087b642f 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -6728,6 +6728,14 @@ static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu, case EXIT_REASON_NOTIFY: /* Notify VM exit is not exposed to L1 */ return false; + case EXIT_REASON_SEAMCALL: + case EXIT_REASON_TDCALL: + /* + * SEAMCALL and TDCALL unconditionally VM-Exit, but aren't + * virtualized by KVM for L1 hypervisors, i.e. L1 should + * never want or expect such an exit. + */ + return false; default: return true; } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index f87c216d976d..91b6f2f3edc2 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -6032,6 +6032,12 @@ static int handle_vmx_instruction(struct kvm_vcpu *vcpu) return 1; } +static int handle_tdx_instruction(struct kvm_vcpu *vcpu) +{ + kvm_queue_exception(vcpu, UD_VECTOR); + return 1; +} + #ifndef CONFIG_X86_SGX_KVM static int handle_encls(struct kvm_vcpu *vcpu) { @@ -6157,6 +6163,8 @@ static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = { [EXIT_REASON_ENCLS] = handle_encls, [EXIT_REASON_BUS_LOCK] = handle_bus_lock_vmexit, [EXIT_REASON_NOTIFY] = handle_notify, + [EXIT_REASON_SEAMCALL] = handle_tdx_instruction, + [EXIT_REASON_TDCALL] = handle_tdx_instruction, [EXIT_REASON_MSR_READ_IMM] = handle_rdmsr_imm, [EXIT_REASON_MSR_WRITE_IMM] = handle_wrmsr_imm, };

2 weeks, 6 days

2
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror