- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 404b739e895522838f1abdc340c554654d671dde # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111118-underfoot-footrest-44b3@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 404b739e895522838f1abdc340c554654d671dde Mon Sep 17 00:00:00 2001 From: Umang Jain <umang.jain(a)ideasonboard.com> Date: Wed, 16 Oct 2024 18:32:24 +0530 Subject: [PATCH] staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation The struct vchiq_arm_state 'platform_state' is currently allocated dynamically using kzalloc(). Unfortunately, it is never freed and is subjected to memory leaks in the error handling paths of the probe() function. To address the issue, use device resource management helper devm_kzalloc(), to ensure cleanup after its allocation. Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver") Cc: stable(a)vger.kernel.org Signed-off-by: Umang Jain <umang.jain(a)ideasonboard.com> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/20241016130225.61024-2-umang.jain@ideasonboard.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c index 3dbeffc650d3..0d8d5555e8af 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c @@ -593,7 +593,7 @@ vchiq_platform_init_state(struct vchiq_state *state) { struct vchiq_arm_state *platform_state; - platform_state = kzalloc(sizeof(*platform_state), GFP_KERNEL); + platform_state = devm_kzalloc(state->dev, sizeof(*platform_state), GFP_KERNEL); if (!platform_state) return -ENOMEM;

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: resolve faulty mmap_region() error path behaviour" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 5de195060b2e251a835f622759550e6202167641 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111146-dictator-subscript-3ec4@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5de195060b2e251a835f622759550e6202167641 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Tue, 29 Oct 2024 18:11:48 +0000 Subject: [PATCH] mm: resolve faulty mmap_region() error path behaviour The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here: 1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths. 2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite. 3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this. With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust. Link: https://lkml.kernel.org/r/6e0becb36d2f5472053ac5d544c0edfe9b899e25.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Tested-by: Mark Brown <broonie(a)kernel.org> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/mmap.c b/mm/mmap.c index aee5fa08ae5d..79d541f1502b 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1358,20 +1358,18 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len, return do_vmi_munmap(&vmi, mm, start, len, uf, false); } -unsigned long mmap_region(struct file *file, unsigned long addr, +static unsigned long __mmap_region(struct file *file, unsigned long addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, struct list_head *uf) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; pgoff_t pglen = PHYS_PFN(len); - struct vm_area_struct *merge; unsigned long charged = 0; struct vma_munmap_struct vms; struct ma_state mas_detach; struct maple_tree mt_detach; unsigned long end = addr + len; - bool writable_file_mapping = false; int error; VMA_ITERATOR(vmi, mm, addr); VMG_STATE(vmg, mm, &vmi, addr, end, vm_flags, pgoff); @@ -1445,28 +1443,26 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vm_flags_init(vma, vm_flags); vma->vm_page_prot = vm_get_page_prot(vm_flags); + if (vma_iter_prealloc(&vmi, vma)) { + error = -ENOMEM; + goto free_vma; + } + if (file) { vma->vm_file = get_file(file); error = mmap_file(file, vma); if (error) - goto unmap_and_free_vma; - - if (vma_is_shared_maywrite(vma)) { - error = mapping_map_writable(file->f_mapping); - if (error) - goto close_and_free_vma; - - writable_file_mapping = true; - } + goto unmap_and_free_file_vma; + /* Drivers cannot alter the address of the VMA. */ + WARN_ON_ONCE(addr != vma->vm_start); /* - * Expansion is handled above, merging is handled below. - * Drivers should not alter the address of the VMA. + * Drivers should not permit writability when previously it was + * disallowed. */ - if (WARN_ON((addr != vma->vm_start))) { - error = -EINVAL; - goto close_and_free_vma; - } + VM_WARN_ON_ONCE(vm_flags != vma->vm_flags && + !(vm_flags & VM_MAYWRITE) && + (vma->vm_flags & VM_MAYWRITE)); vma_iter_config(&vmi, addr, end); /* @@ -1474,6 +1470,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, * vma again as we may succeed this time. */ if (unlikely(vm_flags != vma->vm_flags && vmg.prev)) { + struct vm_area_struct *merge; + vmg.flags = vma->vm_flags; /* If this fails, state is reset ready for a reattempt. */ merge = vma_merge_new_range(&vmg); @@ -1491,7 +1489,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma = merge; /* Update vm_flags to pick up the change. */ vm_flags = vma->vm_flags; - goto unmap_writable; + goto file_expanded; } vma_iter_config(&vmi, addr, end); } @@ -1500,26 +1498,15 @@ unsigned long mmap_region(struct file *file, unsigned long addr, } else if (vm_flags & VM_SHARED) { error = shmem_zero_setup(vma); if (error) - goto free_vma; + goto free_iter_vma; } else { vma_set_anonymous(vma); } - if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { - error = -EACCES; - goto close_and_free_vma; - } - - /* Allow architectures to sanity-check the vm_flags */ - if (!arch_validate_flags(vma->vm_flags)) { - error = -EINVAL; - goto close_and_free_vma; - } - - if (vma_iter_prealloc(&vmi, vma)) { - error = -ENOMEM; - goto close_and_free_vma; - } +#ifdef CONFIG_SPARC64 + /* TODO: Fix SPARC ADI! */ + WARN_ON_ONCE(!arch_validate_flags(vm_flags)); +#endif /* Lock the VMA since it is modified after insertion into VMA tree */ vma_start_write(vma); @@ -1533,10 +1520,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, */ khugepaged_enter_vma(vma, vma->vm_flags); - /* Once vma denies write, undo our temporary denial count */ -unmap_writable: - if (writable_file_mapping) - mapping_unmap_writable(file->f_mapping); +file_expanded: file = vma->vm_file; ksm_add_vma(vma); expanded: @@ -1569,23 +1553,17 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma_set_page_prot(vma); - validate_mm(mm); return addr; -close_and_free_vma: - vma_close(vma); +unmap_and_free_file_vma: + fput(vma->vm_file); + vma->vm_file = NULL; - if (file || vma->vm_file) { -unmap_and_free_vma: - fput(vma->vm_file); - vma->vm_file = NULL; - - vma_iter_set(&vmi, vma->vm_end); - /* Undo any partial mapping done by a device driver. */ - unmap_region(&vmi.mas, vma, vmg.prev, vmg.next); - } - if (writable_file_mapping) - mapping_unmap_writable(file->f_mapping); + vma_iter_set(&vmi, vma->vm_end); + /* Undo any partial mapping done by a device driver. */ + unmap_region(&vmi.mas, vma, vmg.prev, vmg.next); +free_iter_vma: + vma_iter_free(&vmi); free_vma: vm_area_free(vma); unacct_error: @@ -1595,10 +1573,43 @@ unsigned long mmap_region(struct file *file, unsigned long addr, abort_munmap: vms_abort_munmap_vmas(&vms, &mas_detach); gather_failed: - validate_mm(mm); return error; } +unsigned long mmap_region(struct file *file, unsigned long addr, + unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, + struct list_head *uf) +{ + unsigned long ret; + bool writable_file_mapping = false; + + /* Check to see if MDWE is applicable. */ + if (map_deny_write_exec(vm_flags, vm_flags)) + return -EACCES; + + /* Allow architectures to sanity-check the vm_flags. */ + if (!arch_validate_flags(vm_flags)) + return -EINVAL; + + /* Map writable and ensure this isn't a sealed memfd. */ + if (file && is_shared_maywrite(vm_flags)) { + int error = mapping_map_writable(file->f_mapping); + + if (error) + return error; + writable_file_mapping = true; + } + + ret = __mmap_region(file, addr, len, vm_flags, pgoff, uf); + + /* Clear our write mapping regardless of error. */ + if (writable_file_mapping) + mapping_unmap_writable(file->f_mapping); + + validate_mm(current->mm); + return ret; +} + static int __vm_munmap(unsigned long start, size_t len, bool unlock) { int ret;

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 5baf8b037debf4ec60108ccfeccb8636d1dbad81 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111135-thumb-pretended-bad3@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5baf8b037debf4ec60108ccfeccb8636d1dbad81 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Tue, 29 Oct 2024 18:11:47 +0000 Subject: [PATCH] mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Currently MTE is permitted in two circumstances (desiring to use MTE having been specified by the VM_MTE flag) - where MAP_ANONYMOUS is specified, as checked by arch_calc_vm_flag_bits() and actualised by setting the VM_MTE_ALLOWED flag, or if the file backing the mapping is shmem, in which case we set VM_MTE_ALLOWED in shmem_mmap() when the mmap hook is activated in mmap_region(). The function that checks that, if VM_MTE is set, VM_MTE_ALLOWED is also set is the arm64 implementation of arch_validate_flags(). Unfortunately, we intend to refactor mmap_region() to perform this check earlier, meaning that in the case of a shmem backing we will not have invoked shmem_mmap() yet, causing the mapping to fail spuriously. It is inappropriate to set this architecture-specific flag in general mm code anyway, so a sensible resolution of this issue is to instead move the check somewhere else. We resolve this by setting VM_MTE_ALLOWED much earlier in do_mmap(), via the arch_calc_vm_flag_bits() call. This is an appropriate place to do this as we already check for the MAP_ANONYMOUS case here, and the shmem file case is simply a variant of the same idea - we permit RAM-backed memory. This requires a modification to the arch_calc_vm_flag_bits() signature to pass in a pointer to the struct file associated with the mapping, however this is not too egregious as this is only used by two architectures anyway - arm64 and parisc. So this patch performs this adjustment and removes the unnecessary assignment of VM_MTE_ALLOWED in shmem_mmap(). [akpm(a)linux-foundation.org: fix whitespace, per Catalin] Link: https://lkml.kernel.org/r/ec251b20ba1964fb64cf1607d2ad80c47f3873df.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Suggested-by: Catalin Marinas <catalin.marinas(a)arm.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/arch/arm64/include/asm/mman.h b/arch/arm64/include/asm/mman.h index 9e39217b4afb..798d965760d4 100644 --- a/arch/arm64/include/asm/mman.h +++ b/arch/arm64/include/asm/mman.h @@ -6,6 +6,8 @@ #ifndef BUILD_VDSO #include <linux/compiler.h> +#include <linux/fs.h> +#include <linux/shmem_fs.h> #include <linux/types.h> static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot, @@ -31,19 +33,21 @@ static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot, } #define arch_calc_vm_prot_bits(prot, pkey) arch_calc_vm_prot_bits(prot, pkey) -static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) +static inline unsigned long arch_calc_vm_flag_bits(struct file *file, + unsigned long flags) { /* * Only allow MTE on anonymous mappings as these are guaranteed to be * backed by tags-capable memory. The vm_flags may be overridden by a * filesystem supporting MTE (RAM-based). */ - if (system_supports_mte() && (flags & MAP_ANONYMOUS)) + if (system_supports_mte() && + ((flags & MAP_ANONYMOUS) || shmem_file(file))) return VM_MTE_ALLOWED; return 0; } -#define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags) +#define arch_calc_vm_flag_bits(file, flags) arch_calc_vm_flag_bits(file, flags) static inline bool arch_validate_prot(unsigned long prot, unsigned long addr __always_unused) diff --git a/arch/parisc/include/asm/mman.h b/arch/parisc/include/asm/mman.h index 89b6beeda0b8..663f587dc789 100644 --- a/arch/parisc/include/asm/mman.h +++ b/arch/parisc/include/asm/mman.h @@ -2,6 +2,7 @@ #ifndef __ASM_MMAN_H__ #define __ASM_MMAN_H__ +#include <linux/fs.h> #include <uapi/asm/mman.h> /* PARISC cannot allow mdwe as it needs writable stacks */ @@ -11,7 +12,7 @@ static inline bool arch_memory_deny_write_exec_supported(void) } #define arch_memory_deny_write_exec_supported arch_memory_deny_write_exec_supported -static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) +static inline unsigned long arch_calc_vm_flag_bits(struct file *file, unsigned long flags) { /* * The stack on parisc grows upwards, so if userspace requests memory @@ -23,6 +24,6 @@ static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags) return 0; } -#define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags) +#define arch_calc_vm_flag_bits(file, flags) arch_calc_vm_flag_bits(file, flags) #endif /* __ASM_MMAN_H__ */ diff --git a/include/linux/mman.h b/include/linux/mman.h index 8ddca62d6460..a842783ffa62 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -2,6 +2,7 @@ #ifndef _LINUX_MMAN_H #define _LINUX_MMAN_H +#include <linux/fs.h> #include <linux/mm.h> #include <linux/percpu_counter.h> @@ -94,7 +95,7 @@ static inline void vm_unacct_memory(long pages) #endif #ifndef arch_calc_vm_flag_bits -#define arch_calc_vm_flag_bits(flags) 0 +#define arch_calc_vm_flag_bits(file, flags) 0 #endif #ifndef arch_validate_prot @@ -151,13 +152,13 @@ calc_vm_prot_bits(unsigned long prot, unsigned long pkey) * Combine the mmap "flags" argument into "vm_flags" used internally. */ static inline unsigned long -calc_vm_flag_bits(unsigned long flags) +calc_vm_flag_bits(struct file *file, unsigned long flags) { return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) | - arch_calc_vm_flag_bits(flags); + arch_calc_vm_flag_bits(file, flags); } unsigned long vm_commit_limit(void); diff --git a/mm/mmap.c b/mm/mmap.c index ab71d4c3464c..aee5fa08ae5d 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -344,7 +344,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, * to. we assume access permissions have been handled by the open * of the memory object, so we don't do any here. */ - vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) | + vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(file, flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC; /* Obtain the address to map to. we verify (or select) it and ensure diff --git a/mm/nommu.c b/mm/nommu.c index 635d028d647b..e9b5f527ab5b 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -842,7 +842,7 @@ static unsigned long determine_vm_flags(struct file *file, { unsigned long vm_flags; - vm_flags = calc_vm_prot_bits(prot, 0) | calc_vm_flag_bits(flags); + vm_flags = calc_vm_prot_bits(prot, 0) | calc_vm_flag_bits(file, flags); if (!file) { /* diff --git a/mm/shmem.c b/mm/shmem.c index 4ba1d00fabda..e87f5d6799a7 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2733,9 +2733,6 @@ static int shmem_mmap(struct file *file, struct vm_area_struct *vma) if (ret) return ret; - /* arm64 - allow memory tagging on RAM-based files */ - vm_flags_set(vma, VM_MTE_ALLOWED); - file_accessed(file); /* This is anonymous shared memory if it is unlinked at the time of mmap */ if (inode->i_nlink)

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: refactor map_deny_write_exec()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111112-headless-facelift-4a02@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Tue, 29 Oct 2024 18:11:46 +0000 Subject: [PATCH] mm: refactor map_deny_write_exec() Refactor the map_deny_write_exec() to not unnecessarily require a VMA parameter but rather to accept VMA flags parameters, which allows us to use this function early in mmap_region() in a subsequent commit. While we're here, we refactor the function to be more readable and add some additional documentation. Link: https://lkml.kernel.org/r/6be8bb59cd7c68006ebb006eb9d8dc27104b1f70.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mman.h b/include/linux/mman.h index bcb201ab7a41..8ddca62d6460 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -188,16 +188,31 @@ static inline bool arch_memory_deny_write_exec_supported(void) * * d) mmap(PROT_READ | PROT_EXEC) * mmap(PROT_READ | PROT_EXEC | PROT_BTI) + * + * This is only applicable if the user has set the Memory-Deny-Write-Execute + * (MDWE) protection mask for the current process. + * + * @old specifies the VMA flags the VMA originally possessed, and @new the ones + * we propose to set. + * + * Return: false if proposed change is OK, true if not ok and should be denied. */ -static inline bool map_deny_write_exec(struct vm_area_struct *vma, unsigned long vm_flags) +static inline bool map_deny_write_exec(unsigned long old, unsigned long new) { + /* If MDWE is disabled, we have nothing to deny. */ if (!test_bit(MMF_HAS_MDWE, &current->mm->flags)) return false; - if ((vm_flags & VM_EXEC) && (vm_flags & VM_WRITE)) + /* If the new VMA is not executable, we have nothing to deny. */ + if (!(new & VM_EXEC)) + return false; + + /* Under MDWE we do not accept newly writably executable VMAs... */ + if (new & VM_WRITE) return true; - if (!(vma->vm_flags & VM_EXEC) && (vm_flags & VM_EXEC)) + /* ...nor previously non-executable VMAs becoming executable. */ + if (!(old & VM_EXEC)) return true; return false; diff --git a/mm/mmap.c b/mm/mmap.c index ac0604f146f6..ab71d4c3464c 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1505,7 +1505,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma_set_anonymous(vma); } - if (map_deny_write_exec(vma, vma->vm_flags)) { + if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { error = -EACCES; goto close_and_free_vma; } diff --git a/mm/mprotect.c b/mm/mprotect.c index 0c5d6d06107d..6f450af3252e 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -810,7 +810,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, break; } - if (map_deny_write_exec(vma, newflags)) { + if (map_deny_write_exec(vma->vm_flags, newflags)) { error = -EACCES; break; } diff --git a/mm/vma.h b/mm/vma.h index 75558b5e9c8c..d58068c0ff2e 100644 --- a/mm/vma.h +++ b/mm/vma.h @@ -42,7 +42,7 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - /* 1 byte hole */ + /* 2 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ unsigned long nr_accounted; /* Number of VM_ACCOUNT pages */

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: refactor map_deny_write_exec()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111111-pellet-mummify-1558@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Tue, 29 Oct 2024 18:11:46 +0000 Subject: [PATCH] mm: refactor map_deny_write_exec() Refactor the map_deny_write_exec() to not unnecessarily require a VMA parameter but rather to accept VMA flags parameters, which allows us to use this function early in mmap_region() in a subsequent commit. While we're here, we refactor the function to be more readable and add some additional documentation. Link: https://lkml.kernel.org/r/6be8bb59cd7c68006ebb006eb9d8dc27104b1f70.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mman.h b/include/linux/mman.h index bcb201ab7a41..8ddca62d6460 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -188,16 +188,31 @@ static inline bool arch_memory_deny_write_exec_supported(void) * * d) mmap(PROT_READ | PROT_EXEC) * mmap(PROT_READ | PROT_EXEC | PROT_BTI) + * + * This is only applicable if the user has set the Memory-Deny-Write-Execute + * (MDWE) protection mask for the current process. + * + * @old specifies the VMA flags the VMA originally possessed, and @new the ones + * we propose to set. + * + * Return: false if proposed change is OK, true if not ok and should be denied. */ -static inline bool map_deny_write_exec(struct vm_area_struct *vma, unsigned long vm_flags) +static inline bool map_deny_write_exec(unsigned long old, unsigned long new) { + /* If MDWE is disabled, we have nothing to deny. */ if (!test_bit(MMF_HAS_MDWE, &current->mm->flags)) return false; - if ((vm_flags & VM_EXEC) && (vm_flags & VM_WRITE)) + /* If the new VMA is not executable, we have nothing to deny. */ + if (!(new & VM_EXEC)) + return false; + + /* Under MDWE we do not accept newly writably executable VMAs... */ + if (new & VM_WRITE) return true; - if (!(vma->vm_flags & VM_EXEC) && (vm_flags & VM_EXEC)) + /* ...nor previously non-executable VMAs becoming executable. */ + if (!(old & VM_EXEC)) return true; return false; diff --git a/mm/mmap.c b/mm/mmap.c index ac0604f146f6..ab71d4c3464c 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1505,7 +1505,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma_set_anonymous(vma); } - if (map_deny_write_exec(vma, vma->vm_flags)) { + if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { error = -EACCES; goto close_and_free_vma; } diff --git a/mm/mprotect.c b/mm/mprotect.c index 0c5d6d06107d..6f450af3252e 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -810,7 +810,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, break; } - if (map_deny_write_exec(vma, newflags)) { + if (map_deny_write_exec(vma->vm_flags, newflags)) { error = -EACCES; break; } diff --git a/mm/vma.h b/mm/vma.h index 75558b5e9c8c..d58068c0ff2e 100644 --- a/mm/vma.h +++ b/mm/vma.h @@ -42,7 +42,7 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - /* 1 byte hole */ + /* 2 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ unsigned long nr_accounted; /* Number of VM_ACCOUNT pages */

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: refactor map_deny_write_exec()" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111109-deck-cranial-851e@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Tue, 29 Oct 2024 18:11:46 +0000 Subject: [PATCH] mm: refactor map_deny_write_exec() Refactor the map_deny_write_exec() to not unnecessarily require a VMA parameter but rather to accept VMA flags parameters, which allows us to use this function early in mmap_region() in a subsequent commit. While we're here, we refactor the function to be more readable and add some additional documentation. Link: https://lkml.kernel.org/r/6be8bb59cd7c68006ebb006eb9d8dc27104b1f70.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mman.h b/include/linux/mman.h index bcb201ab7a41..8ddca62d6460 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -188,16 +188,31 @@ static inline bool arch_memory_deny_write_exec_supported(void) * * d) mmap(PROT_READ | PROT_EXEC) * mmap(PROT_READ | PROT_EXEC | PROT_BTI) + * + * This is only applicable if the user has set the Memory-Deny-Write-Execute + * (MDWE) protection mask for the current process. + * + * @old specifies the VMA flags the VMA originally possessed, and @new the ones + * we propose to set. + * + * Return: false if proposed change is OK, true if not ok and should be denied. */ -static inline bool map_deny_write_exec(struct vm_area_struct *vma, unsigned long vm_flags) +static inline bool map_deny_write_exec(unsigned long old, unsigned long new) { + /* If MDWE is disabled, we have nothing to deny. */ if (!test_bit(MMF_HAS_MDWE, &current->mm->flags)) return false; - if ((vm_flags & VM_EXEC) && (vm_flags & VM_WRITE)) + /* If the new VMA is not executable, we have nothing to deny. */ + if (!(new & VM_EXEC)) + return false; + + /* Under MDWE we do not accept newly writably executable VMAs... */ + if (new & VM_WRITE) return true; - if (!(vma->vm_flags & VM_EXEC) && (vm_flags & VM_EXEC)) + /* ...nor previously non-executable VMAs becoming executable. */ + if (!(old & VM_EXEC)) return true; return false; diff --git a/mm/mmap.c b/mm/mmap.c index ac0604f146f6..ab71d4c3464c 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1505,7 +1505,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma_set_anonymous(vma); } - if (map_deny_write_exec(vma, vma->vm_flags)) { + if (map_deny_write_exec(vma->vm_flags, vma->vm_flags)) { error = -EACCES; goto close_and_free_vma; } diff --git a/mm/mprotect.c b/mm/mprotect.c index 0c5d6d06107d..6f450af3252e 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -810,7 +810,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, break; } - if (map_deny_write_exec(vma, newflags)) { + if (map_deny_write_exec(vma->vm_flags, newflags)) { error = -EACCES; break; } diff --git a/mm/vma.h b/mm/vma.h index 75558b5e9c8c..d58068c0ff2e 100644 --- a/mm/vma.h +++ b/mm/vma.h @@ -42,7 +42,7 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - /* 1 byte hole */ + /* 2 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ unsigned long nr_accounted; /* Number of VM_ACCOUNT pages */

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: unconditionally close VMAs on error" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 4080ef1579b2413435413988d14ac8c68e4d42c8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111154-upwind-corroding-eca2@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4080ef1579b2413435413988d14ac8c68e4d42c8 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Tue, 29 Oct 2024 18:11:45 +0000 Subject: [PATCH] mm: unconditionally close VMAs on error Incorrect invocation of VMA callbacks when the VMA is no longer in a consistent state is bug prone and risky to perform. With regards to the important vm_ops->close() callback We have gone to great lengths to try to track whether or not we ought to close VMAs. Rather than doing so and risking making a mistake somewhere, instead unconditionally close and reset vma->vm_ops to an empty dummy operations set with a NULL .close operator. We introduce a new function to do so - vma_close() - and simplify existing vms logic which tracked whether we needed to close or not. This simplifies the logic, avoids incorrect double-calling of the .close() callback and allows us to update error paths to simply call vma_close() unconditionally - making VMA closure idempotent. Link: https://lkml.kernel.org/r/28e89dda96f68c505cb6f8e9fc9b57c3e9f74b42.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/internal.h b/mm/internal.h index 4eab2961e69c..64c2eb0b160e 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -135,6 +135,24 @@ static inline int mmap_file(struct file *file, struct vm_area_struct *vma) return err; } +/* + * If the VMA has a close hook then close it, and since closing it might leave + * it in an inconsistent state which makes the use of any hooks suspect, clear + * them down by installing dummy empty hooks. + */ +static inline void vma_close(struct vm_area_struct *vma) +{ + if (vma->vm_ops && vma->vm_ops->close) { + vma->vm_ops->close(vma); + + /* + * The mapping is in an inconsistent state, and no further hooks + * may be invoked upon it. + */ + vma->vm_ops = &vma_dummy_vm_ops; + } +} + #ifdef CONFIG_MMU /* Flags for folio_pte_batch(). */ diff --git a/mm/mmap.c b/mm/mmap.c index 6e3b25f7728f..ac0604f146f6 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1573,8 +1573,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, return addr; close_and_free_vma: - if (file && !vms.closed_vm_ops && vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (file || vma->vm_file) { unmap_and_free_vma: @@ -1934,7 +1933,7 @@ void exit_mmap(struct mm_struct *mm) do { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); - remove_vma(vma, /* unreachable = */ true, /* closed = */ false); + remove_vma(vma, /* unreachable = */ true); count++; cond_resched(); vma = vma_next(&vmi); diff --git a/mm/nommu.c b/mm/nommu.c index f9ccc02458ec..635d028d647b 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -589,8 +589,7 @@ static int delete_vma_from_mm(struct vm_area_struct *vma) */ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) { - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); put_nommu_region(vma->vm_region); diff --git a/mm/vma.c b/mm/vma.c index b21ffec33f8e..7621384d64cf 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -323,11 +323,10 @@ static bool can_vma_merge_right(struct vma_merge_struct *vmg, /* * Close a vm structure and free it. */ -void remove_vma(struct vm_area_struct *vma, bool unreachable, bool closed) +void remove_vma(struct vm_area_struct *vma, bool unreachable) { might_sleep(); - if (!closed && vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); + vma_close(vma); if (vma->vm_file) fput(vma->vm_file); mpol_put(vma_policy(vma)); @@ -1115,9 +1114,7 @@ void vms_clean_up_area(struct vma_munmap_struct *vms, vms_clear_ptes(vms, mas_detach, true); mas_set(mas_detach, 0); mas_for_each(mas_detach, vma, ULONG_MAX) - if (vma->vm_ops && vma->vm_ops->close) - vma->vm_ops->close(vma); - vms->closed_vm_ops = true; + vma_close(vma); } /* @@ -1160,7 +1157,7 @@ void vms_complete_munmap_vmas(struct vma_munmap_struct *vms, /* Remove and clean up vmas */ mas_set(mas_detach, 0); mas_for_each(mas_detach, vma, ULONG_MAX) - remove_vma(vma, /* = */ false, vms->closed_vm_ops); + remove_vma(vma, /* unreachable = */ false); vm_unacct_memory(vms->nr_accounted); validate_mm(mm); @@ -1684,8 +1681,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return new_vma; out_vma_link: - if (new_vma->vm_ops && new_vma->vm_ops->close) - new_vma->vm_ops->close(new_vma); + vma_close(new_vma); if (new_vma->vm_file) fput(new_vma->vm_file); diff --git a/mm/vma.h b/mm/vma.h index 55457cb68200..75558b5e9c8c 100644 --- a/mm/vma.h +++ b/mm/vma.h @@ -42,7 +42,6 @@ struct vma_munmap_struct { int vma_count; /* Number of vmas that will be removed */ bool unlock; /* Unlock after the munmap */ bool clear_ptes; /* If there are outstanding PTE to be cleared */ - bool closed_vm_ops; /* call_mmap() was encountered, so vmas may be closed */ /* 1 byte hole */ unsigned long nr_pages; /* Number of pages being removed */ unsigned long locked_vm; /* Number of locked pages */ @@ -198,7 +197,6 @@ static inline void init_vma_munmap(struct vma_munmap_struct *vms, vms->unmap_start = FIRST_USER_ADDRESS; vms->unmap_end = USER_PGTABLES_CEILING; vms->clear_ptes = false; - vms->closed_vm_ops = false; } #endif @@ -269,7 +267,7 @@ int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, unsigned long start, size_t len, struct list_head *uf, bool unlock); -void remove_vma(struct vm_area_struct *vma, bool unreachable, bool closed); +void remove_vma(struct vm_area_struct *vma, bool unreachable); void unmap_region(struct ma_state *mas, struct vm_area_struct *vma, struct vm_area_struct *prev, struct vm_area_struct *next);

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: avoid unsafe VMA hook invocation when error arises on" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 3dd6ed34ce1f2356a77fb88edafb5ec96784e3cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111140-democrat-landmass-2df5@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3dd6ed34ce1f2356a77fb88edafb5ec96784e3cf Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Date: Tue, 29 Oct 2024 18:11:44 +0000 Subject: [PATCH] mm: avoid unsafe VMA hook invocation when error arises on mmap hook Patch series "fix error handling in mmap_region() and refactor (hotfixes)", v4. mmap_region() is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. This series goes to great lengths to simplify how mmap_region() works and to avoid unwinding errors late on in the process of setting up the VMA for the new mapping, and equally avoids such operations occurring while the VMA is in an inconsistent state. The patches in this series comprise the minimal changes required to resolve existing issues in mmap_region() error handling, in order that they can be hotfixed and backported. There is additionally a follow up series which goes further, separated out from the v1 series and sent and updated separately. This patch (of 5): After an attempted mmap() fails, we are no longer in a situation where we can safely interact with VMA hooks. This is currently not enforced, meaning that we need complicated handling to ensure we do not incorrectly call these hooks. We can avoid the whole issue by treating the VMA as suspect the moment that the file->f_ops->mmap() function reports an error by replacing whatever VMA operations were installed with a dummy empty set of VMA operations. We do so through a new helper function internal to mm - mmap_file() - which is both more logically named than the existing call_mmap() function and correctly isolates handling of the vm_op reassignment to mm. All the existing invocations of call_mmap() outside of mm are ultimately nested within the call_mmap() from mm, which we now replace. It is therefore safe to leave call_mmap() in place as a convenience function (and to avoid churn). The invokers are: ovl_file_operations -> mmap -> ovl_mmap() -> backing_file_mmap() coda_file_operations -> mmap -> coda_file_mmap() shm_file_operations -> shm_mmap() shm_file_operations_huge -> shm_mmap() dma_buf_fops -> dma_buf_mmap_internal -> i915_dmabuf_ops -> i915_gem_dmabuf_mmap() None of these callers interact with vm_ops or mappings in a problematic way on error, quickly exiting out. Link: https://lkml.kernel.org/r/cover.1730224667.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/d41fd763496fd0048a962f3fd9407dc72dd4fd86.17302246… Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: Jann Horn <jannh(a)google.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Jann Horn <jannh(a)google.com> Cc: Andreas Larsson <andreas(a)gaisler.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: David S. Miller <davem(a)davemloft.net> Cc: Helge Deller <deller(a)gmx.de> Cc: James E.J. Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/internal.h b/mm/internal.h index 16c1f3cd599e..4eab2961e69c 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -108,6 +108,33 @@ static inline void *folio_raw_mapping(const struct folio *folio) return (void *)(mapping & ~PAGE_MAPPING_FLAGS); } +/* + * This is a file-backed mapping, and is about to be memory mapped - invoke its + * mmap hook and safely handle error conditions. On error, VMA hooks will be + * mutated. + * + * @file: File which backs the mapping. + * @vma: VMA which we are mapping. + * + * Returns: 0 if success, error otherwise. + */ +static inline int mmap_file(struct file *file, struct vm_area_struct *vma) +{ + int err = call_mmap(file, vma); + + if (likely(!err)) + return 0; + + /* + * OK, we tried to call the file hook for mmap(), but an error + * arose. The mapping is in an inconsistent state and we most not invoke + * any further hooks on it. + */ + vma->vm_ops = &vma_dummy_vm_ops; + + return err; +} + #ifdef CONFIG_MMU /* Flags for folio_pte_batch(). */ diff --git a/mm/mmap.c b/mm/mmap.c index 9841b41e3c76..6e3b25f7728f 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1422,7 +1422,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, /* * clear PTEs while the vma is still in the tree so that rmap * cannot race with the freeing later in the truncate scenario. - * This is also needed for call_mmap(), which is why vm_ops + * This is also needed for mmap_file(), which is why vm_ops * close function is called. */ vms_clean_up_area(&vms, &mas_detach); @@ -1447,7 +1447,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, if (file) { vma->vm_file = get_file(file); - error = call_mmap(file, vma); + error = mmap_file(file, vma); if (error) goto unmap_and_free_vma; @@ -1470,7 +1470,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma_iter_config(&vmi, addr, end); /* - * If vm_flags changed after call_mmap(), we should try merge + * If vm_flags changed after mmap_file(), we should try merge * vma again as we may succeed this time. */ if (unlikely(vm_flags != vma->vm_flags && vmg.prev)) { diff --git a/mm/nommu.c b/mm/nommu.c index 385b0c15add8..f9ccc02458ec 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -885,7 +885,7 @@ static int do_mmap_shared_file(struct vm_area_struct *vma) { int ret; - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); if (ret == 0) { vma->vm_region->vm_top = vma->vm_region->vm_end; return 0; @@ -918,7 +918,7 @@ static int do_mmap_private(struct vm_area_struct *vma, * happy. */ if (capabilities & NOMMU_MAP_DIRECT) { - ret = call_mmap(vma->vm_file, vma); + ret = mmap_file(vma->vm_file, vma); /* shouldn't return success if we're not sharing */ if (WARN_ON_ONCE(!is_nommu_shared_mapping(vma->vm_flags))) ret = -ENOSYS;

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm/thp: fix deferred split unqueue naming and locking" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f8f931bba0f92052cf842b7e30917b1afcc77d5a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111131-haziness-slum-8f5e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f8f931bba0f92052cf842b7e30917b1afcc77d5a Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Sun, 27 Oct 2024 13:02:13 -0700 Subject: [PATCH] mm/thp: fix deferred split unqueue naming and locking Recent changes are putting more pressure on THP deferred split queues: under load revealing long-standing races, causing list_del corruptions, "Bad page state"s and worse (I keep BUGs in both of those, so usually don't get to see how badly they end up without). The relevant recent changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin, improved swap allocation, and underused THP splitting. Before fixing locking: rename misleading folio_undo_large_rmappable(), which does not undo large_rmappable, to folio_unqueue_deferred_split(), which is what it does. But that and its out-of-line __callee are mm internals of very limited usability: add comment and WARN_ON_ONCEs to check usage; and return a bool to say if a deferred split was unqueued, which can then be used in WARN_ON_ONCEs around safety checks (sparing callers the arcane conditionals in __folio_unqueue_deferred_split()). Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all of whose callers now call it beforehand (and if any forget then bad_page() will tell) - except for its caller put_pages_list(), which itself no longer has any callers (and will be deleted separately). Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0 without checking and unqueueing a THP folio from deferred split list; which is unfortunate, since the split_queue_lock depends on the memcg (when memcg is enabled); so swapout has been unqueueing such THPs later, when freeing the folio, using the pgdat's lock instead: potentially corrupting the memcg's list. __remove_mapping() has frozen refcount to 0 here, so no problem with calling folio_unqueue_deferred_split() before resetting memcg_data. That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware"): which included a check on swapcache before adding to deferred queue, but no check on deferred queue before adding THP to swapcache. That worked fine with the usual sequence of events in reclaim (though there were a couple of rare ways in which a THP on deferred queue could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split underused THPs") avoids splitting underused THPs in reclaim, which makes swapcache THPs on deferred queue commonplace. Keep the check on swapcache before adding to deferred queue? Yes: it is no longer essential, but preserves the existing behaviour, and is likely to be a worthwhile optimization (vmstat showed much more traffic on the queue under swapping load if the check was removed); update its comment. Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing folio->memcg_data without checking and unqueueing a THP folio from the deferred list, sometimes corrupting "from" memcg's list, like swapout. Refcount is non-zero here, so folio_unqueue_deferred_split() can only be used in a WARN_ON_ONCE to validate the fix, which must be done earlier: mem_cgroup_move_charge_pte_range() first try to split the THP (splitting of course unqueues), or skip it if that fails. Not ideal, but moving charge has been requested, and khugepaged should repair the THP later: nobody wants new custom unqueueing code just for this deprecated case. The 87eaceb3faa5 commit did have the code to move from one deferred list to another (but was not conscious of its unsafety while refcount non-0); but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care deferred split queue in memcg charge move path"), which argued that the existence of a PMD mapping guarantees that the THP cannot be on a deferred list. As above, false in rare cases, and now commonly false. Backport to 6.11 should be straightforward. Earlier backports must take care that other _deferred_list fixes and dependencies are included. There is not a strong case for backports, but they can fix cornercases. Link: https://lkml.kernel.org/r/8dc111ae-f6db-2da7-b25c-7a20b1effe3b@google.com Fixes: 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware") Fixes: dafff3f4c850 ("mm: split underused THPs") Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Usama Arif <usamaarif642(a)gmail.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index a1d345f1680c..03fd4bc39ea1 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3588,10 +3588,27 @@ int split_folio_to_list(struct folio *folio, struct list_head *list) return split_huge_page_to_list_to_order(&folio->page, list, ret); } -void __folio_undo_large_rmappable(struct folio *folio) +/* + * __folio_unqueue_deferred_split() is not to be called directly: + * the folio_unqueue_deferred_split() inline wrapper in mm/internal.h + * limits its calls to those folios which may have a _deferred_list for + * queueing THP splits, and that list is (racily observed to be) non-empty. + * + * It is unsafe to call folio_unqueue_deferred_split() until folio refcount is + * zero: because even when split_queue_lock is held, a non-empty _deferred_list + * might be in use on deferred_split_scan()'s unlocked on-stack list. + * + * If memory cgroups are enabled, split_queue_lock is in the mem_cgroup: it is + * therefore important to unqueue deferred split before changing folio memcg. + */ +bool __folio_unqueue_deferred_split(struct folio *folio) { struct deferred_split *ds_queue; unsigned long flags; + bool unqueued = false; + + WARN_ON_ONCE(folio_ref_count(folio)); + WARN_ON_ONCE(!mem_cgroup_disabled() && !folio_memcg(folio)); ds_queue = get_deferred_split_queue(folio); spin_lock_irqsave(&ds_queue->split_queue_lock, flags); @@ -3603,8 +3620,11 @@ void __folio_undo_large_rmappable(struct folio *folio) MTHP_STAT_NR_ANON_PARTIALLY_MAPPED, -1); } list_del_init(&folio->_deferred_list); + unqueued = true; } spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags); + + return unqueued; /* useful for debug warnings */ } /* partially_mapped=false won't clear PG_partially_mapped folio flag */ @@ -3627,14 +3647,11 @@ void deferred_split_folio(struct folio *folio, bool partially_mapped) return; /* - * The try_to_unmap() in page reclaim path might reach here too, - * this may cause a race condition to corrupt deferred split queue. - * And, if page reclaim is already handling the same folio, it is - * unnecessary to handle it again in shrinker. - * - * Check the swapcache flag to determine if the folio is being - * handled by page reclaim since THP swap would add the folio into - * swap cache before calling try_to_unmap(). + * Exclude swapcache: originally to avoid a corrupt deferred split + * queue. Nowadays that is fully prevented by mem_cgroup_swapout(); + * but if page reclaim is already handling the same folio, it is + * unnecessary to handle it again in the shrinker, so excluding + * swapcache here may still be a useful optimization. */ if (folio_test_swapcache(folio)) return; diff --git a/mm/internal.h b/mm/internal.h index 93083bbeeefa..16c1f3cd599e 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -639,11 +639,11 @@ static inline void folio_set_order(struct folio *folio, unsigned int order) #endif } -void __folio_undo_large_rmappable(struct folio *folio); -static inline void folio_undo_large_rmappable(struct folio *folio) +bool __folio_unqueue_deferred_split(struct folio *folio); +static inline bool folio_unqueue_deferred_split(struct folio *folio) { if (folio_order(folio) <= 1 || !folio_test_large_rmappable(folio)) - return; + return false; /* * At this point, there is no one trying to add the folio to @@ -651,9 +651,9 @@ static inline void folio_undo_large_rmappable(struct folio *folio) * to check without acquiring the split_queue_lock. */ if (data_race(list_empty(&folio->_deferred_list))) - return; + return false; - __folio_undo_large_rmappable(folio); + return __folio_unqueue_deferred_split(folio); } static inline struct folio *page_rmappable_folio(struct page *page) diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c index 81d8819f13cd..f8744f5630bb 100644 --- a/mm/memcontrol-v1.c +++ b/mm/memcontrol-v1.c @@ -848,6 +848,8 @@ static int mem_cgroup_move_account(struct folio *folio, css_get(&to->css); css_put(&from->css); + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = (unsigned long)to; __folio_memcg_unlock(from); @@ -1217,7 +1219,9 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, enum mc_target_type target_type; union mc_target target; struct folio *folio; + bool tried_split_before = false; +retry_pmd: ptl = pmd_trans_huge_lock(pmd, vma); if (ptl) { if (mc.precharge < HPAGE_PMD_NR) { @@ -1227,6 +1231,27 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, target_type = get_mctgt_type_thp(vma, addr, *pmd, &target); if (target_type == MC_TARGET_PAGE) { folio = target.folio; + /* + * Deferred split queue locking depends on memcg, + * and unqueue is unsafe unless folio refcount is 0: + * split or skip if on the queue? first try to split. + */ + if (!list_empty(&folio->_deferred_list)) { + spin_unlock(ptl); + if (!tried_split_before) + split_folio(folio); + folio_unlock(folio); + folio_put(folio); + if (tried_split_before) + return 0; + tried_split_before = true; + goto retry_pmd; + } + /* + * So long as that pmd lock is held, the folio cannot + * be racily added to the _deferred_list, because + * __folio_remove_rmap() will find !partially_mapped. + */ if (folio_isolate_lru(folio)) { if (!mem_cgroup_move_account(folio, true, mc.from, mc.to)) { diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 2703227cce88..06df2af97415 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4629,9 +4629,6 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) struct obj_cgroup *objcg; VM_BUG_ON_FOLIO(folio_test_lru(folio), folio); - VM_BUG_ON_FOLIO(folio_order(folio) > 1 && - !folio_test_hugetlb(folio) && - !list_empty(&folio->_deferred_list), folio); /* * Nobody should be changing or seriously looking at @@ -4678,6 +4675,7 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) ug->nr_memory += nr_pages; ug->pgpgout++; + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = 0; } @@ -4789,6 +4787,9 @@ void mem_cgroup_migrate(struct folio *old, struct folio *new) /* Transfer the charge and the css ref */ commit_charge(new, memcg); + + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(old)); old->memcg_data = 0; } @@ -4975,6 +4976,7 @@ void mem_cgroup_swapout(struct folio *folio, swp_entry_t entry) VM_BUG_ON_FOLIO(oldid, folio); mod_memcg_state(swap_memcg, MEMCG_SWAP, nr_entries); + folio_unqueue_deferred_split(folio); folio->memcg_data = 0; if (!mem_cgroup_is_root(memcg)) diff --git a/mm/migrate.c b/mm/migrate.c index fab84a776088..dfa24e41e8f9 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -490,7 +490,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, folio_test_large_rmappable(folio)) { if (!folio_ref_freeze(folio, expected_count)) return -EAGAIN; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); folio_ref_unfreeze(folio, expected_count); } @@ -515,7 +515,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, } /* Take off deferred split queue while frozen and memcg set */ - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); /* * Now we know that no one else is looking at the folio: diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 5e108ae755cc..8ad38cd5e574 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -2681,7 +2681,6 @@ void free_unref_folios(struct folio_batch *folios) unsigned long pfn = folio_pfn(folio); unsigned int order = folio_order(folio); - folio_undo_large_rmappable(folio); if (!free_pages_prepare(&folio->page, order)) continue; /* diff --git a/mm/swap.c b/mm/swap.c index 835bdf324b76..b8e3259ea2c4 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -121,7 +121,7 @@ void __folio_put(struct folio *folio) } page_cache_release(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); mem_cgroup_uncharge(folio); free_unref_page(&folio->page, folio_order(folio)); } @@ -988,7 +988,7 @@ void folios_put_refs(struct folio_batch *folios, unsigned int *refs) free_huge_folio(folio); continue; } - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); __page_cache_release(folio, &lruvec, &flags); if (j != i) diff --git a/mm/vmscan.c b/mm/vmscan.c index ddaaff67642e..28ba2b06fc7d 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1476,7 +1476,7 @@ static unsigned int shrink_folio_list(struct list_head *folio_list, */ nr_reclaimed += nr_pages; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { mem_cgroup_uncharge_folios(&free_folios); try_to_unmap_flush(); @@ -1864,7 +1864,7 @@ static unsigned int move_folios_to_lru(struct lruvec *lruvec, if (unlikely(folio_put_testzero(folio))) { __folio_clear_lru_flags(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { spin_unlock_irq(&lruvec->lru_lock); mem_cgroup_uncharge_folios(&free_folios);

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm/thp: fix deferred split unqueue naming and locking" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f8f931bba0f92052cf842b7e30917b1afcc77d5a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111118-stove-huddling-7076@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f8f931bba0f92052cf842b7e30917b1afcc77d5a Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Sun, 27 Oct 2024 13:02:13 -0700 Subject: [PATCH] mm/thp: fix deferred split unqueue naming and locking Recent changes are putting more pressure on THP deferred split queues: under load revealing long-standing races, causing list_del corruptions, "Bad page state"s and worse (I keep BUGs in both of those, so usually don't get to see how badly they end up without). The relevant recent changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin, improved swap allocation, and underused THP splitting. Before fixing locking: rename misleading folio_undo_large_rmappable(), which does not undo large_rmappable, to folio_unqueue_deferred_split(), which is what it does. But that and its out-of-line __callee are mm internals of very limited usability: add comment and WARN_ON_ONCEs to check usage; and return a bool to say if a deferred split was unqueued, which can then be used in WARN_ON_ONCEs around safety checks (sparing callers the arcane conditionals in __folio_unqueue_deferred_split()). Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all of whose callers now call it beforehand (and if any forget then bad_page() will tell) - except for its caller put_pages_list(), which itself no longer has any callers (and will be deleted separately). Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0 without checking and unqueueing a THP folio from deferred split list; which is unfortunate, since the split_queue_lock depends on the memcg (when memcg is enabled); so swapout has been unqueueing such THPs later, when freeing the folio, using the pgdat's lock instead: potentially corrupting the memcg's list. __remove_mapping() has frozen refcount to 0 here, so no problem with calling folio_unqueue_deferred_split() before resetting memcg_data. That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware"): which included a check on swapcache before adding to deferred queue, but no check on deferred queue before adding THP to swapcache. That worked fine with the usual sequence of events in reclaim (though there were a couple of rare ways in which a THP on deferred queue could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split underused THPs") avoids splitting underused THPs in reclaim, which makes swapcache THPs on deferred queue commonplace. Keep the check on swapcache before adding to deferred queue? Yes: it is no longer essential, but preserves the existing behaviour, and is likely to be a worthwhile optimization (vmstat showed much more traffic on the queue under swapping load if the check was removed); update its comment. Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing folio->memcg_data without checking and unqueueing a THP folio from the deferred list, sometimes corrupting "from" memcg's list, like swapout. Refcount is non-zero here, so folio_unqueue_deferred_split() can only be used in a WARN_ON_ONCE to validate the fix, which must be done earlier: mem_cgroup_move_charge_pte_range() first try to split the THP (splitting of course unqueues), or skip it if that fails. Not ideal, but moving charge has been requested, and khugepaged should repair the THP later: nobody wants new custom unqueueing code just for this deprecated case. The 87eaceb3faa5 commit did have the code to move from one deferred list to another (but was not conscious of its unsafety while refcount non-0); but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care deferred split queue in memcg charge move path"), which argued that the existence of a PMD mapping guarantees that the THP cannot be on a deferred list. As above, false in rare cases, and now commonly false. Backport to 6.11 should be straightforward. Earlier backports must take care that other _deferred_list fixes and dependencies are included. There is not a strong case for backports, but they can fix cornercases. Link: https://lkml.kernel.org/r/8dc111ae-f6db-2da7-b25c-7a20b1effe3b@google.com Fixes: 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware") Fixes: dafff3f4c850 ("mm: split underused THPs") Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Usama Arif <usamaarif642(a)gmail.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index a1d345f1680c..03fd4bc39ea1 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3588,10 +3588,27 @@ int split_folio_to_list(struct folio *folio, struct list_head *list) return split_huge_page_to_list_to_order(&folio->page, list, ret); } -void __folio_undo_large_rmappable(struct folio *folio) +/* + * __folio_unqueue_deferred_split() is not to be called directly: + * the folio_unqueue_deferred_split() inline wrapper in mm/internal.h + * limits its calls to those folios which may have a _deferred_list for + * queueing THP splits, and that list is (racily observed to be) non-empty. + * + * It is unsafe to call folio_unqueue_deferred_split() until folio refcount is + * zero: because even when split_queue_lock is held, a non-empty _deferred_list + * might be in use on deferred_split_scan()'s unlocked on-stack list. + * + * If memory cgroups are enabled, split_queue_lock is in the mem_cgroup: it is + * therefore important to unqueue deferred split before changing folio memcg. + */ +bool __folio_unqueue_deferred_split(struct folio *folio) { struct deferred_split *ds_queue; unsigned long flags; + bool unqueued = false; + + WARN_ON_ONCE(folio_ref_count(folio)); + WARN_ON_ONCE(!mem_cgroup_disabled() && !folio_memcg(folio)); ds_queue = get_deferred_split_queue(folio); spin_lock_irqsave(&ds_queue->split_queue_lock, flags); @@ -3603,8 +3620,11 @@ void __folio_undo_large_rmappable(struct folio *folio) MTHP_STAT_NR_ANON_PARTIALLY_MAPPED, -1); } list_del_init(&folio->_deferred_list); + unqueued = true; } spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags); + + return unqueued; /* useful for debug warnings */ } /* partially_mapped=false won't clear PG_partially_mapped folio flag */ @@ -3627,14 +3647,11 @@ void deferred_split_folio(struct folio *folio, bool partially_mapped) return; /* - * The try_to_unmap() in page reclaim path might reach here too, - * this may cause a race condition to corrupt deferred split queue. - * And, if page reclaim is already handling the same folio, it is - * unnecessary to handle it again in shrinker. - * - * Check the swapcache flag to determine if the folio is being - * handled by page reclaim since THP swap would add the folio into - * swap cache before calling try_to_unmap(). + * Exclude swapcache: originally to avoid a corrupt deferred split + * queue. Nowadays that is fully prevented by mem_cgroup_swapout(); + * but if page reclaim is already handling the same folio, it is + * unnecessary to handle it again in the shrinker, so excluding + * swapcache here may still be a useful optimization. */ if (folio_test_swapcache(folio)) return; diff --git a/mm/internal.h b/mm/internal.h index 93083bbeeefa..16c1f3cd599e 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -639,11 +639,11 @@ static inline void folio_set_order(struct folio *folio, unsigned int order) #endif } -void __folio_undo_large_rmappable(struct folio *folio); -static inline void folio_undo_large_rmappable(struct folio *folio) +bool __folio_unqueue_deferred_split(struct folio *folio); +static inline bool folio_unqueue_deferred_split(struct folio *folio) { if (folio_order(folio) <= 1 || !folio_test_large_rmappable(folio)) - return; + return false; /* * At this point, there is no one trying to add the folio to @@ -651,9 +651,9 @@ static inline void folio_undo_large_rmappable(struct folio *folio) * to check without acquiring the split_queue_lock. */ if (data_race(list_empty(&folio->_deferred_list))) - return; + return false; - __folio_undo_large_rmappable(folio); + return __folio_unqueue_deferred_split(folio); } static inline struct folio *page_rmappable_folio(struct page *page) diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c index 81d8819f13cd..f8744f5630bb 100644 --- a/mm/memcontrol-v1.c +++ b/mm/memcontrol-v1.c @@ -848,6 +848,8 @@ static int mem_cgroup_move_account(struct folio *folio, css_get(&to->css); css_put(&from->css); + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = (unsigned long)to; __folio_memcg_unlock(from); @@ -1217,7 +1219,9 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, enum mc_target_type target_type; union mc_target target; struct folio *folio; + bool tried_split_before = false; +retry_pmd: ptl = pmd_trans_huge_lock(pmd, vma); if (ptl) { if (mc.precharge < HPAGE_PMD_NR) { @@ -1227,6 +1231,27 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, target_type = get_mctgt_type_thp(vma, addr, *pmd, &target); if (target_type == MC_TARGET_PAGE) { folio = target.folio; + /* + * Deferred split queue locking depends on memcg, + * and unqueue is unsafe unless folio refcount is 0: + * split or skip if on the queue? first try to split. + */ + if (!list_empty(&folio->_deferred_list)) { + spin_unlock(ptl); + if (!tried_split_before) + split_folio(folio); + folio_unlock(folio); + folio_put(folio); + if (tried_split_before) + return 0; + tried_split_before = true; + goto retry_pmd; + } + /* + * So long as that pmd lock is held, the folio cannot + * be racily added to the _deferred_list, because + * __folio_remove_rmap() will find !partially_mapped. + */ if (folio_isolate_lru(folio)) { if (!mem_cgroup_move_account(folio, true, mc.from, mc.to)) { diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 2703227cce88..06df2af97415 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4629,9 +4629,6 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) struct obj_cgroup *objcg; VM_BUG_ON_FOLIO(folio_test_lru(folio), folio); - VM_BUG_ON_FOLIO(folio_order(folio) > 1 && - !folio_test_hugetlb(folio) && - !list_empty(&folio->_deferred_list), folio); /* * Nobody should be changing or seriously looking at @@ -4678,6 +4675,7 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) ug->nr_memory += nr_pages; ug->pgpgout++; + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = 0; } @@ -4789,6 +4787,9 @@ void mem_cgroup_migrate(struct folio *old, struct folio *new) /* Transfer the charge and the css ref */ commit_charge(new, memcg); + + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(old)); old->memcg_data = 0; } @@ -4975,6 +4976,7 @@ void mem_cgroup_swapout(struct folio *folio, swp_entry_t entry) VM_BUG_ON_FOLIO(oldid, folio); mod_memcg_state(swap_memcg, MEMCG_SWAP, nr_entries); + folio_unqueue_deferred_split(folio); folio->memcg_data = 0; if (!mem_cgroup_is_root(memcg)) diff --git a/mm/migrate.c b/mm/migrate.c index fab84a776088..dfa24e41e8f9 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -490,7 +490,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, folio_test_large_rmappable(folio)) { if (!folio_ref_freeze(folio, expected_count)) return -EAGAIN; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); folio_ref_unfreeze(folio, expected_count); } @@ -515,7 +515,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, } /* Take off deferred split queue while frozen and memcg set */ - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); /* * Now we know that no one else is looking at the folio: diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 5e108ae755cc..8ad38cd5e574 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -2681,7 +2681,6 @@ void free_unref_folios(struct folio_batch *folios) unsigned long pfn = folio_pfn(folio); unsigned int order = folio_order(folio); - folio_undo_large_rmappable(folio); if (!free_pages_prepare(&folio->page, order)) continue; /* diff --git a/mm/swap.c b/mm/swap.c index 835bdf324b76..b8e3259ea2c4 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -121,7 +121,7 @@ void __folio_put(struct folio *folio) } page_cache_release(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); mem_cgroup_uncharge(folio); free_unref_page(&folio->page, folio_order(folio)); } @@ -988,7 +988,7 @@ void folios_put_refs(struct folio_batch *folios, unsigned int *refs) free_huge_folio(folio); continue; } - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); __page_cache_release(folio, &lruvec, &flags); if (j != i) diff --git a/mm/vmscan.c b/mm/vmscan.c index ddaaff67642e..28ba2b06fc7d 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1476,7 +1476,7 @@ static unsigned int shrink_folio_list(struct list_head *folio_list, */ nr_reclaimed += nr_pages; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { mem_cgroup_uncharge_folios(&free_folios); try_to_unmap_flush(); @@ -1864,7 +1864,7 @@ static unsigned int move_folios_to_lru(struct lruvec *lruvec, if (unlikely(folio_put_testzero(folio))) { __folio_clear_lru_flags(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { spin_unlock_irq(&lruvec->lru_lock); mem_cgroup_uncharge_folios(&free_folios);

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm/thp: fix deferred split unqueue naming and locking" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f8f931bba0f92052cf842b7e30917b1afcc77d5a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111110-silencer-chitchat-1dc6@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f8f931bba0f92052cf842b7e30917b1afcc77d5a Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Sun, 27 Oct 2024 13:02:13 -0700 Subject: [PATCH] mm/thp: fix deferred split unqueue naming and locking Recent changes are putting more pressure on THP deferred split queues: under load revealing long-standing races, causing list_del corruptions, "Bad page state"s and worse (I keep BUGs in both of those, so usually don't get to see how badly they end up without). The relevant recent changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin, improved swap allocation, and underused THP splitting. Before fixing locking: rename misleading folio_undo_large_rmappable(), which does not undo large_rmappable, to folio_unqueue_deferred_split(), which is what it does. But that and its out-of-line __callee are mm internals of very limited usability: add comment and WARN_ON_ONCEs to check usage; and return a bool to say if a deferred split was unqueued, which can then be used in WARN_ON_ONCEs around safety checks (sparing callers the arcane conditionals in __folio_unqueue_deferred_split()). Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all of whose callers now call it beforehand (and if any forget then bad_page() will tell) - except for its caller put_pages_list(), which itself no longer has any callers (and will be deleted separately). Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0 without checking and unqueueing a THP folio from deferred split list; which is unfortunate, since the split_queue_lock depends on the memcg (when memcg is enabled); so swapout has been unqueueing such THPs later, when freeing the folio, using the pgdat's lock instead: potentially corrupting the memcg's list. __remove_mapping() has frozen refcount to 0 here, so no problem with calling folio_unqueue_deferred_split() before resetting memcg_data. That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware"): which included a check on swapcache before adding to deferred queue, but no check on deferred queue before adding THP to swapcache. That worked fine with the usual sequence of events in reclaim (though there were a couple of rare ways in which a THP on deferred queue could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split underused THPs") avoids splitting underused THPs in reclaim, which makes swapcache THPs on deferred queue commonplace. Keep the check on swapcache before adding to deferred queue? Yes: it is no longer essential, but preserves the existing behaviour, and is likely to be a worthwhile optimization (vmstat showed much more traffic on the queue under swapping load if the check was removed); update its comment. Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing folio->memcg_data without checking and unqueueing a THP folio from the deferred list, sometimes corrupting "from" memcg's list, like swapout. Refcount is non-zero here, so folio_unqueue_deferred_split() can only be used in a WARN_ON_ONCE to validate the fix, which must be done earlier: mem_cgroup_move_charge_pte_range() first try to split the THP (splitting of course unqueues), or skip it if that fails. Not ideal, but moving charge has been requested, and khugepaged should repair the THP later: nobody wants new custom unqueueing code just for this deprecated case. The 87eaceb3faa5 commit did have the code to move from one deferred list to another (but was not conscious of its unsafety while refcount non-0); but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care deferred split queue in memcg charge move path"), which argued that the existence of a PMD mapping guarantees that the THP cannot be on a deferred list. As above, false in rare cases, and now commonly false. Backport to 6.11 should be straightforward. Earlier backports must take care that other _deferred_list fixes and dependencies are included. There is not a strong case for backports, but they can fix cornercases. Link: https://lkml.kernel.org/r/8dc111ae-f6db-2da7-b25c-7a20b1effe3b@google.com Fixes: 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware") Fixes: dafff3f4c850 ("mm: split underused THPs") Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Usama Arif <usamaarif642(a)gmail.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index a1d345f1680c..03fd4bc39ea1 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3588,10 +3588,27 @@ int split_folio_to_list(struct folio *folio, struct list_head *list) return split_huge_page_to_list_to_order(&folio->page, list, ret); } -void __folio_undo_large_rmappable(struct folio *folio) +/* + * __folio_unqueue_deferred_split() is not to be called directly: + * the folio_unqueue_deferred_split() inline wrapper in mm/internal.h + * limits its calls to those folios which may have a _deferred_list for + * queueing THP splits, and that list is (racily observed to be) non-empty. + * + * It is unsafe to call folio_unqueue_deferred_split() until folio refcount is + * zero: because even when split_queue_lock is held, a non-empty _deferred_list + * might be in use on deferred_split_scan()'s unlocked on-stack list. + * + * If memory cgroups are enabled, split_queue_lock is in the mem_cgroup: it is + * therefore important to unqueue deferred split before changing folio memcg. + */ +bool __folio_unqueue_deferred_split(struct folio *folio) { struct deferred_split *ds_queue; unsigned long flags; + bool unqueued = false; + + WARN_ON_ONCE(folio_ref_count(folio)); + WARN_ON_ONCE(!mem_cgroup_disabled() && !folio_memcg(folio)); ds_queue = get_deferred_split_queue(folio); spin_lock_irqsave(&ds_queue->split_queue_lock, flags); @@ -3603,8 +3620,11 @@ void __folio_undo_large_rmappable(struct folio *folio) MTHP_STAT_NR_ANON_PARTIALLY_MAPPED, -1); } list_del_init(&folio->_deferred_list); + unqueued = true; } spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags); + + return unqueued; /* useful for debug warnings */ } /* partially_mapped=false won't clear PG_partially_mapped folio flag */ @@ -3627,14 +3647,11 @@ void deferred_split_folio(struct folio *folio, bool partially_mapped) return; /* - * The try_to_unmap() in page reclaim path might reach here too, - * this may cause a race condition to corrupt deferred split queue. - * And, if page reclaim is already handling the same folio, it is - * unnecessary to handle it again in shrinker. - * - * Check the swapcache flag to determine if the folio is being - * handled by page reclaim since THP swap would add the folio into - * swap cache before calling try_to_unmap(). + * Exclude swapcache: originally to avoid a corrupt deferred split + * queue. Nowadays that is fully prevented by mem_cgroup_swapout(); + * but if page reclaim is already handling the same folio, it is + * unnecessary to handle it again in the shrinker, so excluding + * swapcache here may still be a useful optimization. */ if (folio_test_swapcache(folio)) return; diff --git a/mm/internal.h b/mm/internal.h index 93083bbeeefa..16c1f3cd599e 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -639,11 +639,11 @@ static inline void folio_set_order(struct folio *folio, unsigned int order) #endif } -void __folio_undo_large_rmappable(struct folio *folio); -static inline void folio_undo_large_rmappable(struct folio *folio) +bool __folio_unqueue_deferred_split(struct folio *folio); +static inline bool folio_unqueue_deferred_split(struct folio *folio) { if (folio_order(folio) <= 1 || !folio_test_large_rmappable(folio)) - return; + return false; /* * At this point, there is no one trying to add the folio to @@ -651,9 +651,9 @@ static inline void folio_undo_large_rmappable(struct folio *folio) * to check without acquiring the split_queue_lock. */ if (data_race(list_empty(&folio->_deferred_list))) - return; + return false; - __folio_undo_large_rmappable(folio); + return __folio_unqueue_deferred_split(folio); } static inline struct folio *page_rmappable_folio(struct page *page) diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c index 81d8819f13cd..f8744f5630bb 100644 --- a/mm/memcontrol-v1.c +++ b/mm/memcontrol-v1.c @@ -848,6 +848,8 @@ static int mem_cgroup_move_account(struct folio *folio, css_get(&to->css); css_put(&from->css); + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = (unsigned long)to; __folio_memcg_unlock(from); @@ -1217,7 +1219,9 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, enum mc_target_type target_type; union mc_target target; struct folio *folio; + bool tried_split_before = false; +retry_pmd: ptl = pmd_trans_huge_lock(pmd, vma); if (ptl) { if (mc.precharge < HPAGE_PMD_NR) { @@ -1227,6 +1231,27 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, target_type = get_mctgt_type_thp(vma, addr, *pmd, &target); if (target_type == MC_TARGET_PAGE) { folio = target.folio; + /* + * Deferred split queue locking depends on memcg, + * and unqueue is unsafe unless folio refcount is 0: + * split or skip if on the queue? first try to split. + */ + if (!list_empty(&folio->_deferred_list)) { + spin_unlock(ptl); + if (!tried_split_before) + split_folio(folio); + folio_unlock(folio); + folio_put(folio); + if (tried_split_before) + return 0; + tried_split_before = true; + goto retry_pmd; + } + /* + * So long as that pmd lock is held, the folio cannot + * be racily added to the _deferred_list, because + * __folio_remove_rmap() will find !partially_mapped. + */ if (folio_isolate_lru(folio)) { if (!mem_cgroup_move_account(folio, true, mc.from, mc.to)) { diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 2703227cce88..06df2af97415 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4629,9 +4629,6 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) struct obj_cgroup *objcg; VM_BUG_ON_FOLIO(folio_test_lru(folio), folio); - VM_BUG_ON_FOLIO(folio_order(folio) > 1 && - !folio_test_hugetlb(folio) && - !list_empty(&folio->_deferred_list), folio); /* * Nobody should be changing or seriously looking at @@ -4678,6 +4675,7 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) ug->nr_memory += nr_pages; ug->pgpgout++; + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = 0; } @@ -4789,6 +4787,9 @@ void mem_cgroup_migrate(struct folio *old, struct folio *new) /* Transfer the charge and the css ref */ commit_charge(new, memcg); + + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(old)); old->memcg_data = 0; } @@ -4975,6 +4976,7 @@ void mem_cgroup_swapout(struct folio *folio, swp_entry_t entry) VM_BUG_ON_FOLIO(oldid, folio); mod_memcg_state(swap_memcg, MEMCG_SWAP, nr_entries); + folio_unqueue_deferred_split(folio); folio->memcg_data = 0; if (!mem_cgroup_is_root(memcg)) diff --git a/mm/migrate.c b/mm/migrate.c index fab84a776088..dfa24e41e8f9 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -490,7 +490,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, folio_test_large_rmappable(folio)) { if (!folio_ref_freeze(folio, expected_count)) return -EAGAIN; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); folio_ref_unfreeze(folio, expected_count); } @@ -515,7 +515,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, } /* Take off deferred split queue while frozen and memcg set */ - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); /* * Now we know that no one else is looking at the folio: diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 5e108ae755cc..8ad38cd5e574 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -2681,7 +2681,6 @@ void free_unref_folios(struct folio_batch *folios) unsigned long pfn = folio_pfn(folio); unsigned int order = folio_order(folio); - folio_undo_large_rmappable(folio); if (!free_pages_prepare(&folio->page, order)) continue; /* diff --git a/mm/swap.c b/mm/swap.c index 835bdf324b76..b8e3259ea2c4 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -121,7 +121,7 @@ void __folio_put(struct folio *folio) } page_cache_release(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); mem_cgroup_uncharge(folio); free_unref_page(&folio->page, folio_order(folio)); } @@ -988,7 +988,7 @@ void folios_put_refs(struct folio_batch *folios, unsigned int *refs) free_huge_folio(folio); continue; } - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); __page_cache_release(folio, &lruvec, &flags); if (j != i) diff --git a/mm/vmscan.c b/mm/vmscan.c index ddaaff67642e..28ba2b06fc7d 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1476,7 +1476,7 @@ static unsigned int shrink_folio_list(struct list_head *folio_list, */ nr_reclaimed += nr_pages; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { mem_cgroup_uncharge_folios(&free_folios); try_to_unmap_flush(); @@ -1864,7 +1864,7 @@ static unsigned int move_folios_to_lru(struct lruvec *lruvec, if (unlikely(folio_put_testzero(folio))) { __folio_clear_lru_flags(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { spin_unlock_irq(&lruvec->lru_lock); mem_cgroup_uncharge_folios(&free_folios);

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm/thp: fix deferred split unqueue naming and locking" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f8f931bba0f92052cf842b7e30917b1afcc77d5a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111108-kangaroo-press-8c50@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f8f931bba0f92052cf842b7e30917b1afcc77d5a Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Sun, 27 Oct 2024 13:02:13 -0700 Subject: [PATCH] mm/thp: fix deferred split unqueue naming and locking Recent changes are putting more pressure on THP deferred split queues: under load revealing long-standing races, causing list_del corruptions, "Bad page state"s and worse (I keep BUGs in both of those, so usually don't get to see how badly they end up without). The relevant recent changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin, improved swap allocation, and underused THP splitting. Before fixing locking: rename misleading folio_undo_large_rmappable(), which does not undo large_rmappable, to folio_unqueue_deferred_split(), which is what it does. But that and its out-of-line __callee are mm internals of very limited usability: add comment and WARN_ON_ONCEs to check usage; and return a bool to say if a deferred split was unqueued, which can then be used in WARN_ON_ONCEs around safety checks (sparing callers the arcane conditionals in __folio_unqueue_deferred_split()). Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all of whose callers now call it beforehand (and if any forget then bad_page() will tell) - except for its caller put_pages_list(), which itself no longer has any callers (and will be deleted separately). Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0 without checking and unqueueing a THP folio from deferred split list; which is unfortunate, since the split_queue_lock depends on the memcg (when memcg is enabled); so swapout has been unqueueing such THPs later, when freeing the folio, using the pgdat's lock instead: potentially corrupting the memcg's list. __remove_mapping() has frozen refcount to 0 here, so no problem with calling folio_unqueue_deferred_split() before resetting memcg_data. That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware"): which included a check on swapcache before adding to deferred queue, but no check on deferred queue before adding THP to swapcache. That worked fine with the usual sequence of events in reclaim (though there were a couple of rare ways in which a THP on deferred queue could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split underused THPs") avoids splitting underused THPs in reclaim, which makes swapcache THPs on deferred queue commonplace. Keep the check on swapcache before adding to deferred queue? Yes: it is no longer essential, but preserves the existing behaviour, and is likely to be a worthwhile optimization (vmstat showed much more traffic on the queue under swapping load if the check was removed); update its comment. Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing folio->memcg_data without checking and unqueueing a THP folio from the deferred list, sometimes corrupting "from" memcg's list, like swapout. Refcount is non-zero here, so folio_unqueue_deferred_split() can only be used in a WARN_ON_ONCE to validate the fix, which must be done earlier: mem_cgroup_move_charge_pte_range() first try to split the THP (splitting of course unqueues), or skip it if that fails. Not ideal, but moving charge has been requested, and khugepaged should repair the THP later: nobody wants new custom unqueueing code just for this deprecated case. The 87eaceb3faa5 commit did have the code to move from one deferred list to another (but was not conscious of its unsafety while refcount non-0); but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care deferred split queue in memcg charge move path"), which argued that the existence of a PMD mapping guarantees that the THP cannot be on a deferred list. As above, false in rare cases, and now commonly false. Backport to 6.11 should be straightforward. Earlier backports must take care that other _deferred_list fixes and dependencies are included. There is not a strong case for backports, but they can fix cornercases. Link: https://lkml.kernel.org/r/8dc111ae-f6db-2da7-b25c-7a20b1effe3b@google.com Fixes: 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware") Fixes: dafff3f4c850 ("mm: split underused THPs") Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: Usama Arif <usamaarif642(a)gmail.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index a1d345f1680c..03fd4bc39ea1 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3588,10 +3588,27 @@ int split_folio_to_list(struct folio *folio, struct list_head *list) return split_huge_page_to_list_to_order(&folio->page, list, ret); } -void __folio_undo_large_rmappable(struct folio *folio) +/* + * __folio_unqueue_deferred_split() is not to be called directly: + * the folio_unqueue_deferred_split() inline wrapper in mm/internal.h + * limits its calls to those folios which may have a _deferred_list for + * queueing THP splits, and that list is (racily observed to be) non-empty. + * + * It is unsafe to call folio_unqueue_deferred_split() until folio refcount is + * zero: because even when split_queue_lock is held, a non-empty _deferred_list + * might be in use on deferred_split_scan()'s unlocked on-stack list. + * + * If memory cgroups are enabled, split_queue_lock is in the mem_cgroup: it is + * therefore important to unqueue deferred split before changing folio memcg. + */ +bool __folio_unqueue_deferred_split(struct folio *folio) { struct deferred_split *ds_queue; unsigned long flags; + bool unqueued = false; + + WARN_ON_ONCE(folio_ref_count(folio)); + WARN_ON_ONCE(!mem_cgroup_disabled() && !folio_memcg(folio)); ds_queue = get_deferred_split_queue(folio); spin_lock_irqsave(&ds_queue->split_queue_lock, flags); @@ -3603,8 +3620,11 @@ void __folio_undo_large_rmappable(struct folio *folio) MTHP_STAT_NR_ANON_PARTIALLY_MAPPED, -1); } list_del_init(&folio->_deferred_list); + unqueued = true; } spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags); + + return unqueued; /* useful for debug warnings */ } /* partially_mapped=false won't clear PG_partially_mapped folio flag */ @@ -3627,14 +3647,11 @@ void deferred_split_folio(struct folio *folio, bool partially_mapped) return; /* - * The try_to_unmap() in page reclaim path might reach here too, - * this may cause a race condition to corrupt deferred split queue. - * And, if page reclaim is already handling the same folio, it is - * unnecessary to handle it again in shrinker. - * - * Check the swapcache flag to determine if the folio is being - * handled by page reclaim since THP swap would add the folio into - * swap cache before calling try_to_unmap(). + * Exclude swapcache: originally to avoid a corrupt deferred split + * queue. Nowadays that is fully prevented by mem_cgroup_swapout(); + * but if page reclaim is already handling the same folio, it is + * unnecessary to handle it again in the shrinker, so excluding + * swapcache here may still be a useful optimization. */ if (folio_test_swapcache(folio)) return; diff --git a/mm/internal.h b/mm/internal.h index 93083bbeeefa..16c1f3cd599e 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -639,11 +639,11 @@ static inline void folio_set_order(struct folio *folio, unsigned int order) #endif } -void __folio_undo_large_rmappable(struct folio *folio); -static inline void folio_undo_large_rmappable(struct folio *folio) +bool __folio_unqueue_deferred_split(struct folio *folio); +static inline bool folio_unqueue_deferred_split(struct folio *folio) { if (folio_order(folio) <= 1 || !folio_test_large_rmappable(folio)) - return; + return false; /* * At this point, there is no one trying to add the folio to @@ -651,9 +651,9 @@ static inline void folio_undo_large_rmappable(struct folio *folio) * to check without acquiring the split_queue_lock. */ if (data_race(list_empty(&folio->_deferred_list))) - return; + return false; - __folio_undo_large_rmappable(folio); + return __folio_unqueue_deferred_split(folio); } static inline struct folio *page_rmappable_folio(struct page *page) diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c index 81d8819f13cd..f8744f5630bb 100644 --- a/mm/memcontrol-v1.c +++ b/mm/memcontrol-v1.c @@ -848,6 +848,8 @@ static int mem_cgroup_move_account(struct folio *folio, css_get(&to->css); css_put(&from->css); + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = (unsigned long)to; __folio_memcg_unlock(from); @@ -1217,7 +1219,9 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, enum mc_target_type target_type; union mc_target target; struct folio *folio; + bool tried_split_before = false; +retry_pmd: ptl = pmd_trans_huge_lock(pmd, vma); if (ptl) { if (mc.precharge < HPAGE_PMD_NR) { @@ -1227,6 +1231,27 @@ static int mem_cgroup_move_charge_pte_range(pmd_t *pmd, target_type = get_mctgt_type_thp(vma, addr, *pmd, &target); if (target_type == MC_TARGET_PAGE) { folio = target.folio; + /* + * Deferred split queue locking depends on memcg, + * and unqueue is unsafe unless folio refcount is 0: + * split or skip if on the queue? first try to split. + */ + if (!list_empty(&folio->_deferred_list)) { + spin_unlock(ptl); + if (!tried_split_before) + split_folio(folio); + folio_unlock(folio); + folio_put(folio); + if (tried_split_before) + return 0; + tried_split_before = true; + goto retry_pmd; + } + /* + * So long as that pmd lock is held, the folio cannot + * be racily added to the _deferred_list, because + * __folio_remove_rmap() will find !partially_mapped. + */ if (folio_isolate_lru(folio)) { if (!mem_cgroup_move_account(folio, true, mc.from, mc.to)) { diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 2703227cce88..06df2af97415 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4629,9 +4629,6 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) struct obj_cgroup *objcg; VM_BUG_ON_FOLIO(folio_test_lru(folio), folio); - VM_BUG_ON_FOLIO(folio_order(folio) > 1 && - !folio_test_hugetlb(folio) && - !list_empty(&folio->_deferred_list), folio); /* * Nobody should be changing or seriously looking at @@ -4678,6 +4675,7 @@ static void uncharge_folio(struct folio *folio, struct uncharge_gather *ug) ug->nr_memory += nr_pages; ug->pgpgout++; + WARN_ON_ONCE(folio_unqueue_deferred_split(folio)); folio->memcg_data = 0; } @@ -4789,6 +4787,9 @@ void mem_cgroup_migrate(struct folio *old, struct folio *new) /* Transfer the charge and the css ref */ commit_charge(new, memcg); + + /* Warning should never happen, so don't worry about refcount non-0 */ + WARN_ON_ONCE(folio_unqueue_deferred_split(old)); old->memcg_data = 0; } @@ -4975,6 +4976,7 @@ void mem_cgroup_swapout(struct folio *folio, swp_entry_t entry) VM_BUG_ON_FOLIO(oldid, folio); mod_memcg_state(swap_memcg, MEMCG_SWAP, nr_entries); + folio_unqueue_deferred_split(folio); folio->memcg_data = 0; if (!mem_cgroup_is_root(memcg)) diff --git a/mm/migrate.c b/mm/migrate.c index fab84a776088..dfa24e41e8f9 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -490,7 +490,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, folio_test_large_rmappable(folio)) { if (!folio_ref_freeze(folio, expected_count)) return -EAGAIN; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); folio_ref_unfreeze(folio, expected_count); } @@ -515,7 +515,7 @@ static int __folio_migrate_mapping(struct address_space *mapping, } /* Take off deferred split queue while frozen and memcg set */ - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); /* * Now we know that no one else is looking at the folio: diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 5e108ae755cc..8ad38cd5e574 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -2681,7 +2681,6 @@ void free_unref_folios(struct folio_batch *folios) unsigned long pfn = folio_pfn(folio); unsigned int order = folio_order(folio); - folio_undo_large_rmappable(folio); if (!free_pages_prepare(&folio->page, order)) continue; /* diff --git a/mm/swap.c b/mm/swap.c index 835bdf324b76..b8e3259ea2c4 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -121,7 +121,7 @@ void __folio_put(struct folio *folio) } page_cache_release(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); mem_cgroup_uncharge(folio); free_unref_page(&folio->page, folio_order(folio)); } @@ -988,7 +988,7 @@ void folios_put_refs(struct folio_batch *folios, unsigned int *refs) free_huge_folio(folio); continue; } - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); __page_cache_release(folio, &lruvec, &flags); if (j != i) diff --git a/mm/vmscan.c b/mm/vmscan.c index ddaaff67642e..28ba2b06fc7d 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1476,7 +1476,7 @@ static unsigned int shrink_folio_list(struct list_head *folio_list, */ nr_reclaimed += nr_pages; - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { mem_cgroup_uncharge_folios(&free_folios); try_to_unmap_flush(); @@ -1864,7 +1864,7 @@ static unsigned int move_folios_to_lru(struct lruvec *lruvec, if (unlikely(folio_put_testzero(folio))) { __folio_clear_lru_flags(folio); - folio_undo_large_rmappable(folio); + folio_unqueue_deferred_split(folio); if (folio_batch_add(&free_folios, folio) == 0) { spin_unlock_irq(&lruvec->lru_lock); mem_cgroup_uncharge_folios(&free_folios);

7 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] signal: restore the override_rlimit logic" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111159-repaying-whole-1063@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed Mon Sep 17 00:00:00 2001 From: Roman Gushchin <roman.gushchin(a)linux.dev> Date: Mon, 4 Nov 2024 19:54:19 +0000 Subject: [PATCH] signal: restore the override_rlimit logic Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of signals. However now it's enforced unconditionally, even if override_rlimit is set. This behavior change caused production issues. For example, if the limit is reached and a process receives a SIGSEGV signal, sigqueue_alloc fails to allocate the necessary resources for the signal delivery, preventing the signal from being delivered with siginfo. This prevents the process from correctly identifying the fault address and handling the error. From the user-space perspective, applications are unaware that the limit has been reached and that the siginfo is effectively 'corrupted'. This can lead to unpredictable behavior and crashes, as we observed with java applications. Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip the comparison to max there if override_rlimit is set. This effectively restores the old behavior. Link: https://lkml.kernel.org/r/20241104195419.3962584-1-roman.gushchin@linux.dev Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Co-developed-by: Andrei Vagin <avagin(a)google.com> Signed-off-by: Andrei Vagin <avagin(a)google.com> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Acked-by: Alexey Gladkov <legion(a)kernel.org> Cc: Kees Cook <kees(a)kernel.org> Cc: "Eric W. Biederman" <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index 3625096d5f85..7183e5aca282 100644 --- a/include/linux/user_namespace.h +++ b/include/linux/user_namespace.h @@ -141,7 +141,8 @@ static inline long get_rlimit_value(struct ucounts *ucounts, enum rlimit_type ty long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); -long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type); +long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, + bool override_rlimit); void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type); bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max); diff --git a/kernel/signal.c b/kernel/signal.c index 4344860ffcac..cbabb2d05e0a 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -419,7 +419,8 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t gfp_flags, */ rcu_read_lock(); ucounts = task_ucounts(t); - sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING); + sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, + override_rlimit); rcu_read_unlock(); if (!sigpending) return NULL; diff --git a/kernel/ucount.c b/kernel/ucount.c index 9469102c5ac0..696406939be5 100644 --- a/kernel/ucount.c +++ b/kernel/ucount.c @@ -307,7 +307,8 @@ void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type) do_dec_rlimit_put_ucounts(ucounts, NULL, type); } -long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type) +long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, + bool override_rlimit) { /* Caller must hold a reference to ucounts */ struct ucounts *iter; @@ -320,7 +321,8 @@ long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type) goto dec_unwind; if (iter == ucounts) ret = new; - max = get_userns_rlimit_max(iter->ns, type); + if (!override_rlimit) + max = get_userns_rlimit_max(iter->ns, type); /* * Grab an extra ucount reference for the caller when * the rlimit count was previously 0.

7 months, 1 week

1
0
0 0

[PATCH v2 06/25] ASoC: sh: rz-ssi: Terminate all the DMA transactions

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> In case of full duplex the 1st closed stream doesn't benefit from the dmaengine_terminate_async(). Call it after the companion stream is closed. Fixes: 26ac471c5354 ("ASoC: sh: rz-ssi: Add SSI DMAC support") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- Changes in v2: - none sound/soc/renesas/rz-ssi.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sound/soc/renesas/rz-ssi.c b/sound/soc/renesas/rz-ssi.c index 6efd017aaa7f..2d8721156099 100644 --- a/sound/soc/renesas/rz-ssi.c +++ b/sound/soc/renesas/rz-ssi.c @@ -415,8 +415,12 @@ static int rz_ssi_stop(struct rz_ssi_priv *ssi, struct rz_ssi_stream *strm) rz_ssi_reg_mask_setl(ssi, SSICR, SSICR_TEN | SSICR_REN, 0); /* Cancel all remaining DMA transactions */ - if (rz_ssi_is_dma_enabled(ssi)) - dmaengine_terminate_async(strm->dma_ch); + if (rz_ssi_is_dma_enabled(ssi)) { + if (ssi->playback.dma_ch) + dmaengine_terminate_async(ssi->playback.dma_ch); + if (ssi->capture.dma_ch) + dmaengine_terminate_async(ssi->capture.dma_ch); + } rz_ssi_set_idle(ssi); -- 2.39.2

7 months, 1 week

4
4
0 0

[PATCH v2] drm/xe: improve hibernation on igpu

by Matthew Auld

The GGTT looks to be stored inside stolen memory on igpu which is not treated as normal RAM. The core kernel skips this memory range when creating the hibernation image, therefore when coming back from hibernation the GGTT programming is lost. This seems to cause issues with broken resume where GuC FW fails to load: [drm] *ERROR* GT0: load failed: status = 0x400000A0, time = 10ms, freq = 1250MHz (req 1300MHz), done = -1 [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01 [drm] *ERROR* GT0: firmware signature verification failed [drm] *ERROR* CRITICAL: Xe has declared device 0000:00:02.0 as wedged. Current GGTT users are kernel internal and tracked as pinned, so it should be possible to hook into the existing save/restore logic that we use for dgpu, where the actual evict is skipped but on restore we importantly restore the GGTT programming. This has been confirmed to fix hibernation on at least ADL and MTL, though likely all igpu platforms are affected. This also means we have a hole in our testing, where the existing s4 tests only really test the driver hooks, and don't go as far as actually rebooting and restoring from the hibernation image and in turn powering down RAM (and therefore losing the contents of stolen). v2 (Brost) - Remove extra newline and drop unnecessary parentheses. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3275 Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Matthew Brost <matthew.brost(a)intel.com> --- drivers/gpu/drm/xe/xe_bo.c | 37 ++++++++++++++------------------ drivers/gpu/drm/xe/xe_bo_evict.c | 6 ------ 2 files changed, 16 insertions(+), 27 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c index 8286cbc23721..549866da5cd1 100644 --- a/drivers/gpu/drm/xe/xe_bo.c +++ b/drivers/gpu/drm/xe/xe_bo.c @@ -952,7 +952,10 @@ int xe_bo_restore_pinned(struct xe_bo *bo) if (WARN_ON(!xe_bo_is_pinned(bo))) return -EINVAL; - if (WARN_ON(xe_bo_is_vram(bo) || !bo->ttm.ttm)) + if (WARN_ON(xe_bo_is_vram(bo))) + return -EINVAL; + + if (WARN_ON(!bo->ttm.ttm && !xe_bo_is_stolen(bo))) return -EINVAL; if (!mem_type_is_vram(place->mem_type)) @@ -1774,6 +1777,7 @@ int xe_bo_pin_external(struct xe_bo *bo) int xe_bo_pin(struct xe_bo *bo) { + struct ttm_place *place = &bo->placements[0]; struct xe_device *xe = xe_bo_device(bo); int err; @@ -1804,8 +1808,6 @@ int xe_bo_pin(struct xe_bo *bo) */ if (IS_DGFX(xe) && !(IS_ENABLED(CONFIG_DRM_XE_DEBUG) && bo->flags & XE_BO_FLAG_INTERNAL_TEST)) { - struct ttm_place *place = &(bo->placements[0]); - if (mem_type_is_vram(place->mem_type)) { xe_assert(xe, place->flags & TTM_PL_FLAG_CONTIGUOUS); @@ -1813,13 +1815,12 @@ int xe_bo_pin(struct xe_bo *bo) vram_region_gpu_offset(bo->ttm.resource)) >> PAGE_SHIFT; place->lpfn = place->fpfn + (bo->size >> PAGE_SHIFT); } + } - if (mem_type_is_vram(place->mem_type) || - bo->flags & XE_BO_FLAG_GGTT) { - spin_lock(&xe->pinned.lock); - list_add_tail(&bo->pinned_link, &xe->pinned.kernel_bo_present); - spin_unlock(&xe->pinned.lock); - } + if (mem_type_is_vram(place->mem_type) || bo->flags & XE_BO_FLAG_GGTT) { + spin_lock(&xe->pinned.lock); + list_add_tail(&bo->pinned_link, &xe->pinned.kernel_bo_present); + spin_unlock(&xe->pinned.lock); } ttm_bo_pin(&bo->ttm); @@ -1867,24 +1868,18 @@ void xe_bo_unpin_external(struct xe_bo *bo) void xe_bo_unpin(struct xe_bo *bo) { + struct ttm_place *place = &bo->placements[0]; struct xe_device *xe = xe_bo_device(bo); xe_assert(xe, !bo->ttm.base.import_attach); xe_assert(xe, xe_bo_is_pinned(bo)); - if (IS_DGFX(xe) && !(IS_ENABLED(CONFIG_DRM_XE_DEBUG) && - bo->flags & XE_BO_FLAG_INTERNAL_TEST)) { - struct ttm_place *place = &(bo->placements[0]); - - if (mem_type_is_vram(place->mem_type) || - bo->flags & XE_BO_FLAG_GGTT) { - spin_lock(&xe->pinned.lock); - xe_assert(xe, !list_empty(&bo->pinned_link)); - list_del_init(&bo->pinned_link); - spin_unlock(&xe->pinned.lock); - } + if (mem_type_is_vram(place->mem_type) || bo->flags & XE_BO_FLAG_GGTT) { + spin_lock(&xe->pinned.lock); + xe_assert(xe, !list_empty(&bo->pinned_link)); + list_del_init(&bo->pinned_link); + spin_unlock(&xe->pinned.lock); } - ttm_bo_unpin(&bo->ttm); } diff --git a/drivers/gpu/drm/xe/xe_bo_evict.c b/drivers/gpu/drm/xe/xe_bo_evict.c index 32043e1e5a86..b01bc20eb90b 100644 --- a/drivers/gpu/drm/xe/xe_bo_evict.c +++ b/drivers/gpu/drm/xe/xe_bo_evict.c @@ -34,9 +34,6 @@ int xe_bo_evict_all(struct xe_device *xe) u8 id; int ret; - if (!IS_DGFX(xe)) - return 0; - /* User memory */ for (mem_type = XE_PL_VRAM0; mem_type <= XE_PL_VRAM1; ++mem_type) { struct ttm_resource_manager *man = @@ -125,9 +122,6 @@ int xe_bo_restore_kernel(struct xe_device *xe) struct xe_bo *bo; int ret; - if (!IS_DGFX(xe)) - return 0; - spin_lock(&xe->pinned.lock); for (;;) { bo = list_first_entry_or_null(&xe->pinned.evicted, -- 2.47.0

7 months, 1 week

4
10
0 0

[PATCH v3 0/3] Fix bugs in qla2xxx driver

by Anastasia Kovaleva

This series of patches contains 3 separate changes that fix some bugs in the qla2xxx driver. --- v3: - Fix build issue in patch 1 v2: - Change a spinlock wrap to a WRITE_ONCE() in patch 1 - Add Reviewed-by tags on patches 2 and 3 --- Anastasia Kovaleva (3): scsi: qla2xxx: Drop starvation counter on success scsi: qla2xxx: Make target send correct LOGO scsi: qla2xxx: Remove incorrect trap drivers/scsi/qla2xxx/qla_iocb.c | 11 +++++++++++ drivers/scsi/qla2xxx/qla_isr.c | 4 ++++ drivers/scsi/qla2xxx/qla_target.c | 16 +++++++--------- 3 files changed, 22 insertions(+), 9 deletions(-) -- 2.40.1

7 months, 1 week

2
6
0 0

[PATCH v2 0/2] usb: typec: ucsi: glink: fix and improve orientation handling

by Dmitry Baryshkov

Fix an off-by-one issue which resulted in USB-C connector #2 orientation being reported as unknown. While we are at it, correct the way we set orientation_aware flag for the USB-C connectors. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> --- Changes in v2: - Added cc:stable to the first patch (Greg's bot) - Expanded the commit message for the second patch. - Link to v1: https://lore.kernel.org/r/20241106-ucsi-glue-fixes-v1-0-d0183d78c522@linaro… --- Dmitry Baryshkov (2): usb: typec: ucsi: glink: fix off-by-one in connector_status usb: typec: ucsi: glink: be more precise on orientation-aware ports drivers/usb/typec/ucsi/ucsi_glink.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- base-commit: 0a2598971f04649933bd38f5db241b3bf23c04ec change-id: 20241106-ucsi-glue-fixes-a20e2b2a0e3a Best regards, -- Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>

7 months, 1 week

2
2
0 0

[PATCH 3/6] arm64/kvm: Configure HYP TCR.PS/DS based on host stage1

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> When the host stage1 is configured for LPA2, the value currently being programmed into TCR_EL2.T0SZ may be invalid unless LPA2 is configured at HYP as well. This means kvm_lpa2_is_enabled() is not the right condition to test when setting TCR_EL2.DS, as it will return false if LPA2 is only available for stage 1 but not for stage 2. Similary, programming TCR_EL2.PS based on a limited IPA range due to lack of stage2 LPA2 support could potentially result in problems. So use lpa2_is_enabled() instead, and set the PS field according to the host's IPS, which is capped at 48 bits if LPA2 support is absent or disabled. Whether or not we can make meaningful use of such a configuration is a different question. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- arch/arm64/kvm/arm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index a0d01c46e408..1d20d86bb9f5 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -2005,8 +2005,7 @@ static int kvm_init_vector_slots(void) static void __init cpu_prepare_hyp_mode(int cpu, u32 hyp_va_bits) { struct kvm_nvhe_init_params *params = per_cpu_ptr_nvhe_sym(kvm_init_params, cpu); - u64 mmfr0 = read_sanitised_ftr_reg(SYS_ID_AA64MMFR0_EL1); - unsigned long tcr; + unsigned long tcr, ips; /* * Calculate the raw per-cpu offset without a translation from the @@ -2020,6 +2019,7 @@ static void __init cpu_prepare_hyp_mode(int cpu, u32 hyp_va_bits) params->mair_el2 = read_sysreg(mair_el1); tcr = read_sysreg(tcr_el1); + ips = FIELD_GET(TCR_IPS_MASK, tcr); if (cpus_have_final_cap(ARM64_KVM_HVHE)) { tcr |= TCR_EPD1_MASK; } else { @@ -2029,8 +2029,8 @@ static void __init cpu_prepare_hyp_mode(int cpu, u32 hyp_va_bits) tcr &= ~TCR_T0SZ_MASK; tcr |= TCR_T0SZ(hyp_va_bits); tcr &= ~TCR_EL2_PS_MASK; - tcr |= FIELD_PREP(TCR_EL2_PS_MASK, kvm_get_parange(mmfr0)); - if (kvm_lpa2_is_enabled()) + tcr |= FIELD_PREP(TCR_EL2_PS_MASK, ips); + if (lpa2_is_enabled()) tcr |= TCR_EL2_DS; params->tcr_el2 = tcr; -- 2.47.0.277.g8800431eea-goog

7 months, 1 week

1
0
0 0

[merged mm-stable] maple_tree-refine-mas_store_root-on-storing-null.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: maple_tree: refine mas_store_root() on storing NULL has been removed from the -mm tree. Its filename was maple_tree-refine-mas_store_root-on-storing-null.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: maple_tree: refine mas_store_root() on storing NULL Date: Thu, 31 Oct 2024 23:16:26 +0000 Currently, when storing NULL on mas_store_root(), the behavior could be improved. Storing NULLs over the entire tree may result in a node being used to store a single range. Further stores of NULL may cause the node and tree to be corrupt and cause incorrect behaviour. Fixing the store to the root null fixes the issue by ensuring that a range of 0 - ULONG_MAX results in an empty tree. Users of the tree may experience incorrect values returned if the tree was expanded to store values, then overwritten by all NULLS, then continued to store NULLs over the empty area. For example possible cases are: * store NULL at any range result a new node * store NULL at range [m, n] where m > 0 to a single entry tree result a new node with range [m, n] set to NULL * store NULL at range [m, n] where m > 0 to an empty tree result consecutive NULL slot * it allows for multiple NULL entries by expanding root to store NULLs to an empty tree This patch tries to improve in: * memory efficient by setting to empty tree instead of using a node * remove the possibility of consecutive NULL slot which will prohibit extended null in later operation Link: https://lkml.kernel.org/r/20241031231627.14316-5-richard.weiyang@gmail.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) --- a/lib/maple_tree.c~maple_tree-refine-mas_store_root-on-storing-null +++ a/lib/maple_tree.c @@ -3447,9 +3447,20 @@ static inline void mas_root_expand(struc return; } +/* + * mas_store_root() - Storing value into root. + * @mas: The maple state + * @entry: The entry to store. + * + * There is no root node now and we are storing a value into the root - this + * function either assigns the pointer or expands into a node. + */ static inline void mas_store_root(struct ma_state *mas, void *entry) { - if (likely((mas->last != 0) || (mas->index != 0))) + if (!entry) { + if (!mas->index) + rcu_assign_pointer(mas->tree->ma_root, NULL); + } else if (likely((mas->last != 0) || (mas->index != 0))) mas_root_expand(mas, entry); else if (((unsigned long) (entry) & 3) == 2) mas_root_expand(mas, entry); _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are

7 months, 1 week

1
0
0 0

[PATCH] drm/amdgpu: Fix UVD contiguous CS mapping problem

by Arunpravin Paneer Selvam

When starting the mpv player, Radeon R9 users are observing the below error in dmesg. [drm:amdgpu_uvd_cs_pass2 [amdgpu]] *ERROR* msg/fb buffer ff00f7c000-ff00f7e000 out of 256MB segment! The patch tries to set the TTM_PL_FLAG_CONTIGUOUS for both user flag(AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS) set and not set cases. Closes:https://gitlab.freedesktop.org/drm/amd/-/issues/3599 Closes:https://gitlab.freedesktop.org/drm/amd/-/issues/3501 Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index d891ab779ca7..9f73f821054b 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -1801,13 +1801,17 @@ int amdgpu_cs_find_mapping(struct amdgpu_cs_parser *parser, if (dma_resv_locking_ctx((*bo)->tbo.base.resv) != &parser->exec.ticket) return -EINVAL; - (*bo)->flags |= AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS; - amdgpu_bo_placement_from_domain(*bo, (*bo)->allowed_domains); - for (i = 0; i < (*bo)->placement.num_placement; i++) - (*bo)->placements[i].flags |= TTM_PL_FLAG_CONTIGUOUS; - r = ttm_bo_validate(&(*bo)->tbo, &(*bo)->placement, &ctx); - if (r) - return r; + if ((*bo)->flags & AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS) { + (*bo)->placements[0].flags |= TTM_PL_FLAG_CONTIGUOUS; + } else { + (*bo)->flags |= AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS; + amdgpu_bo_placement_from_domain(*bo, (*bo)->allowed_domains); + for (i = 0; i < (*bo)->placement.num_placement; i++) + (*bo)->placements[i].flags |= TTM_PL_FLAG_CONTIGUOUS; + r = ttm_bo_validate(&(*bo)->tbo, &(*bo)->placement, &ctx); + if (r) + return r; + } return amdgpu_ttm_alloc_gart(&(*bo)->tbo); } -- 2.25.1

7 months, 1 week

1
0
0 0

+ selftests-hugetlb_dio-fixup-check-for-initial-conditions-to-skip-in-the-start.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: selftests: hugetlb_dio: fixup check for initial conditions to skip in the start has been added to the -mm mm-hotfixes-unstable branch. Its filename is selftests-hugetlb_dio-fixup-check-for-initial-conditions-to-skip-in-the-start.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Donet Tom <donettom(a)linux.ibm.com> Subject: selftests: hugetlb_dio: fixup check for initial conditions to skip in the start Date: Sun, 10 Nov 2024 00:49:03 -0600 This test verifies that a hugepage, used as a user buffer for DIO operations, is correctly freed upon unmapping. To test this, we read the count of free hugepages before and after the mmap, DIO, and munmap operations, then check if the free hugepage count is the same. Reading free hugepages before the test was removed by commit 0268d4579901 ('selftests: hugetlb_dio: check for initial conditions to skip at the start'), causing the test to always fail. This patch adds back reading the free hugepages before starting the test. With this patch, the tests are now passing. Test results without this patch: ./tools/testing/selftests/mm/hugetlb_dio TAP version 13 1..4 # No. Free pages before allocation : 0 # No. Free pages after munmap : 100 not ok 1 : Huge pages not freed! # No. Free pages before allocation : 0 # No. Free pages after munmap : 100 not ok 2 : Huge pages not freed! # No. Free pages before allocation : 0 # No. Free pages after munmap : 100 not ok 3 : Huge pages not freed! # No. Free pages before allocation : 0 # No. Free pages after munmap : 100 not ok 4 : Huge pages not freed! # Totals: pass:0 fail:4 xfail:0 xpass:0 skip:0 error:0 Test results with this patch: /tools/testing/selftests/mm/hugetlb_dio TAP version 13 1..4 # No. Free pages before allocation : 100 # No. Free pages after munmap : 100 ok 1 : Huge pages freed successfully ! # No. Free pages before allocation : 100 # No. Free pages after munmap : 100 ok 2 : Huge pages freed successfully ! # No. Free pages before allocation : 100 # No. Free pages after munmap : 100 ok 3 : Huge pages freed successfully ! # No. Free pages before allocation : 100 # No. Free pages after munmap : 100 ok 4 : Huge pages freed successfully ! # Totals: pass:4 fail:0 xfail:0 xpass:0 skip:0 error:0 Link: https://lkml.kernel.org/r/20241110064903.23626-1-donettom@linux.ibm.com Fixes: 0268d4579901 ("selftests: hugetlb_dio: check for initial conditions to skip in the start") Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/hugetlb_dio.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/tools/testing/selftests/mm/hugetlb_dio.c~selftests-hugetlb_dio-fixup-check-for-initial-conditions-to-skip-in-the-start +++ a/tools/testing/selftests/mm/hugetlb_dio.c @@ -44,6 +44,13 @@ void run_dio_using_hugetlb(unsigned int if (fd < 0) ksft_exit_fail_perror("Error opening file\n"); + /* Get the free huge pages before allocation */ + free_hpage_b = get_free_hugepages(); + if (free_hpage_b == 0) { + close(fd); + ksft_exit_skip("No free hugepage, exiting!\n"); + } + /* Allocate a hugetlb page */ orig_buffer = mmap(NULL, h_pagesize, mmap_prot, mmap_flags, -1, 0); if (orig_buffer == MAP_FAILED) { _ Patches currently in -mm which might be from donettom(a)linux.ibm.com are selftests-hugetlb_dio-fixup-check-for-initial-conditions-to-skip-in-the-start.patch

7 months, 1 week

1
0
0 0

[PATCH] watchdog: rti: of: honor timeout-sec property

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Currently "timeout-sec" Device Tree property is being silently ignored: even though watchdog_init_timeout() is being used, the driver always passes "heartbeat" == DEFAULT_HEARTBEAT == 60 as argument. Fix this by setting struct watchdog_device::timeout to DEFAULT_HEARTBEAT and passing real module parameter value to watchdog_init_timeout() (which may now be 0 if not specified). Cc: stable(a)vger.kernel.org Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support") Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> --- drivers/watchdog/rti_wdt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/watchdog/rti_wdt.c b/drivers/watchdog/rti_wdt.c index f410b6e39fb6f..58c9445c0f885 100644 --- a/drivers/watchdog/rti_wdt.c +++ b/drivers/watchdog/rti_wdt.c @@ -61,7 +61,7 @@ #define MAX_HW_ERROR 250 -static int heartbeat = DEFAULT_HEARTBEAT; +static int heartbeat; /* * struct to hold data for each WDT device @@ -252,6 +252,7 @@ static int rti_wdt_probe(struct platform_device *pdev) wdd->min_timeout = 1; wdd->max_hw_heartbeat_ms = (WDT_PRELOAD_MAX << WDT_PRELOAD_SHIFT) / wdt->freq * 1000; + wdd->timeout = DEFAULT_HEARTBEAT; wdd->parent = dev; watchdog_set_drvdata(wdd, wdt); -- 2.47.0

7 months, 1 week

3
2
0 0

[PATCH V7 1/2] cpufreq: scmi: Fix cleanup path when boost enablement fails

by Sibi Sankar

Include free_cpufreq_table in the cleanup path when boost enablement fails. cc: stable(a)vger.kernel.org Fixes: a8e949d41c72 ("cpufreq: scmi: Enable boost support") Signed-off-by: Sibi Sankar <quic_sibis(a)quicinc.com> --- drivers/cpufreq/scmi-cpufreq.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c index 5892c73e129d..07d6f9a9b7c8 100644 --- a/drivers/cpufreq/scmi-cpufreq.c +++ b/drivers/cpufreq/scmi-cpufreq.c @@ -287,7 +287,7 @@ static int scmi_cpufreq_init(struct cpufreq_policy *policy) ret = cpufreq_enable_boost_support(); if (ret) { dev_warn(cpu_dev, "failed to enable boost: %d\n", ret); - goto out_free_opp; + goto out_free_table; } else { scmi_cpufreq_hw_attr[1] = &cpufreq_freq_attr_scaling_boost_freqs; scmi_cpufreq_driver.boost_enabled = true; @@ -296,6 +296,8 @@ static int scmi_cpufreq_init(struct cpufreq_policy *policy) return 0; +out_free_table: + dev_pm_opp_free_cpufreq_table(cpu_dev, &freq_table); out_free_opp: dev_pm_opp_remove_all_dynamic(cpu_dev); -- 2.34.1

7 months, 1 week

2
1
0 0

[PATCH 6.6 00/28] fix CVE-2024-46701

by Yu Kuai

From: Yu Kuai <yukuai3(a)huawei.com> Fix patch is patch 27, relied patches are from: - patches from set [1] to add helpers to maple_tree, the last patch to improve fork() performance is not backported; - patches from set [2] to change maple_tree, and follow up fixes; - patches from set [3] to convert offset_ctx from xarray to maple_tree; Please notice that I'm not an expert in this area, and I'm afraid to make manual changes. That's why patch 16 revert the commit that is different from mainline and will cause conflict backporting new patches. patch 28 pick the original mainline patch again. (And this is what we did to fix the CVE in downstream kernels). [1] https://lore.kernel.org/all/20231027033845.90608-1-zhangpeng.00@bytedance.c… [2] https://lore.kernel.org/all/20231101171629.3612299-2-Liam.Howlett@oracle.co… [3] https://lore.kernel.org/all/170820083431.6328.16233178852085891453.stgit@91… Andrew Morton (1): lib/maple_tree.c: fix build error due to hotfix alteration Chuck Lever (5): libfs: Re-arrange locking in offset_iterate_dir() libfs: Define a minimum directory offset libfs: Add simple_offset_empty() maple_tree: Add mtree_alloc_cyclic() libfs: Convert simple directory offsets to use a Maple Tree Liam R. Howlett (12): maple_tree: remove unnecessary default labels from switch statements maple_tree: make mas_erase() more robust maple_tree: move debug check to __mas_set_range() maple_tree: add end of node tracking to the maple state maple_tree: use cached node end in mas_next() maple_tree: use cached node end in mas_destroy() maple_tree: clean up inlines for some functions maple_tree: separate ma_state node from status maple_tree: remove mas_searchable() maple_tree: use maple state end for write operations maple_tree: don't find node end in mtree_lookup_walk() maple_tree: mtree_range_walk() clean up Lorenzo Stoakes (1): maple_tree: correct tree corruption on spanning store Peng Zhang (7): maple_tree: add mt_free_one() and mt_attr() helpers maple_tree: introduce {mtree,mas}_lock_nested() maple_tree: introduce interfaces __mt_dup() and mtree_dup() maple_tree: skip other tests when BENCH is enabled maple_tree: preserve the tree attributes when destroying maple tree maple_tree: add test for mtree_dup() maple_tree: avoid checking other gaps after getting the largest gap Yu Kuai (1): Revert "maple_tree: correct tree corruption on spanning store" yangerkun (1): libfs: fix infinite directory reads for offset dir fs/libfs.c | 129 ++- include/linux/fs.h | 6 +- include/linux/maple_tree.h | 356 +++--- include/linux/mm_types.h | 3 +- lib/maple_tree.c | 1096 +++++++++++++------ lib/test_maple_tree.c | 218 ++-- mm/internal.h | 10 +- mm/shmem.c | 4 +- tools/include/linux/spinlock.h | 1 + tools/testing/radix-tree/linux/maple_tree.h | 2 +- tools/testing/radix-tree/maple.c | 390 ++++++- 11 files changed, 1564 insertions(+), 651 deletions(-) -- 2.39.2

7 months, 1 week

7
46
0 0

[PATCH net] gve: Flow steering trigger reset only for timeout error

by Jeroen de Borst

From: Ziwei Xiao <ziweixiao(a)google.com> When configuring flow steering rules, the driver is currently going through a reset for all errors from the device. Instead, the driver should only reset when there's a timeout error from the device. Fixes: 57718b60df9b ("gve: Add flow steering adminq commands") Cc: stable(a)vger.kernel.org Signed-off-by: Ziwei Xiao <ziweixiao(a)google.com> Reviewed-by: Harshitha Ramamurthy <hramamurthy(a)google.com> --- drivers/net/ethernet/google/gve/gve_adminq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c index e44e8b139633..060e0e674938 100644 --- a/drivers/net/ethernet/google/gve/gve_adminq.c +++ b/drivers/net/ethernet/google/gve/gve_adminq.c @@ -1248,10 +1248,10 @@ gve_adminq_configure_flow_rule(struct gve_priv *priv, sizeof(struct gve_adminq_configure_flow_rule), flow_rule_cmd); - if (err) { + if (err == -ETIME) { dev_err(&priv->pdev->dev, "Timeout to configure the flow rule, trigger reset"); gve_reset(priv, true); - } else { + } else if (!err) { priv->flow_rules_cache.rules_cache_synced = false; } -- 2.47.0.277.g8800431eea-goog

7 months, 1 week

2
1
0 0

[PATCH 5.10.y 0/2] Fixed perf abort when taken branch stack sampling enabled

by Shuai Xue

On x86 platform, kernel v5.10.228, perf-report command aborts due to "free(): invalid pointer" when perf-record command is run with taken branch stack sampling enabled. This regression can be reproduced with the following steps: - sudo perf record -b - sudo perf report The root cause is that bi[i].to.ms.maps does not always point to thread->maps, which is a buffer dynamically allocated by maps_new(). Instead, it may point to &machine->kmaps, while kmaps is not a pointer but a variable. The original upstream commit c1149037f65b ("perf hist: Add missing puts to hist__account_cycles") worked well because machine->kmaps had been refactored to a pointer by the previous commit 1a97cee604dc ("perf maps: Use a pointer for kmaps"). The memory leak issue, which the reverted patch intended to fix, has been solved by commit cf96b8e45a9b ("perf session: Add missing evlist__delete when deleting a session"). The root cause is that the evlist is not being deleted on exit in perf-report, perf-script, and perf-data. Consequently, the reference count of the thread increased by thread__get() in hist_entry__init() is not decremented in hist_entry__delete(). As a result, thread->maps is not properly freed. To this end, - PATCH 1/2 reverts commit a83fc293acd5c5050a4828eced4a71d2b2fffdd3 to fix the abort regression. - PATCH 2/2 backports cf96b8e45a9b ("perf session: Add missing evlist__delete when deleting a session") to fix memory leak issue. Riccardo Mancini (1): perf session: Add missing evlist__delete when deleting a session Shuai Xue (1): Revert "perf hist: Add missing puts to hist__account_cycles" tools/perf/util/hist.c | 10 +++------- tools/perf/util/session.c | 5 ++++- 2 files changed, 7 insertions(+), 8 deletions(-) -- 2.39.3

7 months, 1 week

2
4
0 0

[PATCH] arm64: dts: allwinner: pinephone: Add mount matrix to accelerometer

by Dragan Simic

The way InvenSense MPU-6050 accelerometer is mounted on the user-facing side of the Pine64 PinePhone mainboard, which makes it rotated 90 degrees counter- clockwise, [1] requires the accelerometer's x- and y-axis to be swapped, and the direction of the accelerometer's y-axis to be inverted. Rectify this by adding a mount-matrix to the accelerometer definition in the Pine64 PinePhone dtsi file. [1] https://files.pine64.org/doc/PinePhone/PinePhone%20mainboard%20bottom%20pla… Fixes: 91f480d40942 ("arm64: dts: allwinner: Add initial support for Pine64 PinePhone") Cc: stable(a)vger.kernel.org Helped-by: Ondrej Jirman <megi(a)xff.cz> Helped-by: Andrey Skvortsov <andrej.skvortzov(a)gmail.com> Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> --- Notes: See also the linux-sunxi thread [2] that has led to this patch, which provides a rather detailed analysis with additional details and pictures. This patch effectively replaces the patch submitted in that thread. [2] https://lore.kernel.org/linux-sunxi/20240916204521.2033218-1-andrej.skvortz… arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi index 6eab61a12cd8..b844759f52c0 100644 --- a/arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi +++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-pinephone.dtsi @@ -212,6 +212,9 @@ accelerometer@68 { interrupts = <7 5 IRQ_TYPE_EDGE_RISING>; /* PH5 */ vdd-supply = <&reg_dldo1>; vddio-supply = <&reg_dldo1>; + mount-matrix = "0", "1", "0", + "-1", "0", "0", + "0", "0", "1"; }; };

7 months, 1 week

4
8
0 0

+ mm-readahead-fix-large-folio-support-in-async-readahead.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/readahead: fix large folio support in async readahead has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-readahead-fix-large-folio-support-in-async-readahead.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Yafang Shao <laoar.shao(a)gmail.com> Subject: mm/readahead: fix large folio support in async readahead Date: Fri, 8 Nov 2024 22:17:10 +0800 When testing large folio support with XFS on our servers, we observed that only a few large folios are mapped when reading large files via mmap. After a thorough analysis, I identified it was caused by the `/sys/block/*/queue/read_ahead_kb` setting. On our test servers, this parameter is set to 128KB. After I tune it to 2MB, the large folio can work as expected. However, I believe the large folio behavior should not be dependent on the value of read_ahead_kb. It would be more robust if the kernel can automatically adopt to it. With /sys/block/*/queue/read_ahead_kb set to 128KB and performing a sequential read on a 1GB file using MADV_HUGEPAGE, the differences in /proc/meminfo are as follows: - before this patch FileHugePages: 18432 kB FilePmdMapped: 4096 kB - after this patch FileHugePages: 1067008 kB FilePmdMapped: 1048576 kB This shows that after applying the patch, the entire 1GB file is mapped to huge pages. The stable list is CCed, as without this patch, large folios don't function optimally in the readahead path. It's worth noting that if read_ahead_kb is set to a larger value that isn't aligned with huge page sizes (e.g., 4MB + 128KB), it may still fail to map to hugepages. Link: https://lkml.kernel.org/r/20241108141710.9721-1-laoar.shao@gmail.com Fixes: 4687fdbb805a ("mm/filemap: Support VM_HUGEPAGE for file mappings") Suggested-by: Matthew Wilcox <willy(a)infradead.org> Signed-off-by: Yafang Shao <laoar.shao(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/readahead.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/readahead.c~mm-readahead-fix-large-folio-support-in-async-readahead +++ a/mm/readahead.c @@ -385,6 +385,8 @@ static unsigned long get_next_ra_size(st return 4 * cur; if (cur <= max / 2) return 2 * cur; + if (cur > max) + return cur; return max; } _ Patches currently in -mm which might be from laoar.shao(a)gmail.com are mm-readahead-fix-large-folio-support-in-async-readahead.patch

7 months, 1 week

1
0
0 0

+ nommu-pass-null-argument-to-vma_iter_prealloc.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nommu: pass NULL argument to vma_iter_prealloc() has been added to the -mm mm-hotfixes-unstable branch. Its filename is nommu-pass-null-argument-to-vma_iter_prealloc.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hajime Tazaki <thehajime(a)gmail.com> Subject: nommu: pass NULL argument to vma_iter_prealloc() Date: Sat, 9 Nov 2024 07:28:34 +0900 When deleting a vma entry from a maple tree, it has to pass NULL to vma_iter_prealloc() in order to calculate internal state of the tree, but it passed a wrong argument. As a result, nommu kernels crashed upon accessing a vma iterator, such as acct_collect() reading the size of vma entries after do_munmap(). This commit fixes this issue by passing a right argument to the preallocation call. Link: https://lkml.kernel.org/r/20241108222834.3625217-1-thehajime@gmail.com Fixes: b5df09226450 ("mm: set up vma iterator for vma_iter_prealloc() calls") Signed-off-by: Hajime Tazaki <thehajime(a)gmail.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/nommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/nommu.c~nommu-pass-null-argument-to-vma_iter_prealloc +++ a/mm/nommu.c @@ -573,7 +573,7 @@ static int delete_vma_from_mm(struct vm_ VMA_ITERATOR(vmi, vma->vm_mm, vma->vm_start); vma_iter_config(&vmi, vma->vm_start, vma->vm_end); - if (vma_iter_prealloc(&vmi, vma)) { + if (vma_iter_prealloc(&vmi, NULL)) { pr_warn("Allocation of vma tree for process %d failed\n", current->pid); return -ENOMEM; _ Patches currently in -mm which might be from thehajime(a)gmail.com are nommu-pass-null-argument-to-vma_iter_prealloc.patch

7 months, 1 week

1
0
0 0

[PATCH stable 6.11.y] netfs: reset subreq->iov_iter before netfs_clear_unread() tail clean

by Christian Ebner

Fixes file corruption issues when reading contents via ceph client. Call netfs_reset_subreq_iter() to align subreq->io_iter before calling netfs_clear_unread() to clear tail, as subreq->io_iter count and subreq->transferred might not be aligned after incomplete I/O, having the subreq's NETFS_SREQ_CLEAR_TAIL set. Based on ee4cdf7b ("netfs: Speed up buffered reading"), which introduces a fix for the issue in mainline. Fixes: 92b6cc5d ("netfs: Add iov_iters to (sub)requests to describe various buffers") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219237 Signed-off-by: Christian Ebner <c.ebner(a)proxmox.com> --- Sending this patch in an attempt to backport the fix introduced by commit ee4cdf7b ("netfs: Speed up buffered reading"), which however can not be cherry picked for older kernels, as the patch is not independent from other commits and touches a lot of unrelated (to the fix) code. fs/netfs/io.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/netfs/io.c b/fs/netfs/io.c index d6ada4eba744..500119285346 100644 --- a/fs/netfs/io.c +++ b/fs/netfs/io.c @@ -528,6 +528,7 @@ void netfs_subreq_terminated(struct netfs_io_subrequest *subreq, incomplete: if (test_bit(NETFS_SREQ_CLEAR_TAIL, &subreq->flags)) { + netfs_reset_subreq_iter(rreq, subreq); netfs_clear_unread(subreq); subreq->transferred = subreq->len; goto complete; -- 2.39.5

7 months, 1 week

2
5
0 0

[PATCH] spi: Fix deadlock when adding SPI controllers on SPI buses

by Hardik Gohil

From: Mark Brown <broonie(a)kernel.org> [ Upstream commit 6098475d4cb48d821bdf453c61118c56e26294f0 ] Currently we have a global spi_add_lock which we take when adding new devices so that we can check that we're not trying to reuse a chip select that's already controlled. This means that if the SPI device is itself a SPI controller and triggers the instantiation of further SPI devices we trigger a deadlock as we try to register and instantiate those devices while in the process of doing so for the parent controller and hence already holding the global spi_add_lock. Since we only care about concurrency within a single SPI bus move the lock to be per controller, avoiding the deadlock. This can be easily triggered in the case of spi-mux. Reported-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Hardik Gohil <hgohil(a)mvista.com> --- This fix was not backported to v5.4 and 5.10 Along with this fix please also apply this fix on top of this spi: fix use-after-free of the add_lock mutex commit 6c53b45c71b4920b5e62f0ea8079a1da382b9434 upstream. Commit 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on SPI buses") introduced a per-controller mutex. But mutex_unlock() of said lock is called after the controller is already freed: drivers/spi/spi.c | 15 +++++---------- include/linux/spi/spi.h | 3 +++ 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 0f9410e..58f1947 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -472,12 +472,6 @@ static LIST_HEAD(spi_controller_list); */ static DEFINE_MUTEX(board_lock); -/* - * Prevents addition of devices with same chip select and - * addition of devices below an unregistering controller. - */ -static DEFINE_MUTEX(spi_add_lock); - /** * spi_alloc_device - Allocate a new SPI device * @ctlr: Controller to which device is connected @@ -580,7 +574,7 @@ int spi_add_device(struct spi_device *spi) * chipselect **BEFORE** we call setup(), else we'll trash * its configuration. Lock against concurrent add() calls. */ - mutex_lock(&spi_add_lock); + mutex_lock(&ctlr->add_lock); status = bus_for_each_dev(&spi_bus_type, NULL, spi, spi_dev_check); if (status) { @@ -624,7 +618,7 @@ int spi_add_device(struct spi_device *spi) } done: - mutex_unlock(&spi_add_lock); + mutex_unlock(&ctlr->add_lock); return status; } EXPORT_SYMBOL_GPL(spi_add_device); @@ -2512,6 +2506,7 @@ int spi_register_controller(struct spi_controller *ctlr) spin_lock_init(&ctlr->bus_lock_spinlock); mutex_init(&ctlr->bus_lock_mutex); mutex_init(&ctlr->io_mutex); + mutex_init(&ctlr->add_lock); ctlr->bus_lock_flag = 0; init_completion(&ctlr->xfer_completion); if (!ctlr->max_dma_len) @@ -2657,7 +2652,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) /* Prevent addition of new devices, unregister existing ones */ if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_lock(&spi_add_lock); + mutex_lock(&ctlr->add_lock); device_for_each_child(&ctlr->dev, NULL, __unregister); @@ -2688,7 +2683,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) mutex_unlock(&board_lock); if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_unlock(&spi_add_lock); + mutex_unlock(&ctlr->add_lock); } EXPORT_SYMBOL_GPL(spi_unregister_controller); diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index ca39b33..1b9cb90 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -483,6 +483,9 @@ struct spi_controller { /* I/O mutex */ struct mutex io_mutex; + /* Used to avoid adding the same CS twice */ + struct mutex add_lock; + /* lock and mutex for SPI bus locking */ spinlock_t bus_lock_spinlock; struct mutex bus_lock_mutex; -- 2.7.4

7 months, 1 week

2
1
0 0

[PATCH] drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event()

by Thomas Zimmermann

The code for detecting and updating the connector status in cdn_dp_pd_event_work() has a number of problems. - It does not aquire the locks to call the detect helper and update the connector status. These are struct drm_mode_config.connection_mutex and struct drm_mode_config.mutex. - It does not use drm_helper_probe_detect(), which helps with the details of locking and detection. - It uses the connector's status field to determine a change to the connector status. The epoch_counter field is the correct one. The field signals a change even if the connector status' value did not change. Replace the code with a call to drm_connector_helper_hpd_irq_event(), which fixes all these problems. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 81632df69772 ("drm/rockchip: cdn-dp: do not use drm_helper_hpd_irq_event") Cc: Chris Zhong <zyw(a)rock-chips.com> Cc: Guenter Roeck <groeck(a)chromium.org> Cc: Sandy Huang <hjc(a)rock-chips.com> Cc: "Heiko Stübner" <heiko(a)sntech.de> Cc: Andy Yan <andy.yan(a)rock-chips.com> Cc: dri-devel(a)lists.freedesktop.org Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-rockchip(a)lists.infradead.org Cc: <stable(a)vger.kernel.org> # v4.11+ --- drivers/gpu/drm/rockchip/cdn-dp-core.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c index b04538907f95..f576b1aa86d1 100644 --- a/drivers/gpu/drm/rockchip/cdn-dp-core.c +++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c @@ -947,9 +947,6 @@ static void cdn_dp_pd_event_work(struct work_struct *work) { struct cdn_dp_device *dp = container_of(work, struct cdn_dp_device, event_work); - struct drm_connector *connector = &dp->connector; - enum drm_connector_status old_status; - int ret; mutex_lock(&dp->lock); @@ -1009,11 +1006,7 @@ static void cdn_dp_pd_event_work(struct work_struct *work) out: mutex_unlock(&dp->lock); - - old_status = connector->status; - connector->status = connector->funcs->detect(connector, false); - if (old_status != connector->status) - drm_kms_helper_hotplug_event(dp->drm_dev); + drm_connector_helper_hpd_irq_event(&dp->connector); } static int cdn_dp_pd_event(struct notifier_block *nb, -- 2.47.0

7 months, 1 week

2
1
0 0

[PATCH 6.1] Revert "wifi: mac80211: fix RCU list iterations"

by Fedor Pchelkin

This reverts commit b0b2dc1eaa7ec509e07a78c9974097168ae565b7 which is commit ac35180032fbc5d80b29af00ba4881815ceefcb6 upstream. The reverted commit is based heavily on wiphy locking changes made by the "wifi: cfg80211/mac80211: locking cleanups" series [1] introduced since 6.7 kernel and not supposed to be backported to old stable branches. It breaks locking rules in the context of old stables leading e.g. to the following lockdep splat there - ieee80211_get_max_required_bw() is actually called under RCU reader lock in 6.1/6.6, not the wiphy mutex. WARNING: CPU: 3 PID: 8711 at net/mac80211/chan.c:248 ieee80211_get_max_required_bw+0x423/0x4e0 net/mac80211/chan.c:248 Modules linked in: CPU: 3 PID: 8711 Comm: kworker/u8:6 Not tainted 6.1.113-syzkaller-00105-g9859ec205cfa #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: phy155 ieee80211_iface_work RIP: 0010:ieee80211_get_max_required_bw+0x423/0x4e0 net/mac80211/chan.c:248 Call Trace: <TASK> ieee80211_get_chanctx_vif_max_required_bw net/mac80211/chan.c:294 [inline] ieee80211_get_chanctx_max_required_bw net/mac80211/chan.c:336 [inline] _ieee80211_recalc_chanctx_min_def+0x5e6/0xf30 net/mac80211/chan.c:381 ieee80211_recalc_chanctx_min_def+0x21/0x80 net/mac80211/chan.c:462 ieee80211_recalc_min_chandef+0x17a/0x590 net/mac80211/util.c:2908 sta_info_move_state+0x748/0x8c0 net/mac80211/sta_info.c:2301 ieee80211_assoc_success net/mac80211/mlme.c:5001 [inline] ieee80211_rx_mgmt_assoc_resp.cold+0x1335/0x69ec net/mac80211/mlme.c:5201 ieee80211_sta_rx_queued_mgmt+0x40f/0x2270 net/mac80211/mlme.c:5831 ieee80211_iface_process_skb net/mac80211/iface.c:1665 [inline] ieee80211_iface_work+0xa31/0xd30 net/mac80211/iface.c:1722 process_one_work+0xa72/0x1590 kernel/workqueue.c:2292 worker_thread+0x632/0x1240 kernel/workqueue.c:2439 kthread+0x2e1/0x3a0 kernel/kthread.c:376 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:295 [1]: https://lore.kernel.org/linux-wireless/20230828115927.116700-41-johannes@si… Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Cc: Johannes Berg <johannes(a)sipsolutions.net> Cc: Miriam Rachel Korenblit <miriam.rachel.korenblit(a)intel.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- net/mac80211/chan.c | 4 +--- net/mac80211/mlme.c | 2 +- net/mac80211/scan.c | 2 +- net/mac80211/util.c | 4 +--- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index 807bea1a7d3c..f07e34bed8f3 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -245,9 +245,7 @@ ieee80211_get_max_required_bw(struct ieee80211_sub_if_data *sdata, enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT; struct sta_info *sta; - lockdep_assert_wiphy(sdata->local->hw.wiphy); - - list_for_each_entry(sta, &sdata->local->sta_list, list) { + list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) { if (sdata != sta->sdata && !(sta->sdata->bss && sta->sdata->bss == sdata->bss)) continue; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index ee9ec74b9553..9a5530ca2f6b 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -660,7 +660,7 @@ static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata, bool disable_mu_mimo = false; struct ieee80211_sub_if_data *other; - list_for_each_entry(other, &local->interfaces, list) { + list_for_each_entry_rcu(other, &local->interfaces, list) { if (other->vif.bss_conf.mu_mimo_owner) { disable_mu_mimo = true; break; diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index edbf468e0bea..f1147d156c1f 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -501,7 +501,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted) * the scan was in progress; if there was none this will * just be a no-op for the particular interface. */ - list_for_each_entry(sdata, &local->interfaces, list) { + list_for_each_entry_rcu(sdata, &local->interfaces, list) { if (ieee80211_sdata_running(sdata)) ieee80211_queue_work(&sdata->local->hw, &sdata->work); } diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 3fe15089b24f..738f1f139a90 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -767,9 +767,7 @@ static void __iterate_interfaces(struct ieee80211_local *local, struct ieee80211_sub_if_data *sdata; bool active_only = iter_flags & IEEE80211_IFACE_ITER_ACTIVE; - list_for_each_entry_rcu(sdata, &local->interfaces, list, - lockdep_is_held(&local->iflist_mtx) || - lockdep_is_held(&local->hw.wiphy->mtx)) { + list_for_each_entry_rcu(sdata, &local->interfaces, list) { switch (sdata->vif.type) { case NL80211_IFTYPE_MONITOR: if (!(sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE)) -- 2.39.5

7 months, 1 week

1
0
0 0

[PATCH 6.6] Revert "wifi: mac80211: fix RCU list iterations"

by Fedor Pchelkin

This reverts commit f37319609335d3eb2f7edfec4bad7996668a4d29 which is commit ac35180032fbc5d80b29af00ba4881815ceefcb6 upstream. The reverted commit is based heavily on wiphy locking changes made by the "wifi: cfg80211/mac80211: locking cleanups" series [1] introduced since 6.7 kernel and not supposed to be backported to old stable branches. It breaks locking rules in the context of old stables leading e.g. to the following lockdep splat there - ieee80211_get_max_required_bw() is actually called under RCU reader lock in 6.1/6.6, not the wiphy mutex. WARNING: CPU: 3 PID: 8711 at net/mac80211/chan.c:248 ieee80211_get_max_required_bw+0x423/0x4e0 net/mac80211/chan.c:248 Modules linked in: CPU: 3 PID: 8711 Comm: kworker/u8:6 Not tainted 6.1.113-syzkaller-00105-g9859ec205cfa #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: phy155 ieee80211_iface_work RIP: 0010:ieee80211_get_max_required_bw+0x423/0x4e0 net/mac80211/chan.c:248 Call Trace: <TASK> ieee80211_get_chanctx_vif_max_required_bw net/mac80211/chan.c:294 [inline] ieee80211_get_chanctx_max_required_bw net/mac80211/chan.c:336 [inline] _ieee80211_recalc_chanctx_min_def+0x5e6/0xf30 net/mac80211/chan.c:381 ieee80211_recalc_chanctx_min_def+0x21/0x80 net/mac80211/chan.c:462 ieee80211_recalc_min_chandef+0x17a/0x590 net/mac80211/util.c:2908 sta_info_move_state+0x748/0x8c0 net/mac80211/sta_info.c:2301 ieee80211_assoc_success net/mac80211/mlme.c:5001 [inline] ieee80211_rx_mgmt_assoc_resp.cold+0x1335/0x69ec net/mac80211/mlme.c:5201 ieee80211_sta_rx_queued_mgmt+0x40f/0x2270 net/mac80211/mlme.c:5831 ieee80211_iface_process_skb net/mac80211/iface.c:1665 [inline] ieee80211_iface_work+0xa31/0xd30 net/mac80211/iface.c:1722 process_one_work+0xa72/0x1590 kernel/workqueue.c:2292 worker_thread+0x632/0x1240 kernel/workqueue.c:2439 kthread+0x2e1/0x3a0 kernel/kthread.c:376 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:295 [1]: https://lore.kernel.org/linux-wireless/20230828115927.116700-41-johannes@si… Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Cc: Johannes Berg <johannes(a)sipsolutions.net> Cc: Miriam Rachel Korenblit <miriam.rachel.korenblit(a)intel.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- net/mac80211/chan.c | 4 +--- net/mac80211/mlme.c | 2 +- net/mac80211/scan.c | 2 +- net/mac80211/util.c | 4 +--- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index c09aed6a3cfc..68952752b599 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -245,9 +245,7 @@ ieee80211_get_max_required_bw(struct ieee80211_sub_if_data *sdata, enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT; struct sta_info *sta; - lockdep_assert_wiphy(sdata->local->hw.wiphy); - - list_for_each_entry(sta, &sdata->local->sta_list, list) { + list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) { if (sdata != sta->sdata && !(sta->sdata->bss && sta->sdata->bss == sdata->bss)) continue; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index b14c809bcdea..42e2c84ed248 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -732,7 +732,7 @@ static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata, bool disable_mu_mimo = false; struct ieee80211_sub_if_data *other; - list_for_each_entry(other, &local->interfaces, list) { + list_for_each_entry_rcu(other, &local->interfaces, list) { if (other->vif.bss_conf.mu_mimo_owner) { disable_mu_mimo = true; break; diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index d4a032f34577..1726e3221d3c 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -490,7 +490,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted) * the scan was in progress; if there was none this will * just be a no-op for the particular interface. */ - list_for_each_entry(sdata, &local->interfaces, list) { + list_for_each_entry_rcu(sdata, &local->interfaces, list) { if (ieee80211_sdata_running(sdata)) wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work); } diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 02b5aaad2a15..d682c32821a1 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -745,9 +745,7 @@ static void __iterate_interfaces(struct ieee80211_local *local, struct ieee80211_sub_if_data *sdata; bool active_only = iter_flags & IEEE80211_IFACE_ITER_ACTIVE; - list_for_each_entry_rcu(sdata, &local->interfaces, list, - lockdep_is_held(&local->iflist_mtx) || - lockdep_is_held(&local->hw.wiphy->mtx)) { + list_for_each_entry_rcu(sdata, &local->interfaces, list) { switch (sdata->vif.type) { case NL80211_IFTYPE_MONITOR: if (!(sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE)) -- 2.39.5

7 months, 1 week

1
0
0 0

AMD PMF on 6.11.y

by Mario Limonciello

Hi, 6.11 already supports most functionality of AMD family 0x1a model 0x60, but the amd-pmf driver doesn't load due to a missing device ID. The device ID was added in 6.12 with: commit 8ca8d07857c69 ("platform/x86/amd/pmf: Add SMU metrics table support for 1Ah family 60h model") Can this please come back to 6.11.y to enable it more widely? Thanks!

7 months, 2 weeks

2
3
0 0

[PATCH 6.6 000/151] 6.6.60-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.60 release. There are 151 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 08 Nov 2024 12:02:47 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.60-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.60-rc1 Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Sequential field availability check in mi_enum_attr() Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: ipc4-control: Add support for ALSA enum control Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: ipc4-control: Add support for ALSA switch control Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: SOF: ipc4-topology: Add definition for generic switch/enum control Chuck Lever <chuck.lever(a)oracle.com> SUNRPC: Remove BUG_ON call sites Michael Walle <mwalle(a)kernel.org> mtd: spi-nor: winbond: fix w25q128 regression David Hildenbrand <david(a)redhat.com> mm: don't install PMD mappings when THPs are disabled by the hw/process/vma Kefeng Wang <wangkefeng.wang(a)huawei.com> mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: fix 6 GHz scan construction Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of checked flag Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: mac80211: fix NULL dereference at band check in starting tx ba session Pavel Begunkov <asml.silence(a)gmail.com> io_uring: always lock __io_cqring_overflow_flush Haibo Chen <haibo.chen(a)nxp.com> arm64: dts: imx8ulp: correct the flexspi compatible string Gregory Price <gourry(a)gourry.net> vmscan,migrate: fix page count imbalance on node stats when demoting pages Jens Axboe <axboe(a)kernel.dk> io_uring/rw: fix missing NOWAIT check for O_DIRECT start write Andrey Konovalov <andreyknvl(a)gmail.com> kasan: remove vmalloc_percpu test Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> nvmet-auth: assign dh_key to NULL after kfree_sensitive Christoffer Sandberg <cs(a)tuxedo.de> ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 Christoffer Sandberg <cs(a)tuxedo.de> ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 Christoph Hellwig <hch(a)lst.de> xfs: fix finding a last resort AG in xfs_filestream_pick_ag Matt Johnston <matt(a)codeconstruct.com.au> mctp i2c: handle NULL header address Edward Adam Davis <eadavis(a)qq.com> ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Sabyrzhan Tasbolatov <snovitoll(a)gmail.com> x86/traps: move kmsan check after instrumentation_begin Gatlin Newhouse <gatlin.newhouse(a)gmail.com> x86/traps: Enable UBSAN traps on x86 Matt Fleming <mfleming(a)cloudflare.com> mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Alexander Usyskin <alexander.usyskin(a)intel.com> mei: use kvmalloc for read buffer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: init: protect sched with rcu_read_lock Hugh Dickins <hughd(a)google.com> iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP Shawn Wang <shawnwang(a)linux.alibaba.com> sched/numa: Fix the potential null pointer dereference in task_numa_work() Dan Williams <dan.j.williams(a)intel.com> cxl/acpi: Ensure ports ready at cxl_acpi_probe() return Dan Williams <dan.j.williams(a)intel.com> cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: Remove duplicated GET_RM Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: Remove unused GENERATING_ASM_OFFSETS WangYuli <wangyuli(a)uniontech.com> riscv: Use '%u' to format the output of 'cpu' Heinrich Schuchardt <heinrich.schuchardt(a)canonical.com> riscv: efi: Set NX compat flag in PE/COFF header Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Limit internal Mic boost on Dell platform Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: edt-ft5x06 - fix regmap leak when probe fails Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: vdso: Prevent the compiler from inserting calls to memset() Frank Li <Frank.Li(a)nxp.com> spi: spi-fsl-dspi: Fix crash when not using GPIO chip select Richard Zhu <hongxing.zhu(a)nxp.com> phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check Chen Ridong <chenridong(a)huawei.com> cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction Xinyu Zhang <xizhang(a)purestorage.com> block: fix sanity checks in blk_rq_map_user_bvec Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9767: Fix low power mode in the SD Express process Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9767: Fix low power mode on the set clock function Dan Williams <dan.j.williams(a)intel.com> cxl/port: Fix use-after-free, permit out-of-order decoder shutdown Gil Fine <gil.fine(a)linux.intel.com> thunderbolt: Honor TMU requirements in the domain when setting TMU mode Wladislav Wiebe <wladislav.kw(a)gmail.com> tools/mm: -Werror fixes in page-types/slabinfo Jeongjun Park <aha310510(a)gmail.com> mm: shmem: fix data-race in shmem_getattr() Yunhui Cui <cuiyunhui(a)bytedance.com> RISC-V: ACPI: fix early_ioremap to early_memremap Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential deadlock with newly created symlinks Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix microlux value calculation Jinjie Ruan <ruanjinjie(a)huawei.com> iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() Jinjie Ruan <ruanjinjie(a)huawei.com> iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() Zicheng Qu <quzicheng(a)huawei.com> iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Zicheng Qu <quzicheng(a)huawei.com> staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Ville Syrjälä <ville.syrjala(a)linux.intel.com> wifi: iwlegacy: Clear stale interrupts before resuming device Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: clear wdev->cqm_config pointer on free Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com> wifi: ath10k: Fix memory leak in management tx Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Edward Liaw <edliaw(a)google.com> Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" Edward Liaw <edliaw(a)google.com> Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "driver core: Fix uevent_show() vs driver detach race" Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Use pm_runtime_get to prevent RPM on unsupported systems Faisal Hassan <quic_faisalh(a)quicinc.com> xhci: Fix Link TRB DMA in command ring stopped completion event Johan Hovold <johan+linaro(a)kernel.org> phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend Johan Hovold <johan+linaro(a)kernel.org> phy: qcom: qmp-usb: fix NULL-deref on runtime suspend Javier Carrasco <javier.carrasco.cruz(a)gmail.com> usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes Javier Carrasco <javier.carrasco.cruz(a)gmail.com> usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() Zijun Hu <quic_zijuhu(a)quicinc.com> usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou <zhouzongmin(a)kylinos.cn> usbip: tools: Fix detach_port() invalid port error path Jan Schär <jan(a)jschaer.ch> ALSA: usb-audio: Add quirks for Dell WD19 dock Zqiang <qiang.zhang1211(a)gmail.com> rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() Paul E. McKenney <paulmck(a)kernel.org> rcu-tasks: Initialize data to eliminate RCU-tasks/do_exit() deadlocks Paul E. McKenney <paulmck(a)kernel.org> rcu-tasks: Add data to eliminate RCU-tasks/do_exit() deadlocks Paul E. McKenney <paulmck(a)kernel.org> rcu-tasks: Pull sampling of ->percpu_dequeue_lim out of loop Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix "task hung" problem Andrey Konovalov <andreyknvl(a)gmail.com> usb: gadget: dummy_hcd: execute hrtimer callback in softirq context Marcello Sylvester Bauer <sylv(a)sylv.io> usb: gadget: dummy_hcd: Set transfer interval to 1 microframe Marcello Sylvester Bauer <sylv(a)sylv.io> usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler Dimitri Sivanich <sivanich(a)hpe.com> misc: sgi-gru: Don't disable preemption in GRU driver Dai Ngo <dai.ngo(a)oracle.com> NFS: remove revoked delegation from server's delegation list Daniel Palmer <daniel(a)0x0f.com> net: amd: mvme147: Fix probe banner message Zhang Rui <rui.zhang(a)intel.com> thermal: intel: int340x: processor: Add MMIO RAPL PL4 support Zhang Rui <rui.zhang(a)intel.com> thermal: intel: int340x: processor: Remove MMIO RAPL CPU hotplug support Pali Rohár <pali(a)kernel.org> cifs: Fix creating native symlinks pointing to current or parent directory Pali Rohár <pali(a)kernel.org> cifs: Improve creating native symlinks pointing to directory Benjamin Marzinski <bmarzins(a)redhat.com> scsi: scsi_transport_fc: Allow setting rport state to current state Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Additional check in ntfs_file_release Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix general protection fault in run_is_mapped_full Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Additional check in ni_clear() Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix possible deadlock in mi_read Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Add rough attr alloc_size check Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Stale inode instead of bad Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix warning possible deadlock in ntfs_set_state Andrew Ballance <andrewjballance(a)gmail.com> fs/ntfs3: Check if more than chunk-size bytes are written lei lu <llfamsec(a)gmail.com> ntfs3: Add bounds checking to mi_enum_attr() Shiju Jose <shiju.jose(a)huawei.com> cxl/events: Fix Trace DRAM Event Record Paulo Alcantara <pc(a)manguebit.com> smb: client: set correct device number on nfs reparse points Paulo Alcantara <pc(a)manguebit.com> smb: client: fix parsing of device numbers Pierre Gondois <pierre.gondois(a)arm.com> ACPI: CPPC: Make rmw_lock a raw_spin_lock David Howells <dhowells(a)redhat.com> afs: Fix missing subdir edit when renamed between parent dirs David Howells <dhowells(a)redhat.com> afs: Automatically generate trace tag enums Xiongfeng Wang <wangxiongfeng2(a)huawei.com> firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Marco Elver <elver(a)google.com> kasan: Fix Software Tag-Based KASAN with GCC Christoph Hellwig <hch(a)lst.de> iomap: turn iomap_want_unshare_iter into an inline function Darrick J. Wong <djwong(a)kernel.org> fsdax: dax_unshare_iter needs to copy entire blocks Darrick J. Wong <djwong(a)kernel.org> fsdax: remove zeroing code from dax_unshare_iter Darrick J. Wong <djwong(a)kernel.org> iomap: share iomap_unshare_iter predicate code with fsdax Darrick J. Wong <djwong(a)kernel.org> iomap: don't bother unsharing delalloc extents Christoph Hellwig <hch(a)lst.de> iomap: improve shared block detection in iomap_unshare_iter Toke Høiland-Jørgensen <toke(a)redhat.com> bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address Amit Cohen <amcohen(a)nvidia.com> mlxsw: spectrum_ptp: Add missing verification before pushing Tx header Benoît Monin <benoit.monin(a)gmx.fr> net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Sungwoo Kim <iam(a)sung-woo.kim> Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Eric Dumazet <edumazet(a)google.com> netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() Dong Chenchen <dongchenchen2(a)huawei.com> netfilter: Fix use-after-free in get_info() Wang Liang <wangliang74(a)huawei.com> net: fix crash when config small gso_max_size/gso_ipv4_max_size Byeonguk Jeong <jungbu2855(a)gmail.com> bpf: Fix out-of-bounds write in trie_get_next_key() Zichen Xie <zichenxie0106(a)gmail.com> netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Eduard Zingerman <eddyz87(a)gmail.com> bpf: Force checkpoint when jmp history is too long Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Add bpf_percpu_obj_{new,drop}() macro in bpf_experimental.h Pedro Tammela <pctammela(a)mojatatu.com> net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pablo Neira Ayuso <pablo(a)netfilter.org> gtp: allow -1 to be specified as file description from userspace Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Wander Lairson Costa <wander(a)redhat.com> igb: Disable threaded IRQ for igb_msix_other Furong Xu <0x1207(a)gmail.com> net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Ley Foon Tan <leyfoon.tan(a)starfivetech.com> net: stmmac: dwmac4: Fix high address display by updating reg_space[] from register values Jianbo Liu <jianbol(a)nvidia.com> macsec: Fix use-after-free while sending the offloading packet Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't add default link in fw restart flow Daniel Gabay <daniel.gabay(a)intel.com> wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: synchronize the qp-handle table array Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix the usage of control path spin locks Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Leon Romanovsky <leon(a)kernel.org> RDMA/cxgb4: Dump vendor specific QP details Geert Uytterhoeven <geert(a)linux-m68k.org> wifi: brcm80211: BRCM_TRACING should depend on TRACING Remi Pommarel <repk(a)triplefau.lt> wifi: ath11k: Fix invalid ring usage in full monitor mode Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Geert Uytterhoeven <geert(a)linux-m68k.org> mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Ben Hutchings <ben(a)decadent.org.uk> wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Georgi Djakov <djakov(a)kernel.org> spi: geni-qcom: Fix boot warning related to pm_runtime and devres Xiu Jianfeng <xiujianfeng(a)huawei.com> cgroup: Fix potential overflow issue when checking max_depth Stefan Kerkmann <s.kerkmann(a)pengutronix.de> Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller Brenton Simpson <appsforartists(a)google.com> Input: xpad - sort xpad_device by vendor and product ID Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: core: Free tzp copy along with the thermal zone Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: core: Rework thermal zone availability check Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: core: Make thermal_zone_device_unregister() return after freeing the zone ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8ulp.dtsi | 2 +- arch/riscv/kernel/acpi.c | 4 +- arch/riscv/kernel/asm-offsets.c | 2 - arch/riscv/kernel/cpu-hotplug.c | 2 +- arch/riscv/kernel/efi-header.S | 2 +- arch/riscv/kernel/traps_misaligned.c | 2 - arch/riscv/kernel/vdso/Makefile | 1 + arch/x86/include/asm/bug.h | 12 ++ arch/x86/kernel/traps.c | 71 +++++- block/blk-map.c | 4 +- drivers/acpi/cppc_acpi.c | 9 +- drivers/base/core.c | 48 ++++- drivers/base/module.c | 4 - drivers/cxl/acpi.c | 7 + drivers/cxl/core/hdm.c | 50 ++++- drivers/cxl/core/port.c | 13 +- drivers/cxl/core/region.c | 48 ++--- drivers/cxl/core/trace.h | 17 +- drivers/cxl/cxl.h | 3 +- drivers/firmware/arm_sdei.c | 2 +- drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 + drivers/iio/adc/ad7124.c | 2 +- drivers/iio/industrialio-gts-helper.c | 4 +- drivers/iio/light/veml6030.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 38 ++-- drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 + drivers/infiniband/hw/cxgb4/provider.c | 1 + drivers/infiniband/hw/mlx5/qp.c | 4 +- drivers/input/joystick/xpad.c | 12 +- drivers/input/touchscreen/edt-ft5x06.c | 19 +- drivers/misc/mei/client.c | 4 +- drivers/misc/sgi-gru/grukservices.c | 2 - drivers/misc/sgi-gru/grumain.c | 4 - drivers/misc/sgi-gru/grutlbpurge.c | 2 - drivers/mmc/host/sdhci-pci-gli.c | 38 ++-- drivers/mtd/spi-nor/winbond.c | 7 +- drivers/net/ethernet/amd/mvme147.c | 7 +- drivers/net/ethernet/intel/igb/igb_main.c | 2 +- .../net/ethernet/mellanox/mlxsw/spectrum_ipip.c | 26 ++- drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c | 7 + drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 8 + drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h | 2 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 +- drivers/net/gtp.c | 22 +- drivers/net/macsec.c | 3 +- drivers/net/mctp/mctp-i2c.c | 3 + drivers/net/netdevsim/fib.c | 4 +- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 + drivers/net/wireless/ath/ath11k/dp_rx.c | 7 +- drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 + drivers/net/wireless/intel/iwlegacy/common.c | 15 +- drivers/net/wireless/intel/iwlegacy/common.h | 12 ++ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +- .../net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 24 ++- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 3 +- drivers/nvme/target/auth.c | 1 + drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 10 +- drivers/phy/qualcomm/phy-qcom-qmp-usb-legacy.c | 1 + drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 1 + drivers/scsi/scsi_transport_fc.c | 4 +- drivers/spi/spi-fsl-dspi.c | 6 +- drivers/spi/spi-geni-qcom.c | 8 +- drivers/staging/iio/frequency/ad9832.c | 7 +- .../intel/int340x_thermal/processor_thermal_rapl.c | 70 +++--- drivers/thermal/thermal_core.c | 25 ++- drivers/thunderbolt/tb.c | 48 ++++- drivers/usb/gadget/udc/dummy_hcd.c | 57 +++-- drivers/usb/host/xhci-pci.c | 6 +- drivers/usb/host/xhci-ring.c | 16 +- drivers/usb/phy/phy.c | 2 +- drivers/usb/typec/class.c | 1 + drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 4 +- fs/afs/dir.c | 25 +++ fs/afs/dir_edit.c | 91 +++++++- fs/afs/internal.h | 2 + fs/dax.c | 49 +++-- fs/iomap/buffered-io.c | 7 +- fs/nfs/delegation.c | 5 + fs/nilfs2/namei.c | 3 + fs/nilfs2/page.c | 1 + fs/ntfs3/file.c | 9 +- fs/ntfs3/frecord.c | 4 +- fs/ntfs3/inode.c | 15 +- fs/ntfs3/lznt.c | 3 + fs/ntfs3/namei.c | 2 +- fs/ntfs3/ntfs_fs.h | 2 +- fs/ntfs3/record.c | 31 ++- fs/ocfs2/file.c | 8 + fs/smb/client/cifs_unicode.c | 17 +- fs/smb/client/reparse.c | 174 ++++++++++++++- fs/smb/client/reparse.h | 9 +- fs/smb/client/smb2inode.c | 3 +- fs/smb/client/smb2proto.h | 1 + fs/xfs/xfs_filestream.c | 23 +- fs/xfs/xfs_trace.h | 15 +- include/acpi/cppc_acpi.h | 2 +- include/linux/compiler-gcc.h | 4 + include/linux/device.h | 3 + include/linux/huge_mm.h | 18 ++ include/linux/iomap.h | 19 ++ include/linux/sched.h | 2 + include/linux/thermal.h | 2 + include/linux/ubsan.h | 5 + include/net/ip_tunnels.h | 2 +- include/trace/events/afs.h | 240 +++------------------ init/init_task.c | 1 + io_uring/io_uring.c | 13 +- io_uring/rw.c | 23 +- kernel/bpf/cgroup.c | 19 +- kernel/bpf/lpm_trie.c | 2 +- kernel/bpf/verifier.c | 9 +- kernel/cgroup/cgroup.c | 4 +- kernel/fork.c | 1 + kernel/rcu/tasks.h | 90 +++++--- kernel/sched/fair.c | 4 +- lib/Kconfig.ubsan | 4 +- lib/iov_iter.c | 6 +- mm/huge_memory.c | 13 +- mm/kasan/kasan_test.c | 27 --- mm/memory.c | 9 + mm/migrate.c | 2 +- mm/page_alloc.c | 10 +- mm/shmem.c | 2 + net/bluetooth/hci_sync.c | 18 +- net/bpf/test_run.c | 1 + net/core/dev.c | 4 + net/core/rtnetlink.c | 4 +- net/ipv6/netfilter/nf_reject_ipv6.c | 15 +- net/mac80211/Kconfig | 2 +- net/mac80211/agg-tx.c | 4 +- net/mac80211/cfg.c | 3 +- net/mac80211/key.c | 42 ++-- net/mptcp/protocol.c | 2 + net/netfilter/nft_payload.c | 3 + net/netfilter/x_tables.c | 2 +- net/sched/sch_api.c | 2 +- net/sunrpc/svc.c | 9 +- net/wireless/core.c | 1 + sound/pci/hda/patch_realtek.c | 23 +- sound/soc/codecs/cs42l51.c | 7 +- sound/soc/sof/ipc4-control.c | 175 ++++++++++++++- sound/soc/sof/ipc4-topology.c | 49 ++++- sound/soc/sof/ipc4-topology.h | 19 +- sound/usb/mixer_quirks.c | 3 + tools/mm/page-types.c | 9 +- tools/mm/slabinfo.c | 4 +- tools/testing/cxl/test/cxl.c | 14 +- tools/testing/selftests/bpf/bpf_experimental.h | 31 +++ tools/testing/selftests/mm/uffd-common.c | 5 +- tools/testing/selftests/mm/uffd-common.h | 3 +- tools/testing/selftests/mm/uffd-unit-tests.c | 21 +- tools/usb/usbip/src/usbip_detach.c | 1 + 155 files changed, 1657 insertions(+), 775 deletions(-)

7 months, 2 weeks

12
162
0 0

[PATCH 5.4 000/461] 5.4.285-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.285 release. There are 461 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 09 Nov 2024 06:32:59 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.285-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.285-rc2 Qun-Wei Lin <qun-wei.lin(a)mediatek.com> mm: krealloc: Fix MTE false alarm in __do_krealloc Johannes Berg <johannes.berg(a)intel.com> mac80211: always have ieee80211_sta_restart() Jeongjun Park <aha310510(a)gmail.com> vt: prevent kernel-infoleak in con_font_get() Jason-JH.Lin <jason-jh.lin(a)mediatek.com> Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Jeongjun Park <aha310510(a)gmail.com> mm: shmem: fix data-race in shmem_getattr() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of checked flag Edward Adam Davis <eadavis(a)qq.com> ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: Remove unused GENERATING_ASM_OFFSETS Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential deadlock with newly created symlinks Zicheng Qu <quzicheng(a)huawei.com> staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Ville Syrjälä <ville.syrjala(a)linux.intel.com> wifi: iwlegacy: Clear stale interrupts before resuming device Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com> wifi: ath10k: Fix memory leak in management tx Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "driver core: Fix uevent_show() vs driver detach race" Faisal Hassan <quic_faisalh(a)quicinc.com> xhci: Fix Link TRB DMA in command ring stopped completion event Zijun Hu <quic_zijuhu(a)quicinc.com> usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou <zhouzongmin(a)kylinos.cn> usbip: tools: Fix detach_port() invalid port error path Dimitri Sivanich <sivanich(a)hpe.com> misc: sgi-gru: Don't disable preemption in GRU driver Daniel Palmer <daniel(a)0x0f.com> net: amd: mvme147: Fix probe banner message Xiongfeng Wang <wangxiongfeng2(a)huawei.com> firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() zhong jiang <zhongjiang(a)huawei.com> drivers/misc: ti-st: Remove unneeded variable in st_tty_open Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Benoît Monin <benoit.monin(a)gmx.fr> net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Xin Long <lucien.xin(a)gmail.com> net: support ip generic csum processing in skb_csum_hwoffload_help Byeonguk Jeong <jungbu2855(a)gmail.com> bpf: Fix out-of-bounds write in trie_get_next_key() Pedro Tammela <pctammela(a)mojatatu.com> net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pablo Neira Ayuso <pablo(a)netfilter.org> gtp: allow -1 to be specified as file description from userspace Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> gtp: simplify error handling code in 'gtp_encap_enable()' Wander Lairson Costa <wander(a)redhat.com> igb: Disable threaded IRQ for igb_msix_other Maciej Falkowski <m.falkowski(a)samsung.com> dt-bindings: gpu: Convert Samsung Image Rotator to dt-schema Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Daniel Gabay <daniel.gabay(a)intel.com> wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Youghandhar Chintala <youghand(a)codeaurora.org> mac80211: Add support to trigger sta disconnect on hardware restart Johannes Berg <johannes.berg(a)intel.com> mac80211: do drv_reconfig_complete() before restarting all Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Xiu Jianfeng <xiujianfeng(a)huawei.com> cgroup: Fix potential overflow issue when checking max_depth Sabrina Dubroca <sd(a)queasysnail.net> xfrm: validate new SA's prefixlen using SA family when sel.family is unset junhua huang <huang.junhua(a)zte.com.cn> arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning Paul Moore <paul(a)paul-moore.com> selinux: improve error checking in sel_write_load() Haiyang Zhang <haiyangz(a)microsoft.com> hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event José Relvas <josemonsantorelvas(a)gmail.com> ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of buffer delay flag Shubham Panwar <shubiisp8(a)gmail.com> ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Christian Heusel <christian(a)heusel.eu> ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Guard against bad data for ATIF ACPI method Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Update default depop procedure Andrey Shumilin <shum.sdl(a)nppct.ru> ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Heiner Kallweit <hkallweit1(a)gmail.com> r8169: avoid unsolicited interrupts Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: fix use-after-free in taprio_change() Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix name regression Biju Das <biju.das(a)bp.renesas.com> dt-bindings: power: Add r8a774b1 SYSC power domain definitions Wang Hai <wanghai38(a)huawei.com> be2net: fix potential memory leak in be_xmit() Wang Hai <wanghai38(a)huawei.com> net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Leo Yan <leo.yan(a)arm.com> tracing: Consider the NULL character when validating the event length Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: Fix sanity check in dbMount Gianfranco Trad <gianf.trad(a)gmail.com> udf: fix uninit-value use in udf_get_fileshortad Hans de Goede <hdegoede(a)redhat.com> drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Nico Boehr <nrb(a)linux.ibm.com> KVM: s390: gaccess: Check if guest address is in memslot Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Cleanup access to guest pages Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Refactor access address range check Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Refactor gpa and length calculation Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix uprobes for big-endian kernels junhua huang <huang.junhua(a)zte.com.cn> arm64:uprobe fix the uprobe SWBP_INSN in big-endian Ye Bin <yebin10(a)huawei.com> Bluetooth: bnep: fix wild-memory-access in proto_unregister Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> usb: typec: altmode should keep reference to parent Paulo Alcantara <pc(a)manguebit.com> smb: client: fix OOBs when building SMB2_IOCTL request Eric Dumazet <edumazet(a)google.com> genetlink: hold RCU in genlmsg_mcast() Wang Hai <wanghai38(a)huawei.com> net: systemport: fix potential memory leak in bcm_sysport_xmit() Wang Hai <wanghai38(a)huawei.com> net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Sabrina Dubroca <sd(a)queasysnail.net> macsec: don't increment counters for an unrelated SA Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Return more meaningful error Xin Long <lucien.xin(a)gmail.com> ipv4: give an IPv4 dev to blackhole_netdev Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Florian Klink <flokli(a)flokli.de> ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> mac80211: Fix NULL ptr deref for injected rate info Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: fix lz4 inplace decompression Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: propagate directory read errors from nilfs_find_entry() Zhang Rui <rui.zhang(a)intel.com> x86/apic: Always explicitly disarm TSC-deadline timer Nathan Chancellor <nathan(a)kernel.org> x86/resctrl: Annotate get_mem_config() functions as __init Takashi Iwai <tiwai(a)suse.de> parport: Proper fix for array out-of-bounds access Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 MBIM compositions Benjamin B. Frost <benjamin(a)geanix.com> USB: serial: option: add support for Quectel EG916Q-GL Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix incorrect stream context type macro Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Aaron Thompson <dev(a)aaront.org> Bluetooth: Remove debugfs directory on module init failure Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Emil Gedenryd <emil.gedenryd(a)axis.com> iio: light: opt3001: add missing full-scale range value Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig Nikolay Kuratov <kniv(a)yandex-team.ru> drm/vmwgfx: Handle surface check failure correctly Omar Sandoval <osandov(a)fb.com> blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Jim Mattson <jmattson(a)google.com> x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: Change virtual to physical address access in diag 0x258 handler Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Breno Leitao <leitao(a)debian.org> KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix potential key use-after-free Liu Shixin <liushixin2(a)huawei.com> mm/swapfile: skip HugeTLB pages for unuse_vma OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix uninitialized variable WangYuli <wangyuli(a)uniontech.com> PCI: Add function 0 DMA alias quirk for Glenfly Arise chip Andrii Nakryiko <andrii(a)kernel.org> tracing/kprobes: Fix symbol counting logic by looking at modules as well Francis Laniel <flaniel(a)linux.microsoft.com> tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix simulate_ldr*_literal() Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Remove broken LDR (literal) uprobe support Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: Fix missing timespec64 check in pc_clock_settime() Yonatan Maman <Ymaman(a)Nvidia.com> nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error Anastasia Kovaleva <a.kovaleva(a)yadro.com> net: Fix an unsafe loop on the list SurajSonawane2415 <surajsonawane0215(a)gmail.com> hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma Icenowy Zheng <uwu(a)icenowy.me> usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip Jose Alberto Reguero <jose.alberto.reguero(a)gmail.com> usb: xhci: Fix problem with xhci resume from suspend Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: core: Stop processing of pending events if controller is halted Oliver Neukum <oneukum(a)suse.com> Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" Wade Wang <wade.wang(a)hp.com> HID: plantronics: Workaround for an unexcepted opposite volume key Oliver Neukum <oneukum(a)suse.com> CDC-NCM: avoid overflow in sanity checking Huang Ying <ying.huang(a)intel.com> resource: fix region_intersects() vs add_memory_driver_managed() Zhiguo Niu <zhiguo.niu(a)unisoc.com> lockdep: fix deadlock issue between lockdep and rcu Waiman Long <longman(a)redhat.com> locking/lockdep: Avoid potential access of invalid memory in lock_class Peter Zijlstra <peterz(a)infradead.org> locking/lockdep: Rework lockdep_lock Peter Zijlstra <peterz(a)infradead.org> locking/lockdep: Fix bad recursion pattern Eric Dumazet <edumazet(a)google.com> slip: make slhc_remember() more robust against malicious packets Eric Dumazet <edumazet(a)google.com> ppp: fix ppp_async_encode() illegal access Xin Long <lucien.xin(a)gmail.com> sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start Eric Dumazet <edumazet(a)google.com> net: annotate lockless accesses to sk->sk_max_ack_backlog Eric Dumazet <edumazet(a)google.com> net: annotate lockless accesses to sk->sk_ack_backlog Rosen Penev <rosenp(a)gmail.com> net: ibm: emac: mal: fix wrong goto Eric Dumazet <edumazet(a)google.com> net/sched: accept TCA_STAB only for root qdisc Mohamed Khalfella <mkhalfella(a)purestorage.com> igb: Do not bring the device up after non-fatal error Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Use devm_clk api to manage clock source Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Add the flush write to ensure the write complete. Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change Andy Roulin <aroulin(a)nvidia.com> netfilter: br_netfilter: fix panic with metadata_dst skb Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe Neal Cardwell <ncardwell(a)google.com> tcp: fix to allow timestamp undo if no retransmits were sent Dan Carpenter <dan.carpenter(a)linaro.org> SUNRPC: Fix integer overflow in decode_rc_list() Dave Ertman <david.m.ertman(a)intel.com> ice: fix VLAN replay after reset Bob Pearson <rpearsonhpe(a)gmail.com> RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt Andrey Shumilin <shum.sdl(a)nppct.ru> fbdev: sisfb: Fix strbuf array overflow Zijun Hu <quic_zijuhu(a)quicinc.com> driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute Zhu Jun <zhujun2(a)cmss.chinamobile.com> tools/iio: Add memory allocation failure check for trigger_name Philip Chen <philipchen(a)chromium.org> virtio_pmem: Check device status before requesting flush Shawn Shao <shawn.shao(a)jaguarmicro.com> usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: udc: enable suspend interrupt after usb reset Yunke Cao <yunkec(a)chromium.org> media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() Kaixin Wang <kxwang23(a)m.fudan.edu.cn> ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition Alex Williamson <alex.williamson(a)redhat.com> PCI: Mark Creative Labs EMU20k2 INTx masking as broken Hans de Goede <hdegoede(a)redhat.com> i2c: i801: Use a different adapter-name for IDF adapters Subramanian Ananthanarayanan <quic_skananth(a)quicinc.com> PCI: Add ACS quirk for Qualcomm SA8775P Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> clk: bcm: bcm53573: fix OF node leak in init Daniel Jordan <daniel.m.jordan(a)oracle.com> ktest.pl: Avoid false positives with grub2 skip regex Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_sf: Remove WARN_ON_ONCE statements Wojciech Gładysz <wojciech.gladysz(a)infogain.com> ext4: nested locking for xattr inode Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> s390/mm: Add cond_resched() to cmm_alloc/free_pages() Heiko Carstens <hca(a)linux.ibm.com> s390/facility: Disable compile time optimization for decompressor code Tao Chen <chen.dylane(a)gmail.com> bpf: Check percpu map value size first Mathias Krause <minipli(a)grsecurity.net> Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal Michael S. Tsirkin <mst(a)redhat.com> virtio_console: fix misc probe bugs Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Have saved_cmdlines arrays all in one allocation Rob Clark <robdclark(a)chromium.org> drm/crtc: fix uninitialized variable use even harder Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Remove precision vsnprintf() check from print event Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Drop TSO support Gabriel Krisman Bertazi <krisman(a)suse.de> unicode: Don't special case ignorable code points zhanchengbin <zhanchengbin1(a)huawei.com> ext4: fix inode tree inconsistency caused by ENOMEM Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Fix possible crash when unregistering a battery hook Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Simplify battery hook locking Heiner Kallweit <hkallweit1(a)gmail.com> r8169: add tally counter fields added with RTL8125 Colin Ian King <colin.i.king(a)gmail.com> r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Mike Tipton <quic_mdtipton(a)quicinc.com> clk: qcom: clk-rpmh: Fix overflow in BCM vote Stephen Boyd <sboyd(a)kernel.org> clk: qcom: rpmh: Simplify clk_rpmh_bcm_send_cmd() NeilBrown <neilb(a)suse.de> nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Arnd Bergmann <arnd(a)arndb.de> nfsd: use ktime_get_seconds() for timestamps Oleg Nesterov <oleg(a)redhat.com> uprobes: fix kernel info leak via "[uprobes]" vma Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround once more Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-N3 definitions Anshuman Khandual <anshuman.khandual(a)arm.com> arm64: Add Cortex-715 CPU part definition Jinjie Ruan <ruanjinjie(a)huawei.com> i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Stephen Boyd <swboyd(a)chromium.org> i2c: qcom-geni: Grow a dev pointer to simplify code Stephen Boyd <swboyd(a)chromium.org> i2c: qcom-geni: Let firmware specify irq trigger flags Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: davinci: fix lazy disable Filipe Manana <fdmanana(a)suse.com> btrfs: wait for fixup workers before stopping cleaner kthread during umount Qu Wenruo <wqu(a)suse.com> btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix adp5589_gpio_get_value() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> rtc: at91sam9: fix OF node leak in probe() error path Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fallback to realpath if symlink's pathname does not exist Barnabás Czémán <barnabas.czeman(a)mainlining.org> iio: magnetometer: ak8975: Fix reading for ak099xx sensors Zheng Wang <zyytlz.wz(a)163.com> media: venus: fix use after free bug in venus_remove due to race condition Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> media: sun4i_csi: Implement link validate for sun4i_csi subdev Sebastian Reichel <sebastian.reichel(a)collabora.com> clk: rockchip: fix error for unknown clocks Chun-Yi Lee <joeyli.kernel(a)gmail.com> aoe: fix the potential use-after-free problem in more places Jisheng Zhang <jszhang(a)kernel.org> riscv: define ILLEGAL_POINTER_VALUE for 64bit Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Julian Sun <sunjunchao2870(a)gmail.com> ocfs2: fix null-ptr-deref when journal load failed. Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: remove unreasonable unlock in ocfs2_read_blocks Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: cancel dqi_sync_work before freeing oinfo Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> ocfs2: reserve space for inline xattr before attaching reflink tree Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix uninit-value in ocfs2_get_block() Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the la space leak when unmounting an ocfs2 volume Danilo Krummrich <dakr(a)kernel.org> mm: krealloc: consider spare memory for __GFP_ZERO Baokun Li <libaokun1(a)huawei.com> jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Ma Ke <make24(a)iscas.ac.cn> drm: omapdrm: Add missing check for alloc_ordered_workqueue Andrew Jones <ajones(a)ventanamicro.com> of/irq: Support #msi-cells=<0> in of_msi_get_domain Helge Deller <deller(a)gmx.de> parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Helge Deller <deller(a)kernel.org> parisc: Fix 64-bit userspace syscall path Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Baokun Li <libaokun1(a)huawei.com> ext4: fix double brelse() the buffer of the extents path Baokun Li <libaokun1(a)huawei.com> ext4: aovid use-after-free in ext4_ext_insert_extent() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Baokun Li <libaokun1(a)huawei.com> ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Edward Adam Davis <eadavis(a)qq.com> ext4: no need to continue when the number of entries is 1 Jaroslav Kysela <perex(a)perex.cz> ALSA: core: add isascii() check to card ID generator Thomas Zimmermann <tzimmermann(a)suse.de> drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Helge Deller <deller(a)gmx.de> parisc: Fix itlb miss handler for 64-bit programs Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix small negative period being ignored Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix module autoloading Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Wait for TX empty to avoid missed TX NAKs Marek Vasut <marex(a)denx.de> i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO symbols lookup for powerpc64 Yifei Liu <yifei.l.liu(a)oracle.com> selftests: breakpoints: use remaining time to check if suspend succeed Ben Dooks <ben.dooks(a)codethink.co.uk> spi: s3c64xx: fix timeout counters in flush_fifo Artem Sadovnikov <ancowi69(a)gmail.com> ext4: fix i_data_sem unlock order in ext4_ind_migrate() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: ext4_search_dir should return a proper error Geert Uytterhoeven <geert+renesas(a)glider.be> of/irq: Refer to actual buffer size in of_irq_parse_one() Geert Uytterhoeven <geert+renesas(a)glider.be> drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Kees Cook <kees(a)kernel.org> scsi: aacraid: Rearrange order of struct aac_srb_unit Matthew Brost <matthew.brost(a)intel.com> drm/printer: Allow NULL data in devcoredump printer Alex Hung <alex.hung(a)amd.com> drm/amd/display: Initialize get_bytes_per_element's default to 1 Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in degamma hardware format translation Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream before comparing them Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> jfs: Fix uninit-value access of new_ea in ea_buffer Edward Adam Davis <eadavis(a)qq.com> jfs: check if leafidx greater than num leaves per dmap tree Edward Adam Davis <eadavis(a)qq.com> jfs: Fix uaf in dbFreeBits Remington Brasga <rbrasga(a)uci.edu> jfs: UBSAN: shift-out-of-bounds in dbFindBits Damien Le Moal <dlemoal(a)kernel.org> ata: sata_sil: Rename sil_blacklist to sil_quirks Andrew Davis <afd(a)ti.com> power: reset: brcmstb: Do not go into infinite loop if reset fails Kaixin Wang <kxwang23(a)m.fudan.edu.cn> fbdev: pxafb: Fix possible use after free in pxafb_task() Kees Cook <kees(a)kernel.org> x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Takashi Iwai <tiwai(a)suse.de> ALSA: hdsp: Break infinite MIDI input flush loop Takashi Iwai <tiwai(a)suse.de> ALSA: asihpi: Fix potential OOB array access Thomas Gleixner <tglx(a)linutronix.de> signal: Replace BUG_ON()s Jinjie Ruan <ruanjinjie(a)huawei.com> nfp: Use IRQF_NO_AUTOEN flag in request_irq() Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Adrian Ratiu <adrian.ratiu(a)collabora.com> proc: add config & param to block forcing mem writes Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> ACPICA: iasl: handle empty connection_node Jason Xing <kernelxing(a)tencent.com> tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Ido Schimmel <idosch(a)nvidia.com> ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Simon Horman <horms(a)kernel.org> net: mvpp2: Increase size of queue_name buffer Simon Horman <horms(a)kernel.org> tipc: guard against string buffer overrun Pei Xiao <xiaopei01(a)kylinos.cn> ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Do not release locks during operation region accesses Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw88: select WANT_DEV_COREDUMP Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: consistently use rcu_replace_pointer() in taprio_change() Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_mdio: fix OF node leak in probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hip04: fix OF node leak in probe() Aleksandr Mishin <amishin(a)t-argos.ru> ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Jann Horn <jannh(a)google.com> f2fs: Require FMODE_WRITE for atomic write ioctls Takashi Iwai <tiwai(a)suse.de> ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Takashi Iwai <tiwai(a)suse.de> ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Oder Chiou <oder_chiou(a)realtek.com> ALSA: hda/realtek: Fix the push button function for the ALC257 Xin Long <lucien.xin(a)gmail.com> sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Anton Danilov <littlesmilingcloud(a)gmail.com> ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Eric Dumazet <edumazet(a)google.com> net: add more sanity checks to qdisc_pkt_len_init() Eric Dumazet <edumazet(a)google.com> net: avoid potential underflow in qdisc_pkt_len_init() with UFO Aleksander Jan Bajkowski <olek2(a)wp.pl> net: ethernet: lantiq_etop: fix memory disclosure Jinjie Ruan <ruanjinjie(a)huawei.com> Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Abhishek Pandit-Subedi <abhishekpandit(a)chromium.org> Bluetooth: btmrvl_sdio: Refactor irq wakeup Eric Dumazet <edumazet(a)google.com> netfilter: nf_tables: prevent nf_skb_duplicated corruption Jinjie Ruan <ruanjinjie(a)huawei.com> net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Phil Sutter <phil(a)nwl.cc> netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Mohamed Khalfella <mkhalfella(a)purestorage.com> net/mlx5: Added cond_resched() to crdump collection Jinjie Ruan <ruanjinjie(a)huawei.com> ieee802154: Fix build error Krzysztof Kozlowski <krzk(a)kernel.org> drivers: net: Fix Kconfig indentation, continued rd.dunlab(a)gmail.com <rd.dunlab(a)gmail.com> Minor fixes to the CAIF Transport drivers Kconfig file Xiubo Li <xiubli(a)redhat.com> ceph: remove the incorrect Fw reference check when dirtying pages Stefan Wahren <wahrenst(a)gmx.net> mailbox: bcm2835: Fix timeout during suspend mode Liao Chen <liaochen4(a)huawei.com> mailbox: rockchip: fix a typo in module autoloading Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> usb: yurex: Fix inconsistent locking bug in yurex_read() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: isch: Add missed 'else' Tommy Huang <tommy_huang(a)aspeedtech.com> i2c: aspeed: Update the stop sw state when the bus recovery occurs David Gow <davidgow(a)google.com> mm: only enforce minimum stack gap size if it's sensible Ma Ke <make24(a)iscas.ac.cn> pps: add an error check in parport_attach Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> pps: remove usage of the deprecated ida_simple_xx() API Oliver Neukum <oneukum(a)suse.com> USB: misc: yurex: fix race between read and write Lee Jones <lee(a)kernel.org> usb: yurex: Replace snprintf() with the safer scnprintf() variant Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix soc_dev leak during device remove Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix memory leak during device remove Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler Thomas Gleixner <tglx(a)linutronix.de> PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' Jerome Brunet <jbrunet(a)baylibre.com> ASoC: meson: axg: extract sound card utils Li Lingfeng <lilingfeng3(a)huawei.com> nfs: fix memory leak in error path of nfs4_do_reclaim Mickaël Salaün <mic(a)digikod.net> fs: Fix file_set_fowner LSM hook inconsistencies Julian Sun <sunjunchao2870(a)gmail.com> vfs: fix race between evice_inodes() and find_inode()&iput() Guoqing Jiang <guoqing.jiang(a)canonical.com> hwrng: mtk - Use devm_pm_runtime_enable Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: avoid potential int overflow in sanity_check_area_boundary() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: prevent possible int overflow in dir_block_index() Zhen Lei <thunder.leizhen(a)huawei.com> debugobjects: Fix conditions in fill_pool() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: 8822c: Fix reported RX band width Werner Sembach <wse(a)tuxedocomputers.com> ACPI: resource: Add another DMI match for the TongFang GMxXGxx Thomas Weißschuh <linux(a)weissschuh.net> ACPI: sysfs: validate return type of _STR method Mikhail Lobanov <m.lobanov(a)rosalinux.ru> drbd: Add NULL check for net_conf to prevent dereference in state validation Qiu-ji Chen <chenqiuji666(a)gmail.com> drbd: Fix atomicity violation in drbd_uuid_set_bm() Florian Fainelli <florian.fainelli(a)broadcom.com> tty: rp2: Fix reset with non forgiving PCIe host bridges Jann Horn <jannh(a)google.com> firmware_loader: Block path traversal Oliver Neukum <oneukum(a)suse.com> USB: class: CDC-ACM: fix race between get_serial and set_serial Oliver Neukum <oneukum(a)suse.com> USB: misc: cypress_cy7c63: check for short transfer Oliver Neukum <oneukum(a)suse.com> USB: appledisplay: close race between probe and completion handler Robin Chen <robin.chen(a)amd.com> drm/amd/display: Round calculated vtotal Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: integrator: fix OF node leak in probe() error path Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Remove *.orig pattern from .gitignore Hailey Mothershead <hailmo(a)amazon.com> crypto: aead,cipher - zeroize key buffer after use Simon Horman <horms(a)kernel.org> netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS Youssef Samir <quic_yabdulra(a)quicinc.com> net: qrtr: Update packets cloning when broadcasting Josh Hunt <johunt(a)akamai.com> tcp: check skb is non-NULL in tcp_rto_delta_us() Kaixin Wang <kxwang23(a)m.fudan.edu.cn> net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition Eric Dumazet <edumazet(a)google.com> netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() Suzuki K Poulose <suzuki.poulose(a)arm.com> coresight: tmc: sg: Do not leak sg_table Guillaume Stols <gstols(a)baylibre.com> iio: adc: ad7606: fix standby gpio state to match the documentation Guillaume Stols <gstols(a)baylibre.com> iio: adc: ad7606: fix oversampling gpio array Chao Yu <chao(a)kernel.org> f2fs: reduce expensive checkpoint trigger frequency Chao Yu <chao(a)kernel.org> f2fs: remove unneeded check condition in __f2fs_setxattr() Chao Yu <chao(a)kernel.org> f2fs: fix to update i_ctime in __f2fs_setxattr() Yonggil Song <yonggil.song(a)samsung.com> f2fs: fix typo Chao Yu <chao(a)kernel.org> f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() Li Lingfeng <lilingfeng3(a)huawei.com> nfsd: return -EINVAL when namelen is 0 Guoqing Jiang <guoqing.jiang(a)linux.dev> nfsd: call cache_put if xdr_reserve_space returns NULL Jinjie Ruan <ruanjinjie(a)huawei.com> ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() Mikhail Lobanov <m.lobanov(a)rosalinux.ru> RDMA/cxgb4: Added NULL check for lookup_atid Jinjie Ruan <ruanjinjie(a)huawei.com> riscv: Fix fp alignment bug in perf_callchain_user() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Optimize hem allocation performance Jonas Blixt <jonas.blixt(a)actia.se> watchdog: imx_sc_wdt: Don't disable WDT in suspend Wang Jianzheng <wangjianzheng(a)vivo.com> pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function David Lechner <dlechner(a)baylibre.com> clk: ti: dra7-atl: Fix leak of of_nodes Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: single: fix missing error code in pcs_probe() Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix register misspelling Dan Carpenter <dan.carpenter(a)linaro.org> PCI: keystone: Fix if-statement expression in ks_pcie_quirk() Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Jonas Karlman <jonas(a)kwiboo.se> clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 Ian Rogers <irogers(a)google.com> perf time-utils: Fix 32-bit nsec parsing Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fix missing free of session in perf_sched__timehist() Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential oob read in nilfs_btree_check_delete() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: determine empty node blocks as corrupted Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: avoid OOB when system.data xattr changes underneath the filesystem Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: return error on ext4_find_inline_entry Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid negative min_clusters in find_group_orlov() Jiawei Ye <jiawei.ye(a)foxmail.com> smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso yangerkun <yangerkun(a)huawei.com> ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard Mauricio Faria de Oliveira <mfo(a)canonical.com> jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers() Chen Yu <yu.c.chen(a)intel.com> kthread: fix task state in kthread worker if being frozen Rob Clark <robdclark(a)chromium.org> kthread: add kthread_work tracepoints Lasse Collin <lasse.collin(a)tukaani.org> xz: cleanup CRC32 edits from 2018 Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling test_lru_map.c Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling tcp_rtt.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compiling flow_dissector.c with musl-libc Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c Jonathan McDowell <noodles(a)meta.com> tpm: Clean up TPM space after command failure Juergen Gross <jgross(a)suse.com> xen/swiotlb: add alignment check for dma buffers Juergen Gross <jgross(a)suse.com> xen: use correct end address of kernel for conflict checking Yuesong Li <liyuesong(a)vivo.com> drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() Sherry Yang <sherry.yang(a)oracle.com> drm/msm: fix %s null argument error Wolfram Sang <wsa+renesas(a)sang-engineering.com> ipmi: docs: don't advertise deprecated sysfs entries Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: fix races in preemption evaluation stage Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: properly clear preemption records on resume Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: disable preemption in submits by default Aleksandr Mishin <amishin(a)t-argos.ru> drm/msm: Fix incorrect file name output in adreno_request_fw() Jeongjun Park <aha310510(a)gmail.com> jfs: fix out-of-bounds in dbNextAG() and diAlloc() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets Jonas Karlman <jonas(a)kwiboo.se> drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode Alex Bee <knaerzche(a)gmail.com> drm/rockchip: vop: Allow 4096px width scaling Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/radeon: Replace one-element array with flexible-array member Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/amdgpu: Replace one-element array with flexible-array member Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/stm: Fix an error handling path in stm_drm_platform_probe() Charles Han <hanchunchao(a)inspur.com> mtd: powernv: Add check devm_kasprintf() returned value Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() Artur Weber <aweber.kernel(a)gmail.com> power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense Chris Morgan <macromorgan(a)hotmail.com> power: supply: axp20x_battery: Remove design from min and max voltage Hermann Lauer <Hermann.Lauer(a)iwr.uni-heidelberg.de> power: supply: axp20x_battery: allow disabling battery charging Yuntao Liu <liuyuntao12(a)huawei.com> hwmon: (ntc_thermistor) fix module autoloading Mirsad Todorovac <mtodorovac69(a)gmail.com> mtd: slram: insert break after errors in parsing the map Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix overflows seen when writing limits Ankit Agrawal <agrawal.ag.ankit(a)gmail.com> clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: berlin: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: versatile: fix OF node leak in CPUs prepare Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ Ma Ke <make24(a)iscas.ac.cn> spi: ppc4xx: handle irq_of_parse_and_map() errors Yu Kuai <yukuai3(a)huawei.com> block, bfq: don't break merge chain in bfq_split_bfqq() Yu Kuai <yukuai3(a)huawei.com> block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix possible UAF for bfqq->bic with merge chain Su Hui <suhui(a)nfschina.com> net: tipc: avoid possible garbage value Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix not handling ZPL/short-transfer Kuniyuki Iwashima <kuniyu(a)amazon.com> can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). Eric Dumazet <edumazet(a)google.com> sock_map: Add a cond_resched() in sock_hash_free() Jiawei Ye <jiawei.ye(a)foxmail.com> wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param Dmitry Antipov <dmantipov(a)yandex.ru> wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Mathy Vanhoef <Mathy.Vanhoef(a)kuleuven.be> mac80211: parse radiotap header when selecting Tx queue Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject expiration higher than timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject element expiration with no timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire Zhang Changzhong <zhangchangzhong(a)huawei.com> can: j1939: use correct function name in comment Olaf Hering <olaf(a)aepfle.de> mount: handle OOM on mnt_warn_timestamp_expiry Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> fs/namespace: fnic: Switch to use %ptTd Anthony Iliopoulos <ailiop(a)suse.com> mount: warn only once about timestamp range expiration Christoph Hellwig <hch(a)lst.de> fs: explicitly unregister per-superblock BDIs Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k: Remove error checks when creating debugfs entries Minjie Du <duminjie(a)vivo.com> wifi: ath9k: fix parameter check in ath9k_init_debug() Aleksandr Mishin <amishin(a)t-argos.ru> ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() Edward Adam Davis <eadavis(a)qq.com> USB: usbtmc: prevent kernel-usb-infoleak Junhao Xie <bigfoot(a)classfun.cn> USB: serial: pl2303: add device id for Macrosilicon MS3020 Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: Fix DEVMAP_HASH overflow check on 32-bit arches Florian Westphal <fw(a)strlen.de> inet: inet_defrag: prevent sk release while still in use Hagar Hemdan <hagarhem(a)amazon.com> gpio: prevent potential speculation leaks in gpio_device_get_desc() Ferry Meng <mengferry(a)linux.alibaba.com> ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() Ferry Meng <mengferry(a)linux.alibaba.com> ocfs2: add bounds checking to ocfs2_xattr_find_entry() Michael Kelley <mhklinux(a)outlook.com> x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency Liao Chen <liaochen4(a)huawei.com> spi: bcm63xx: Enable module autoloading hongchi.peng <hongchi.peng(a)siengine.com> drm: komeda: Fix an issue related to normalized zpos Liao Chen <liaochen4(a)huawei.com> ASoC: tda7419: fix module autoloading Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead Daniel Gabay <daniel.gabay(a)intel.com> wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Ensure tx descriptor updates are visible Mike Rapoport <rppt(a)kernel.org> microblaze: don't treat zero reserved memory regions as error Thomas Blocher <thomas.blocher(a)ek-dev.de> pinctrl: at91: make it work with current gpiolib Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - FIxed ALC285 headphone no sound Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed ALC256 headphone no sound Hongbo Li <lihongbo22(a)huawei.com> ASoC: allow module autoloading for table db1200_pids Masami Hiramatsu <mhiramat(a)kernel.org> selftests: breakpoints: Fix a typo of function name Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 ------------- Diffstat: .gitignore | 1 - Documentation/IPMI.txt | 2 +- Documentation/admin-guide/kernel-parameters.txt | 10 + Documentation/arm64/silicon-errata.rst | 4 + .../devicetree/bindings/gpu/samsung-rotator.txt | 28 - .../devicetree/bindings/gpu/samsung-rotator.yaml | 48 + Makefile | 4 +- arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 +- arch/arm/boot/dts/imx7d-zii-rmu2.dts | 2 +- arch/arm/mach-realview/platsmp-dt.c | 1 + arch/arm64/Kconfig | 2 + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 23 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/include/asm/uprobes.h | 12 +- arch/arm64/kernel/cpu_errata.c | 2 + arch/arm64/kernel/probes/decode-insn.c | 16 +- arch/arm64/kernel/probes/simulate-insn.c | 18 +- arch/arm64/kernel/probes/uprobes.c | 4 +- arch/microblaze/mm/init.c | 5 - arch/parisc/kernel/entry.S | 6 +- arch/parisc/kernel/syscall.S | 14 +- arch/riscv/Kconfig | 5 + arch/riscv/kernel/asm-offsets.c | 2 - arch/riscv/kernel/perf_callchain.c | 2 +- arch/s390/include/asm/facility.h | 6 +- arch/s390/kernel/perf_cpum_sf.c | 12 +- arch/s390/kvm/diag.c | 2 +- arch/s390/kvm/gaccess.c | 162 +- arch/s390/kvm/gaccess.h | 14 +- arch/s390/mm/cmm.c | 18 +- arch/x86/include/asm/cpufeatures.h | 3 +- arch/x86/include/asm/syscall.h | 7 +- arch/x86/kernel/apic/apic.c | 14 +- arch/x86/kernel/cpu/mshyperv.c | 1 + arch/x86/kernel/cpu/resctrl/core.c | 4 +- arch/x86/xen/setup.c | 2 +- block/bfq-iosched.c | 13 +- block/blk-rq-qos.c | 2 +- crypto/aead.c | 3 +- crypto/cipher.c | 3 +- drivers/acpi/acpica/dbconvert.c | 2 + drivers/acpi/acpica/exprep.c | 3 + drivers/acpi/acpica/psargs.c | 47 + drivers/acpi/battery.c | 28 +- drivers/acpi/button.c | 11 + drivers/acpi/device_sysfs.c | 5 +- drivers/acpi/ec.c | 55 +- drivers/acpi/pmic/tps68470_pmic.c | 6 +- drivers/acpi/resource.c | 27 + drivers/ata/sata_sil.c | 12 +- drivers/base/bus.c | 6 +- drivers/base/core.c | 13 +- drivers/base/firmware_loader/main.c | 30 + drivers/base/module.c | 4 - drivers/block/aoe/aoecmd.c | 13 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_state.c | 2 +- drivers/bluetooth/btmrvl_sdio.c | 16 +- drivers/bluetooth/btusb.c | 10 +- drivers/char/hw_random/mtk-rng.c | 2 +- drivers/char/tpm/tpm-dev-common.c | 2 + drivers/char/tpm/tpm2-space.c | 3 + drivers/char/virtio_console.c | 18 +- drivers/clk/bcm/clk-bcm53573-ilp.c | 2 +- drivers/clk/qcom/clk-rpmh.c | 37 +- drivers/clk/rockchip/clk-rk3228.c | 2 +- drivers/clk/rockchip/clk.c | 3 +- drivers/clk/ti/clk-dra7-atl.c | 1 + drivers/clocksource/timer-qcom.c | 7 +- drivers/firmware/arm_sdei.c | 2 +- drivers/firmware/tegra/bpmp.c | 6 - drivers/gpio/gpio-aspeed.c | 4 +- drivers/gpio/gpio-davinci.c | 8 +- drivers/gpio/gpiolib.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +- drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 26 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 + .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 + .../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +- .../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +- .../drm/amd/display/modules/freesync/freesync.c | 2 +- drivers/gpu/drm/amd/include/atombios.h | 2 +- drivers/gpu/drm/arm/display/komeda/komeda_kms.c | 10 +- drivers/gpu/drm/drm_atomic_uapi.c | 2 +- drivers/gpu/drm/drm_crtc.c | 1 + drivers/gpu/drm/drm_mipi_dsi.c | 2 +- drivers/gpu/drm/drm_print.c | 13 +- drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 8 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 26 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 +- drivers/gpu/drm/omapdrm/omap_drv.c | 5 + drivers/gpu/drm/radeon/atombios.h | 2 +- drivers/gpu/drm/radeon/evergreen_cs.c | 62 +- drivers/gpu/drm/radeon/r100.c | 70 +- drivers/gpu/drm/radeon/radeon_atombios.c | 26 +- drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 +- drivers/gpu/drm/stm/drv.c | 4 +- drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +- drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + drivers/hid/hid-ids.h | 2 + drivers/hid/hid-plantronics.c | 23 + drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 2 +- drivers/hwmon/max16065.c | 5 +- drivers/hwmon/ntc_thermistor.c | 1 + drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- drivers/i2c/busses/i2c-aspeed.c | 16 +- drivers/i2c/busses/i2c-i801.c | 9 +- drivers/i2c/busses/i2c-isch.c | 3 +- drivers/i2c/busses/i2c-qcom-geni.c | 59 +- drivers/i2c/busses/i2c-stm32f7.c | 6 +- drivers/i2c/busses/i2c-xiic.c | 19 +- drivers/iio/adc/Kconfig | 4 + drivers/iio/adc/ad7606.c | 8 +- drivers/iio/adc/ad7606_spi.c | 5 +- .../iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- drivers/iio/dac/Kconfig | 2 + drivers/iio/light/opt3001.c | 4 + drivers/iio/magnetometer/ak8975.c | 32 +- drivers/iio/proximity/Kconfig | 2 + drivers/infiniband/core/iwcm.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- drivers/infiniband/hw/cxgb4/cm.c | 14 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 10 +- drivers/infiniband/sw/rxe/rxe_comp.c | 6 +- drivers/input/keyboard/adp5589-keys.c | 13 +- drivers/input/rmi4/rmi_driver.c | 6 +- drivers/mailbox/bcm2835-mailbox.c | 3 +- drivers/mailbox/rockchip-mailbox.c | 2 +- drivers/media/common/videobuf2/videobuf2-core.c | 8 +- drivers/media/dvb-frontends/rtl2830.c | 2 +- drivers/media/dvb-frontends/rtl2832.c | 2 +- drivers/media/platform/qcom/venus/core.c | 1 + drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 + drivers/misc/sgi-gru/grukservices.c | 2 - drivers/misc/sgi-gru/grumain.c | 4 - drivers/misc/sgi-gru/grutlbpurge.c | 2 - drivers/misc/ti-st/st_core.c | 4 +- drivers/mtd/devices/powernv_flash.c | 3 + drivers/mtd/devices/slram.c | 2 + drivers/net/Kconfig | 64 +- drivers/net/caif/Kconfig | 36 +- drivers/net/ethernet/aeroflex/greth.c | 3 +- drivers/net/ethernet/amd/mvme147.c | 7 +- drivers/net/ethernet/broadcom/bcmsysport.c | 1 + drivers/net/ethernet/cortina/gemini.c | 15 +- drivers/net/ethernet/emulex/benet/be_main.c | 10 +- drivers/net/ethernet/faraday/ftgmac100.c | 26 +- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 +- drivers/net/ethernet/freescale/fs_enet/Kconfig | 8 +- drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + drivers/net/ethernet/i825xx/sun3_82586.c | 1 + drivers/net/ethernet/ibm/emac/mal.c | 2 +- drivers/net/ethernet/intel/ice/ice_sched.c | 6 +- drivers/net/ethernet/intel/ice/ice_switch.c | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 6 +- drivers/net/ethernet/jme.c | 10 +- drivers/net/ethernet/lantiq_etop.c | 4 +- drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 + .../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 + .../net/ethernet/netronome/nfp/nfp_net_common.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 35 +- drivers/net/ethernet/seeq/ether3.c | 2 + drivers/net/gtp.c | 27 +- drivers/net/hyperv/netvsc_drv.c | 30 + drivers/net/ieee802154/Kconfig | 13 +- drivers/net/ieee802154/mcr20a.c | 5 +- drivers/net/macsec.c | 18 - drivers/net/phy/vitesse.c | 14 - drivers/net/ppp/ppp_async.c | 2 +- drivers/net/slip/slhc.c | 57 +- drivers/net/usb/cdc_ncm.c | 8 +- drivers/net/usb/ipheth.c | 5 +- drivers/net/usb/usbnet.c | 3 +- drivers/net/wireless/ath/Kconfig | 12 +- drivers/net/wireless/ath/ar5523/Kconfig | 14 +- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 + drivers/net/wireless/ath/ath9k/Kconfig | 54 +- drivers/net/wireless/ath/ath9k/debug.c | 6 +- drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +- drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 - drivers/net/wireless/atmel/Kconfig | 40 +- drivers/net/wireless/intel/iwlegacy/common.c | 2 + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 8 +- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/scan.c | 3 +- drivers/net/wireless/ralink/rt2x00/Kconfig | 44 +- drivers/net/wireless/realtek/rtw88/Kconfig | 1 + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 12 +- drivers/net/wireless/ti/wl12xx/Kconfig | 8 +- drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 + drivers/nvdimm/nd_virtio.c | 9 + drivers/of/irq.c | 38 +- drivers/parport/procfs.c | 22 +- drivers/pci/controller/dwc/pci-keystone.c | 2 +- drivers/pci/controller/pcie-xilinx-nwl.c | 24 +- drivers/pci/quirks.c | 8 + drivers/pinctrl/mvebu/pinctrl-dove.c | 42 +- drivers/pinctrl/pinctrl-at91.c | 5 +- drivers/pinctrl/pinctrl-single.c | 3 +- drivers/power/reset/brcmstb-reboot.c | 3 - drivers/power/supply/axp20x_battery.c | 29 +- drivers/power/supply/max17042_battery.c | 5 +- drivers/pps/clients/pps_parport.c | 14 +- drivers/reset/reset-berlin.c | 3 +- drivers/rtc/rtc-at91sam9.c | 1 + drivers/s390/char/sclp_vt220.c | 4 +- drivers/scsi/aacraid/aacraid.h | 2 +- drivers/soc/versatile/soc-integrator.c | 1 + drivers/soc/versatile/soc-realview.c | 20 +- drivers/soundwire/stream.c | 8 +- drivers/spi/spi-bcm63xx.c | 2 + drivers/spi/spi-nxp-fspi.c | 5 +- drivers/spi/spi-ppc4xx.c | 7 +- drivers/spi/spi-s3c64xx.c | 4 +- drivers/staging/iio/frequency/ad9832.c | 7 +- drivers/staging/wilc1000/wilc_hif.c | 4 +- drivers/target/target_core_user.c | 2 +- drivers/tty/serial/rp2.c | 2 +- drivers/tty/vt/vt.c | 2 +- drivers/usb/chipidea/udc.c | 8 +- drivers/usb/class/cdc-acm.c | 2 + drivers/usb/class/usbtmc.c | 2 +- drivers/usb/dwc2/platform.c | 26 +- drivers/usb/dwc3/core.c | 22 +- drivers/usb/dwc3/core.h | 4 - drivers/usb/dwc3/gadget.c | 11 - drivers/usb/host/xhci-pci.c | 5 + drivers/usb/host/xhci-ring.c | 16 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/misc/appledisplay.c | 15 +- drivers/usb/misc/cypress_cy7c63.c | 4 + drivers/usb/misc/yurex.c | 5 +- drivers/usb/phy/phy.c | 2 +- drivers/usb/serial/option.c | 8 + drivers/usb/serial/pl2303.c | 1 + drivers/usb/serial/pl2303.h | 4 + drivers/usb/storage/unusual_devs.h | 11 + drivers/usb/typec/class.c | 3 + drivers/video/fbdev/hpfb.c | 1 + drivers/video/fbdev/pxafb.c | 1 + drivers/video/fbdev/sis/sis_main.c | 2 +- drivers/watchdog/imx_sc_wdt.c | 24 - drivers/xen/swiotlb-xen.c | 6 + fs/btrfs/disk-io.c | 11 + fs/btrfs/relocation.c | 2 +- fs/ceph/addr.c | 1 - fs/cifs/smb2pdu.c | 9 + fs/erofs/decompressor.c | 24 +- fs/exec.c | 3 +- fs/ext4/extents.c | 5 +- fs/ext4/ialloc.c | 2 + fs/ext4/inline.c | 35 +- fs/ext4/inode.c | 11 +- fs/ext4/mballoc.c | 10 +- fs/ext4/migrate.c | 2 +- fs/ext4/namei.c | 14 +- fs/ext4/xattr.c | 4 +- fs/f2fs/acl.c | 23 +- fs/f2fs/dir.c | 3 +- fs/f2fs/f2fs.h | 4 +- fs/f2fs/file.c | 24 +- fs/f2fs/super.c | 4 +- fs/f2fs/xattr.c | 29 +- fs/fat/namei_vfat.c | 2 +- fs/fcntl.c | 14 +- fs/inode.c | 4 + fs/jbd2/checkpoint.c | 14 +- fs/jbd2/commit.c | 36 +- fs/jbd2/journal.c | 2 + fs/jfs/jfs_discard.c | 11 +- fs/jfs/jfs_dmap.c | 11 +- fs/jfs/jfs_imap.c | 2 +- fs/jfs/xattr.c | 2 + fs/namespace.c | 23 +- fs/nfs/callback_xdr.c | 2 + fs/nfs/nfs4state.c | 1 + fs/nfsd/nfs4idmap.c | 13 +- fs/nfsd/nfs4recover.c | 8 + fs/nfsd/nfs4state.c | 15 +- fs/nilfs2/btree.c | 12 +- fs/nilfs2/dir.c | 50 +- fs/nilfs2/namei.c | 42 +- fs/nilfs2/nilfs.h | 2 +- fs/nilfs2/page.c | 7 +- fs/ocfs2/aops.c | 5 +- fs/ocfs2/buffer_head_io.c | 4 +- fs/ocfs2/file.c | 8 + fs/ocfs2/journal.c | 7 +- fs/ocfs2/localalloc.c | 19 + fs/ocfs2/quota_local.c | 8 +- fs/ocfs2/refcounttree.c | 26 +- fs/ocfs2/xattr.c | 38 +- fs/proc/base.c | 61 +- fs/super.c | 3 + fs/udf/inode.c | 9 +- fs/unicode/mkutf8data.c | 70 - fs/unicode/utf8data.h_shipped | 6703 ++++++++++---------- include/drm/drm_print.h | 54 +- include/dt-bindings/power/r8a774b1-sysc.h | 26 + include/linux/fs.h | 2 + include/linux/jbd2.h | 4 + include/linux/pci_ids.h | 2 + include/linux/skbuff.h | 5 +- include/net/genetlink.h | 3 +- include/net/mac80211.h | 24 + include/net/sch_generic.h | 1 - include/net/sock.h | 8 +- include/net/tcp.h | 21 +- include/trace/events/f2fs.h | 3 +- include/trace/events/sched.h | 84 + include/uapi/linux/cec.h | 6 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- kernel/bpf/arraymap.c | 3 + kernel/bpf/devmap.c | 9 +- kernel/bpf/hashtab.c | 3 + kernel/bpf/helpers.c | 4 +- kernel/bpf/lpm_trie.c | 2 +- kernel/cgroup/cgroup.c | 4 +- kernel/events/core.c | 6 +- kernel/events/uprobes.c | 2 +- kernel/kthread.c | 19 +- kernel/locking/lockdep.c | 215 +- kernel/resource.c | 58 +- kernel/signal.c | 11 +- kernel/time/posix-clock.c | 3 + kernel/trace/trace.c | 18 +- kernel/trace/trace_kprobe.c | 76 + kernel/trace/trace_output.c | 6 +- kernel/trace/trace_probe.c | 2 +- kernel/trace/trace_probe.h | 1 + lib/debugobjects.c | 5 +- lib/xz/xz_crc32.c | 2 +- lib/xz/xz_private.h | 4 - mm/shmem.c | 2 + mm/slab_common.c | 7 + mm/swapfile.c | 2 +- mm/util.c | 2 +- net/bluetooth/af_bluetooth.c | 1 + net/bluetooth/bnep/core.c | 3 +- net/bluetooth/rfcomm/sock.c | 2 - net/bridge/br_netfilter_hooks.c | 5 + net/can/bcm.c | 4 +- net/can/j1939/transport.c | 8 +- net/core/dev.c | 29 +- net/core/sock_destructor.h | 12 + net/core/sock_map.c | 1 + net/dccp/proto.c | 2 +- net/ipv4/af_inet.c | 2 +- net/ipv4/devinet.c | 41 +- net/ipv4/fib_frontend.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inet_fragment.c | 70 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/netfilter/nf_dup_ipv4.c | 7 +- net/ipv4/tcp.c | 4 +- net/ipv4/tcp_diag.c | 4 +- net/ipv4/tcp_input.c | 31 +- net/ipv4/tcp_ipv4.c | 5 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/netfilter/nf_dup_ipv6.c | 7 +- net/ipv6/netfilter/nf_reject_ipv6.c | 14 +- net/ipv6/tcp_ipv6.c | 2 +- net/l2tp/l2tp_netlink.c | 4 +- net/mac80211/cfg.c | 6 +- net/mac80211/ieee80211_i.h | 3 + net/mac80211/iface.c | 32 +- net/mac80211/key.c | 44 +- net/mac80211/mlme.c | 14 +- net/mac80211/tx.c | 78 +- net/mac80211/util.c | 45 +- net/netfilter/nf_conntrack_netlink.c | 7 +- net/netfilter/nf_tables_api.c | 8 +- net/netfilter/nft_payload.c | 3 + net/netlink/af_netlink.c | 3 +- net/netlink/genetlink.c | 28 +- net/qrtr/qrtr.c | 2 +- net/sched/em_meta.c | 4 +- net/sched/sch_api.c | 9 +- net/sched/sch_taprio.c | 7 +- net/sctp/diag.c | 4 +- net/sctp/socket.c | 24 +- net/tipc/bcast.c | 2 +- net/tipc/bearer.c | 8 +- net/wireless/nl80211.c | 11 +- net/wireless/scan.c | 6 +- net/wireless/sme.c | 3 +- net/xfrm/xfrm_user.c | 6 +- scripts/kconfig/merge_config.sh | 2 + security/Kconfig | 32 + security/selinux/selinuxfs.c | 31 +- security/smack/smackfs.c | 2 +- security/tomoyo/domain.c | 9 +- sound/core/init.c | 14 +- sound/firewire/amdtp-stream.c | 3 + sound/pci/asihpi/hpimsgx.c | 2 +- sound/pci/hda/hda_generic.c | 4 +- sound/pci/hda/patch_conexant.c | 24 +- sound/pci/hda/patch_realtek.c | 125 +- sound/pci/rme9652/hdsp.c | 6 +- sound/pci/rme9652/hdspm.c | 6 +- sound/soc/au1x/db1200.c | 1 + sound/soc/codecs/cs42l51.c | 7 +- sound/soc/codecs/tda7419.c | 1 + sound/soc/meson/Kconfig | 4 + sound/soc/meson/Makefile | 2 + sound/soc/meson/axg-card.c | 406 +- sound/soc/meson/meson-card-utils.c | 385 ++ sound/soc/meson/meson-card.h | 55 + tools/iio/iio_generic_buffer.c | 4 + tools/perf/builtin-sched.c | 8 +- tools/perf/util/time-utils.c | 4 +- tools/testing/ktest/ktest.pl | 2 +- .../selftests/bpf/map_tests/sk_storage_map.c | 2 +- .../selftests/bpf/prog_tests/flow_dissector.c | 1 + tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 + tools/testing/selftests/bpf/test_lru_map.c | 3 +- .../selftests/breakpoints/breakpoint_test_arm64.c | 2 +- .../breakpoints/step_after_suspend_test.c | 5 +- tools/testing/selftests/vDSO/parse_vdso.c | 3 +- tools/usb/usbip/src/usbip_detach.c | 1 + virt/kvm/kvm_main.c | 5 +- 438 files changed, 7183 insertions(+), 5448 deletions(-)

7 months, 2 weeks

6
6
0 0

FAILED: patch "[PATCH] arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8c462d56487e3abdbf8a61cedfe7c795a54f4a78 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110956-ungloved-yelp-6fba@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8c462d56487e3abdbf8a61cedfe7c795a54f4a78 Mon Sep 17 00:00:00 2001 From: Mark Rutland <mark.rutland(a)arm.com> Date: Wed, 6 Nov 2024 16:04:48 +0000 Subject: [PATCH] arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint SMCCCv1.3 added a hint bit which callers can set in an SMCCC function ID (AKA "FID") to indicate that it is acceptable for the SMCCC implementation to discard SVE and/or SME state over a specific SMCCC call. The kernel support for using this hint is broken and SMCCC calls may clobber the SVE and/or SME state of arbitrary tasks, though FPSIMD state is unaffected. The kernel support is intended to use the hint when there is no SVE or SME state to save, and to do this it checks whether TIF_FOREIGN_FPSTATE is set or TIF_SVE is clear in assembly code: | ldr <flags>, [<current_task>, #TSK_TI_FLAGS] | tbnz <flags>, #TIF_FOREIGN_FPSTATE, 1f // Any live FP state? | tbnz <flags>, #TIF_SVE, 2f // Does that state include SVE? | | 1: orr <fid>, <fid>, ARM_SMCCC_1_3_SVE_HINT | 2: | << SMCCC call using FID >> This is not safe as-is: (1) SMCCC calls can be made in a preemptible context and preemption can result in TIF_FOREIGN_FPSTATE being set or cleared at arbitrary points in time. Thus checking for TIF_FOREIGN_FPSTATE provides no guarantee. (2) TIF_FOREIGN_FPSTATE only indicates that the live FP/SVE/SME state in the CPU does not belong to the current task, and does not indicate that clobbering this state is acceptable. When the live CPU state is clobbered it is necessary to update fpsimd_last_state.st to ensure that a subsequent context switch will reload FP/SVE/SME state from memory rather than consuming the clobbered state. This and the SMCCC call itself must happen in a critical section with preemption disabled to avoid races. (3) Live SVE/SME state can exist with TIF_SVE clear (e.g. with only TIF_SME set), and checking TIF_SVE alone is insufficient. Remove the broken support for the SMCCCv1.3 SVE saving hint. This is effectively a revert of commits: * cfa7ff959a78 ("arm64: smccc: Support SMCCC v1.3 SVE register saving hint") * a7c3acca5380 ("arm64: smccc: Save lr before calling __arm_smccc_sve_check()") ... leaving behind the ARM_SMCCC_VERSION_1_3 and ARM_SMCCC_1_3_SVE_HINT definitions, since these are simply definitions from the SMCCC specification, and the latter is used in KVM via ARM_SMCCC_CALL_HINTS. If we want to bring this back in future, we'll probably want to handle this logic in C where we can use all the usual FPSIMD/SVE/SME helper functions, and that'll likely require some rework of the SMCCC code and/or its callers. Fixes: cfa7ff959a78 ("arm64: smccc: Support SMCCC v1.3 SVE register saving hint") Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: stable(a)vger.kernel.org Reviewed-by: Mark Brown <broonie(a)kernel.org> Link: https://lore.kernel.org/r/20241106160448.2712997-1-mark.rutland@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/smccc-call.S b/arch/arm64/kernel/smccc-call.S index 487381164ff6..2def9d0dd3dd 100644 --- a/arch/arm64/kernel/smccc-call.S +++ b/arch/arm64/kernel/smccc-call.S @@ -7,48 +7,19 @@ #include <asm/asm-offsets.h> #include <asm/assembler.h> -#include <asm/thread_info.h> - -/* - * If we have SMCCC v1.3 and (as is likely) no SVE state in - * the registers then set the SMCCC hint bit to say there's no - * need to preserve it. Do this by directly adjusting the SMCCC - * function value which is already stored in x0 ready to be called. - */ -SYM_FUNC_START(__arm_smccc_sve_check) - - ldr_l x16, smccc_has_sve_hint - cbz x16, 2f - - get_current_task x16 - ldr x16, [x16, #TSK_TI_FLAGS] - tbnz x16, #TIF_FOREIGN_FPSTATE, 1f // Any live FP state? - tbnz x16, #TIF_SVE, 2f // Does that state include SVE? - -1: orr x0, x0, ARM_SMCCC_1_3_SVE_HINT - -2: ret -SYM_FUNC_END(__arm_smccc_sve_check) -EXPORT_SYMBOL(__arm_smccc_sve_check) .macro SMCCC instr - stp x29, x30, [sp, #-16]! - mov x29, sp -alternative_if ARM64_SVE - bl __arm_smccc_sve_check -alternative_else_nop_endif \instr #0 - ldr x4, [sp, #16] + ldr x4, [sp] stp x0, x1, [x4, #ARM_SMCCC_RES_X0_OFFS] stp x2, x3, [x4, #ARM_SMCCC_RES_X2_OFFS] - ldr x4, [sp, #24] + ldr x4, [sp, #8] cbz x4, 1f /* no quirk structure */ ldr x9, [x4, #ARM_SMCCC_QUIRK_ID_OFFS] cmp x9, #ARM_SMCCC_QUIRK_QCOM_A6 b.ne 1f str x6, [x4, ARM_SMCCC_QUIRK_STATE_OFFS] -1: ldp x29, x30, [sp], #16 - ret +1: ret .endm /* diff --git a/drivers/firmware/smccc/smccc.c b/drivers/firmware/smccc/smccc.c index d670635914ec..a74600d9f2d7 100644 --- a/drivers/firmware/smccc/smccc.c +++ b/drivers/firmware/smccc/smccc.c @@ -16,7 +16,6 @@ static u32 smccc_version = ARM_SMCCC_VERSION_1_0; static enum arm_smccc_conduit smccc_conduit = SMCCC_CONDUIT_NONE; bool __ro_after_init smccc_trng_available = false; -u64 __ro_after_init smccc_has_sve_hint = false; s32 __ro_after_init smccc_soc_id_version = SMCCC_RET_NOT_SUPPORTED; s32 __ro_after_init smccc_soc_id_revision = SMCCC_RET_NOT_SUPPORTED; @@ -28,9 +27,6 @@ void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit) smccc_conduit = conduit; smccc_trng_available = smccc_probe_trng(); - if (IS_ENABLED(CONFIG_ARM64_SVE) && - smccc_version >= ARM_SMCCC_VERSION_1_3) - smccc_has_sve_hint = true; if ((smccc_version >= ARM_SMCCC_VERSION_1_2) && (smccc_conduit != SMCCC_CONDUIT_NONE)) { diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h index f59099a213d0..67f6fdf2e7cd 100644 --- a/include/linux/arm-smccc.h +++ b/include/linux/arm-smccc.h @@ -315,8 +315,6 @@ u32 arm_smccc_get_version(void); void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit); -extern u64 smccc_has_sve_hint; - /** * arm_smccc_get_soc_id_version() * @@ -414,15 +412,6 @@ struct arm_smccc_quirk { } state; }; -/** - * __arm_smccc_sve_check() - Set the SVE hint bit when doing SMC calls - * - * Sets the SMCCC hint bit to indicate if there is live state in the SVE - * registers, this modifies x0 in place and should never be called from C - * code. - */ -asmlinkage unsigned long __arm_smccc_sve_check(unsigned long x0); - /** * __arm_smccc_smc() - make SMC calls * @a0-a7: arguments passed in registers 0 to 7 @@ -490,20 +479,6 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, #endif -/* nVHE hypervisor doesn't have a current thread so needs separate checks */ -#if defined(CONFIG_ARM64_SVE) && !defined(__KVM_NVHE_HYPERVISOR__) - -#define SMCCC_SVE_CHECK ALTERNATIVE("nop \n", "bl __arm_smccc_sve_check \n", \ - ARM64_SVE) -#define smccc_sve_clobbers "x16", "x30", "cc", - -#else - -#define SMCCC_SVE_CHECK -#define smccc_sve_clobbers - -#endif - #define __constraint_read_2 "r" (arg0) #define __constraint_read_3 __constraint_read_2, "r" (arg1) #define __constraint_read_4 __constraint_read_3, "r" (arg2) @@ -574,12 +549,11 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, register unsigned long r3 asm("r3"); \ CONCATENATE(__declare_arg_, \ COUNT_ARGS(__VA_ARGS__))(__VA_ARGS__); \ - asm volatile(SMCCC_SVE_CHECK \ - inst "\n" : \ + asm volatile(inst "\n" : \ "=r" (r0), "=r" (r1), "=r" (r2), "=r" (r3) \ : CONCATENATE(__constraint_read_, \ COUNT_ARGS(__VA_ARGS__)) \ - : smccc_sve_clobbers "memory"); \ + : "memory"); \ if (___res) \ *___res = (typeof(*___res)){r0, r1, r2, r3}; \ } while (0) @@ -628,7 +602,7 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, asm ("" : \ : CONCATENATE(__constraint_read_, \ COUNT_ARGS(__VA_ARGS__)) \ - : smccc_sve_clobbers "memory"); \ + : "memory"); \ if (___res) \ ___res->a0 = SMCCC_RET_NOT_SUPPORTED; \ } while (0)

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 8c462d56487e3abdbf8a61cedfe7c795a54f4a78 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110954-gambling-matador-1fff@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8c462d56487e3abdbf8a61cedfe7c795a54f4a78 Mon Sep 17 00:00:00 2001 From: Mark Rutland <mark.rutland(a)arm.com> Date: Wed, 6 Nov 2024 16:04:48 +0000 Subject: [PATCH] arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint SMCCCv1.3 added a hint bit which callers can set in an SMCCC function ID (AKA "FID") to indicate that it is acceptable for the SMCCC implementation to discard SVE and/or SME state over a specific SMCCC call. The kernel support for using this hint is broken and SMCCC calls may clobber the SVE and/or SME state of arbitrary tasks, though FPSIMD state is unaffected. The kernel support is intended to use the hint when there is no SVE or SME state to save, and to do this it checks whether TIF_FOREIGN_FPSTATE is set or TIF_SVE is clear in assembly code: | ldr <flags>, [<current_task>, #TSK_TI_FLAGS] | tbnz <flags>, #TIF_FOREIGN_FPSTATE, 1f // Any live FP state? | tbnz <flags>, #TIF_SVE, 2f // Does that state include SVE? | | 1: orr <fid>, <fid>, ARM_SMCCC_1_3_SVE_HINT | 2: | << SMCCC call using FID >> This is not safe as-is: (1) SMCCC calls can be made in a preemptible context and preemption can result in TIF_FOREIGN_FPSTATE being set or cleared at arbitrary points in time. Thus checking for TIF_FOREIGN_FPSTATE provides no guarantee. (2) TIF_FOREIGN_FPSTATE only indicates that the live FP/SVE/SME state in the CPU does not belong to the current task, and does not indicate that clobbering this state is acceptable. When the live CPU state is clobbered it is necessary to update fpsimd_last_state.st to ensure that a subsequent context switch will reload FP/SVE/SME state from memory rather than consuming the clobbered state. This and the SMCCC call itself must happen in a critical section with preemption disabled to avoid races. (3) Live SVE/SME state can exist with TIF_SVE clear (e.g. with only TIF_SME set), and checking TIF_SVE alone is insufficient. Remove the broken support for the SMCCCv1.3 SVE saving hint. This is effectively a revert of commits: * cfa7ff959a78 ("arm64: smccc: Support SMCCC v1.3 SVE register saving hint") * a7c3acca5380 ("arm64: smccc: Save lr before calling __arm_smccc_sve_check()") ... leaving behind the ARM_SMCCC_VERSION_1_3 and ARM_SMCCC_1_3_SVE_HINT definitions, since these are simply definitions from the SMCCC specification, and the latter is used in KVM via ARM_SMCCC_CALL_HINTS. If we want to bring this back in future, we'll probably want to handle this logic in C where we can use all the usual FPSIMD/SVE/SME helper functions, and that'll likely require some rework of the SMCCC code and/or its callers. Fixes: cfa7ff959a78 ("arm64: smccc: Support SMCCC v1.3 SVE register saving hint") Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: stable(a)vger.kernel.org Reviewed-by: Mark Brown <broonie(a)kernel.org> Link: https://lore.kernel.org/r/20241106160448.2712997-1-mark.rutland@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/smccc-call.S b/arch/arm64/kernel/smccc-call.S index 487381164ff6..2def9d0dd3dd 100644 --- a/arch/arm64/kernel/smccc-call.S +++ b/arch/arm64/kernel/smccc-call.S @@ -7,48 +7,19 @@ #include <asm/asm-offsets.h> #include <asm/assembler.h> -#include <asm/thread_info.h> - -/* - * If we have SMCCC v1.3 and (as is likely) no SVE state in - * the registers then set the SMCCC hint bit to say there's no - * need to preserve it. Do this by directly adjusting the SMCCC - * function value which is already stored in x0 ready to be called. - */ -SYM_FUNC_START(__arm_smccc_sve_check) - - ldr_l x16, smccc_has_sve_hint - cbz x16, 2f - - get_current_task x16 - ldr x16, [x16, #TSK_TI_FLAGS] - tbnz x16, #TIF_FOREIGN_FPSTATE, 1f // Any live FP state? - tbnz x16, #TIF_SVE, 2f // Does that state include SVE? - -1: orr x0, x0, ARM_SMCCC_1_3_SVE_HINT - -2: ret -SYM_FUNC_END(__arm_smccc_sve_check) -EXPORT_SYMBOL(__arm_smccc_sve_check) .macro SMCCC instr - stp x29, x30, [sp, #-16]! - mov x29, sp -alternative_if ARM64_SVE - bl __arm_smccc_sve_check -alternative_else_nop_endif \instr #0 - ldr x4, [sp, #16] + ldr x4, [sp] stp x0, x1, [x4, #ARM_SMCCC_RES_X0_OFFS] stp x2, x3, [x4, #ARM_SMCCC_RES_X2_OFFS] - ldr x4, [sp, #24] + ldr x4, [sp, #8] cbz x4, 1f /* no quirk structure */ ldr x9, [x4, #ARM_SMCCC_QUIRK_ID_OFFS] cmp x9, #ARM_SMCCC_QUIRK_QCOM_A6 b.ne 1f str x6, [x4, ARM_SMCCC_QUIRK_STATE_OFFS] -1: ldp x29, x30, [sp], #16 - ret +1: ret .endm /* diff --git a/drivers/firmware/smccc/smccc.c b/drivers/firmware/smccc/smccc.c index d670635914ec..a74600d9f2d7 100644 --- a/drivers/firmware/smccc/smccc.c +++ b/drivers/firmware/smccc/smccc.c @@ -16,7 +16,6 @@ static u32 smccc_version = ARM_SMCCC_VERSION_1_0; static enum arm_smccc_conduit smccc_conduit = SMCCC_CONDUIT_NONE; bool __ro_after_init smccc_trng_available = false; -u64 __ro_after_init smccc_has_sve_hint = false; s32 __ro_after_init smccc_soc_id_version = SMCCC_RET_NOT_SUPPORTED; s32 __ro_after_init smccc_soc_id_revision = SMCCC_RET_NOT_SUPPORTED; @@ -28,9 +27,6 @@ void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit) smccc_conduit = conduit; smccc_trng_available = smccc_probe_trng(); - if (IS_ENABLED(CONFIG_ARM64_SVE) && - smccc_version >= ARM_SMCCC_VERSION_1_3) - smccc_has_sve_hint = true; if ((smccc_version >= ARM_SMCCC_VERSION_1_2) && (smccc_conduit != SMCCC_CONDUIT_NONE)) { diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h index f59099a213d0..67f6fdf2e7cd 100644 --- a/include/linux/arm-smccc.h +++ b/include/linux/arm-smccc.h @@ -315,8 +315,6 @@ u32 arm_smccc_get_version(void); void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit); -extern u64 smccc_has_sve_hint; - /** * arm_smccc_get_soc_id_version() * @@ -414,15 +412,6 @@ struct arm_smccc_quirk { } state; }; -/** - * __arm_smccc_sve_check() - Set the SVE hint bit when doing SMC calls - * - * Sets the SMCCC hint bit to indicate if there is live state in the SVE - * registers, this modifies x0 in place and should never be called from C - * code. - */ -asmlinkage unsigned long __arm_smccc_sve_check(unsigned long x0); - /** * __arm_smccc_smc() - make SMC calls * @a0-a7: arguments passed in registers 0 to 7 @@ -490,20 +479,6 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, #endif -/* nVHE hypervisor doesn't have a current thread so needs separate checks */ -#if defined(CONFIG_ARM64_SVE) && !defined(__KVM_NVHE_HYPERVISOR__) - -#define SMCCC_SVE_CHECK ALTERNATIVE("nop \n", "bl __arm_smccc_sve_check \n", \ - ARM64_SVE) -#define smccc_sve_clobbers "x16", "x30", "cc", - -#else - -#define SMCCC_SVE_CHECK -#define smccc_sve_clobbers - -#endif - #define __constraint_read_2 "r" (arg0) #define __constraint_read_3 __constraint_read_2, "r" (arg1) #define __constraint_read_4 __constraint_read_3, "r" (arg2) @@ -574,12 +549,11 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, register unsigned long r3 asm("r3"); \ CONCATENATE(__declare_arg_, \ COUNT_ARGS(__VA_ARGS__))(__VA_ARGS__); \ - asm volatile(SMCCC_SVE_CHECK \ - inst "\n" : \ + asm volatile(inst "\n" : \ "=r" (r0), "=r" (r1), "=r" (r2), "=r" (r3) \ : CONCATENATE(__constraint_read_, \ COUNT_ARGS(__VA_ARGS__)) \ - : smccc_sve_clobbers "memory"); \ + : "memory"); \ if (___res) \ *___res = (typeof(*___res)){r0, r1, r2, r3}; \ } while (0) @@ -628,7 +602,7 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, asm ("" : \ : CONCATENATE(__constraint_read_, \ COUNT_ARGS(__VA_ARGS__)) \ - : smccc_sve_clobbers "memory"); \ + : "memory"); \ if (___res) \ ___res->a0 = SMCCC_RET_NOT_SUPPORTED; \ } while (0)

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64/sve: Discard stale CPU state when handling SVE traps" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 751ecf6afd6568adc98f2a6052315552c0483d18 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110930-pelt-think-f459@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 751ecf6afd6568adc98f2a6052315552c0483d18 Mon Sep 17 00:00:00 2001 From: Mark Brown <broonie(a)kernel.org> Date: Wed, 30 Oct 2024 20:23:50 +0000 Subject: [PATCH] arm64/sve: Discard stale CPU state when handling SVE traps The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled). This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set: | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ Warnings of this form have been reported intermittently, e.g. https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgq… https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@googl… The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g. | void do_sve_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ | | sve_init_regs() { | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | ... | } else { | fpsimd_to_sve(current); | current->thread.fp_type = FP_STATE_SVE; | } | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SVE traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. Fixes: cccb78ce89c4 ("arm64/sve: Rework SVE access trap to convert state in registers") Reported-by: Mark Rutland <mark.rutland(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Reviewed-by: Mark Rutland <mark.rutland(a)arm.com> Link: https://lore.kernel.org/r/20241030-arm64-fpsimd-foreign-flush-v1-1-bd7bd669… Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index 77006df20a75..6d21971ae559 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1367,6 +1367,7 @@ static void sve_init_regs(void) } else { fpsimd_to_sve(current); current->thread.fp_type = FP_STATE_SVE; + fpsimd_flush_task_state(current); } }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64/sve: Discard stale CPU state when handling SVE traps" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 751ecf6afd6568adc98f2a6052315552c0483d18 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110929-splendid-engine-1d44@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 751ecf6afd6568adc98f2a6052315552c0483d18 Mon Sep 17 00:00:00 2001 From: Mark Brown <broonie(a)kernel.org> Date: Wed, 30 Oct 2024 20:23:50 +0000 Subject: [PATCH] arm64/sve: Discard stale CPU state when handling SVE traps The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled). This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set: | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ Warnings of this form have been reported intermittently, e.g. https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgq… https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@googl… The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g. | void do_sve_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ | | sve_init_regs() { | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | ... | } else { | fpsimd_to_sve(current); | current->thread.fp_type = FP_STATE_SVE; | } | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SVE traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. Fixes: cccb78ce89c4 ("arm64/sve: Rework SVE access trap to convert state in registers") Reported-by: Mark Rutland <mark.rutland(a)arm.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Reviewed-by: Mark Rutland <mark.rutland(a)arm.com> Link: https://lore.kernel.org/r/20241030-arm64-fpsimd-foreign-flush-v1-1-bd7bd669… Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index 77006df20a75..6d21971ae559 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1367,6 +1367,7 @@ static void sve_init_regs(void) } else { fpsimd_to_sve(current); current->thread.fp_type = FP_STATE_SVE; + fpsimd_flush_task_state(current); } }

7 months, 2 weeks

1
0
0 0

[PATCH 6.1.y] ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3

by Werner Sembach

From: Christoffer Sandberg <cs(a)tuxedo.de> Quirk is needed to enable headset microphone on missing pin 0x19. Signed-off-by: Christoffer Sandberg <cs(a)tuxedo.de> Signed-off-by: Werner Sembach <wse(a)tuxedocomputers.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index a8bc95ffa41a3..da14ab97783f8 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10001,6 +10001,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1558, 0x1403, "Clevo N140CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x1404, "Clevo N150CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x14a1, "Clevo L141MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x28c1, "Clevo V370VND", ALC2XX_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), -- 2.43.0

7 months, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] dm cache: fix flushing uninitialized delayed_work on" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 135496c208ba26fd68cdef10b64ed7a91ac9a7ff # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110948-marathon-slouching-399d@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 135496c208ba26fd68cdef10b64ed7a91ac9a7ff Mon Sep 17 00:00:00 2001 From: Ming-Hung Tsai <mtsai(a)redhat.com> Date: Tue, 22 Oct 2024 15:12:49 +0800 Subject: [PATCH] dm cache: fix flushing uninitialized delayed_work on cache_ctr error An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error. Reproduce steps: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed. Signed-off-by: Ming-Hung Tsai <mtsai(a)redhat.com> Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Acked-by: Joe Thornber <thornber(a)redhat.com> diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 90772b42c234..68e9a1abd303 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1905,16 +1905,13 @@ static void check_migrations(struct work_struct *ws) * This function gets called on the error paths of the constructor, so we * have to cope with a partially initialised struct. */ -static void destroy(struct cache *cache) +static void __destroy(struct cache *cache) { - unsigned int i; - mempool_exit(&cache->migration_pool); if (cache->prison) dm_bio_prison_destroy_v2(cache->prison); - cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq); @@ -1942,13 +1939,22 @@ static void destroy(struct cache *cache) if (cache->policy) dm_cache_policy_destroy(cache->policy); + bioset_exit(&cache->bs); + + kfree(cache); +} + +static void destroy(struct cache *cache) +{ + unsigned int i; + + cancel_delayed_work_sync(&cache->waker); + for (i = 0; i < cache->nr_ctr_args ; i++) kfree(cache->ctr_args[i]); kfree(cache->ctr_args); - bioset_exit(&cache->bs); - - kfree(cache); + __destroy(cache); } static void cache_dtr(struct dm_target *ti) @@ -2561,7 +2567,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) *result = cache; return 0; bad: - destroy(cache); + __destroy(cache); return r; } @@ -2612,7 +2618,7 @@ static int cache_ctr(struct dm_target *ti, unsigned int argc, char **argv) r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); if (r) { - destroy(cache); + __destroy(cache); goto out; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] dm cache: fix flushing uninitialized delayed_work on" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 135496c208ba26fd68cdef10b64ed7a91ac9a7ff # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110946-juniper-subfloor-2651@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 135496c208ba26fd68cdef10b64ed7a91ac9a7ff Mon Sep 17 00:00:00 2001 From: Ming-Hung Tsai <mtsai(a)redhat.com> Date: Tue, 22 Oct 2024 15:12:49 +0800 Subject: [PATCH] dm cache: fix flushing uninitialized delayed_work on cache_ctr error An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error. Reproduce steps: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed. Signed-off-by: Ming-Hung Tsai <mtsai(a)redhat.com> Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Acked-by: Joe Thornber <thornber(a)redhat.com> diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 90772b42c234..68e9a1abd303 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1905,16 +1905,13 @@ static void check_migrations(struct work_struct *ws) * This function gets called on the error paths of the constructor, so we * have to cope with a partially initialised struct. */ -static void destroy(struct cache *cache) +static void __destroy(struct cache *cache) { - unsigned int i; - mempool_exit(&cache->migration_pool); if (cache->prison) dm_bio_prison_destroy_v2(cache->prison); - cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq); @@ -1942,13 +1939,22 @@ static void destroy(struct cache *cache) if (cache->policy) dm_cache_policy_destroy(cache->policy); + bioset_exit(&cache->bs); + + kfree(cache); +} + +static void destroy(struct cache *cache) +{ + unsigned int i; + + cancel_delayed_work_sync(&cache->waker); + for (i = 0; i < cache->nr_ctr_args ; i++) kfree(cache->ctr_args[i]); kfree(cache->ctr_args); - bioset_exit(&cache->bs); - - kfree(cache); + __destroy(cache); } static void cache_dtr(struct dm_target *ti) @@ -2561,7 +2567,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) *result = cache; return 0; bad: - destroy(cache); + __destroy(cache); return r; } @@ -2612,7 +2618,7 @@ static int cache_ctr(struct dm_target *ti, unsigned int argc, char **argv) r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); if (r) { - destroy(cache); + __destroy(cache); goto out; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] dm cache: fix flushing uninitialized delayed_work on" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 135496c208ba26fd68cdef10b64ed7a91ac9a7ff # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110947-footbath-census-7efa@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 135496c208ba26fd68cdef10b64ed7a91ac9a7ff Mon Sep 17 00:00:00 2001 From: Ming-Hung Tsai <mtsai(a)redhat.com> Date: Tue, 22 Oct 2024 15:12:49 +0800 Subject: [PATCH] dm cache: fix flushing uninitialized delayed_work on cache_ctr error An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error. Reproduce steps: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed. Signed-off-by: Ming-Hung Tsai <mtsai(a)redhat.com> Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Acked-by: Joe Thornber <thornber(a)redhat.com> diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 90772b42c234..68e9a1abd303 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1905,16 +1905,13 @@ static void check_migrations(struct work_struct *ws) * This function gets called on the error paths of the constructor, so we * have to cope with a partially initialised struct. */ -static void destroy(struct cache *cache) +static void __destroy(struct cache *cache) { - unsigned int i; - mempool_exit(&cache->migration_pool); if (cache->prison) dm_bio_prison_destroy_v2(cache->prison); - cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq); @@ -1942,13 +1939,22 @@ static void destroy(struct cache *cache) if (cache->policy) dm_cache_policy_destroy(cache->policy); + bioset_exit(&cache->bs); + + kfree(cache); +} + +static void destroy(struct cache *cache) +{ + unsigned int i; + + cancel_delayed_work_sync(&cache->waker); + for (i = 0; i < cache->nr_ctr_args ; i++) kfree(cache->ctr_args[i]); kfree(cache->ctr_args); - bioset_exit(&cache->bs); - - kfree(cache); + __destroy(cache); } static void cache_dtr(struct dm_target *ti) @@ -2561,7 +2567,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) *result = cache; return 0; bad: - destroy(cache); + __destroy(cache); return r; } @@ -2612,7 +2618,7 @@ static int cache_ctr(struct dm_target *ti, unsigned int argc, char **argv) r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); if (r) { - destroy(cache); + __destroy(cache); goto out; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] dm cache: fix flushing uninitialized delayed_work on" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 135496c208ba26fd68cdef10b64ed7a91ac9a7ff # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110945-caress-unmasked-1f81@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 135496c208ba26fd68cdef10b64ed7a91ac9a7ff Mon Sep 17 00:00:00 2001 From: Ming-Hung Tsai <mtsai(a)redhat.com> Date: Tue, 22 Oct 2024 15:12:49 +0800 Subject: [PATCH] dm cache: fix flushing uninitialized delayed_work on cache_ctr error An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error. Reproduce steps: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed. Signed-off-by: Ming-Hung Tsai <mtsai(a)redhat.com> Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Acked-by: Joe Thornber <thornber(a)redhat.com> diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 90772b42c234..68e9a1abd303 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1905,16 +1905,13 @@ static void check_migrations(struct work_struct *ws) * This function gets called on the error paths of the constructor, so we * have to cope with a partially initialised struct. */ -static void destroy(struct cache *cache) +static void __destroy(struct cache *cache) { - unsigned int i; - mempool_exit(&cache->migration_pool); if (cache->prison) dm_bio_prison_destroy_v2(cache->prison); - cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq); @@ -1942,13 +1939,22 @@ static void destroy(struct cache *cache) if (cache->policy) dm_cache_policy_destroy(cache->policy); + bioset_exit(&cache->bs); + + kfree(cache); +} + +static void destroy(struct cache *cache) +{ + unsigned int i; + + cancel_delayed_work_sync(&cache->waker); + for (i = 0; i < cache->nr_ctr_args ; i++) kfree(cache->ctr_args[i]); kfree(cache->ctr_args); - bioset_exit(&cache->bs); - - kfree(cache); + __destroy(cache); } static void cache_dtr(struct dm_target *ti) @@ -2561,7 +2567,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) *result = cache; return 0; bad: - destroy(cache); + __destroy(cache); return r; } @@ -2612,7 +2618,7 @@ static int cache_ctr(struct dm_target *ti, unsigned int argc, char **argv) r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); if (r) { - destroy(cache); + __destroy(cache); goto out; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/amd/display: Fix brightness level not retained over" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 4f26c95ffc21a91281429ed60180619bae19ae92 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110902-backslid-snagged-6d02@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4f26c95ffc21a91281429ed60180619bae19ae92 Mon Sep 17 00:00:00 2001 From: Tom Chung <chiahsuan.chung(a)amd.com> Date: Wed, 9 Oct 2024 17:09:38 +0800 Subject: [PATCH] drm/amd/display: Fix brightness level not retained over reboot [Why] During boot up and resume the DC layer will reset the panel brightness to fix a flicker issue. It will cause the dm->actual_brightness is not the current panel brightness level. (the dm->brightness is the correct panel level) [How] Set the backlight level after do the set mode. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Fixes: d9e865826c20 ("drm/amd/display: Simplify brightness initialization") Reported-by: Mark Herbert <mark.herbert42(a)gmail.com> Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3655 Reviewed-by: Sun peng Li <sunpeng.li(a)amd.com> Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Zaeem Mohamed <zaeem.mohamed(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 7875afafba84817b791be6d2282b836695146060) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 13421a58210d..07e9ce99694f 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -9429,6 +9429,7 @@ static void amdgpu_dm_commit_streams(struct drm_atomic_state *state, bool mode_set_reset_required = false; u32 i; struct dc_commit_streams_params params = {dc_state->streams, dc_state->stream_count}; + bool set_backlight_level = false; /* Disable writeback */ for_each_old_connector_in_state(state, connector, old_con_state, i) { @@ -9548,6 +9549,7 @@ static void amdgpu_dm_commit_streams(struct drm_atomic_state *state, acrtc->hw_mode = new_crtc_state->mode; crtc->hwmode = new_crtc_state->mode; mode_set_reset_required = true; + set_backlight_level = true; } else if (modereset_required(new_crtc_state)) { drm_dbg_atomic(dev, "Atomic commit: RESET. crtc id %d:[%p]\n", @@ -9599,6 +9601,19 @@ static void amdgpu_dm_commit_streams(struct drm_atomic_state *state, acrtc->otg_inst = status->primary_otg_inst; } } + + /* During boot up and resume the DC layer will reset the panel brightness + * to fix a flicker issue. + * It will cause the dm->actual_brightness is not the current panel brightness + * level. (the dm->brightness is the correct panel level) + * So we set the backlight level with dm->brightness value after set mode + */ + if (set_backlight_level) { + for (i = 0; i < dm->num_of_edps; i++) { + if (dm->backlight_dev[i]) + amdgpu_dm_backlight_set_level(dm, i, dm->brightness[i]); + } + } } static void dm_set_writeback(struct amdgpu_display_manager *dm,

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tpm: Lock TPM chip in tpm_pm_suspend() first" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9265fed6db601ee2ec47577815387458ef4f047a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110927-staple-scotch-2d0a@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9265fed6db601ee2ec47577815387458ef4f047a Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen <jarkko(a)kernel.org> Date: Thu, 31 Oct 2024 02:16:09 +0200 Subject: [PATCH] tpm: Lock TPM chip in tpm_pm_suspend() first Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy according, as this leaves window for tpm_hwrng_read() to be called while the operation is in progress. The recent bug report gives also evidence of this behaviour. Aadress this by locking the TPM chip before checking any chip->flags both in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED check inside tpm_get_random() so that it will be always checked only when the lock is reserved. Cc: stable(a)vger.kernel.org # v6.4+ Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume") Reported-by: Mike Seo <mikeseohyungjin(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383 Reviewed-by: Jerry Snitselaar <jsnitsel(a)redhat.com> Tested-by: Mike Seo <mikeseohyungjin(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 1ff99a7091bb..7df7abaf3e52 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -525,10 +525,6 @@ static int tpm_hwrng_read(struct hwrng *rng, void *data, size_t max, bool wait) { struct tpm_chip *chip = container_of(rng, struct tpm_chip, hwrng); - /* Give back zero bytes, as TPM chip has not yet fully resumed: */ - if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) - return 0; - return tpm_get_random(chip, data, max); } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 8134f002b121..b1daa0d7b341 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -370,6 +370,13 @@ int tpm_pm_suspend(struct device *dev) if (!chip) return -ENODEV; + rc = tpm_try_get_ops(chip); + if (rc) { + /* Can be safely set out of locks, as no action cannot race: */ + chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) goto suspended; @@ -377,21 +384,19 @@ int tpm_pm_suspend(struct device *dev) !pm_suspend_via_firmware()) goto suspended; - rc = tpm_try_get_ops(chip); - if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) { - tpm2_end_auth_session(chip); - tpm2_shutdown(chip, TPM2_SU_STATE); - } else { - rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); - } - - tpm_put_ops(chip); + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); + tpm2_shutdown(chip, TPM2_SU_STATE); + goto suspended; } + rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + suspended: chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + tpm_put_ops(chip); +out: if (rc) dev_err(dev, "Ignoring error %d while suspending\n", rc); return 0; @@ -440,11 +445,18 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max) if (!chip) return -ENODEV; + /* Give back zero bytes, as TPM chip has not yet fully resumed: */ + if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) { + rc = 0; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_TPM2) rc = tpm2_get_random(chip, out, max); else rc = tpm1_get_random(chip, out, max); +out: tpm_put_ops(chip); return rc; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] tpm: Lock TPM chip in tpm_pm_suspend() first" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9265fed6db601ee2ec47577815387458ef4f047a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110926-shortness-stark-e2ea@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9265fed6db601ee2ec47577815387458ef4f047a Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen <jarkko(a)kernel.org> Date: Thu, 31 Oct 2024 02:16:09 +0200 Subject: [PATCH] tpm: Lock TPM chip in tpm_pm_suspend() first Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy according, as this leaves window for tpm_hwrng_read() to be called while the operation is in progress. The recent bug report gives also evidence of this behaviour. Aadress this by locking the TPM chip before checking any chip->flags both in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED check inside tpm_get_random() so that it will be always checked only when the lock is reserved. Cc: stable(a)vger.kernel.org # v6.4+ Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume") Reported-by: Mike Seo <mikeseohyungjin(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383 Reviewed-by: Jerry Snitselaar <jsnitsel(a)redhat.com> Tested-by: Mike Seo <mikeseohyungjin(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 1ff99a7091bb..7df7abaf3e52 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -525,10 +525,6 @@ static int tpm_hwrng_read(struct hwrng *rng, void *data, size_t max, bool wait) { struct tpm_chip *chip = container_of(rng, struct tpm_chip, hwrng); - /* Give back zero bytes, as TPM chip has not yet fully resumed: */ - if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) - return 0; - return tpm_get_random(chip, data, max); } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 8134f002b121..b1daa0d7b341 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -370,6 +370,13 @@ int tpm_pm_suspend(struct device *dev) if (!chip) return -ENODEV; + rc = tpm_try_get_ops(chip); + if (rc) { + /* Can be safely set out of locks, as no action cannot race: */ + chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) goto suspended; @@ -377,21 +384,19 @@ int tpm_pm_suspend(struct device *dev) !pm_suspend_via_firmware()) goto suspended; - rc = tpm_try_get_ops(chip); - if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) { - tpm2_end_auth_session(chip); - tpm2_shutdown(chip, TPM2_SU_STATE); - } else { - rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); - } - - tpm_put_ops(chip); + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); + tpm2_shutdown(chip, TPM2_SU_STATE); + goto suspended; } + rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + suspended: chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + tpm_put_ops(chip); +out: if (rc) dev_err(dev, "Ignoring error %d while suspending\n", rc); return 0; @@ -440,11 +445,18 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max) if (!chip) return -ENODEV; + /* Give back zero bytes, as TPM chip has not yet fully resumed: */ + if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) { + rc = 0; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_TPM2) rc = tpm2_get_random(chip, out, max); else rc = tpm1_get_random(chip, out, max); +out: tpm_put_ops(chip); return rc; }

7 months, 2 weeks

1
0
0 0

[PATCH] iio: imu: inv_icm42600: fix spi burst write not supported

by Jean-Baptiste Maneyrol via B4 Relay

From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> Burst write with SPI is not working for all icm42600 chips. It was only used for setting user offsets with regmap_bulk_write. Allow tweak of common regmap_config for using only single write for spi. Fixes: 9f9ff91b775b ("iio: imu: inv_icm42600: add SPI driver for inv_icm42600 driver") Cc: stable(a)vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600.h | 2 +- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 2 +- drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600.h b/drivers/iio/imu/inv_icm42600/inv_icm42600.h index 3a07e43e4cf154f3107c015c30248330d8e677f8..36a3b0795fb7d6cb0c178fadd93896fbc346ba0d 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600.h +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600.h @@ -402,7 +402,7 @@ struct inv_icm42600_sensor_state { typedef int (*inv_icm42600_bus_setup)(struct inv_icm42600_state *); -extern const struct regmap_config inv_icm42600_regmap_config; +extern struct regmap_config inv_icm42600_regmap_config; extern const struct dev_pm_ops inv_icm42600_pm_ops; const struct iio_mount_matrix * diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 93b5d7a3339ccff16b21bf6c40ed7b2311317cf4..680373f6267b37d386e4e7bda543ba4efe97e66b 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -74,7 +74,7 @@ static const struct regmap_access_table inv_icm42600_regmap_rd_noinc_accesses[] }, }; -const struct regmap_config inv_icm42600_regmap_config = { +struct regmap_config inv_icm42600_regmap_config = { .name = "inv_icm42600", .reg_bits = 8, .val_bits = 8, diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c index 3b6d05fce65d544524b25299c6d342af92cfd1e0..73cacfd157a4538ae8c9d1c8d97157afa28aa672 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c @@ -59,6 +59,9 @@ static int inv_icm42600_probe(struct spi_device *spi) return -EINVAL; chip = (uintptr_t)match; + /* spi doesn't support burst write */ + inv_icm42600_regmap_config.use_single_write = true; + regmap = devm_regmap_init_spi(spi, &inv_icm42600_regmap_config); if (IS_ERR(regmap)) return PTR_ERR(regmap); --- base-commit: c9f8285ec18c08fae0de08835eb8e5953339e664 change-id: 20241107-inv-icm42600-fix-spi-burst-write-not-supported-efe78d7379a5 Best regards, -- Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com>

7 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/xe/guc/tlb: Flush g2h worker in case of tlb timeout" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 1491efb39acee3848b61fcb3e5cc4be8de304352 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110929-reveler-elevate-b941@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1491efb39acee3848b61fcb3e5cc4be8de304352 Mon Sep 17 00:00:00 2001 From: Nirmoy Das <nirmoy.das(a)intel.com> Date: Tue, 29 Oct 2024 13:01:17 +0100 Subject: [PATCH] drm/xe/guc/tlb: Flush g2h worker in case of tlb timeout Flush the g2h worker explicitly if TLB timeout happens which is observed on LNL and that points to the recent scheduling issue with E-cores on LNL. This is similar to the recent fix: commit e51527233804 ("drm/xe/guc/ct: Flush g2h worker in case of g2h response timeout") and should be removed once there is E core scheduling fix. v2: Add platform check(Himal) v3: Remove gfx platform check as the issue related to cpu platform(John) Use the common WA macro(John) and print when the flush resolves timeout(Matt B) v4: Remove the resolves log and do the flush before taking pending_lock(Matt A) Cc: Badal Nilawar <badal.nilawar(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: stable(a)vger.kernel.org # v6.11+ Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2687 Signed-off-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241029120117.449694-3-nirmo… Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> (cherry picked from commit e1f6fa55664a0eeb0a641f497e1adfcf6672e995) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c index bbb9e411d21f..9d82ea30f4df 100644 --- a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c +++ b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c @@ -72,6 +72,8 @@ static void xe_gt_tlb_fence_timeout(struct work_struct *work) struct xe_device *xe = gt_to_xe(gt); struct xe_gt_tlb_invalidation_fence *fence, *next; + LNL_FLUSH_WORK(&gt->uc.guc.ct.g2h_worker); + spin_lock_irq(&gt->tlb_invalidation.pending_lock); list_for_each_entry_safe(fence, next, &gt->tlb_invalidation.pending_fences, link) {

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/xe/ufence: Flush xe ordered_wq in case of ufence timeout" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 7d1e2580ed166f36949b468373b468d188880cd3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110930-partition-dislike-9711@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7d1e2580ed166f36949b468373b468d188880cd3 Mon Sep 17 00:00:00 2001 From: Nirmoy Das <nirmoy.das(a)intel.com> Date: Tue, 29 Oct 2024 13:01:16 +0100 Subject: [PATCH] drm/xe/ufence: Flush xe ordered_wq in case of ufence timeout Flush xe ordered_wq in case of ufence timeout which is observed on LNL and that points to recent scheduling issue with E-cores. This is similar to the recent fix: commit e51527233804 ("drm/xe/guc/ct: Flush g2h worker in case of g2h response timeout") and should be removed once there is a E-core scheduling fix for LNL. v2: Add platform check(Himal) s/__flush_workqueue/flush_workqueue(Jani) v3: Remove gfx platform check as the issue related to cpu platform(John) v4: Use the Common macro(John) and print when the flush resolves timeout(Matt B) Cc: Badal Nilawar <badal.nilawar(a)intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: stable(a)vger.kernel.org # v6.11+ Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2754 Suggested-by: Matthew Brost <matthew.brost(a)intel.com> Signed-off-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241029120117.449694-2-nirmo… Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> (cherry picked from commit 38c4c8722bd74452280951edc44c23de47612001) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_wait_user_fence.c b/drivers/gpu/drm/xe/xe_wait_user_fence.c index f5deb81eba01..5b4264ea38bd 100644 --- a/drivers/gpu/drm/xe/xe_wait_user_fence.c +++ b/drivers/gpu/drm/xe/xe_wait_user_fence.c @@ -155,6 +155,13 @@ int xe_wait_user_fence_ioctl(struct drm_device *dev, void *data, } if (!timeout) { + LNL_FLUSH_WORKQUEUE(xe->ordered_wq); + err = do_compare(addr, args->value, args->mask, + args->op); + if (err <= 0) { + drm_dbg(&xe->drm, "LNL_FLUSH_WORKQUEUE resolved ufence timeout\n"); + break; + } err = -ETIME; break; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/xe: Move LNL scheduling WA to xe_device.h" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 55e8a3f37e54eb1c7b914d6d5565a37282ec1978 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110922-submitter-street-a3f8@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 55e8a3f37e54eb1c7b914d6d5565a37282ec1978 Mon Sep 17 00:00:00 2001 From: Nirmoy Das <nirmoy.das(a)intel.com> Date: Tue, 29 Oct 2024 13:01:15 +0100 Subject: [PATCH] drm/xe: Move LNL scheduling WA to xe_device.h Move LNL scheduling WA to xe_device.h so this can be used in other places without needing keep the same comment about removal of this WA in the future. The WA, which flushes work or workqueues, is now wrapped in macros and can be reused wherever needed. Cc: Badal Nilawar <badal.nilawar(a)intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> cc: stable(a)vger.kernel.org # v6.11+ Suggested-by: John Harrison <John.C.Harrison(a)Intel.com> Signed-off-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241029120117.449694-1-nirmo… Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> (cherry picked from commit cbe006a6492c01a0058912ae15d473f4c149896c) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_device.h b/drivers/gpu/drm/xe/xe_device.h index 894f04770454..34620ef855c0 100644 --- a/drivers/gpu/drm/xe/xe_device.h +++ b/drivers/gpu/drm/xe/xe_device.h @@ -178,4 +178,18 @@ void xe_device_declare_wedged(struct xe_device *xe); struct xe_file *xe_file_get(struct xe_file *xef); void xe_file_put(struct xe_file *xef); +/* + * Occasionally it is seen that the G2H worker starts running after a delay of more than + * a second even after being queued and activated by the Linux workqueue subsystem. This + * leads to G2H timeout error. The root cause of issue lies with scheduling latency of + * Lunarlake Hybrid CPU. Issue disappears if we disable Lunarlake atom cores from BIOS + * and this is beyond xe kmd. + * + * TODO: Drop this change once workqueue scheduling delay issue is fixed on LNL Hybrid CPU. + */ +#define LNL_FLUSH_WORKQUEUE(wq__) \ + flush_workqueue(wq__) +#define LNL_FLUSH_WORK(wrk__) \ + flush_work(wrk__) + #endif diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c index 17986bfd8818..9c505d3517cd 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.c +++ b/drivers/gpu/drm/xe/xe_guc_ct.c @@ -897,17 +897,8 @@ static int guc_ct_send_recv(struct xe_guc_ct *ct, const u32 *action, u32 len, ret = wait_event_timeout(ct->g2h_fence_wq, g2h_fence.done, HZ); - /* - * Occasionally it is seen that the G2H worker starts running after a delay of more than - * a second even after being queued and activated by the Linux workqueue subsystem. This - * leads to G2H timeout error. The root cause of issue lies with scheduling latency of - * Lunarlake Hybrid CPU. Issue dissappears if we disable Lunarlake atom cores from BIOS - * and this is beyond xe kmd. - * - * TODO: Drop this change once workqueue scheduling delay issue is fixed on LNL Hybrid CPU. - */ if (!ret) { - flush_work(&ct->g2h_worker); + LNL_FLUSH_WORK(&ct->g2h_worker); if (g2h_fence.done) { xe_gt_warn(gt, "G2H fence %u, action %04x, done\n", g2h_fence.seqno, action[0]);

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b8fc56fbca7482c1e5c0e3351c6ae78982e25ada # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110908-basin-unrefined-82bf@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b8fc56fbca7482c1e5c0e3351c6ae78982e25ada Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Mon, 4 Nov 2024 13:40:41 +0900 Subject: [PATCH] ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp ksmbd_user_session_put should be called under smb3_preauth_hash_rsp(). It will avoid freeing session before calling smb3_preauth_hash_rsp(). Cc: stable(a)vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert(a)doyensec.com> Tested-by: Norbert Szetei <norbert(a)doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index 9670c97f14b3..e7f14f8df943 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -238,11 +238,11 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, } while (is_chained == true); send: - if (work->sess) - ksmbd_user_session_put(work->sess); if (work->tcon) ksmbd_tree_connect_put(work->tcon); smb3_preauth_hash_rsp(work); + if (work->sess) + ksmbd_user_session_put(work->sess); if (work->sess && work->sess->enc && work->encrypted && conn->ops->encrypt_resp) { rc = conn->ops->encrypt_resp(work);

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ksmbd: Fix the missing xa_store error check" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 3abab905b14f4ba756d413f37f1fb02b708eee93 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110956-unwired-hence-eb8d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3abab905b14f4ba756d413f37f1fb02b708eee93 Mon Sep 17 00:00:00 2001 From: Jinjie Ruan <ruanjinjie(a)huawei.com> Date: Mon, 28 Oct 2024 08:28:30 +0900 Subject: [PATCH] ksmbd: Fix the missing xa_store error check xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed, so check error for xa_store() to fix it. Cc: stable(a)vger.kernel.org Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray") Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c index 1e4624e9d434..9756a4bbfe54 100644 --- a/fs/smb/server/mgmt/user_session.c +++ b/fs/smb/server/mgmt/user_session.c @@ -90,7 +90,7 @@ static int __rpc_method(char *rpc_name) int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name) { - struct ksmbd_session_rpc *entry; + struct ksmbd_session_rpc *entry, *old; struct ksmbd_rpc_command *resp; int method; @@ -106,16 +106,19 @@ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name) entry->id = ksmbd_ipc_id_alloc(); if (entry->id < 0) goto free_entry; - xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); + old = xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); + if (xa_is_err(old)) + goto free_id; resp = ksmbd_rpc_open(sess, entry->id); if (!resp) - goto free_id; + goto erase_xa; kvfree(resp); return entry->id; -free_id: +erase_xa: xa_erase(&sess->rpc_handle_list, entry->id); +free_id: ksmbd_rpc_id_free(entry->id); free_entry: kfree(entry);

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ksmbd: check outstanding simultaneous SMB operations" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0a77d947f599b1f39065015bec99390d0c0022ee # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110945-emission-stegosaur-f847@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0a77d947f599b1f39065015bec99390d0c0022ee Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Mon, 4 Nov 2024 13:43:06 +0900 Subject: [PATCH] ksmbd: check outstanding simultaneous SMB operations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If Client send simultaneous SMB operations to ksmbd, It exhausts too much memory through the "ksmbd_work_cache”. It will cause OOM issue. ksmbd has a credit mechanism but it can't handle this problem. This patch add the check if it exceeds max credits to prevent this problem by assuming that one smb request consumes at least one credit. Cc: stable(a)vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert(a)doyensec.com> Tested-by: Norbert Szetei <norbert(a)doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index aa2a37a7ce84..e6a72f75ab94 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -70,6 +70,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void) atomic_set(&conn->req_running, 0); atomic_set(&conn->r_count, 0); atomic_set(&conn->refcnt, 1); + atomic_set(&conn->mux_smb_requests, 0); conn->total_credits = 1; conn->outstanding_credits = 0; diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h index b379ae4fdcdf..8ddd5a3c7baf 100644 --- a/fs/smb/server/connection.h +++ b/fs/smb/server/connection.h @@ -107,6 +107,7 @@ struct ksmbd_conn { __le16 signing_algorithm; bool binding; atomic_t refcnt; + atomic_t mux_smb_requests; }; struct ksmbd_conn_ops { diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index e7f14f8df943..e6cfedba9992 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -270,6 +270,7 @@ static void handle_ksmbd_work(struct work_struct *wk) ksmbd_conn_try_dequeue_request(work); ksmbd_free_work_struct(work); + atomic_dec(&conn->mux_smb_requests); /* * Checking waitqueue to dropping pending requests on * disconnection. waitqueue_active is safe because it @@ -291,6 +292,15 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn) struct ksmbd_work *work; int err; + err = ksmbd_init_smb_server(conn); + if (err) + return 0; + + if (atomic_inc_return(&conn->mux_smb_requests) >= conn->vals->max_credits) { + atomic_dec_return(&conn->mux_smb_requests); + return -ENOSPC; + } + work = ksmbd_alloc_work_struct(); if (!work) { pr_err("allocation for work failed\n"); @@ -301,12 +311,6 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn) work->request_buf = conn->request_buf; conn->request_buf = NULL; - err = ksmbd_init_smb_server(work); - if (err) { - ksmbd_free_work_struct(work); - return 0; - } - ksmbd_conn_enqueue_request(work); atomic_inc(&conn->r_count); /* update activity on connection */ diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index a2ebbe604c8c..75b4eb856d32 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -388,6 +388,10 @@ static struct smb_version_ops smb1_server_ops = { .set_rsp_status = set_smb1_rsp_status, }; +static struct smb_version_values smb1_server_values = { + .max_credits = SMB2_MAX_CREDITS, +}; + static int smb1_negotiate(struct ksmbd_work *work) { return ksmbd_smb_negotiate_common(work, SMB_COM_NEGOTIATE); @@ -399,18 +403,18 @@ static struct smb_version_cmds smb1_server_cmds[1] = { static int init_smb1_server(struct ksmbd_conn *conn) { + conn->vals = &smb1_server_values; conn->ops = &smb1_server_ops; conn->cmds = smb1_server_cmds; conn->max_cmds = ARRAY_SIZE(smb1_server_cmds); return 0; } -int ksmbd_init_smb_server(struct ksmbd_work *work) +int ksmbd_init_smb_server(struct ksmbd_conn *conn) { - struct ksmbd_conn *conn = work->conn; __le32 proto; - proto = *(__le32 *)((struct smb_hdr *)work->request_buf)->Protocol; + proto = *(__le32 *)((struct smb_hdr *)conn->request_buf)->Protocol; if (conn->need_neg == false) { if (proto == SMB1_PROTO_NUMBER) return -EINVAL; diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h index cc1d6dfe29d5..a3d8a905b07e 100644 --- a/fs/smb/server/smb_common.h +++ b/fs/smb/server/smb_common.h @@ -427,7 +427,7 @@ bool ksmbd_smb_request(struct ksmbd_conn *conn); int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count); -int ksmbd_init_smb_server(struct ksmbd_work *work); +int ksmbd_init_smb_server(struct ksmbd_conn *conn); struct ksmbd_kstat; int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ksmbd: check outstanding simultaneous SMB operations" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0a77d947f599b1f39065015bec99390d0c0022ee # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110945-blot-unsaid-0239@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0a77d947f599b1f39065015bec99390d0c0022ee Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Mon, 4 Nov 2024 13:43:06 +0900 Subject: [PATCH] ksmbd: check outstanding simultaneous SMB operations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If Client send simultaneous SMB operations to ksmbd, It exhausts too much memory through the "ksmbd_work_cache”. It will cause OOM issue. ksmbd has a credit mechanism but it can't handle this problem. This patch add the check if it exceeds max credits to prevent this problem by assuming that one smb request consumes at least one credit. Cc: stable(a)vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert(a)doyensec.com> Tested-by: Norbert Szetei <norbert(a)doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index aa2a37a7ce84..e6a72f75ab94 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -70,6 +70,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void) atomic_set(&conn->req_running, 0); atomic_set(&conn->r_count, 0); atomic_set(&conn->refcnt, 1); + atomic_set(&conn->mux_smb_requests, 0); conn->total_credits = 1; conn->outstanding_credits = 0; diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h index b379ae4fdcdf..8ddd5a3c7baf 100644 --- a/fs/smb/server/connection.h +++ b/fs/smb/server/connection.h @@ -107,6 +107,7 @@ struct ksmbd_conn { __le16 signing_algorithm; bool binding; atomic_t refcnt; + atomic_t mux_smb_requests; }; struct ksmbd_conn_ops { diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index e7f14f8df943..e6cfedba9992 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -270,6 +270,7 @@ static void handle_ksmbd_work(struct work_struct *wk) ksmbd_conn_try_dequeue_request(work); ksmbd_free_work_struct(work); + atomic_dec(&conn->mux_smb_requests); /* * Checking waitqueue to dropping pending requests on * disconnection. waitqueue_active is safe because it @@ -291,6 +292,15 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn) struct ksmbd_work *work; int err; + err = ksmbd_init_smb_server(conn); + if (err) + return 0; + + if (atomic_inc_return(&conn->mux_smb_requests) >= conn->vals->max_credits) { + atomic_dec_return(&conn->mux_smb_requests); + return -ENOSPC; + } + work = ksmbd_alloc_work_struct(); if (!work) { pr_err("allocation for work failed\n"); @@ -301,12 +311,6 @@ static int queue_ksmbd_work(struct ksmbd_conn *conn) work->request_buf = conn->request_buf; conn->request_buf = NULL; - err = ksmbd_init_smb_server(work); - if (err) { - ksmbd_free_work_struct(work); - return 0; - } - ksmbd_conn_enqueue_request(work); atomic_inc(&conn->r_count); /* update activity on connection */ diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index a2ebbe604c8c..75b4eb856d32 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -388,6 +388,10 @@ static struct smb_version_ops smb1_server_ops = { .set_rsp_status = set_smb1_rsp_status, }; +static struct smb_version_values smb1_server_values = { + .max_credits = SMB2_MAX_CREDITS, +}; + static int smb1_negotiate(struct ksmbd_work *work) { return ksmbd_smb_negotiate_common(work, SMB_COM_NEGOTIATE); @@ -399,18 +403,18 @@ static struct smb_version_cmds smb1_server_cmds[1] = { static int init_smb1_server(struct ksmbd_conn *conn) { + conn->vals = &smb1_server_values; conn->ops = &smb1_server_ops; conn->cmds = smb1_server_cmds; conn->max_cmds = ARRAY_SIZE(smb1_server_cmds); return 0; } -int ksmbd_init_smb_server(struct ksmbd_work *work) +int ksmbd_init_smb_server(struct ksmbd_conn *conn) { - struct ksmbd_conn *conn = work->conn; __le32 proto; - proto = *(__le32 *)((struct smb_hdr *)work->request_buf)->Protocol; + proto = *(__le32 *)((struct smb_hdr *)conn->request_buf)->Protocol; if (conn->need_neg == false) { if (proto == SMB1_PROTO_NUMBER) return -EINVAL; diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h index cc1d6dfe29d5..a3d8a905b07e 100644 --- a/fs/smb/server/smb_common.h +++ b/fs/smb/server/smb_common.h @@ -427,7 +427,7 @@ bool ksmbd_smb_request(struct ksmbd_conn *conn); int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count); -int ksmbd_init_smb_server(struct ksmbd_work *work); +int ksmbd_init_smb_server(struct ksmbd_conn *conn); struct ksmbd_kstat; int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0a77715db22611df50b178374c51e2ba0d58866e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110929-darwinism-jailbird-48ab@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0a77715db22611df50b178374c51e2ba0d58866e Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Sat, 2 Nov 2024 18:46:38 +0900 Subject: [PATCH] ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while adding/deleting session from global session table. Cc: stable(a)vger.kernel.org # v5.15+ Reported-by: Norbert Szetei <norbert(a)doyensec.com> Tested-by: Norbert Szetei <norbert(a)doyensec.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c index 9756a4bbfe54..ad02fe555fda 100644 --- a/fs/smb/server/mgmt/user_session.c +++ b/fs/smb/server/mgmt/user_session.c @@ -178,6 +178,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn) unsigned long id; struct ksmbd_session *sess; + down_write(&sessions_table_lock); down_write(&conn->session_lock); xa_for_each(&conn->sessions, id, sess) { if (atomic_read(&sess->refcnt) == 0 && @@ -191,6 +192,7 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn) } } up_write(&conn->session_lock); + up_write(&sessions_table_lock); } int ksmbd_session_register(struct ksmbd_conn *conn, @@ -232,7 +234,6 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn) } } } - up_write(&sessions_table_lock); down_write(&conn->session_lock); xa_for_each(&conn->sessions, id, sess) { @@ -252,6 +253,7 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn) } } up_write(&conn->session_lock); + up_write(&sessions_table_lock); } struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,

7 months, 2 weeks

1
0
0 0

FAILED: Patch "io_uring/rw: fix missing NOWAIT check for O_DIRECT start write" failed to apply to v5.15-stable tree

by Sasha Levin

The patch below does not apply to the v5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 1d60d74e852647255bd8e76f5a22dc42531e4389 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 31 Oct 2024 08:05:44 -0600 Subject: [PATCH] io_uring/rw: fix missing NOWAIT check for O_DIRECT start write When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write: task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963 with the attempting freezer stuck trying to grab the rwsem: task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress. Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user. Cc: stable(a)vger.kernel.org # 5.10+ Reported-by: Peter Mann <peter.mann(a)sh.cz> Link: https://lore.kernel.org/io-uring/38c94aec-81c9-4f62-b44e-1d87f5597644@sh.cz Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- io_uring/rw.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/io_uring/rw.c b/io_uring/rw.c index 354c4e175654c..155938f100931 100644 --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -1014,6 +1014,25 @@ int io_read_mshot(struct io_kiocb *req, unsigned int issue_flags) return IOU_OK; } +static bool io_kiocb_start_write(struct io_kiocb *req, struct kiocb *kiocb) +{ + struct inode *inode; + bool ret; + + if (!(req->flags & REQ_F_ISREG)) + return true; + if (!(kiocb->ki_flags & IOCB_NOWAIT)) { + kiocb_start_write(kiocb); + return true; + } + + inode = file_inode(kiocb->ki_filp); + ret = sb_start_write_trylock(inode->i_sb); + if (ret) + __sb_writers_release(inode->i_sb, SB_FREEZE_WRITE); + return ret; +} + int io_write(struct io_kiocb *req, unsigned int issue_flags) { bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK; @@ -1051,8 +1070,8 @@ int io_write(struct io_kiocb *req, unsigned int issue_flags) if (unlikely(ret)) return ret; - if (req->flags & REQ_F_ISREG) - kiocb_start_write(kiocb); + if (unlikely(!io_kiocb_start_write(req, kiocb))) + return -EAGAIN; kiocb->ki_flags |= IOCB_WRITE; if (likely(req->file->f_op->write_iter)) -- 2.43.0

7 months, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] media: av7110: fix a spectre vulnerability" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 458ea1c0be991573ec436aa0afa23baacfae101a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110949-sinner-broadband-3aa8@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Date: Tue, 15 Oct 2024 09:24:24 +0200 Subject: [PATCH] media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/av7110/av7110.h index ec461fd187af..b584754f4be0 100644 --- a/drivers/staging/media/av7110/av7110.h +++ b/drivers/staging/media/av7110/av7110.h @@ -88,6 +88,8 @@ struct infrared { u32 ir_config; }; +#define MAX_CI_SLOTS 2 + /* place to store all the necessary device information */ struct av7110 { /* devices */ @@ -163,7 +165,7 @@ struct av7110 { /* CA */ - struct ca_slot_info ci_slot[2]; + struct ca_slot_info ci_slot[MAX_CI_SLOTS]; enum av7110_video_mode vidmode; struct dmxdev dmxdev; diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/media/av7110/av7110_ca.c index 6ce212c64e5d..fce4023c9dea 100644 --- a/drivers/staging/media/av7110/av7110_ca.c +++ b/drivers/staging/media/av7110/av7110_ca.c @@ -26,23 +26,28 @@ void CI_handle(struct av7110 *av7110, u8 *data, u16 len) { + unsigned slot_num; + dprintk(8, "av7110:%p\n", av7110); if (len < 3) return; switch (data[0]) { case CI_MSG_CI_INFO: - if (data[2] != 1 && data[2] != 2) + if (data[2] != 1 && data[2] != MAX_CI_SLOTS) break; + + slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS); + switch (data[1]) { case 0: - av7110->ci_slot[data[2] - 1].flags = 0; + av7110->ci_slot[slot_num].flags = 0; break; case 1: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT; break; case 2: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY; break; } break; @@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) case CA_GET_SLOT_INFO: { struct ca_slot_info *info = (struct ca_slot_info *)parg; + unsigned int slot_num; if (info->num < 0 || info->num > 1) { mutex_unlock(&av7110->ioctl_mutex); return -EINVAL; } - av7110->ci_slot[info->num].num = info->num; - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? - CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); + slot_num = array_index_nospec(info->num, MAX_CI_SLOTS); + + av7110->ci_slot[slot_num].num = info->num; + av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? + CA_CI_LINK : CA_CI; + memcpy(info, &av7110->ci_slot[slot_num], + sizeof(struct ca_slot_info)); break; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] media: av7110: fix a spectre vulnerability" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 458ea1c0be991573ec436aa0afa23baacfae101a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110949-unseeing-smolder-1b43@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Date: Tue, 15 Oct 2024 09:24:24 +0200 Subject: [PATCH] media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/av7110/av7110.h index ec461fd187af..b584754f4be0 100644 --- a/drivers/staging/media/av7110/av7110.h +++ b/drivers/staging/media/av7110/av7110.h @@ -88,6 +88,8 @@ struct infrared { u32 ir_config; }; +#define MAX_CI_SLOTS 2 + /* place to store all the necessary device information */ struct av7110 { /* devices */ @@ -163,7 +165,7 @@ struct av7110 { /* CA */ - struct ca_slot_info ci_slot[2]; + struct ca_slot_info ci_slot[MAX_CI_SLOTS]; enum av7110_video_mode vidmode; struct dmxdev dmxdev; diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/media/av7110/av7110_ca.c index 6ce212c64e5d..fce4023c9dea 100644 --- a/drivers/staging/media/av7110/av7110_ca.c +++ b/drivers/staging/media/av7110/av7110_ca.c @@ -26,23 +26,28 @@ void CI_handle(struct av7110 *av7110, u8 *data, u16 len) { + unsigned slot_num; + dprintk(8, "av7110:%p\n", av7110); if (len < 3) return; switch (data[0]) { case CI_MSG_CI_INFO: - if (data[2] != 1 && data[2] != 2) + if (data[2] != 1 && data[2] != MAX_CI_SLOTS) break; + + slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS); + switch (data[1]) { case 0: - av7110->ci_slot[data[2] - 1].flags = 0; + av7110->ci_slot[slot_num].flags = 0; break; case 1: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT; break; case 2: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY; break; } break; @@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) case CA_GET_SLOT_INFO: { struct ca_slot_info *info = (struct ca_slot_info *)parg; + unsigned int slot_num; if (info->num < 0 || info->num > 1) { mutex_unlock(&av7110->ioctl_mutex); return -EINVAL; } - av7110->ci_slot[info->num].num = info->num; - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? - CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); + slot_num = array_index_nospec(info->num, MAX_CI_SLOTS); + + av7110->ci_slot[slot_num].num = info->num; + av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? + CA_CI_LINK : CA_CI; + memcpy(info, &av7110->ci_slot[slot_num], + sizeof(struct ca_slot_info)); break; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] media: av7110: fix a spectre vulnerability" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 458ea1c0be991573ec436aa0afa23baacfae101a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110948-repugnant-numbly-fe39@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Date: Tue, 15 Oct 2024 09:24:24 +0200 Subject: [PATCH] media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/av7110/av7110.h index ec461fd187af..b584754f4be0 100644 --- a/drivers/staging/media/av7110/av7110.h +++ b/drivers/staging/media/av7110/av7110.h @@ -88,6 +88,8 @@ struct infrared { u32 ir_config; }; +#define MAX_CI_SLOTS 2 + /* place to store all the necessary device information */ struct av7110 { /* devices */ @@ -163,7 +165,7 @@ struct av7110 { /* CA */ - struct ca_slot_info ci_slot[2]; + struct ca_slot_info ci_slot[MAX_CI_SLOTS]; enum av7110_video_mode vidmode; struct dmxdev dmxdev; diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/media/av7110/av7110_ca.c index 6ce212c64e5d..fce4023c9dea 100644 --- a/drivers/staging/media/av7110/av7110_ca.c +++ b/drivers/staging/media/av7110/av7110_ca.c @@ -26,23 +26,28 @@ void CI_handle(struct av7110 *av7110, u8 *data, u16 len) { + unsigned slot_num; + dprintk(8, "av7110:%p\n", av7110); if (len < 3) return; switch (data[0]) { case CI_MSG_CI_INFO: - if (data[2] != 1 && data[2] != 2) + if (data[2] != 1 && data[2] != MAX_CI_SLOTS) break; + + slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS); + switch (data[1]) { case 0: - av7110->ci_slot[data[2] - 1].flags = 0; + av7110->ci_slot[slot_num].flags = 0; break; case 1: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT; break; case 2: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY; break; } break; @@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) case CA_GET_SLOT_INFO: { struct ca_slot_info *info = (struct ca_slot_info *)parg; + unsigned int slot_num; if (info->num < 0 || info->num > 1) { mutex_unlock(&av7110->ioctl_mutex); return -EINVAL; } - av7110->ci_slot[info->num].num = info->num; - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? - CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); + slot_num = array_index_nospec(info->num, MAX_CI_SLOTS); + + av7110->ci_slot[slot_num].num = info->num; + av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? + CA_CI_LINK : CA_CI; + memcpy(info, &av7110->ci_slot[slot_num], + sizeof(struct ca_slot_info)); break; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] media: av7110: fix a spectre vulnerability" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 458ea1c0be991573ec436aa0afa23baacfae101a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110948-sharply-unissued-74b9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Date: Tue, 15 Oct 2024 09:24:24 +0200 Subject: [PATCH] media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/av7110/av7110.h index ec461fd187af..b584754f4be0 100644 --- a/drivers/staging/media/av7110/av7110.h +++ b/drivers/staging/media/av7110/av7110.h @@ -88,6 +88,8 @@ struct infrared { u32 ir_config; }; +#define MAX_CI_SLOTS 2 + /* place to store all the necessary device information */ struct av7110 { /* devices */ @@ -163,7 +165,7 @@ struct av7110 { /* CA */ - struct ca_slot_info ci_slot[2]; + struct ca_slot_info ci_slot[MAX_CI_SLOTS]; enum av7110_video_mode vidmode; struct dmxdev dmxdev; diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/media/av7110/av7110_ca.c index 6ce212c64e5d..fce4023c9dea 100644 --- a/drivers/staging/media/av7110/av7110_ca.c +++ b/drivers/staging/media/av7110/av7110_ca.c @@ -26,23 +26,28 @@ void CI_handle(struct av7110 *av7110, u8 *data, u16 len) { + unsigned slot_num; + dprintk(8, "av7110:%p\n", av7110); if (len < 3) return; switch (data[0]) { case CI_MSG_CI_INFO: - if (data[2] != 1 && data[2] != 2) + if (data[2] != 1 && data[2] != MAX_CI_SLOTS) break; + + slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS); + switch (data[1]) { case 0: - av7110->ci_slot[data[2] - 1].flags = 0; + av7110->ci_slot[slot_num].flags = 0; break; case 1: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT; break; case 2: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY; break; } break; @@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) case CA_GET_SLOT_INFO: { struct ca_slot_info *info = (struct ca_slot_info *)parg; + unsigned int slot_num; if (info->num < 0 || info->num > 1) { mutex_unlock(&av7110->ioctl_mutex); return -EINVAL; } - av7110->ci_slot[info->num].num = info->num; - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? - CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); + slot_num = array_index_nospec(info->num, MAX_CI_SLOTS); + + av7110->ci_slot[slot_num].num = info->num; + av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? + CA_CI_LINK : CA_CI; + memcpy(info, &av7110->ci_slot[slot_num], + sizeof(struct ca_slot_info)); break; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] media: av7110: fix a spectre vulnerability" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 458ea1c0be991573ec436aa0afa23baacfae101a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110947-probing-conform-ac38@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Date: Tue, 15 Oct 2024 09:24:24 +0200 Subject: [PATCH] media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/av7110/av7110.h index ec461fd187af..b584754f4be0 100644 --- a/drivers/staging/media/av7110/av7110.h +++ b/drivers/staging/media/av7110/av7110.h @@ -88,6 +88,8 @@ struct infrared { u32 ir_config; }; +#define MAX_CI_SLOTS 2 + /* place to store all the necessary device information */ struct av7110 { /* devices */ @@ -163,7 +165,7 @@ struct av7110 { /* CA */ - struct ca_slot_info ci_slot[2]; + struct ca_slot_info ci_slot[MAX_CI_SLOTS]; enum av7110_video_mode vidmode; struct dmxdev dmxdev; diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/media/av7110/av7110_ca.c index 6ce212c64e5d..fce4023c9dea 100644 --- a/drivers/staging/media/av7110/av7110_ca.c +++ b/drivers/staging/media/av7110/av7110_ca.c @@ -26,23 +26,28 @@ void CI_handle(struct av7110 *av7110, u8 *data, u16 len) { + unsigned slot_num; + dprintk(8, "av7110:%p\n", av7110); if (len < 3) return; switch (data[0]) { case CI_MSG_CI_INFO: - if (data[2] != 1 && data[2] != 2) + if (data[2] != 1 && data[2] != MAX_CI_SLOTS) break; + + slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS); + switch (data[1]) { case 0: - av7110->ci_slot[data[2] - 1].flags = 0; + av7110->ci_slot[slot_num].flags = 0; break; case 1: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT; break; case 2: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY; break; } break; @@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) case CA_GET_SLOT_INFO: { struct ca_slot_info *info = (struct ca_slot_info *)parg; + unsigned int slot_num; if (info->num < 0 || info->num > 1) { mutex_unlock(&av7110->ioctl_mutex); return -EINVAL; } - av7110->ci_slot[info->num].num = info->num; - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? - CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); + slot_num = array_index_nospec(info->num, MAX_CI_SLOTS); + + av7110->ci_slot[slot_num].num = info->num; + av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? + CA_CI_LINK : CA_CI; + memcpy(info, &av7110->ci_slot[slot_num], + sizeof(struct ca_slot_info)); break; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] media: av7110: fix a spectre vulnerability" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 458ea1c0be991573ec436aa0afa23baacfae101a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110947-passivism-unstirred-8a08@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Date: Tue, 15 Oct 2024 09:24:24 +0200 Subject: [PATCH] media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/av7110/av7110.h index ec461fd187af..b584754f4be0 100644 --- a/drivers/staging/media/av7110/av7110.h +++ b/drivers/staging/media/av7110/av7110.h @@ -88,6 +88,8 @@ struct infrared { u32 ir_config; }; +#define MAX_CI_SLOTS 2 + /* place to store all the necessary device information */ struct av7110 { /* devices */ @@ -163,7 +165,7 @@ struct av7110 { /* CA */ - struct ca_slot_info ci_slot[2]; + struct ca_slot_info ci_slot[MAX_CI_SLOTS]; enum av7110_video_mode vidmode; struct dmxdev dmxdev; diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/media/av7110/av7110_ca.c index 6ce212c64e5d..fce4023c9dea 100644 --- a/drivers/staging/media/av7110/av7110_ca.c +++ b/drivers/staging/media/av7110/av7110_ca.c @@ -26,23 +26,28 @@ void CI_handle(struct av7110 *av7110, u8 *data, u16 len) { + unsigned slot_num; + dprintk(8, "av7110:%p\n", av7110); if (len < 3) return; switch (data[0]) { case CI_MSG_CI_INFO: - if (data[2] != 1 && data[2] != 2) + if (data[2] != 1 && data[2] != MAX_CI_SLOTS) break; + + slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS); + switch (data[1]) { case 0: - av7110->ci_slot[data[2] - 1].flags = 0; + av7110->ci_slot[slot_num].flags = 0; break; case 1: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT; break; case 2: - av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY; + av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY; break; } break; @@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg) case CA_GET_SLOT_INFO: { struct ca_slot_info *info = (struct ca_slot_info *)parg; + unsigned int slot_num; if (info->num < 0 || info->num > 1) { mutex_unlock(&av7110->ioctl_mutex); return -EINVAL; } - av7110->ci_slot[info->num].num = info->num; - av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? - CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); + slot_num = array_index_nospec(info->num, MAX_CI_SLOTS); + + av7110->ci_slot[slot_num].num = info->num; + av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? + CA_CI_LINK : CA_CI; + memcpy(info, &av7110->ci_slot[slot_num], + sizeof(struct ca_slot_info)); break; }

7 months, 2 weeks

1
0
0 0

FAILED: Patch "posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone" failed to apply to v6.1-stable tree

by Sasha Levin

The patch below does not apply to the v6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From b5413156bad91dc2995a5c4eab1b05e56914638a Mon Sep 17 00:00:00 2001 From: Benjamin Segall <bsegall(a)google.com> Date: Fri, 25 Oct 2024 18:35:35 -0700 Subject: [PATCH] posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone When cloning a new thread, its posix_cputimers are not inherited, and are cleared by posix_cputimers_init(). However, this does not clear the tick dependency it creates in tsk->tick_dep_mask, and the handler does not reach the code to clear the dependency if there were no timers to begin with. Thus if a thread has a cputimer running before clone/fork, all descendants will prevent nohz_full unless they create a cputimer of their own. Fix this by entirely clearing the tick_dep_mask in copy_process(). (There is currently no inherited state that needs a tick dependency) Process-wide timers do not have this problem because fork does not copy signal_struct as a baseline, it creates one from scratch. Fixes: b78783000d5c ("posix-cpu-timers: Migrate to use new tick dependency mask model") Signed-off-by: Ben Segall <bsegall(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Frederic Weisbecker <frederic(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/xm26o737bq8o.fsf@google.com --- include/linux/tick.h | 8 ++++++++ kernel/fork.c | 2 ++ 2 files changed, 10 insertions(+) diff --git a/include/linux/tick.h b/include/linux/tick.h index 72744638c5b0f..99c9c5a7252aa 100644 --- a/include/linux/tick.h +++ b/include/linux/tick.h @@ -251,12 +251,19 @@ static inline void tick_dep_set_task(struct task_struct *tsk, if (tick_nohz_full_enabled()) tick_nohz_dep_set_task(tsk, bit); } + static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { if (tick_nohz_full_enabled()) tick_nohz_dep_clear_task(tsk, bit); } + +static inline void tick_dep_init_task(struct task_struct *tsk) +{ + atomic_set(&tsk->tick_dep_mask, 0); +} + static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { @@ -290,6 +297,7 @@ static inline void tick_dep_set_task(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { } +static inline void tick_dep_init_task(struct task_struct *tsk) { } static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_signal(struct signal_struct *signal, diff --git a/kernel/fork.c b/kernel/fork.c index 89ceb4a68af25..6fa9fe62e01e3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -105,6 +105,7 @@ #include <linux/rseq.h> #include <uapi/linux/pidfd.h> #include <linux/pidfs.h> +#include <linux/tick.h> #include <asm/pgalloc.h> #include <linux/uaccess.h> @@ -2292,6 +2293,7 @@ __latent_entropy struct task_struct *copy_process( acct_clear_integrals(p); posix_cputimers_init(&p->posix_cputimers); + tick_dep_init_task(p); p->io_context = NULL; audit_set_context(p, NULL); -- 2.43.0

7 months, 2 weeks

2
2
0 0

[PATCH] USB: core: remove dead code in do_proc_bulk()

by Rex Nie

Since len1 is unsigned int, len1 < 0 always false. Remove it keep code simple. Signed-off-by: Rex Nie <rex.nie(a)jaguarmicro.com> --- drivers/usb/core/devio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 3beb6a862e80..712e290bab04 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1295,7 +1295,7 @@ static int do_proc_bulk(struct usb_dev_state *ps, return ret; len1 = bulk->len; - if (len1 < 0 || len1 >= (INT_MAX - sizeof(struct urb))) + if (len1 >= (INT_MAX - sizeof(struct urb))) return -EINVAL; if (bulk->ep & USB_DIR_IN) -- 2.17.1

7 months, 2 weeks

3
3
0 0

[PATCH 1/3] spmi: pmic-arb: fix return path in for_each_available_child_of_node()

by Stephen Boyd

From: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> This loop requires explicit calls to of_node_put() upon early exits (break, goto, return) to decrement the child refcounter and avoid memory leaks if the child is not required out of the loop. A more robust solution is using the scoped variant of the macro, which automatically calls of_node_put() when the child goes out of scope. Cc: stable(a)vger.kernel.org Fixes: 979987371739 ("spmi: pmic-arb: Add multi bus support") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Link: https://lore.kernel.org/r/20241001-spmi-pmic-arb-scoped-v1-1-5872bab34ed6@g… Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Signed-off-by: Stephen Boyd <sboyd(a)kernel.org> --- drivers/spmi/spmi-pmic-arb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c index 9ba9495fcc4b..ea843159b745 100644 --- a/drivers/spmi/spmi-pmic-arb.c +++ b/drivers/spmi/spmi-pmic-arb.c @@ -1763,14 +1763,13 @@ static int spmi_pmic_arb_register_buses(struct spmi_pmic_arb *pmic_arb, { struct device *dev = &pdev->dev; struct device_node *node = dev->of_node; - struct device_node *child; int ret; /* legacy mode doesn't provide child node for the bus */ if (of_device_is_compatible(node, "qcom,spmi-pmic-arb")) return spmi_pmic_arb_bus_init(pdev, node, pmic_arb); - for_each_available_child_of_node(node, child) { + for_each_available_child_of_node_scoped(node, child) { if (of_node_name_eq(child, "spmi")) { ret = spmi_pmic_arb_bus_init(pdev, child, pmic_arb); if (ret) -- https://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git/ https://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi.git

7 months, 2 weeks

1
0
0 0

[PATCH v5 04/10] crypto: ccp: Fix uapi definitions of PSP errors

by Dionna Glaze

Additions to the error enum after the explicit 0x27 setting for SEV_RET_INVALID_KEY leads to incorrect value assignments. Use explicit values to match the manufacturer specifications more clearly. Fixes: 3a45dc2b419e ("crypto: ccp: Define the SEV-SNP commands") CC: Sean Christopherson <seanjc(a)google.com> CC: Paolo Bonzini <pbonzini(a)redhat.com> CC: Thomas Gleixner <tglx(a)linutronix.de> CC: Ingo Molnar <mingo(a)redhat.com> CC: Borislav Petkov <bp(a)alien8.de> CC: Dave Hansen <dave.hansen(a)linux.intel.com> CC: Ashish Kalra <ashish.kalra(a)amd.com> CC: Tom Lendacky <thomas.lendacky(a)amd.com> CC: John Allen <john.allen(a)amd.com> CC: Herbert Xu <herbert(a)gondor.apana.org.au> CC: "David S. Miller" <davem(a)davemloft.net> CC: Michael Roth <michael.roth(a)amd.com> CC: Luis Chamberlain <mcgrof(a)kernel.org> CC: Russ Weight <russ.weight(a)linux.dev> CC: Danilo Krummrich <dakr(a)redhat.com> CC: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CC: "Rafael J. Wysocki" <rafael(a)kernel.org> CC: Tianfei zhang <tianfei.zhang(a)intel.com> CC: Alexey Kardashevskiy <aik(a)amd.com> CC: stable(a)vger.kernel.org From: Alexey Kardashevskiy <aik(a)amd.com> Signed-off-by: Alexey Kardashevskiy <aik(a)amd.com> Signed-off-by: Dionna Glaze <dionnaglaze(a)google.com> --- include/uapi/linux/psp-sev.h | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/psp-sev.h b/include/uapi/linux/psp-sev.h index 832c15d9155bd..eeb20dfb1fdaa 100644 --- a/include/uapi/linux/psp-sev.h +++ b/include/uapi/linux/psp-sev.h @@ -73,13 +73,20 @@ typedef enum { SEV_RET_INVALID_PARAM, SEV_RET_RESOURCE_LIMIT, SEV_RET_SECURE_DATA_INVALID, - SEV_RET_INVALID_KEY = 0x27, - SEV_RET_INVALID_PAGE_SIZE, - SEV_RET_INVALID_PAGE_STATE, - SEV_RET_INVALID_MDATA_ENTRY, - SEV_RET_INVALID_PAGE_OWNER, - SEV_RET_INVALID_PAGE_AEAD_OFLOW, - SEV_RET_RMP_INIT_REQUIRED, + SEV_RET_INVALID_PAGE_SIZE = 0x0019, + SEV_RET_INVALID_PAGE_STATE = 0x001A, + SEV_RET_INVALID_MDATA_ENTRY = 0x001B, + SEV_RET_INVALID_PAGE_OWNER = 0x001C, + SEV_RET_AEAD_OFLOW = 0x001D, + SEV_RET_EXIT_RING_BUFFER = 0x001F, + SEV_RET_RMP_INIT_REQUIRED = 0x0020, + SEV_RET_BAD_SVN = 0x0021, + SEV_RET_BAD_VERSION = 0x0022, + SEV_RET_SHUTDOWN_REQUIRED = 0x0023, + SEV_RET_UPDATE_FAILED = 0x0024, + SEV_RET_RESTORE_REQUIRED = 0x0025, + SEV_RET_RMP_INITIALIZATION_FAILED = 0x0026, + SEV_RET_INVALID_KEY = 0x0027, SEV_RET_MAX, } sev_ret_code; -- 2.47.0.277.g8800431eea-goog

7 months, 2 weeks

3
2
0 0

Linux 6.6.60

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.60 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/freescale/imx8ulp.dtsi | 2 arch/riscv/kernel/acpi.c | 4 arch/riscv/kernel/asm-offsets.c | 2 arch/riscv/kernel/cpu-hotplug.c | 2 arch/riscv/kernel/efi-header.S | 2 arch/riscv/kernel/traps_misaligned.c | 2 arch/riscv/kernel/vdso/Makefile | 1 arch/x86/include/asm/bug.h | 12 arch/x86/kernel/traps.c | 71 ++ block/blk-map.c | 4 drivers/acpi/cppc_acpi.c | 9 drivers/base/core.c | 48 +- drivers/base/module.c | 4 drivers/cxl/acpi.c | 7 drivers/cxl/core/hdm.c | 50 +- drivers/cxl/core/port.c | 13 drivers/cxl/core/region.c | 48 -- drivers/cxl/core/trace.h | 17 drivers/cxl/cxl.h | 3 drivers/firmware/arm_sdei.c | 2 drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 drivers/iio/adc/ad7124.c | 2 drivers/iio/industrialio-gts-helper.c | 4 drivers/iio/light/veml6030.c | 2 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 38 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 drivers/infiniband/hw/cxgb4/provider.c | 1 drivers/infiniband/hw/mlx5/qp.c | 4 drivers/input/joystick/xpad.c | 12 drivers/input/touchscreen/edt-ft5x06.c | 19 drivers/misc/mei/client.c | 4 drivers/misc/sgi-gru/grukservices.c | 2 drivers/misc/sgi-gru/grumain.c | 4 drivers/misc/sgi-gru/grutlbpurge.c | 2 drivers/mmc/host/sdhci-pci-gli.c | 38 + drivers/mtd/spi-nor/winbond.c | 7 drivers/net/ethernet/amd/mvme147.c | 7 drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.c | 26 + drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c | 7 drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 8 drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h | 2 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 drivers/net/gtp.c | 22 drivers/net/macsec.c | 3 drivers/net/mctp/mctp-i2c.c | 3 drivers/net/netdevsim/fib.c | 4 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 2 drivers/net/wireless/ath/ath11k/dp_rx.c | 7 drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 drivers/net/wireless/intel/iwlegacy/common.c | 15 drivers/net/wireless/intel/iwlegacy/common.h | 12 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 24 - drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 3 drivers/nvme/target/auth.c | 1 drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 10 drivers/phy/qualcomm/phy-qcom-qmp-usb-legacy.c | 1 drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 1 drivers/scsi/scsi_transport_fc.c | 4 drivers/spi/spi-fsl-dspi.c | 6 drivers/spi/spi-geni-qcom.c | 8 drivers/staging/iio/frequency/ad9832.c | 7 drivers/thermal/intel/int340x_thermal/processor_thermal_rapl.c | 70 +- drivers/thermal/thermal_core.c | 25 - drivers/thunderbolt/tb.c | 48 +- drivers/usb/gadget/udc/dummy_hcd.c | 57 +- drivers/usb/host/xhci-pci.c | 6 drivers/usb/host/xhci-ring.c | 16 drivers/usb/phy/phy.c | 2 drivers/usb/typec/class.c | 1 drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 4 fs/afs/dir.c | 25 + fs/afs/dir_edit.c | 91 +++ fs/afs/internal.h | 2 fs/dax.c | 45 + fs/iomap/buffered-io.c | 7 fs/nfs/delegation.c | 5 fs/nilfs2/namei.c | 3 fs/nilfs2/page.c | 1 fs/ntfs3/file.c | 9 fs/ntfs3/frecord.c | 4 fs/ntfs3/inode.c | 15 fs/ntfs3/lznt.c | 3 fs/ntfs3/namei.c | 2 fs/ntfs3/ntfs_fs.h | 2 fs/ntfs3/record.c | 31 - fs/ocfs2/file.c | 8 fs/smb/client/cifs_unicode.c | 17 fs/smb/client/reparse.c | 174 ++++++- fs/smb/client/reparse.h | 9 fs/smb/client/smb2inode.c | 3 fs/smb/client/smb2proto.h | 1 fs/xfs/xfs_filestream.c | 23 fs/xfs/xfs_trace.h | 15 include/acpi/cppc_acpi.h | 2 include/linux/compiler-gcc.h | 4 include/linux/device.h | 3 include/linux/huge_mm.h | 18 include/linux/iomap.h | 19 include/linux/sched.h | 2 include/linux/thermal.h | 2 include/linux/ubsan.h | 5 include/net/ip_tunnels.h | 2 include/trace/events/afs.h | 240 +--------- init/init_task.c | 1 io_uring/io_uring.c | 13 io_uring/rw.c | 23 kernel/bpf/cgroup.c | 19 kernel/bpf/lpm_trie.c | 2 kernel/bpf/verifier.c | 9 kernel/cgroup/cgroup.c | 4 kernel/fork.c | 1 kernel/rcu/tasks.h | 90 ++- kernel/sched/fair.c | 4 lib/Kconfig.ubsan | 4 lib/iov_iter.c | 6 mm/huge_memory.c | 13 mm/kasan/kasan_test.c | 27 - mm/memory.c | 9 mm/migrate.c | 2 mm/page_alloc.c | 10 mm/shmem.c | 2 net/bluetooth/hci_sync.c | 18 net/bpf/test_run.c | 1 net/core/dev.c | 4 net/core/rtnetlink.c | 4 net/ipv6/netfilter/nf_reject_ipv6.c | 15 net/mac80211/Kconfig | 2 net/mac80211/agg-tx.c | 4 net/mac80211/cfg.c | 3 net/mac80211/key.c | 42 + net/mptcp/protocol.c | 2 net/netfilter/nft_payload.c | 3 net/netfilter/x_tables.c | 2 net/sched/sch_api.c | 2 net/sunrpc/svc.c | 9 net/wireless/core.c | 1 sound/pci/hda/patch_realtek.c | 23 sound/soc/codecs/cs42l51.c | 7 sound/soc/sof/ipc4-control.c | 175 +++++++ sound/soc/sof/ipc4-topology.c | 49 +- sound/soc/sof/ipc4-topology.h | 19 sound/usb/mixer_quirks.c | 3 tools/mm/page-types.c | 9 tools/mm/slabinfo.c | 4 tools/testing/cxl/test/cxl.c | 14 tools/testing/selftests/bpf/bpf_experimental.h | 31 + tools/testing/selftests/mm/uffd-common.c | 5 tools/testing/selftests/mm/uffd-common.h | 3 tools/testing/selftests/mm/uffd-unit-tests.c | 21 tools/usb/usbip/src/usbip_detach.c | 1 154 files changed, 1653 insertions(+), 771 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix "task hung" problem Alexander Usyskin (1): mei: use kvmalloc for read buffer Alexandre Ghiti (1): riscv: vdso: Prevent the compiler from inserting calls to memset() Amit Cohen (1): mlxsw: spectrum_ptp: Add missing verification before pushing Tx header Andrew Ballance (1): fs/ntfs3: Check if more than chunk-size bytes are written Andrey Konovalov (2): usb: gadget: dummy_hcd: execute hrtimer callback in softirq context kasan: remove vmalloc_percpu test Basavaraj Natikar (1): xhci: Use pm_runtime_get to prevent RPM on unsupported systems Ben Chuang (2): mmc: sdhci-pci-gli: GL9767: Fix low power mode on the set clock function mmc: sdhci-pci-gli: GL9767: Fix low power mode in the SD Express process Ben Hutchings (1): wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Benjamin Marzinski (1): scsi: scsi_transport_fc: Allow setting rport state to current state Benoît Monin (1): net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Brenton Simpson (1): Input: xpad - sort xpad_device by vendor and product ID Byeonguk Jeong (1): bpf: Fix out-of-bounds write in trie_get_next_key() Chen Ridong (1): cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction Christoffer Sandberg (2): ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 Christoph Hellwig (3): iomap: improve shared block detection in iomap_unshare_iter iomap: turn iomap_want_unshare_iter into an inline function xfs: fix finding a last resort AG in xfs_filestream_pick_ag Christophe JAILLET (1): ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Chuck Lever (1): SUNRPC: Remove BUG_ON call sites Chunyan Zhang (2): riscv: Remove unused GENERATING_ASM_OFFSETS riscv: Remove duplicated GET_RM Dai Ngo (1): NFS: remove revoked delegation from server's delegation list Dan Williams (3): cxl/port: Fix use-after-free, permit out-of-order decoder shutdown cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() cxl/acpi: Ensure ports ready at cxl_acpi_probe() return Daniel Gabay (1): wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Daniel Palmer (1): net: amd: mvme147: Fix probe banner message Darrick J. Wong (4): iomap: don't bother unsharing delalloc extents iomap: share iomap_unshare_iter predicate code with fsdax fsdax: remove zeroing code from dax_unshare_iter fsdax: dax_unshare_iter needs to copy entire blocks David Hildenbrand (1): mm: don't install PMD mappings when THPs are disabled by the hw/process/vma David Howells (2): afs: Automatically generate trace tag enums afs: Fix missing subdir edit when renamed between parent dirs Dimitri Sivanich (1): misc: sgi-gru: Don't disable preemption in GRU driver Dmitry Torokhov (1): Input: edt-ft5x06 - fix regmap leak when probe fails Dong Chenchen (1): netfilter: Fix use-after-free in get_info() Eduard Zingerman (1): bpf: Force checkpoint when jmp history is too long Edward Adam Davis (1): ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Edward Liaw (2): Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" Emmanuel Grumbach (2): wifi: iwlwifi: mvm: disconnect station vifs if recovery failed wifi: iwlwifi: mvm: don't add default link in fw restart flow Eric Dumazet (1): netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() Faisal Hassan (1): xhci: Fix Link TRB DMA in command ring stopped completion event Felix Fietkau (2): wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Frank Li (1): spi: spi-fsl-dspi: Fix crash when not using GPIO chip select Furong Xu (1): net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Gatlin Newhouse (1): x86/traps: Enable UBSAN traps on x86 Geert Uytterhoeven (2): mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING wifi: brcm80211: BRCM_TRACING should depend on TRACING Georgi Djakov (1): spi: geni-qcom: Fix boot warning related to pm_runtime and devres Gil Fine (1): thunderbolt: Honor TMU requirements in the domain when setting TMU mode Greg Kroah-Hartman (2): Revert "driver core: Fix uevent_show() vs driver detach race" Linux 6.6.60 Gregory Price (1): vmscan,migrate: fix page count imbalance on node stats when demoting pages Haibo Chen (1): arm64: dts: imx8ulp: correct the flexspi compatible string Heinrich Schuchardt (1): riscv: efi: Set NX compat flag in PE/COFF header Hugh Dickins (1): iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP Ido Schimmel (2): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address Jan Schär (1): ALSA: usb-audio: Add quirks for Dell WD19 dock Javier Carrasco (3): usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes iio: light: veml6030: fix microlux value calculation Jens Axboe (1): io_uring/rw: fix missing NOWAIT check for O_DIRECT start write Jeongjun Park (1): mm: shmem: fix data-race in shmem_getattr() Jianbo Liu (1): macsec: Fix use-after-free while sending the offloading packet Jinjie Ruan (2): iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() Johan Hovold (2): phy: qcom: qmp-usb: fix NULL-deref on runtime suspend phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend Johannes Berg (2): wifi: cfg80211: clear wdev->cqm_config pointer on free wifi: iwlwifi: mvm: fix 6 GHz scan construction Kailang Yang (1): ALSA: hda/realtek: Limit internal Mic boost on Dell platform Kefeng Wang (1): mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() Konstantin Komarov (8): fs/ntfs3: Fix warning possible deadlock in ntfs_set_state fs/ntfs3: Stale inode instead of bad fs/ntfs3: Add rough attr alloc_size check fs/ntfs3: Fix possible deadlock in mi_read fs/ntfs3: Additional check in ni_clear() fs/ntfs3: Fix general protection fault in run_is_mapped_full fs/ntfs3: Additional check in ntfs_file_release fs/ntfs3: Sequential field availability check in mi_enum_attr() Leon Romanovsky (1): RDMA/cxgb4: Dump vendor specific QP details Ley Foon Tan (1): net: stmmac: dwmac4: Fix high address display by updating reg_space[] from register values Manikanta Pubbisetty (1): wifi: ath10k: Fix memory leak in management tx Marcello Sylvester Bauer (2): usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler usb: gadget: dummy_hcd: Set transfer interval to 1 microframe Marco Elver (1): kasan: Fix Software Tag-Based KASAN with GCC Matt Fleming (1): mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Matt Johnston (1): mctp i2c: handle NULL header address Matthieu Baerts (NGI0) (1): mptcp: init: protect sched with rcu_read_lock Michael Walle (1): mtd: spi-nor: winbond: fix w25q128 regression Pablo Neira Ayuso (2): gtp: allow -1 to be specified as file description from userspace netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Pali Rohár (2): cifs: Improve creating native symlinks pointing to directory cifs: Fix creating native symlinks pointing to current or parent directory Patrisious Haddad (1): RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Paul E. McKenney (3): rcu-tasks: Pull sampling of ->percpu_dequeue_lim out of loop rcu-tasks: Add data to eliminate RCU-tasks/do_exit() deadlocks rcu-tasks: Initialize data to eliminate RCU-tasks/do_exit() deadlocks Paulo Alcantara (2): smb: client: fix parsing of device numbers smb: client: set correct device number on nfs reparse points Pavel Begunkov (1): io_uring: always lock __io_cqring_overflow_flush Pedro Tammela (1): net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Peter Ujfalusi (3): ASoC: SOF: ipc4-topology: Add definition for generic switch/enum control ASoC: SOF: ipc4-control: Add support for ALSA switch control ASoC: SOF: ipc4-control: Add support for ALSA enum control Pierre Gondois (1): ACPI: CPPC: Make rmw_lock a raw_spin_lock Rafael J. Wysocki (3): thermal: core: Make thermal_zone_device_unregister() return after freeing the zone thermal: core: Rework thermal zone availability check thermal: core: Free tzp copy along with the thermal zone Remi Pommarel (1): wifi: ath11k: Fix invalid ring usage in full monitor mode Richard Zhu (1): phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check Ryusuke Konishi (2): nilfs2: fix potential deadlock with newly created symlinks nilfs2: fix kernel bug due to missing clearing of checked flag Sabyrzhan Tasbolatov (1): x86/traps: move kmsan check after instrumentation_begin Selvin Xavier (2): RDMA/bnxt_re: Fix the usage of control path spin locks RDMA/bnxt_re: synchronize the qp-handle table array Shawn Wang (1): sched/numa: Fix the potential null pointer dereference in task_numa_work() Shiju Jose (1): cxl/events: Fix Trace DRAM Event Record Srinivasan Shanmugam (1): drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing Stefan Kerkmann (1): Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller Sungwoo Kim (1): Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Toke Høiland-Jørgensen (1): bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled Ville Syrjälä (1): wifi: iwlegacy: Clear stale interrupts before resuming device Vitaliy Shevtsov (1): nvmet-auth: assign dh_key to NULL after kfree_sensitive Wang Liang (1): net: fix crash when config small gso_max_size/gso_ipv4_max_size WangYuli (1): riscv: Use '%u' to format the output of 'cpu' Wladislav Wiebe (1): tools/mm: -Werror fixes in page-types/slabinfo Xinyu Zhang (1): block: fix sanity checks in blk_rq_map_user_bvec Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Xiu Jianfeng (1): cgroup: Fix potential overflow issue when checking max_depth Yonghong Song (1): selftests/bpf: Add bpf_percpu_obj_{new,drop}() macro in bpf_experimental.h Yunhui Cui (1): RISC-V: ACPI: fix early_ioremap to early_memremap Zhang Rui (2): thermal: intel: int340x: processor: Remove MMIO RAPL CPU hotplug support thermal: intel: int340x: processor: Add MMIO RAPL PL4 support Zichen Xie (1): netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Zicheng Qu (2): staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Zijun Hu (1): usb: phy: Fix API devm_usb_put_phy() can not release the phy Zong-Zhe Yang (1): wifi: mac80211: fix NULL dereference at band check in starting tx ba session Zongmin Zhou (1): usbip: tools: Fix detach_port() invalid port error path Zqiang (1): rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() lei lu (1): ntfs3: Add bounds checking to mi_enum_attr()

7 months, 2 weeks

1
1
0 0

Linux 6.11.7

by Greg Kroah-Hartman

I'm announcing the release of the 6.11.7 kernel. All users of the 6.11 kernel series must upgrade. The updated 6.11.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.11.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/iio/adc/adi,ad7380.yaml | 21 Documentation/driver-api/dpll.rst | 21 Documentation/netlink/specs/dpll.yaml | 24 Documentation/rust/arch-support.rst | 2 Makefile | 2 arch/arm64/boot/dts/freescale/imx8ulp.dtsi | 2 arch/arm64/boot/dts/qcom/msm8939.dtsi | 2 arch/arm64/boot/dts/qcom/x1e80100-asus-vivobook-s15.dts | 2 arch/arm64/boot/dts/qcom/x1e80100-crd.dts | 2 arch/arm64/boot/dts/qcom/x1e80100-lenovo-yoga-slim7x.dts | 2 arch/arm64/boot/dts/qcom/x1e80100-qcp.dts | 2 arch/arm64/boot/dts/qcom/x1e80100.dtsi | 34 - arch/mips/kernel/cmpxchg.c | 1 arch/riscv/Kconfig | 2 arch/riscv/boot/dts/starfive/jh7110-common.dtsi | 2 arch/riscv/boot/dts/starfive/jh7110-pine64-star64.dts | 3 arch/riscv/kernel/acpi.c | 4 arch/riscv/kernel/asm-offsets.c | 2 arch/riscv/kernel/cacheinfo.c | 7 arch/riscv/kernel/cpu-hotplug.c | 2 arch/riscv/kernel/efi-header.S | 2 arch/riscv/kernel/traps_misaligned.c | 2 arch/riscv/kernel/vdso/Makefile | 1 arch/x86/include/asm/bug.h | 12 arch/x86/kernel/traps.c | 71 ++ block/blk-map.c | 4 drivers/accel/ivpu/ivpu_debugfs.c | 9 drivers/accel/ivpu/ivpu_hw.c | 1 drivers/accel/ivpu/ivpu_hw.h | 1 drivers/accel/ivpu/ivpu_hw_ip.c | 5 drivers/acpi/cppc_acpi.c | 9 drivers/acpi/resource.c | 18 drivers/base/core.c | 48 + drivers/base/module.c | 4 drivers/char/tpm/tpm-chip.c | 10 drivers/char/tpm/tpm-dev-common.c | 3 drivers/char/tpm/tpm-interface.c | 6 drivers/char/tpm/tpm2-sessions.c | 100 ++- drivers/cxl/Kconfig | 1 drivers/cxl/Makefile | 20 drivers/cxl/acpi.c | 7 drivers/cxl/core/hdm.c | 50 + drivers/cxl/core/port.c | 13 drivers/cxl/core/region.c | 48 - drivers/cxl/core/trace.h | 17 drivers/cxl/cxl.h | 3 drivers/cxl/port.c | 17 drivers/dpll/dpll_netlink.c | 130 ++++ drivers/dpll/dpll_nl.c | 5 drivers/firmware/arm_sdei.c | 2 drivers/firmware/microchip/mpfs-auto-update.c | 42 - drivers/gpio/gpio-sloppy-logic-analyzer.c | 4 drivers/gpio/gpiolib.c | 4 drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c | 9 drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 15 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 6 drivers/gpu/drm/i915/display/intel_alpm.c | 2 drivers/gpu/drm/i915/display/intel_backlight.c | 10 drivers/gpu/drm/i915/display/intel_display_device.c | 5 drivers/gpu/drm/i915/display/intel_display_device.h | 2 drivers/gpu/drm/i915/display/intel_display_power.c | 8 drivers/gpu/drm/i915/display/intel_display_power_well.c | 4 drivers/gpu/drm/i915/display/intel_display_types.h | 1 drivers/gpu/drm/i915/display/intel_display_wa.h | 8 drivers/gpu/drm/i915/display/intel_dp.c | 29 drivers/gpu/drm/i915/display/intel_dp.h | 1 drivers/gpu/drm/i915/display/intel_dp_aux.c | 4 drivers/gpu/drm/i915/display/intel_dp_hdcp.c | 11 drivers/gpu/drm/i915/display/intel_fbc.c | 6 drivers/gpu/drm/i915/display/intel_hdcp.c | 7 drivers/gpu/drm/i915/display/intel_pps.c | 14 drivers/gpu/drm/i915/display/intel_psr.c | 6 drivers/gpu/drm/i915/display/intel_tc.c | 3 drivers/gpu/drm/i915/display/intel_vrr.c | 3 drivers/gpu/drm/i915/display/skl_universal_plane.c | 5 drivers/gpu/drm/i915/intel_device_info.c | 5 drivers/gpu/drm/i915/intel_device_info.h | 2 drivers/gpu/drm/mediatek/mtk_crtc.c | 47 - drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 9 drivers/gpu/drm/mediatek/mtk_dp.c | 85 ++ drivers/gpu/drm/panthor/panthor_fw.c | 4 drivers/gpu/drm/panthor/panthor_gem.c | 11 drivers/gpu/drm/panthor/panthor_mmu.c | 16 drivers/gpu/drm/panthor/panthor_mmu.h | 1 drivers/gpu/drm/panthor/panthor_sched.c | 20 drivers/gpu/drm/tegra/drm.c | 4 drivers/gpu/drm/tests/drm_connector_test.c | 24 drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 8 drivers/gpu/drm/tests/drm_kunit_helpers.c | 42 + drivers/gpu/drm/xe/Makefile | 1 drivers/gpu/drm/xe/compat-i915-headers/i915_drv.h | 1 drivers/gpu/drm/xe/display/xe_display_wa.c | 16 drivers/gpu/drm/xe/regs/xe_gt_regs.h | 17 drivers/gpu/drm/xe/regs/xe_regs.h | 10 drivers/gpu/drm/xe/regs/xe_sriov_regs.h | 23 drivers/gpu/drm/xe/xe_device_types.h | 6 drivers/gpu/drm/xe/xe_ggtt.c | 10 drivers/gpu/drm/xe/xe_gt.c | 10 drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 2 drivers/gpu/drm/xe/xe_guc_submit.c | 18 drivers/gpu/drm/xe/xe_lmtt.c | 2 drivers/gpu/drm/xe/xe_module.c | 39 + drivers/gpu/drm/xe/xe_sriov.c | 2 drivers/gpu/drm/xe/xe_tuning.c | 21 drivers/gpu/drm/xe/xe_wa.c | 4 drivers/iio/adc/ad7124.c | 2 drivers/iio/industrialio-gts-helper.c | 4 drivers/iio/light/veml6030.c | 2 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 38 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 drivers/infiniband/hw/cxgb4/provider.c | 1 drivers/infiniband/hw/mlx5/qp.c | 4 drivers/input/input.c | 134 ++-- drivers/input/touchscreen/edt-ft5x06.c | 19 drivers/misc/mei/client.c | 4 drivers/misc/sgi-gru/grukservices.c | 2 drivers/misc/sgi-gru/grumain.c | 4 drivers/misc/sgi-gru/grutlbpurge.c | 2 drivers/mmc/host/sdhci-pci-gli.c | 38 - drivers/net/ethernet/amd/mvme147.c | 7 drivers/net/ethernet/intel/ice/ice_dpll.c | 293 +++++++++- drivers/net/ethernet/intel/ice/ice_dpll.h | 1 drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 21 drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 1 drivers/net/ethernet/mediatek/mtk_wed_wo.h | 4 drivers/net/ethernet/mellanox/mlxsw/pci.c | 25 drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.c | 26 drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c | 7 drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 8 drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h | 2 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 drivers/net/gtp.c | 22 drivers/net/macsec.c | 3 drivers/net/mctp/mctp-i2c.c | 3 drivers/net/netdevsim/fib.c | 4 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 2 drivers/net/wireless/ath/ath11k/dp_rx.c | 7 drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 drivers/net/wireless/intel/iwlegacy/common.c | 15 drivers/net/wireless/intel/iwlegacy/common.h | 12 drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 28 drivers/net/wireless/intel/iwlwifi/iwl-drv.h | 3 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 12 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 34 - drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 6 drivers/net/wireless/realtek/rtlwifi/rtl8192du/sw.c | 1 drivers/net/wireless/realtek/rtw89/pci.c | 48 + drivers/nvme/host/core.c | 19 drivers/nvme/host/ioctl.c | 7 drivers/nvme/target/auth.c | 1 drivers/pci/pci.c | 14 drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 10 drivers/phy/qualcomm/phy-qcom-qmp-usb-legacy.c | 1 drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 1 drivers/phy/qualcomm/phy-qcom-qmp-usbc.c | 1 drivers/powercap/intel_rapl_msr.c | 1 drivers/scsi/scsi_debug.c | 10 drivers/scsi/scsi_transport_fc.c | 4 drivers/soc/qcom/pmic_glink.c | 25 drivers/spi/spi-fsl-dspi.c | 6 drivers/spi/spi-geni-qcom.c | 8 drivers/staging/iio/frequency/ad9832.c | 7 drivers/thermal/intel/int340x_thermal/processor_thermal_rapl.c | 70 -- drivers/thunderbolt/retimer.c | 5 drivers/thunderbolt/tb.c | 48 + drivers/ufs/core/ufshcd.c | 2 drivers/usb/host/xhci-pci.c | 6 drivers/usb/host/xhci-ring.c | 16 drivers/usb/phy/phy.c | 2 drivers/usb/typec/class.c | 1 drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 10 drivers/usb/typec/tcpm/tcpm.c | 10 fs/afs/dir.c | 25 fs/afs/dir_edit.c | 91 +++ fs/afs/internal.h | 2 fs/btrfs/bio.c | 62 -- fs/btrfs/bio.h | 3 fs/btrfs/defrag.c | 10 fs/btrfs/extent_map.c | 7 fs/btrfs/volumes.c | 1 fs/dax.c | 45 - fs/iomap/buffered-io.c | 7 fs/nfs/delegation.c | 5 fs/nfsd/nfs4proc.c | 8 fs/nilfs2/namei.c | 3 fs/nilfs2/page.c | 1 fs/ntfs3/file.c | 9 fs/ntfs3/frecord.c | 4 fs/ntfs3/inode.c | 15 fs/ntfs3/lznt.c | 3 fs/ntfs3/namei.c | 2 fs/ntfs3/ntfs_fs.h | 2 fs/ntfs3/record.c | 31 - fs/ocfs2/file.c | 8 fs/smb/client/cifs_unicode.c | 17 fs/smb/client/reparse.c | 174 +++++ fs/smb/client/reparse.h | 9 fs/smb/client/smb2inode.c | 3 fs/smb/client/smb2proto.h | 1 fs/userfaultfd.c | 28 fs/xfs/xfs_filestream.c | 23 fs/xfs/xfs_trace.h | 15 include/acpi/cppc_acpi.h | 2 include/drm/drm_kunit_helpers.h | 4 include/linux/bpf_mem_alloc.h | 3 include/linux/compiler-gcc.h | 4 include/linux/device.h | 3 include/linux/dpll.h | 15 include/linux/input.h | 10 include/linux/iomap.h | 19 include/linux/ksm.h | 10 include/linux/mmzone.h | 7 include/linux/rcutiny.h | 5 include/linux/rcutree.h | 1 include/linux/tick.h | 8 include/linux/ubsan.h | 5 include/linux/userfaultfd_k.h | 5 include/net/ip_tunnels.h | 2 include/trace/events/afs.h | 7 include/uapi/linux/dpll.h | 3 io_uring/rw.c | 23 kernel/bpf/cgroup.c | 19 kernel/bpf/helpers.c | 21 kernel/bpf/lpm_trie.c | 2 kernel/bpf/memalloc.c | 14 kernel/bpf/verifier.c | 9 kernel/cgroup/cgroup.c | 4 kernel/fork.c | 14 kernel/rcu/tree.c | 118 +++- kernel/resource.c | 4 kernel/sched/fair.c | 4 lib/Kconfig.ubsan | 4 lib/codetag.c | 3 lib/iov_iter.c | 6 lib/slub_kunit.c | 2 mm/kasan/kasan_test.c | 27 mm/migrate.c | 2 mm/mmap.c | 3 mm/page_alloc.c | 10 mm/rmap.c | 24 mm/shmem.c | 2 mm/shrinker.c | 8 mm/vmscan.c | 109 ++- net/bluetooth/hci_sync.c | 18 net/bpf/test_run.c | 1 net/core/dev.c | 4 net/core/rtnetlink.c | 4 net/core/sock_map.c | 4 net/ipv4/ip_tunnel.c | 2 net/ipv6/netfilter/nf_reject_ipv6.c | 15 net/mac80211/Kconfig | 2 net/mac80211/cfg.c | 3 net/mac80211/key.c | 42 - net/mptcp/protocol.c | 2 net/netfilter/nft_payload.c | 3 net/netfilter/x_tables.c | 2 net/sched/cls_api.c | 1 net/sched/sch_api.c | 2 net/sunrpc/xprtrdma/ib_client.c | 1 net/wireless/core.c | 1 rust/kernel/device.rs | 15 rust/kernel/firmware.rs | 2 sound/pci/hda/patch_realtek.c | 23 sound/soc/codecs/cs42l51.c | 7 sound/soc/soc-dapm.c | 2 sound/usb/mixer_quirks.c | 3 tools/mm/page-types.c | 9 tools/mm/slabinfo.c | 4 tools/perf/util/python.c | 3 tools/perf/util/syscalltbl.c | 10 tools/testing/cxl/test/cxl.c | 14 tools/testing/selftests/mm/uffd-common.c | 5 tools/testing/selftests/mm/uffd-common.h | 3 tools/testing/selftests/mm/uffd-unit-tests.c | 21 tools/usb/usbip/src/usbip_detach.c | 1 280 files changed, 2925 insertions(+), 1075 deletions(-) Abel Vesa (1): arm64: dts: qcom: x1e80100: Add Broadcast_AND region in LLCC block Akshata Jahagirdar (1): drm/xe/xe2: Introduce performance changes Aleksei Vetrov (1): ASoC: dapm: fix bounds checker error in dapm_widget_list_create Alex Deucher (4): drm/amdgpu/smu13: fix profile reporting drm/amdgpu/swsmu: fix ordering for setting workload_mask drm/amdgpu/swsmu: default to fullscreen 3D profile for dGPUs drm/amdgpu: handle default profile on on devices without fullscreen 3D Alexander Usyskin (1): mei: use kvmalloc for read buffer Alexandre Ghiti (1): riscv: vdso: Prevent the compiler from inserting calls to memset() Amit Cohen (3): mlxsw: spectrum_ptp: Add missing verification before pushing Tx header mlxsw: pci: Sync Rx buffers for CPU mlxsw: pci: Sync Rx buffers for device Amit Sunil Dhamne (1): usb: typec: tcpm: restrict SNK_WAIT_CAPABILITIES_TIMEOUT transitions to non self-powered devices Andrew Ballance (1): fs/ntfs3: Check if more than chunk-size bytes are written Andrey Konovalov (1): kasan: remove vmalloc_percpu test Andrzej Kacprowski (1): accel/ivpu: Fix NOC firewall interrupt handling Andy Shevchenko (1): gpio: sloppy-logic-analyzer: Check for error code from devm_mutex_init() call Arkadiusz Kubalewski (3): dpll: add Embedded SYNC feature for a pin ice: add callbacks for Embedded SYNC enablement on dpll pins ice: fix crash on probe for DPLL enabled E810 LOM Arnaldo Carvalho de Melo (1): perf python: Fix up the build on architectures without HAVE_KVM_STAT_SUPPORT Basavaraj Natikar (1): xhci: Use pm_runtime_get to prevent RPM on unsupported systems Ben Chuang (2): mmc: sdhci-pci-gli: GL9767: Fix low power mode on the set clock function mmc: sdhci-pci-gli: GL9767: Fix low power mode in the SD Express process Ben Hutchings (1): wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Benjamin Marzinski (1): scsi: scsi_transport_fc: Allow setting rport state to current state Benjamin Segall (1): posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone Benoît Monin (1): net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Bitterblue Smith (1): wifi: rtlwifi: rtl8192du: Don't claim USB ID 0bda:8171 Bjorn Andersson (1): soc: qcom: pmic_glink: Handle GLINK intent allocation rejections Boris Brezillon (3): drm/panthor: Fix firmware initialization on systems with a page size > 4k drm/panthor: Fail job creation when the group is dead drm/panthor: Report group as timedout when we fail to properly suspend Byeonguk Jeong (1): bpf: Fix out-of-bounds write in trie_get_next_key() Chen Ridong (2): mm: shrinker: avoid memleak in alloc_shrinker_info cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction Christoffer Sandberg (2): ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 Christoph Hellwig (3): iomap: improve shared block detection in iomap_unshare_iter iomap: turn iomap_want_unshare_iter into an inline function xfs: fix finding a last resort AG in xfs_filestream_pick_ag Christophe JAILLET (1): ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Chuck Lever (3): NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error rpcrdma: Always release the rpcrdma_device's xa_array Chun-Kuang Hu (1): drm/mediatek: Use cmdq_pkt_create() and cmdq_pkt_destroy() Chunyan Zhang (2): riscv: Remove unused GENERATING_ASM_OFFSETS riscv: Remove duplicated GET_RM Cong Wang (1): sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() Conor Dooley (3): firmware: microchip: auto-update: fix poll_complete() to not report spurious timeout errors riscv: dts: starfive: disable unused csi/camss nodes RISC-V: disallow gcc + rust builds Dai Ngo (1): NFS: remove revoked delegation from server's delegation list Dan Carpenter (2): drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy() drm/tegra: Fix NULL vs IS_ERR() check in probe() Dan Williams (4): cxl/port: Fix use-after-free, permit out-of-order decoder shutdown cxl/port: Fix CXL port initialization order when the subsystem is built-in cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() cxl/acpi: Ensure ports ready at cxl_acpi_probe() return Daniel Gabay (1): wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Daniel Golle (1): net: ethernet: mtk_wed: fix path of MT7988 WO firmware Daniel Palmer (1): net: amd: mvme147: Fix probe banner message Darrick J. Wong (4): iomap: don't bother unsharing delalloc extents iomap: share iomap_unshare_iter predicate code with fsdax fsdax: remove zeroing code from dax_unshare_iter fsdax: dax_unshare_iter needs to copy entire blocks David Howells (1): afs: Fix missing subdir edit when renamed between parent dirs David Sterba (1): MIPS: export __cmpxchg_small() Dimitri Sivanich (1): misc: sgi-gru: Don't disable preemption in GRU driver Dmitry Torokhov (2): Input: edt-ft5x06 - fix regmap leak when probe fails Input: fix regression when re-registering input handlers Dong Chenchen (1): netfilter: Fix use-after-free in get_info() E Shattow (1): riscv: dts: starfive: Update ethernet phy0 delay parameter values for Star64 Eduard Zingerman (1): bpf: Force checkpoint when jmp history is too long Edward Adam Davis (1): ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Edward Liaw (2): Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" Emmanuel Grumbach (3): wifi: iwlwifi: mvm: don't leak a link on AP removal wifi: iwlwifi: mvm: don't add default link in fw restart flow Revert "wifi: iwlwifi: remove retry loops in start" Eric Dumazet (1): netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() Fabien Parent (1): arm64: dts: qcom: msm8939: revert use of APCS mbox for RPM Faisal Hassan (1): xhci: Fix Link TRB DMA in command ring stopped completion event Felix Fietkau (2): wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Filipe Manana (2): btrfs: fix extent map merging not happening for adjacent extents btrfs: fix defrag not merging contiguous extents due to merged extent maps Florian Westphal (1): lib: alloc_tag_module_unload must wait for pending kfree_rcu calls Frank Li (1): spi: spi-fsl-dspi: Fix crash when not using GPIO chip select Frank Min (1): drm/amdgpu: fix random data corruption for sdma 7 Furong Xu (1): net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Gatlin Newhouse (1): x86/traps: Enable UBSAN traps on x86 Geert Uytterhoeven (2): mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING wifi: brcm80211: BRCM_TRACING should depend on TRACING Georgi Djakov (1): spi: geni-qcom: Fix boot warning related to pm_runtime and devres Gil Fine (1): thunderbolt: Honor TMU requirements in the domain when setting TMU mode Greg Kroah-Hartman (2): Revert "driver core: Fix uevent_show() vs driver detach race" Linux 6.11.7 Gregory Price (2): resource,kexec: walk_system_ram_res_rev must retain resource flags vmscan,migrate: fix page count imbalance on node stats when demoting pages Guilherme Giacomo Simoes (1): rust: device: change the from_raw() function Gustavo Sousa (1): drm/i915: Skip programming FIA link enable bits for MTL+ Haibo Chen (1): arm64: dts: imx8ulp: correct the flexspi compatible string Hans de Goede (1): ACPI: resource: Fold Asus Vivobook Pro N6506M* DMI quirks together Heinrich Schuchardt (1): riscv: efi: Set NX compat flag in PE/COFF header Hou Tao (3): bpf: Free dynamically allocated bits in bpf_iter_bits_destroy() bpf: Add bpf_mem_alloc_check_size() helper bpf: Check the validity of nr_words in bpf_iter_bits_new() Hsin-Te Yuan (1): drm/mediatek: Fix color format MACROs in OVL Hugh Dickins (1): iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP Ido Schimmel (3): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address Jan Schär (1): ALSA: usb-audio: Add quirks for Dell WD19 dock Jani Nikula (2): drm/i915: move rawclk from runtime to display runtime info drm/xe/display: drop unused rawclk_freq and RUNTIME_INFO() Jarkko Sakkinen (3): tpm: Return tpm2_sessions_init() when null key creation fails tpm: Rollback tpm2_load_null() tpm: Lazily flush the auth session Jason Gunthorpe (1): PCI: Fix pci_enable_acs() support for the ACS quirks Jason-JH.Lin (1): drm/mediatek: ovl: Remove the color format comment for ovl_fmt_convert() Javier Carrasco (4): usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes usb: typec: qcom-pmic-typec: fix missing fwnode removal in error path iio: light: veml6030: fix microlux value calculation Jens Axboe (1): io_uring/rw: fix missing NOWAIT check for O_DIRECT start write Jeongjun Park (1): mm: shmem: fix data-race in shmem_getattr() Jianbo Liu (1): macsec: Fix use-after-free while sending the offloading packet Jinjie Ruan (5): iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() drm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic() drm/tests: hdmi: Fix memory leaks in drm_display_mode_from_cea_vic() Jiri Slaby (1): perf trace: Fix non-listed archs in the syscalltbl routines Johan Hovold (11): phy: qcom: qmp-usb: fix NULL-deref on runtime suspend phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend phy: qcom: qmp-usbc: fix NULL-deref on runtime suspend gpiolib: fix debugfs newline separators gpiolib: fix debugfs dangling chip separator arm64: dts: qcom: x1e80100-yoga-slim7x: fix nvme regulator boot glitch arm64: dts: qcom: x1e80100-vivobook-s15: fix nvme regulator boot glitch arm64: dts: qcom: x1e80100: fix PCIe4 interconnect arm64: dts: qcom: x1e80100-qcp: fix nvme regulator boot glitch arm64: dts: qcom: x1e80100-crd: fix nvme regulator boot glitch arm64: dts: qcom: x1e80100: fix PCIe4 and PCIe6a PHY clocks Johannes Berg (2): wifi: cfg80211: clear wdev->cqm_config pointer on free wifi: iwlwifi: mvm: fix 6 GHz scan construction John Garry (1): scsi: scsi_debug: Fix do_device_access() handling of unexpected SG copy length Jouni Högander (1): drm/i915/psr: Prevent Panel Replay if CRC calculation is enabled Juha-Pekka Heikkila (1): drm/i915/display: Don't enable decompression on Xe2 with Tile4 Julien Stephan (1): dt-bindings: iio: adc: ad7380: fix ad7380-4 reference supply Kailang Yang (1): ALSA: hda/realtek: Limit internal Mic boost on Dell platform Keith Busch (2): nvme: module parameter to disable pi with offsets nvme: re-fix error-handling for io_uring nvme-passthrough Konrad Dybcio (1): arm64: dts: qcom: x1e80100: Fix up BAR spaces Konstantin Komarov (8): fs/ntfs3: Fix warning possible deadlock in ntfs_set_state fs/ntfs3: Stale inode instead of bad fs/ntfs3: Add rough attr alloc_size check fs/ntfs3: Fix possible deadlock in mi_read fs/ntfs3: Additional check in ni_clear() fs/ntfs3: Fix general protection fault in run_is_mapped_full fs/ntfs3: Additional check in ntfs_file_release fs/ntfs3: Sequential field availability check in mi_enum_attr() Leon Romanovsky (1): RDMA/cxgb4: Dump vendor specific QP details Ley Foon Tan (1): net: stmmac: dwmac4: Fix high address display by updating reg_space[] from register values Liankun Yang (1): drm/mediatek: Fix get efuse issue for MT8188 DPTX Lorenzo Stoakes (2): fork: do not invoke uffd on fork if error occurs fork: only invoke khugepaged, ksm hooks if no error Manikanta Pubbisetty (1): wifi: ath10k: Fix memory leak in management tx Marco Elver (1): kasan: Fix Software Tag-Based KASAN with GCC Matt Fleming (1): mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Matt Johnston (1): mctp i2c: handle NULL header address Matthew Auld (1): drm/i915: disable fbc due to Wa_16023588340 Matthew Brost (2): drm/xe: Add mmio read before GGTT invalidate drm/xe: Don't short circuit TDR on jobs not started Matthieu Baerts (NGI0) (1): mptcp: init: protect sched with rcu_read_lock Michal Wajdeczko (2): drm/xe: Fix register definition order in xe_regs.h drm/xe: Kill regs/xe_sriov_regs.h Mika Westerberg (1): thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan() Miquel Sabaté Solà (1): riscv: Prevent a bad reference count on CPU nodes Miri Korenblit (1): wifi: iwlwifi: mvm: really send iwl_txpower_constraints_cmd Mitul Golani (3): drm/i915/display: Cache adpative sync caps to use it later drm/i915/display: WA for Re-initialize dispcnlunitt1 xosc clock drm/i915/display/dp: Compute AS SDP when vrr is also enabled Naohiro Aota (1): btrfs: fix error propagation of split bios Ovidiu Bunea (1): Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35" Pablo Neira Ayuso (2): gtp: allow -1 to be specified as file description from userspace netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Pali Rohár (2): cifs: Improve creating native symlinks pointing to directory cifs: Fix creating native symlinks pointing to current or parent directory Patrisious Haddad (1): RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Paulo Alcantara (2): smb: client: fix parsing of device numbers smb: client: set correct device number on nfs reparse points Pedro Tammela (1): net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pei Xiao (1): slub/kunit: fix a WARNING due to unwrapped __kmalloc_cache_noprof Peter Wang (1): scsi: ufs: core: Fix another deadlock during RTC update Pierre Gondois (1): ACPI: CPPC: Make rmw_lock a raw_spin_lock Ping-Ke Shih (1): wifi: rtw89: pci: early chips only enable 36-bit DMA on specific PCI hosts Qu Wenruo (1): btrfs: merge btrfs_orig_bbio_end_io() into btrfs_bio_end_io() Remi Pommarel (1): wifi: ath11k: Fix invalid ring usage in full monitor mode Richard Zhu (1): phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check Ryusuke Konishi (2): nilfs2: fix kernel bug due to missing clearing of checked flag nilfs2: fix potential deadlock with newly created symlinks Sabyrzhan Tasbolatov (1): x86/traps: move kmsan check after instrumentation_begin Sai Teja Pottumuttu (1): drm/xe/xe2hpg: Introduce performance tuning changes for Xe2_HPG Selvin Xavier (2): RDMA/bnxt_re: Fix the usage of control path spin locks RDMA/bnxt_re: synchronize the qp-handle table array Shawn Wang (1): sched/numa: Fix the potential null pointer dereference in task_numa_work() Shekhar Chauhan (1): drm/xe/xe2: Add performance turning changes Shiju Jose (1): cxl/events: Fix Trace DRAM Event Record Sumeet Pawnikar (1): powercap: intel_rapl_msr: Add PL4 support for Arrowlake-U Sungwoo Kim (1): Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Suraj Kandpal (4): drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability drm/i915/hdcp: Add encoder check in hdcp2_get_capability drm/i915/dp: Clear VSC SDP during post ddi disable routine drm/i915/pps: Disable DPLS_GATING around pps sequence Tejas Upadhyay (4): drm/xe/xe2hpg: Add Wa_15016589081 drm/xe: Move enable host l2 VRAM post MCR init drm/xe: Define STATELESS_COMPRESSION_CTRL as mcr register drm/xe: Write all slices if its mcr register Thomas Zimmermann (1): drm/xe: Support 'nomodeset' kernel command-line option Toke Høiland-Jørgensen (1): bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled Tvrtko Ursulin (1): drm/amd/pm: Vangogh: Fix kernel memory out of bounds write Uladzislau Rezki (Sony) (2): rcu/kvfree: Add kvfree_rcu_barrier() API rcu/kvfree: Refactor kvfree_rcu_queue_batch() Ville Syrjälä (1): wifi: iwlegacy: Clear stale interrupts before resuming device Vitaliy Shevtsov (1): nvmet-auth: assign dh_key to NULL after kfree_sensitive Vladimir Oltean (1): net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext() Vlastimil Babka (1): mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes Wang Liang (1): net: fix crash when config small gso_max_size/gso_ipv4_max_size WangYuli (1): riscv: Use '%u' to format the output of 'cpu' Wladislav Wiebe (1): tools/mm: -Werror fixes in page-types/slabinfo Xinyu Zhang (1): block: fix sanity checks in blk_rq_map_user_bvec Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Xiu Jianfeng (1): cgroup: Fix potential overflow issue when checking max_depth Yu Zhao (2): mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() Yuanchu Xie (1): mm: multi-gen LRU: ignore non-leaf pmd_young for force_scan=true Yunhui Cui (1): RISC-V: ACPI: fix early_ioremap to early_memremap Zhang Rui (2): thermal: intel: int340x: processor: Remove MMIO RAPL CPU hotplug support thermal: intel: int340x: processor: Add MMIO RAPL PL4 support Zhiguo Jiang (1): mm: shrink skip folio mapped by an exiting process Zhihao Cheng (1): btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids() Zichen Xie (1): netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Zicheng Qu (2): staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Zijun Hu (1): usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou (1): usbip: tools: Fix detach_port() invalid port error path lei lu (1): ntfs3: Add bounds checking to mi_enum_attr()

7 months, 2 weeks

1
1
0 0

Linux 6.1.116

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.116 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/alpha/include/asm/pgtable.h | 2 arch/arc/include/asm/pgtable-bits-arcv2.h | 2 arch/arm/include/asm/pgtable-nommu.h | 2 arch/arm/include/asm/pgtable.h | 4 arch/arm64/include/asm/pgtable.h | 2 arch/arm64/mm/mmu.c | 47 - arch/arm64/mm/pageattr.c | 3 arch/csky/include/asm/pgtable.h | 3 arch/hexagon/include/asm/page.h | 7 arch/ia64/include/asm/pgtable.h | 16 arch/loongarch/include/asm/pgtable.h | 2 arch/loongarch/kernel/vdso.c | 28 arch/m68k/include/asm/pgtable_mm.h | 2 arch/m68k/include/asm/pgtable_no.h | 1 arch/microblaze/include/asm/pgtable.h | 3 arch/mips/include/asm/pgtable.h | 2 arch/nios2/include/asm/pgtable.h | 2 arch/openrisc/include/asm/pgtable.h | 2 arch/parisc/include/asm/pgtable.h | 15 arch/powerpc/include/asm/pgtable.h | 7 arch/riscv/include/asm/pgtable.h | 2 arch/riscv/kernel/asm-offsets.c | 2 arch/riscv/kernel/cpu-hotplug.c | 2 arch/riscv/kernel/efi-header.S | 2 arch/riscv/kernel/traps_misaligned.c | 2 arch/riscv/kernel/vdso/Makefile | 1 arch/s390/include/asm/io.h | 2 arch/s390/include/asm/pgtable.h | 2 arch/sh/include/asm/pgtable.h | 2 arch/sparc/include/asm/pgtable_32.h | 6 arch/sparc/mm/init_32.c | 3 arch/sparc/mm/init_64.c | 1 arch/um/include/asm/pgtable.h | 2 arch/x86/include/asm/nospec-branch.h | 11 arch/x86/include/asm/pgtable_32.h | 9 arch/x86/include/asm/pgtable_64.h | 1 arch/x86/mm/init_64.c | 41 - arch/xtensa/include/asm/pgtable.h | 2 block/blk-map.c | 4 drivers/acpi/cppc_acpi.c | 9 drivers/base/core.c | 13 drivers/base/module.c | 4 drivers/cpufreq/mediatek-cpufreq-hw.c | 14 drivers/cxl/acpi.c | 17 drivers/cxl/core/port.c | 26 drivers/cxl/cxl.h | 3 drivers/firmware/arm_sdei.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 drivers/iio/adc/ad7124.c | 2 drivers/iio/light/veml6030.c | 2 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 13 drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 drivers/infiniband/hw/cxgb4/provider.c | 1 drivers/infiniband/hw/mlx5/qp.c | 4 drivers/misc/sgi-gru/grukservices.c | 2 drivers/misc/sgi-gru/grumain.c | 4 drivers/misc/sgi-gru/grutlbpurge.c | 2 drivers/mtd/spi-nor/winbond.c | 7 drivers/net/ethernet/amd/mvme147.c | 7 drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.c | 119 ++- drivers/net/ethernet/mellanox/mlxsw/spectrum_ipip.h | 1 drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c | 7 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 drivers/net/gtp.c | 22 drivers/net/macsec.c | 3 drivers/net/mctp/mctp-i2c.c | 3 drivers/net/netdevsim/fib.c | 4 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 2 drivers/net/wireless/ath/ath11k/dp_rx.c | 7 drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 drivers/net/wireless/intel/iwlegacy/common.c | 15 drivers/net/wireless/intel/iwlegacy/common.h | 12 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 3 drivers/nvme/target/auth.c | 1 drivers/scsi/scsi_transport_fc.c | 4 drivers/staging/iio/frequency/ad9832.c | 7 drivers/tty/vt/vt.c | 2 drivers/usb/gadget/udc/dummy_hcd.c | 57 + drivers/usb/host/xhci-pci.c | 6 drivers/usb/host/xhci-ring.c | 16 drivers/usb/phy/phy.c | 2 drivers/usb/typec/class.c | 1 fs/afs/dir.c | 25 fs/afs/dir_edit.c | 91 ++ fs/afs/internal.h | 2 fs/dax.c | 45 - fs/iomap/buffered-io.c | 31 fs/nfs/delegation.c | 5 fs/nilfs2/namei.c | 3 fs/nilfs2/page.c | 1 fs/ntfs3/frecord.c | 4 fs/ntfs3/inode.c | 10 fs/ntfs3/lznt.c | 3 fs/ntfs3/namei.c | 2 fs/ntfs3/ntfs_fs.h | 2 fs/ocfs2/file.c | 8 fs/proc/kcore.c | 94 +- include/acpi/cppc_acpi.h | 2 include/linux/compiler-gcc.h | 12 include/linux/cpufreq.h | 34 include/linux/fs.h | 36 + include/linux/iomap.h | 19 include/linux/migrate.h | 1 include/net/ip_tunnels.h | 2 include/trace/events/afs.h | 240 ------ io_uring/io_uring.c | 11 io_uring/rw.c | 52 - kernel/bpf/cgroup.c | 19 kernel/bpf/lpm_trie.c | 2 kernel/cgroup/cgroup.c | 4 mm/huge_memory.c | 4 mm/internal.h | 13 mm/kasan/kasan_test.c | 27 mm/migrate.c | 636 ++++++++++++------ mm/page_alloc.c | 93 +- mm/shmem.c | 2 net/bluetooth/hci_sync.c | 18 net/core/dev.c | 4 net/ipv6/netfilter/nf_reject_ipv6.c | 15 net/mac80211/Kconfig | 2 net/mac80211/agg-tx.c | 4 net/mac80211/cfg.c | 3 net/mac80211/key.c | 42 - net/netfilter/nft_payload.c | 3 net/netfilter/x_tables.c | 2 net/sched/sch_api.c | 2 net/wireless/core.c | 1 sound/pci/hda/patch_realtek.c | 22 sound/soc/codecs/cs42l51.c | 7 sound/usb/mixer_quirks.c | 3 tools/testing/selftests/vm/hmm-tests.c | 2 tools/usb/usbip/src/usbip_detach.c | 1 138 files changed, 1421 insertions(+), 995 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix "task hung" problem Alex Hung (1): drm/amd/display: Skip on writeback when it's not applicable Alexander Gordeev (1): fs/proc/kcore.c: allow translation of physical memory addresses Alexandre Ghiti (1): riscv: vdso: Prevent the compiler from inserting calls to memset() Amir Goldstein (3): io_uring: rename kiocb_end_write() local helper fs: create kiocb_{start,end}_write() helpers io_uring: use kiocb_{start,end}_write() helpers Amit Cohen (1): mlxsw: spectrum_ptp: Add missing verification before pushing Tx header Andrew Ballance (1): fs/ntfs3: Check if more than chunk-size bytes are written Andrey Konovalov (2): usb: gadget: dummy_hcd: execute hrtimer callback in softirq context kasan: remove vmalloc_percpu test Baolin Wang (1): mm: migrate: try again if THP split is failed due to page refcnt Basavaraj Natikar (1): xhci: Use pm_runtime_get to prevent RPM on unsupported systems Ben Hutchings (1): wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Benjamin Marzinski (1): scsi: scsi_transport_fc: Allow setting rport state to current state Benoît Monin (1): net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Byeonguk Jeong (1): bpf: Fix out-of-bounds write in trie_get_next_key() Chen Ridong (1): cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction Christoffer Sandberg (1): ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 Christoph Hellwig (2): iomap: improve shared block detection in iomap_unshare_iter iomap: turn iomap_want_unshare_iter into an inline function Christophe JAILLET (1): ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Chunyan Zhang (2): riscv: Remove unused GENERATING_ASM_OFFSETS riscv: Remove duplicated GET_RM Dai Ngo (1): NFS: remove revoked delegation from server's delegation list Dan Williams (2): cxl/acpi: Move rescan to the workqueue cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() Daniel Gabay (1): wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Daniel Palmer (1): net: amd: mvme147: Fix probe banner message Darrick J. Wong (5): iomap: convert iomap_unshare_iter to use large folios iomap: don't bother unsharing delalloc extents iomap: share iomap_unshare_iter predicate code with fsdax fsdax: remove zeroing code from dax_unshare_iter fsdax: dax_unshare_iter needs to copy entire blocks David Howells (2): afs: Automatically generate trace tag enums afs: Fix missing subdir edit when renamed between parent dirs Dimitri Sivanich (1): misc: sgi-gru: Don't disable preemption in GRU driver Donet Tom (1): selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Dong Chenchen (1): netfilter: Fix use-after-free in get_info() Edward Adam Davis (1): ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Emmanuel Grumbach (1): wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Eric Dumazet (1): netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() Faisal Hassan (1): xhci: Fix Link TRB DMA in command ring stopped completion event Felix Fietkau (2): wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Furong Xu (1): net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Geert Uytterhoeven (2): mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman (2): Revert "driver core: Fix uevent_show() vs driver detach race" Linux 6.1.116 Gregory Price (1): vmscan,migrate: fix page count imbalance on node stats when demoting pages Hector Martin (1): cpufreq: Generalize of_perf_domain_get_sharing_cpumask phandle format Heinrich Schuchardt (1): riscv: efi: Set NX compat flag in PE/COFF header Huacai Chen (1): LoongArch: Fix build errors due to backported TIMENS Huang Ying (7): migrate: convert unmap_and_move() to use folios migrate: convert migrate_pages() to use folios migrate_pages: organize stats with struct migrate_pages_stats migrate_pages: separate hugetlb folios migration migrate_pages: restrict number of pages to migrate in batch migrate_pages: split unmap_and_move() to _unmap() and _move() migrate_pages_batch: fix statistics for longterm pin retry Ido Schimmel (4): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() mlxsw: spectrum_router: Add support for double entry RIFs mlxsw: spectrum_ipip: Rename Spectrum-2 ip6gre operations mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address Jan Schär (1): ALSA: usb-audio: Add quirks for Dell WD19 dock Javier Carrasco (2): usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() iio: light: veml6030: fix microlux value calculation Jens Axboe (1): io_uring/rw: fix missing NOWAIT check for O_DIRECT start write Jeongjun Park (2): mm: shmem: fix data-race in shmem_getattr() vt: prevent kernel-infoleak in con_font_get() Jianbo Liu (1): macsec: Fix use-after-free while sending the offloading packet Johannes Berg (2): wifi: cfg80211: clear wdev->cqm_config pointer on free wifi: iwlwifi: mvm: fix 6 GHz scan construction Kailang Yang (1): ALSA: hda/realtek: Limit internal Mic boost on Dell platform Kefeng Wang (1): mm: remove kern_addr_valid() completely Konstantin Komarov (4): fs/ntfs3: Fix warning possible deadlock in ntfs_set_state fs/ntfs3: Stale inode instead of bad fs/ntfs3: Fix possible deadlock in mi_read fs/ntfs3: Additional check in ni_clear() Leon Romanovsky (1): RDMA/cxgb4: Dump vendor specific QP details Linus Torvalds (1): mm: avoid gcc complaint about pointer casting Lorenzo Stoakes (3): fs/proc/kcore: avoid bounce buffer for ktext data fs/proc/kcore: convert read_kcore() to read_kcore_iter() fs/proc/kcore: reinstate bounce buffer for KCORE_TEXT regions Manikanta Pubbisetty (1): wifi: ath10k: Fix memory leak in management tx Marcello Sylvester Bauer (2): usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler usb: gadget: dummy_hcd: Set transfer interval to 1 microframe Marco Elver (1): kasan: Fix Software Tag-Based KASAN with GCC Matt Fleming (1): mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Matt Johnston (1): mctp i2c: handle NULL header address Mel Gorman (5): mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE mm/page_alloc: treat RT tasks similar to __GFP_HIGH mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags mm/page_alloc: explicitly define what alloc flags deplete min reserves mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves Michael Walle (1): mtd: spi-nor: winbond: fix w25q128 regression Miguel Ojeda (2): compiler-gcc: be consistent with underscores use for `no_sanitize` compiler-gcc: remove attribute support check for `__no_sanitize_address__` Miquel Sabaté Solà (1): cpufreq: Avoid a bad reference count on CPU node Pablo Neira Ayuso (2): gtp: allow -1 to be specified as file description from userspace netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Patrisious Haddad (1): RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Pavel Begunkov (1): io_uring: always lock __io_cqring_overflow_flush Pawan Gupta (1): x86/bugs: Use code segment selector for VERW operand Pedro Tammela (1): net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pierre Gondois (1): ACPI: CPPC: Make rmw_lock a raw_spin_lock Remi Pommarel (1): wifi: ath11k: Fix invalid ring usage in full monitor mode Ryusuke Konishi (2): nilfs2: fix potential deadlock with newly created symlinks nilfs2: fix kernel bug due to missing clearing of checked flag Selvin Xavier (1): RDMA/bnxt_re: synchronize the qp-handle table array Srinivasan Shanmugam (1): drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing Sungwoo Kim (1): Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Ville Syrjälä (1): wifi: iwlegacy: Clear stale interrupts before resuming device Vitaliy Shevtsov (1): nvmet-auth: assign dh_key to NULL after kfree_sensitive WangYuli (1): riscv: Use '%u' to format the output of 'cpu' Xinyu Zhang (1): block: fix sanity checks in blk_rq_map_user_bvec Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Xiu Jianfeng (1): cgroup: Fix potential overflow issue when checking max_depth Yang Li (1): mm/migrate.c: stop using 0 as NULL pointer Zichen Xie (1): netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Zicheng Qu (2): staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Zijun Hu (1): usb: phy: Fix API devm_usb_put_phy() can not release the phy Zong-Zhe Yang (1): wifi: mac80211: fix NULL dereference at band check in starting tx ba session Zongmin Zhou (1): usbip: tools: Fix detach_port() invalid port error path

7 months, 2 weeks

1
1
0 0

Linux 5.15.171

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.171 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/riscv/kernel/asm-offsets.c | 2 arch/riscv/kernel/cpu-hotplug.c | 2 arch/riscv/kernel/efi-header.S | 2 arch/riscv/kernel/traps_misaligned.c | 2 arch/riscv/kernel/vdso/Makefile | 1 arch/x86/include/asm/nospec-branch.h | 11 + drivers/acpi/cppc_acpi.c | 9 - drivers/acpi/prmt.c | 33 ++- drivers/base/core.c | 13 - drivers/base/module.c | 4 drivers/firmware/arm_sdei.c | 2 drivers/gpu/drm/drm_mipi_dsi.c | 2 drivers/gpu/drm/i915/gem/i915_gem_context.c | 24 ++ drivers/iio/adc/ad7124.c | 2 drivers/iio/light/veml6030.c | 2 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 13 + drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 drivers/infiniband/hw/cxgb4/provider.c | 1 drivers/infiniband/hw/mlx5/qp.c | 4 drivers/misc/sgi-gru/grukservices.c | 2 drivers/misc/sgi-gru/grumain.c | 4 drivers/misc/sgi-gru/grutlbpurge.c | 2 drivers/net/ethernet/amd/mvme147.c | 7 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 ++ drivers/net/gtp.c | 22 +- drivers/net/netdevsim/fib.c | 4 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 2 drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 drivers/net/wireless/intel/iwlegacy/common.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 3 drivers/scsi/scsi_transport_fc.c | 4 drivers/staging/iio/frequency/ad9832.c | 7 drivers/tty/vt/vt.c | 2 drivers/usb/host/xhci-pci.c | 6 drivers/usb/host/xhci-ring.c | 16 - drivers/usb/phy/phy.c | 2 drivers/usb/typec/class.c | 1 fs/ksmbd/mgmt/user_session.c | 26 ++- fs/ksmbd/mgmt/user_session.h | 4 fs/ksmbd/server.c | 2 fs/ksmbd/smb2pdu.c | 8 fs/nfs/delegation.c | 5 fs/nilfs2/namei.c | 3 fs/nilfs2/page.c | 1 fs/ntfs3/frecord.c | 4 fs/ntfs3/lznt.c | 3 fs/ntfs3/namei.c | 2 fs/ntfs3/ntfs_fs.h | 2 fs/ocfs2/file.c | 8 include/acpi/cppc_acpi.h | 2 include/net/ip_tunnels.h | 2 include/net/mac80211.h | 10 + include/trace/events/kmem.h | 14 + kernel/bpf/lpm_trie.c | 2 kernel/cgroup/cgroup.c | 4 mm/internal.h | 13 + mm/page_alloc.c | 183 +++++++++++++--------- mm/shmem.c | 2 net/core/dev.c | 4 net/mac80211/Kconfig | 2 net/mac80211/cfg.c | 3 net/mac80211/ieee80211_i.h | 3 net/mac80211/key.c | 42 +++-- net/mac80211/mlme.c | 14 + net/mac80211/util.c | 45 ++++- net/netfilter/nft_payload.c | 3 net/netfilter/x_tables.c | 2 net/sched/sch_api.c | 2 sound/soc/codecs/cs42l51.c | 7 tools/testing/selftests/vm/hmm-tests.c | 2 tools/usb/usbip/src/usbip_detach.c | 1 75 files changed, 478 insertions(+), 227 deletions(-) Alexandre Ghiti (1): riscv: vdso: Prevent the compiler from inserting calls to memset() Andrew Ballance (1): fs/ntfs3: Check if more than chunk-size bytes are written Aubrey Li (1): ACPI: PRM: Remove unnecessary blank lines Basavaraj Natikar (1): xhci: Use pm_runtime_get to prevent RPM on unsupported systems Benjamin Marzinski (1): scsi: scsi_transport_fc: Allow setting rport state to current state Benoît Monin (1): net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Byeonguk Jeong (1): bpf: Fix out-of-bounds write in trie_get_next_key() Christophe JAILLET (1): ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Chunyan Zhang (2): riscv: Remove unused GENERATING_ASM_OFFSETS riscv: Remove duplicated GET_RM Dai Ngo (1): NFS: remove revoked delegation from server's delegation list Daniel Gabay (1): wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Daniel Palmer (1): net: amd: mvme147: Fix probe banner message Dimitri Sivanich (1): misc: sgi-gru: Don't disable preemption in GRU driver Donet Tom (1): selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Dong Chenchen (1): netfilter: Fix use-after-free in get_info() Edward Adam Davis (1): ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Emmanuel Grumbach (1): wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Eric Dumazet (1): mm/page_alloc: call check_new_pages() while zone spinlock is not held Faisal Hassan (1): xhci: Fix Link TRB DMA in command ring stopped completion event Felix Fietkau (2): wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Furong Xu (1): net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Geert Uytterhoeven (2): mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman (2): Revert "driver core: Fix uevent_show() vs driver detach race" Linux 5.15.171 Heinrich Schuchardt (1): riscv: efi: Set NX compat flag in PE/COFF header Ido Schimmel (1): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Jason-JH.Lin (1): Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Javier Carrasco (2): usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() iio: light: veml6030: fix microlux value calculation Jeongjun Park (2): mm: shmem: fix data-race in shmem_getattr() vt: prevent kernel-infoleak in con_font_get() Johannes Berg (3): mac80211: do drv_reconfig_complete() before restarting all wifi: iwlwifi: mvm: fix 6 GHz scan construction mac80211: always have ieee80211_sta_restart() Koba Ko (1): ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Konstantin Komarov (3): fs/ntfs3: Fix warning possible deadlock in ntfs_set_state fs/ntfs3: Fix possible deadlock in mi_read fs/ntfs3: Additional check in ni_clear() Leon Romanovsky (1): RDMA/cxgb4: Dump vendor specific QP details Manikanta Pubbisetty (1): wifi: ath10k: Fix memory leak in management tx Matt Fleming (1): mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Mel Gorman (6): mm/page_alloc: split out buddy removal code from rmqueue into separate helper mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE mm/page_alloc: treat RT tasks similar to __GFP_HIGH mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags mm/page_alloc: explicitly define what alloc flags deplete min reserves mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves Namjae Jeon (1): ksmbd: fix user-after-free from session log off Pablo Neira Ayuso (2): gtp: allow -1 to be specified as file description from userspace netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Patrisious Haddad (1): RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Pawan Gupta (1): x86/bugs: Use code segment selector for VERW operand Pedro Tammela (1): net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pierre Gondois (1): ACPI: CPPC: Make rmw_lock a raw_spin_lock Rob Clark (1): drm/i915: Fix potential context UAFs Ryusuke Konishi (2): nilfs2: fix potential deadlock with newly created symlinks nilfs2: fix kernel bug due to missing clearing of checked flag Selvin Xavier (1): RDMA/bnxt_re: synchronize the qp-handle table array Sudeep Holla (1): ACPI: PRM: Change handler_addr type to void pointer Ville Syrjälä (1): wifi: iwlegacy: Clear stale interrupts before resuming device WangYuli (1): riscv: Use '%u' to format the output of 'cpu' Wonhyuk Yang (1): mm/page_alloc: fix tracepoint mm_page_alloc_zone_locked() Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Xiu Jianfeng (1): cgroup: Fix potential overflow issue when checking max_depth Youghandhar Chintala (1): mac80211: Add support to trigger sta disconnect on hardware restart Zichen Xie (1): netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Zicheng Qu (2): staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Zijun Hu (1): usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou (1): usbip: tools: Fix detach_port() invalid port error path

7 months, 2 weeks

1
1
0 0

Linux 5.10.229

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.229 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 arch/arm64/Makefile | 2 arch/arm64/include/asm/uprobes.h | 12 - arch/arm64/kernel/probes/uprobes.c | 4 arch/riscv/kernel/asm-offsets.c | 2 arch/riscv/kernel/cpu-hotplug.c | 2 arch/riscv/kernel/efi-header.S | 2 arch/riscv/kernel/traps_misaligned.c | 2 arch/riscv/kernel/vdso/Makefile | 1 arch/s390/include/asm/perf_event.h | 1 arch/s390/kvm/gaccess.c | 162 ++++++++++++++---------- arch/s390/kvm/gaccess.h | 14 +- arch/x86/include/asm/nospec-branch.h | 11 + arch/x86/kvm/svm/nested.c | 6 block/bfq-iosched.c | 33 ++-- drivers/acpi/button.c | 11 + drivers/acpi/resource.c | 7 + drivers/base/core.c | 13 - drivers/base/module.c | 4 drivers/firmware/arm_sdei.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +- drivers/gpu/drm/drm_gem_shmem_helper.c | 5 drivers/gpu/drm/drm_mipi_dsi.c | 2 drivers/gpu/drm/msm/dsi/dsi_host.c | 2 drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 + drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 drivers/iio/light/veml6030.c | 2 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 15 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 --- drivers/infiniband/hw/cxgb4/cm.c | 9 - drivers/infiniband/hw/cxgb4/provider.c | 1 drivers/infiniband/hw/mlx5/qp.c | 4 drivers/misc/sgi-gru/grukservices.c | 2 drivers/misc/sgi-gru/grumain.c | 4 drivers/misc/sgi-gru/grutlbpurge.c | 2 drivers/net/ethernet/aeroflex/greth.c | 3 drivers/net/ethernet/amd/mvme147.c | 7 - drivers/net/ethernet/broadcom/bcmsysport.c | 1 drivers/net/ethernet/emulex/benet/be_main.c | 10 - drivers/net/ethernet/i825xx/sun3_82586.c | 1 drivers/net/ethernet/realtek/r8169_main.c | 4 drivers/net/gtp.c | 22 +-- drivers/net/hyperv/netvsc_drv.c | 30 ++++ drivers/net/macsec.c | 18 -- drivers/net/phy/dp83822.c | 4 drivers/net/usb/usbnet.c | 3 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 - drivers/net/wireless/ath/ath10k/wmi.c | 2 drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 drivers/net/wireless/intel/iwlegacy/common.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 ++- drivers/staging/iio/frequency/ad9832.c | 7 - drivers/target/target_core_device.c | 2 drivers/target/target_core_user.c | 2 drivers/tty/serial/serial_core.c | 16 +- drivers/tty/vt/vt.c | 2 drivers/usb/host/xhci-pci.c | 6 drivers/usb/host/xhci-ring.c | 16 +- drivers/usb/phy/phy.c | 2 drivers/usb/typec/class.c | 3 fs/cifs/smb2pdu.c | 9 + fs/exec.c | 21 +-- fs/iomap/direct-io.c | 18 +- fs/jfs/jfs_dmap.c | 2 fs/nfs/delegation.c | 5 fs/nilfs2/namei.c | 3 fs/nilfs2/page.c | 7 - fs/ocfs2/file.c | 8 + fs/open.c | 2 include/linux/compiler-gcc.h | 12 - include/linux/mm.h | 2 include/net/genetlink.h | 3 include/net/ip_tunnels.h | 2 include/net/mac80211.h | 10 + include/net/xfrm.h | 28 ++-- kernel/bpf/lpm_trie.c | 2 kernel/cgroup/cgroup.c | 4 kernel/time/posix-clock.c | 6 kernel/trace/trace_probe.c | 2 mm/memory.c | 70 +++++++--- mm/shmem.c | 2 net/bluetooth/bnep/core.c | 3 net/core/dev.c | 17 ++ net/ipv4/devinet.c | 35 +++-- net/ipv4/xfrm4_policy.c | 40 ++--- net/ipv6/xfrm6_policy.c | 31 ++-- net/l2tp/l2tp_netlink.c | 4 net/mac80211/Kconfig | 2 net/mac80211/cfg.c | 3 net/mac80211/ieee80211_i.h | 3 net/mac80211/key.c | 42 +++--- net/mac80211/mlme.c | 14 +- net/mac80211/util.c | 45 +++++- net/netfilter/nft_payload.c | 3 net/netlink/genetlink.c | 28 ++-- net/sched/sch_api.c | 2 net/sched/sch_taprio.c | 3 net/smc/smc_pnet.c | 2 net/wireless/nl80211.c | 8 - net/xfrm/xfrm_device.c | 11 + net/xfrm/xfrm_policy.c | 50 +++++-- net/xfrm/xfrm_user.c | 6 security/selinux/selinuxfs.c | 27 ++-- sound/firewire/amdtp-stream.c | 3 sound/pci/hda/patch_realtek.c | 48 ++++--- sound/soc/codecs/cs42l51.c | 7 - sound/soc/fsl/fsl_sai.c | 5 sound/soc/fsl/fsl_sai.h | 1 sound/soc/qcom/lpass-cpu.c | 2 tools/testing/selftests/vm/hmm-tests.c | 2 tools/usb/usbip/src/usbip_detach.c | 1 115 files changed, 789 insertions(+), 471 deletions(-) Aleksa Sarai (1): openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Alexandre Ghiti (1): riscv: vdso: Prevent the compiler from inserting calls to memset() Andrey Shumilin (1): ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Anumula Murali Mohan Reddy (1): RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Basavaraj Natikar (1): xhci: Use pm_runtime_get to prevent RPM on unsupported systems Benoît Monin (1): net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Bhargava Chenna Marreddy (1): RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Byeonguk Jeong (1): bpf: Fix out-of-bounds write in trie_get_next_key() Christian Heusel (1): ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Christoph Hellwig (2): iomap: update ki_pos a little later in iomap_dio_complete mm: add remap_pfn_range_notrack Christophe JAILLET (1): ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Chunyan Zhang (2): riscv: Remove unused GENERATING_ASM_OFFSETS riscv: Remove duplicated GET_RM Dai Ngo (1): NFS: remove revoked delegation from server's delegation list Daniel Gabay (1): wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Daniel Palmer (1): net: amd: mvme147: Fix probe banner message Dave Kleikamp (1): jfs: Fix sanity check in dbMount Dimitri Sivanich (1): misc: sgi-gru: Don't disable preemption in GRU driver Dmitry Antipov (1): net: sched: fix use-after-free in taprio_change() Donet Tom (1): selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Edward Adam Davis (1): ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Emmanuel Grumbach (1): wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Eric Dumazet (1): genetlink: hold RCU in genlmsg_mcast() Eyal Birger (2): xfrm: extract dst lookup parameters into a struct xfrm: respect ip protocols rules criteria when performing dst lookups Faisal Hassan (1): xhci: Fix Link TRB DMA in command ring stopped completion event Felix Fietkau (2): wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Florian Klink (1): ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Geert Uytterhoeven (2): mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman (2): Revert "driver core: Fix uevent_show() vs driver detach race" Linux 5.10.229 Haiyang Zhang (1): hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Hans de Goede (1): drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Heiko Carstens (1): s390: Initialize psw mask in perf_arch_fetch_caller_regs() Heiner Kallweit (1): r8169: avoid unsolicited interrupts Heinrich Schuchardt (1): riscv: efi: Set NX compat flag in PE/COFF header Ido Schimmel (1): ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Janis Schoetterl-Glausch (3): KVM: s390: gaccess: Refactor gpa and length calculation KVM: s390: gaccess: Refactor access address range check KVM: s390: gaccess: Cleanup access to guest pages Jason-JH.Lin (1): Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Javier Carrasco (1): iio: light: veml6030: fix microlux value calculation Jeongjun Park (2): mm: shmem: fix data-race in shmem_getattr() vt: prevent kernel-infoleak in con_font_get() Jinjie Ruan (1): posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Jiri Slaby (SUSE) (1): serial: protect uart_port_dtr_rts() in uart_shutdown() too Johannes Berg (2): mac80211: do drv_reconfig_complete() before restarting all mac80211: always have ieee80211_sta_restart() Jonathan Marek (1): drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation José Relvas (1): ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Kailang Yang (1): ALSA: hda/realtek: Update default depop procedure Kalesh AP (2): RDMA/bnxt_re: Add a check for memory allocation RDMA/bnxt_re: Return more meaningful error Leo Yan (1): tracing: Consider the NULL character when validating the event length Leon Romanovsky (1): RDMA/cxgb4: Dump vendor specific QP details Li RongQing (1): net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Linus Torvalds (1): mm: avoid leaving partial pfn mappings around in error case Manikanta Pubbisetty (1): wifi: ath10k: Fix memory leak in management tx Marco Elver (1): kasan: Fix Software Tag-Based KASAN with GCC Mario Limonciello (1): drm/amd: Guard against bad data for ATIF ACPI method Mark Rutland (2): arm64: probes: Fix uprobes for big-endian kernels arm64: Force position-independent veneers Mateusz Guzik (1): exec: don't WARN for racy path_noexec check Michel Alex (1): net: phy: dp83822: Fix reset pin definitions Miguel Ojeda (2): compiler-gcc: be consistent with underscores use for `no_sanitize` compiler-gcc: remove attribute support check for `__no_sanitize_address__` Nico Boehr (1): KVM: s390: gaccess: Check if guest address is in memslot Oliver Neukum (1): net: usb: usbnet: fix name regression Pablo Neira Ayuso (2): gtp: allow -1 to be specified as file description from userspace netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Patrisious Haddad (1): RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Paul Moore (1): selinux: improve error checking in sel_write_load() Paulo Alcantara (1): smb: client: fix OOBs when building SMB2_IOCTL request Pawan Gupta (1): x86/bugs: Use code segment selector for VERW operand Pedro Tammela (1): net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Ryusuke Konishi (3): nilfs2: fix kernel bug due to missing clearing of buffer delay flag nilfs2: fix potential deadlock with newly created symlinks nilfs2: fix kernel bug due to missing clearing of checked flag Sabrina Dubroca (2): macsec: don't increment counters for an unrelated SA xfrm: validate new SA's prefixlen using SA family when sel.family is unset Saravanan Vajravel (1): RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Sean Christopherson (1): KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Selvin Xavier (1): RDMA/bnxt_re: synchronize the qp-handle table array Shengjiu Wang (1): ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Shubham Panwar (1): ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Thadeu Lima de Souza Cascardo (1): usb: typec: altmode should keep reference to parent Ville Syrjälä (1): wifi: iwlegacy: Clear stale interrupts before resuming device Wachowski, Karol (1): drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Wang Hai (5): net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: systemport: fix potential memory leak in bcm_sysport_xmit() scsi: target: core: Fix null-ptr-deref in target_alloc_device() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() WangYuli (1): riscv: Use '%u' to format the output of 'cpu' Xin Long (2): ipv4: give an IPv4 dev to blackhole_netdev net: support ip generic csum processing in skb_csum_hwoffload_help Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Xiu Jianfeng (1): cgroup: Fix potential overflow issue when checking max_depth Ye Bin (1): Bluetooth: bnep: fix wild-memory-access in proto_unregister Youghandhar Chintala (1): mac80211: Add support to trigger sta disconnect on hardware restart Yu Kuai (1): block, bfq: fix procress reference leakage for bfqq in merge chain Zichen Xie (1): ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Zicheng Qu (1): staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Zijun Hu (1): usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou (1): usbip: tools: Fix detach_port() invalid port error path junhua huang (2): arm64:uprobe fix the uprobe SWBP_INSN in big-endian arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning

7 months, 2 weeks

1
1
0 0

Linux 5.4.285

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.285 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ .gitignore | 1 Documentation/IPMI.txt | 2 Documentation/admin-guide/kernel-parameters.txt | 10 Documentation/arm64/silicon-errata.rst | 4 Documentation/devicetree/bindings/gpu/samsung-rotator.txt | 28 Documentation/devicetree/bindings/gpu/samsung-rotator.yaml | 48 Makefile | 2 arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 arch/arm/boot/dts/imx7d-zii-rmu2.dts | 2 arch/arm/mach-realview/platsmp-dt.c | 1 arch/arm64/Kconfig | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 23 arch/arm64/include/asm/cputype.h | 4 arch/arm64/include/asm/uprobes.h | 12 arch/arm64/kernel/cpu_errata.c | 2 arch/arm64/kernel/probes/decode-insn.c | 16 arch/arm64/kernel/probes/simulate-insn.c | 18 arch/arm64/kernel/probes/uprobes.c | 4 arch/microblaze/mm/init.c | 5 arch/parisc/kernel/entry.S | 6 arch/parisc/kernel/syscall.S | 14 arch/riscv/Kconfig | 5 arch/riscv/kernel/asm-offsets.c | 2 arch/riscv/kernel/perf_callchain.c | 2 arch/s390/include/asm/facility.h | 6 arch/s390/kernel/perf_cpum_sf.c | 12 arch/s390/kvm/diag.c | 2 arch/s390/kvm/gaccess.c | 162 arch/s390/kvm/gaccess.h | 14 arch/s390/mm/cmm.c | 18 arch/x86/include/asm/cpufeatures.h | 3 arch/x86/include/asm/syscall.h | 7 arch/x86/kernel/apic/apic.c | 14 arch/x86/kernel/cpu/mshyperv.c | 1 arch/x86/kernel/cpu/resctrl/core.c | 4 arch/x86/xen/setup.c | 2 block/bfq-iosched.c | 13 block/blk-rq-qos.c | 2 crypto/aead.c | 3 crypto/cipher.c | 3 drivers/acpi/acpica/dbconvert.c | 2 drivers/acpi/acpica/exprep.c | 3 drivers/acpi/acpica/psargs.c | 47 drivers/acpi/battery.c | 28 drivers/acpi/button.c | 11 drivers/acpi/device_sysfs.c | 5 drivers/acpi/ec.c | 55 drivers/acpi/pmic/tps68470_pmic.c | 6 drivers/acpi/resource.c | 27 drivers/ata/sata_sil.c | 12 drivers/base/bus.c | 6 drivers/base/core.c | 13 drivers/base/firmware_loader/main.c | 30 drivers/base/module.c | 4 drivers/block/aoe/aoecmd.c | 13 drivers/block/drbd/drbd_main.c | 6 drivers/block/drbd/drbd_state.c | 2 drivers/bluetooth/btmrvl_sdio.c | 16 drivers/bluetooth/btusb.c | 10 drivers/char/hw_random/mtk-rng.c | 2 drivers/char/tpm/tpm-dev-common.c | 2 drivers/char/tpm/tpm2-space.c | 3 drivers/char/virtio_console.c | 18 drivers/clk/bcm/clk-bcm53573-ilp.c | 2 drivers/clk/qcom/clk-rpmh.c | 33 drivers/clk/rockchip/clk-rk3228.c | 2 drivers/clk/rockchip/clk.c | 3 drivers/clk/ti/clk-dra7-atl.c | 1 drivers/clocksource/timer-qcom.c | 7 drivers/firmware/arm_sdei.c | 2 drivers/firmware/tegra/bpmp.c | 6 drivers/gpio/gpio-aspeed.c | 4 drivers/gpio/gpio-davinci.c | 8 drivers/gpio/gpiolib.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 26 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 drivers/gpu/drm/amd/display/modules/freesync/freesync.c | 2 drivers/gpu/drm/amd/include/atombios.h | 2 drivers/gpu/drm/arm/display/komeda/komeda_kms.c | 10 drivers/gpu/drm/drm_atomic_uapi.c | 2 drivers/gpu/drm/drm_crtc.c | 1 drivers/gpu/drm/drm_mipi_dsi.c | 2 drivers/gpu/drm/drm_print.c | 13 drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 8 drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 26 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 drivers/gpu/drm/msm/dsi/dsi_host.c | 2 drivers/gpu/drm/nouveau/nouveau_dmem.c | 2 drivers/gpu/drm/omapdrm/omap_drv.c | 5 drivers/gpu/drm/radeon/atombios.h | 2 drivers/gpu/drm/radeon/evergreen_cs.c | 62 drivers/gpu/drm/radeon/r100.c | 70 drivers/gpu/drm/radeon/radeon_atombios.c | 26 drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c | 2 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 drivers/gpu/drm/stm/drv.c | 4 drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 drivers/hid/hid-ids.h | 2 drivers/hid/hid-plantronics.c | 23 drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 2 drivers/hwmon/max16065.c | 5 drivers/hwmon/ntc_thermistor.c | 1 drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 drivers/i2c/busses/i2c-aspeed.c | 16 drivers/i2c/busses/i2c-i801.c | 9 drivers/i2c/busses/i2c-isch.c | 3 drivers/i2c/busses/i2c-qcom-geni.c | 59 drivers/i2c/busses/i2c-stm32f7.c | 6 drivers/i2c/busses/i2c-xiic.c | 19 drivers/iio/adc/Kconfig | 4 drivers/iio/adc/ad7606.c | 8 drivers/iio/adc/ad7606_spi.c | 5 drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 drivers/iio/dac/Kconfig | 2 drivers/iio/light/opt3001.c | 4 drivers/iio/magnetometer/ak8975.c | 32 drivers/iio/proximity/Kconfig | 2 drivers/infiniband/core/iwcm.c | 2 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 drivers/infiniband/hw/cxgb4/cm.c | 14 drivers/infiniband/hw/hns/hns_roce_hem.c | 10 drivers/infiniband/sw/rxe/rxe_comp.c | 6 drivers/input/keyboard/adp5589-keys.c | 13 drivers/input/rmi4/rmi_driver.c | 6 drivers/mailbox/bcm2835-mailbox.c | 3 drivers/mailbox/rockchip-mailbox.c | 2 drivers/media/common/videobuf2/videobuf2-core.c | 8 drivers/media/dvb-frontends/rtl2830.c | 2 drivers/media/dvb-frontends/rtl2832.c | 2 drivers/media/platform/qcom/venus/core.c | 1 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 drivers/misc/sgi-gru/grukservices.c | 2 drivers/misc/sgi-gru/grumain.c | 4 drivers/misc/sgi-gru/grutlbpurge.c | 2 drivers/misc/ti-st/st_core.c | 4 drivers/mtd/devices/powernv_flash.c | 3 drivers/mtd/devices/slram.c | 2 drivers/net/Kconfig | 64 drivers/net/caif/Kconfig | 36 drivers/net/ethernet/aeroflex/greth.c | 3 drivers/net/ethernet/amd/mvme147.c | 7 drivers/net/ethernet/broadcom/bcmsysport.c | 1 drivers/net/ethernet/cortina/gemini.c | 15 drivers/net/ethernet/emulex/benet/be_main.c | 10 drivers/net/ethernet/faraday/ftgmac100.c | 26 drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/freescale/fs_enet/Kconfig | 8 drivers/net/ethernet/hisilicon/hip04_eth.c | 1 drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 drivers/net/ethernet/hisilicon/hns_mdio.c | 1 drivers/net/ethernet/i825xx/sun3_82586.c | 1 drivers/net/ethernet/ibm/emac/mal.c | 2 drivers/net/ethernet/intel/ice/ice_sched.c | 6 drivers/net/ethernet/intel/ice/ice_switch.c | 4 drivers/net/ethernet/intel/igb/igb_main.c | 4 drivers/net/ethernet/jme.c | 10 drivers/net/ethernet/lantiq_etop.c | 4 drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 5 drivers/net/ethernet/realtek/r8169_main.c | 35 drivers/net/ethernet/seeq/ether3.c | 2 drivers/net/gtp.c | 27 drivers/net/hyperv/netvsc_drv.c | 30 drivers/net/ieee802154/Kconfig | 13 drivers/net/ieee802154/mcr20a.c | 5 drivers/net/macsec.c | 18 drivers/net/phy/vitesse.c | 14 drivers/net/ppp/ppp_async.c | 2 drivers/net/slip/slhc.c | 57 drivers/net/usb/cdc_ncm.c | 8 drivers/net/usb/ipheth.c | 5 drivers/net/usb/usbnet.c | 3 drivers/net/wireless/ath/Kconfig | 12 drivers/net/wireless/ath/ar5523/Kconfig | 14 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 2 drivers/net/wireless/ath/ath9k/Kconfig | 58 drivers/net/wireless/ath/ath9k/debug.c | 6 drivers/net/wireless/ath/ath9k/hif_usb.c | 6 drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 drivers/net/wireless/atmel/Kconfig | 42 drivers/net/wireless/intel/iwlegacy/common.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 8 drivers/net/wireless/marvell/mwifiex/fw.h | 2 drivers/net/wireless/marvell/mwifiex/scan.c | 3 drivers/net/wireless/ralink/rt2x00/Kconfig | 44 drivers/net/wireless/realtek/rtw88/Kconfig | 1 drivers/net/wireless/realtek/rtw88/rtw8822c.c | 10 drivers/net/wireless/ti/wl12xx/Kconfig | 8 drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 drivers/nvdimm/nd_virtio.c | 9 drivers/of/irq.c | 38 drivers/parport/procfs.c | 22 drivers/pci/controller/dwc/pci-keystone.c | 2 drivers/pci/controller/pcie-xilinx-nwl.c | 24 drivers/pci/quirks.c | 8 drivers/pinctrl/mvebu/pinctrl-dove.c | 42 drivers/pinctrl/pinctrl-at91.c | 5 drivers/pinctrl/pinctrl-single.c | 3 drivers/power/reset/brcmstb-reboot.c | 3 drivers/power/supply/axp20x_battery.c | 31 drivers/power/supply/max17042_battery.c | 5 drivers/pps/clients/pps_parport.c | 14 drivers/reset/reset-berlin.c | 3 drivers/rtc/rtc-at91sam9.c | 1 drivers/s390/char/sclp_vt220.c | 4 drivers/scsi/aacraid/aacraid.h | 2 drivers/soc/versatile/soc-integrator.c | 1 drivers/soc/versatile/soc-realview.c | 20 drivers/soundwire/stream.c | 8 drivers/spi/spi-bcm63xx.c | 2 drivers/spi/spi-nxp-fspi.c | 5 drivers/spi/spi-ppc4xx.c | 7 drivers/spi/spi-s3c64xx.c | 4 drivers/staging/iio/frequency/ad9832.c | 7 drivers/staging/wilc1000/wilc_hif.c | 4 drivers/target/target_core_user.c | 2 drivers/tty/serial/rp2.c | 2 drivers/tty/vt/vt.c | 2 drivers/usb/chipidea/udc.c | 8 drivers/usb/class/cdc-acm.c | 2 drivers/usb/class/usbtmc.c | 2 drivers/usb/dwc2/platform.c | 26 drivers/usb/dwc3/core.c | 22 drivers/usb/dwc3/core.h | 4 drivers/usb/dwc3/gadget.c | 11 drivers/usb/host/xhci-pci.c | 5 drivers/usb/host/xhci-ring.c | 16 drivers/usb/host/xhci.h | 2 drivers/usb/misc/appledisplay.c | 15 drivers/usb/misc/cypress_cy7c63.c | 4 drivers/usb/misc/yurex.c | 5 drivers/usb/phy/phy.c | 2 drivers/usb/serial/option.c | 8 drivers/usb/serial/pl2303.c | 1 drivers/usb/serial/pl2303.h | 4 drivers/usb/storage/unusual_devs.h | 11 drivers/usb/typec/class.c | 3 drivers/video/fbdev/hpfb.c | 1 drivers/video/fbdev/pxafb.c | 1 drivers/video/fbdev/sis/sis_main.c | 2 drivers/watchdog/imx_sc_wdt.c | 24 drivers/xen/swiotlb-xen.c | 6 fs/btrfs/disk-io.c | 11 fs/btrfs/relocation.c | 2 fs/ceph/addr.c | 1 fs/cifs/smb2pdu.c | 9 fs/erofs/decompressor.c | 24 fs/exec.c | 3 fs/ext4/extents.c | 5 fs/ext4/ialloc.c | 2 fs/ext4/inline.c | 35 fs/ext4/inode.c | 11 fs/ext4/mballoc.c | 10 fs/ext4/migrate.c | 2 fs/ext4/namei.c | 14 fs/ext4/xattr.c | 4 fs/f2fs/acl.c | 23 fs/f2fs/dir.c | 3 fs/f2fs/f2fs.h | 4 fs/f2fs/file.c | 24 fs/f2fs/super.c | 4 fs/f2fs/xattr.c | 27 fs/fat/namei_vfat.c | 2 fs/fcntl.c | 14 fs/inode.c | 4 fs/jbd2/checkpoint.c | 14 fs/jbd2/commit.c | 36 fs/jbd2/journal.c | 2 fs/jfs/jfs_discard.c | 11 fs/jfs/jfs_dmap.c | 11 fs/jfs/jfs_imap.c | 2 fs/jfs/xattr.c | 2 fs/namespace.c | 23 fs/nfs/callback_xdr.c | 2 fs/nfs/nfs4state.c | 1 fs/nfsd/nfs4idmap.c | 13 fs/nfsd/nfs4recover.c | 8 fs/nfsd/nfs4state.c | 15 fs/nilfs2/btree.c | 12 fs/nilfs2/dir.c | 50 fs/nilfs2/namei.c | 42 fs/nilfs2/nilfs.h | 2 fs/nilfs2/page.c | 7 fs/ocfs2/aops.c | 5 fs/ocfs2/buffer_head_io.c | 4 fs/ocfs2/file.c | 8 fs/ocfs2/journal.c | 7 fs/ocfs2/localalloc.c | 19 fs/ocfs2/quota_local.c | 8 fs/ocfs2/refcounttree.c | 26 fs/ocfs2/xattr.c | 38 fs/proc/base.c | 61 fs/super.c | 3 fs/udf/inode.c | 9 fs/unicode/mkutf8data.c | 70 fs/unicode/utf8data.h_shipped | 6703 ++++------ include/drm/drm_print.h | 54 include/linux/fs.h | 2 include/linux/jbd2.h | 4 include/linux/pci_ids.h | 2 include/linux/skbuff.h | 5 include/net/genetlink.h | 3 include/net/mac80211.h | 24 include/net/sch_generic.h | 1 include/net/sock.h | 8 include/net/tcp.h | 21 include/trace/events/f2fs.h | 3 include/trace/events/sched.h | 84 include/uapi/linux/cec.h | 6 include/uapi/linux/netfilter/nf_tables.h | 2 kernel/bpf/arraymap.c | 3 kernel/bpf/devmap.c | 9 kernel/bpf/hashtab.c | 3 kernel/bpf/helpers.c | 4 kernel/bpf/lpm_trie.c | 2 kernel/cgroup/cgroup.c | 4 kernel/events/core.c | 6 kernel/events/uprobes.c | 2 kernel/kthread.c | 19 kernel/locking/lockdep.c | 215 kernel/resource.c | 58 kernel/signal.c | 11 kernel/time/posix-clock.c | 3 kernel/trace/trace.c | 18 kernel/trace/trace_kprobe.c | 76 kernel/trace/trace_output.c | 6 kernel/trace/trace_probe.c | 2 kernel/trace/trace_probe.h | 1 lib/debugobjects.c | 5 lib/xz/xz_crc32.c | 2 lib/xz/xz_private.h | 4 mm/shmem.c | 2 mm/slab_common.c | 7 mm/swapfile.c | 2 mm/util.c | 2 net/bluetooth/af_bluetooth.c | 1 net/bluetooth/bnep/core.c | 3 net/bluetooth/rfcomm/sock.c | 2 net/bridge/br_netfilter_hooks.c | 5 net/can/bcm.c | 4 net/can/j1939/transport.c | 8 net/core/dev.c | 29 net/core/sock_destructor.h | 12 net/core/sock_map.c | 1 net/dccp/proto.c | 2 net/ipv4/af_inet.c | 2 net/ipv4/devinet.c | 41 net/ipv4/fib_frontend.c | 2 net/ipv4/inet_connection_sock.c | 2 net/ipv4/inet_fragment.c | 70 net/ipv4/ip_fragment.c | 2 net/ipv4/ip_gre.c | 6 net/ipv4/netfilter/nf_dup_ipv4.c | 7 net/ipv4/tcp.c | 4 net/ipv4/tcp_diag.c | 4 net/ipv4/tcp_input.c | 31 net/ipv4/tcp_ipv4.c | 5 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 net/ipv6/netfilter/nf_dup_ipv6.c | 7 net/ipv6/netfilter/nf_reject_ipv6.c | 14 net/ipv6/tcp_ipv6.c | 2 net/l2tp/l2tp_netlink.c | 4 net/mac80211/cfg.c | 6 net/mac80211/ieee80211_i.h | 3 net/mac80211/iface.c | 32 net/mac80211/key.c | 44 net/mac80211/mlme.c | 14 net/mac80211/tx.c | 78 net/mac80211/util.c | 45 net/netfilter/nf_conntrack_netlink.c | 7 net/netfilter/nf_tables_api.c | 8 net/netfilter/nft_payload.c | 3 net/netlink/af_netlink.c | 3 net/netlink/genetlink.c | 28 net/qrtr/qrtr.c | 2 net/sched/em_meta.c | 4 net/sched/sch_api.c | 9 net/sched/sch_taprio.c | 7 net/sctp/diag.c | 4 net/sctp/socket.c | 24 net/tipc/bcast.c | 2 net/tipc/bearer.c | 8 net/wireless/nl80211.c | 11 net/wireless/scan.c | 6 net/wireless/sme.c | 3 net/xfrm/xfrm_user.c | 6 scripts/kconfig/merge_config.sh | 2 security/Kconfig | 32 security/selinux/selinuxfs.c | 31 security/smack/smackfs.c | 2 security/tomoyo/domain.c | 9 sound/core/init.c | 14 sound/firewire/amdtp-stream.c | 3 sound/pci/asihpi/hpimsgx.c | 2 sound/pci/hda/hda_generic.c | 4 sound/pci/hda/patch_conexant.c | 24 sound/pci/hda/patch_realtek.c | 125 sound/pci/rme9652/hdsp.c | 6 sound/pci/rme9652/hdspm.c | 6 sound/soc/au1x/db1200.c | 1 sound/soc/codecs/cs42l51.c | 7 sound/soc/codecs/tda7419.c | 1 sound/soc/meson/Kconfig | 4 sound/soc/meson/Makefile | 2 sound/soc/meson/axg-card.c | 406 sound/soc/meson/meson-card-utils.c | 385 sound/soc/meson/meson-card.h | 55 tools/iio/iio_generic_buffer.c | 4 tools/perf/builtin-sched.c | 8 tools/perf/util/time-utils.c | 4 tools/testing/ktest/ktest.pl | 2 tools/testing/selftests/bpf/map_tests/sk_storage_map.c | 2 tools/testing/selftests/bpf/prog_tests/flow_dissector.c | 1 tools/testing/selftests/bpf/prog_tests/tcp_rtt.c | 1 tools/testing/selftests/bpf/test_lru_map.c | 3 tools/testing/selftests/breakpoints/breakpoint_test_arm64.c | 2 tools/testing/selftests/breakpoints/step_after_suspend_test.c | 5 tools/testing/selftests/vDSO/parse_vdso.c | 3 tools/usb/usbip/src/usbip_detach.c | 1 virt/kvm/kvm_main.c | 5 437 files changed, 7154 insertions(+), 5445 deletions(-) Aaron Thompson (1): Bluetooth: Remove debugfs directory on module init failure Abhishek Pandit-Subedi (1): Bluetooth: btmrvl_sdio: Refactor irq wakeup Adrian Ratiu (1): proc: add config & param to block forcing mem writes Aleksander Jan Bajkowski (1): net: ethernet: lantiq_etop: fix memory disclosure Aleksandr Mishin (3): ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() drm/msm: Fix incorrect file name output in adreno_request_fw() ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Aleksandrs Vinarskis (1): ACPICA: iasl: handle empty connection_node Alex Bee (1): drm/rockchip: vop: Allow 4096px width scaling Alex Deucher (2): drm/amdgpu: properly handle vbios fake edid sizing drm/radeon: properly handle vbios fake edid sizing Alex Hung (2): drm/amd/display: Check stream before comparing them drm/amd/display: Initialize get_bytes_per_element's default to 1 Alex Williamson (1): PCI: Mark Creative Labs EMU20k2 INTx masking as broken Anastasia Kovaleva (1): net: Fix an unsafe loop on the list Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andrew Davis (1): power: reset: brcmstb: Do not go into infinite loop if reset fails Andrew Jones (1): of/irq: Support #msi-cells=<0> in of_msi_get_domain Andrey Shumilin (2): fbdev: sisfb: Fix strbuf array overflow ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Andrii Nakryiko (1): tracing/kprobes: Fix symbol counting logic by looking at modules as well Andy Roulin (1): netfilter: br_netfilter: fix panic with metadata_dst skb Andy Shevchenko (3): fs/namespace: fnic: Switch to use %ptTd spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ i2c: isch: Add missed 'else' Ankit Agrawal (1): clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() Anshuman Khandual (1): arm64: Add Cortex-715 CPU part definition Anthony Iliopoulos (1): mount: warn only once about timestamp range expiration Anton Danilov (1): ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Anumula Murali Mohan Reddy (1): RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Armin Wolf (4): ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook Arnd Bergmann (1): nfsd: use ktime_get_seconds() for timestamps Arseniy Krasnov (1): ASoC: meson: axg-card: fix 'use-after-free' Artem Sadovnikov (1): ext4: fix i_data_sem unlock order in ext4_ind_migrate() Artur Weber (1): power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense Baokun Li (4): ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Barnabás Czémán (1): iio: magnetometer: ak8975: Fix reading for ak099xx sensors Ben Dooks (1): spi: s3c64xx: fix timeout counters in flush_fifo Benjamin B. Frost (1): USB: serial: option: add support for Quectel EG916Q-GL Benoît Monin (1): net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Billy Tsai (2): gpio: aspeed: Add the flush write to ensure the write complete. gpio: aspeed: Use devm_clk api to manage clock source Bitterblue Smith (1): wifi: rtw88: 8822c: Fix reported RX band width Bob Pearson (1): RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt Breno Leitao (1): KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Byeonguk Jeong (1): bpf: Fix out-of-bounds write in trie_get_next_key() Chao Yu (4): f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() f2fs: fix to update i_ctime in __f2fs_setxattr() f2fs: remove unneeded check condition in __f2fs_setxattr() f2fs: reduce expensive checkpoint trigger frequency Charles Han (1): mtd: powernv: Add check devm_kasprintf() returned value Chen Yu (1): kthread: fix task state in kthread worker if being frozen Chris Morgan (1): power: supply: axp20x_battery: Remove design from min and max voltage Christian Heusel (1): ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Christoph Hellwig (1): fs: explicitly unregister per-superblock BDIs Christophe JAILLET (6): fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() drm/stm: Fix an error handling path in stm_drm_platform_probe() pps: remove usage of the deprecated ida_simple_xx() API iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() gtp: simplify error handling code in 'gtp_encap_enable()' Christophe Leroy (1): selftests: vDSO: fix vDSO symbols lookup for powerpc64 Chun-Yi Lee (1): aoe: fix the potential use-after-free problem in more places Chunyan Zhang (1): riscv: Remove unused GENERATING_ASM_OFFSETS Colin Ian King (1): r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Damien Le Moal (1): ata: sata_sil: Rename sil_blacklist to sil_quirks Dan Carpenter (2): PCI: keystone: Fix if-statement expression in ks_pcie_quirk() SUNRPC: Fix integer overflow in decode_rc_list() Daniel Borkmann (1): bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit Daniel Gabay (2): wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Daniel Jordan (1): ktest.pl: Avoid false positives with grub2 skip regex Daniel Palmer (1): net: amd: mvme147: Fix probe banner message Daniele Palmas (1): USB: serial: option: add Telit FN920C04 MBIM compositions Danilo Krummrich (1): mm: krealloc: consider spare memory for __GFP_ZERO Dave Ertman (1): ice: fix VLAN replay after reset Dave Kleikamp (1): jfs: Fix sanity check in dbMount David Gow (1): mm: only enforce minimum stack gap size if it's sensible David Lechner (1): clk: ti: dra7-atl: Fix leak of of_nodes Dimitri Sivanich (1): misc: sgi-gru: Don't disable preemption in GRU driver Dmitry Antipov (5): wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() net: sched: consistently use rcu_replace_pointer() in taprio_change() net: sched: fix use-after-free in taprio_change() Dmitry Kandybka (1): wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Edward Adam Davis (5): USB: usbtmc: prevent kernel-usb-infoleak jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree ext4: no need to continue when the number of entries is 1 ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Emanuele Ghidoli (1): gpio: davinci: fix lazy disable Emil Gedenryd (1): iio: light: opt3001: add missing full-scale range value Emmanuel Grumbach (2): wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Eric Dumazet (11): sock_map: Add a cond_resched() in sock_hash_free() netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() netfilter: nf_tables: prevent nf_skb_duplicated corruption net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() net/sched: accept TCA_STAB only for root qdisc net: annotate lockless accesses to sk->sk_ack_backlog net: annotate lockless accesses to sk->sk_max_ack_backlog ppp: fix ppp_async_encode() illegal access slip: make slhc_remember() more robust against malicious packets genetlink: hold RCU in genlmsg_mcast() Faisal Hassan (1): xhci: Fix Link TRB DMA in command ring stopped completion event Felix Fietkau (2): wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Ferry Meng (2): ocfs2: add bounds checking to ocfs2_xattr_find_entry() ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() Filipe Manana (1): btrfs: wait for fixup workers before stopping cleaner kthread during umount Florian Fainelli (1): tty: rp2: Fix reset with non forgiving PCIe host bridges Florian Klink (1): ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Florian Westphal (1): inet: inet_defrag: prevent sk release while still in use Foster Snowhill (1): usbnet: ipheth: fix carrier detection in modes 1 and 4 Francis Laniel (1): tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Gabriel Krisman Bertazi (1): unicode: Don't special case ignorable code points Gao Xiang (1): erofs: fix lz4 inplace decompression Gautham Ananthakrishna (1): ocfs2: reserve space for inline xattr before attaching reflink tree Geert Uytterhoeven (2): drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() of/irq: Refer to actual buffer size in of_irq_parse_one() Gerald Schaefer (1): s390/mm: Add cond_resched() to cmm_alloc/free_pages() Gianfranco Trad (1): udf: fix uninit-value use in udf_get_fileshortad Greg Kroah-Hartman (2): Revert "driver core: Fix uevent_show() vs driver detach race" Linux 5.4.285 Guenter Roeck (1): hwmon: (max16065) Fix overflows seen when writing limits Guillaume Stols (2): iio: adc: ad7606: fix oversampling gpio array iio: adc: ad7606: fix standby gpio state to match the documentation Guoqing Jiang (2): nfsd: call cache_put if xdr_reserve_space returns NULL hwrng: mtk - Use devm_pm_runtime_enable Gustavo A. R. Silva (1): wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Hagar Hemdan (1): gpio: prevent potential speculation leaks in gpio_device_get_desc() Hailey Mothershead (1): crypto: aead,cipher - zeroize key buffer after use Haiyang Zhang (1): hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Han Xu (1): spi: nxp-fspi: fix the KASAN report out-of-bounds bug Hans Verkuil (1): media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Hans de Goede (4): ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] i2c: i801: Use a different adapter-name for IDF adapters drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Harshit Mogalapalli (1): usb: yurex: Fix inconsistent locking bug in yurex_read() Heiko Carstens (1): s390/facility: Disable compile time optimization for decompressor code Heiner Kallweit (2): r8169: add tally counter fields added with RTL8125 r8169: avoid unsolicited interrupts Helge Deller (3): parisc: Fix itlb miss handler for 64-bit programs parisc: Fix 64-bit userspace syscall path parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Heming Zhao (1): ocfs2: fix the la space leak when unmounting an ocfs2 volume Hermann Lauer (1): power: supply: axp20x_battery: allow disabling battery charging Hongbo Li (1): ASoC: allow module autoloading for table db1200_pids Huang Ying (1): resource: fix region_intersects() vs add_memory_driver_managed() Ian Rogers (1): perf time-utils: Fix 32-bit nsec parsing Icenowy Zheng (1): usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip Ido Schimmel (1): ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Jacky Chou (2): net: ftgmac100: Enable TX interrupt to avoid TX timeout net: ftgmac100: Ensure tx descriptor updates are visible Jacob Keller (1): ice: fix accounting for filters shared by multiple VSIs Janis Schoetterl-Glausch (3): KVM: s390: gaccess: Refactor gpa and length calculation KVM: s390: gaccess: Refactor access address range check KVM: s390: gaccess: Cleanup access to guest pages Jann Horn (2): firmware_loader: Block path traversal f2fs: Require FMODE_WRITE for atomic write ioctls Jaroslav Kysela (1): ALSA: core: add isascii() check to card ID generator Jason Xing (1): tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Jason-JH.Lin (1): Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Javier Carrasco (5): iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig iio: adc: ti-ads124s08: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jeongjun Park (3): jfs: fix out-of-bounds in dbNextAG() and diAlloc() mm: shmem: fix data-race in shmem_getattr() vt: prevent kernel-infoleak in con_font_get() Jerome Brunet (1): ASoC: meson: axg: extract sound card utils Jiawei Ye (2): wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso Jim Mattson (1): x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Jinjie Ruan (10): riscv: Fix fp alignment bug in perf_callchain_user() ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() ieee802154: Fix build error net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() nfp: Use IRQF_NO_AUTOEN flag in request_irq() spi: bcm63xx: Fix module autoloading i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() posix-clock: Fix missing timespec64 check in pc_clock_settime() posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Jisheng Zhang (1): riscv: define ILLEGAL_POINTER_VALUE for 64bit Johannes Berg (3): wifi: mac80211: fix potential key use-after-free mac80211: do drv_reconfig_complete() before restarting all mac80211: always have ieee80211_sta_restart() Jonas Blixt (1): watchdog: imx_sc_wdt: Don't disable WDT in suspend Jonas Karlman (2): drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 Jonathan Marek (1): drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Jonathan McDowell (1): tpm: Clean up TPM space after command failure Jose Alberto Reguero (1): usb: xhci: Fix problem with xhci resume from suspend Joseph Qi (2): ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: cancel dqi_sync_work before freeing oinfo Josh Hunt (1): tcp: check skb is non-NULL in tcp_rto_delta_us() José Relvas (1): ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Juergen Gross (2): xen: use correct end address of kernel for conflict checking xen/swiotlb: add alignment check for dma buffers Julian Sun (2): vfs: fix race between evice_inodes() and find_inode()&iput() ocfs2: fix null-ptr-deref when journal load failed. Junhao Xie (1): USB: serial: pl2303: add device id for Macrosilicon MS3020 Junlin Li (2): drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Junxian Huang (1): RDMA/hns: Optimize hem allocation performance Kailang Yang (3): ALSA: hda/realtek - Fixed ALC256 headphone no sound ALSA: hda/realtek - FIxed ALC285 headphone no sound ALSA: hda/realtek: Update default depop procedure Kaixin Wang (3): net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition fbdev: pxafb: Fix possible use after free in pxafb_task() ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition Kalesh AP (1): RDMA/bnxt_re: Return more meaningful error Kees Cook (2): x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() scsi: aacraid: Rearrange order of struct aac_srb_unit Kemeng Shi (1): ext4: avoid negative min_clusters in find_group_orlov() Krzysztof Kozlowski (14): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property ARM: versatile: fix OF node leak in CPUs prepare reset: berlin: fix OF node leak in probe() error path soc: versatile: integrator: fix OF node leak in probe() error path soc: versatile: realview: fix memory leak during device remove soc: versatile: realview: fix soc_dev leak during device remove drivers: net: Fix Kconfig indentation, continued net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() rtc: at91sam9: fix OF node leak in probe() error path clk: bcm: bcm53573: fix OF node leak in init Kuniyuki Iwashima (2): can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Lasse Collin (1): xz: cleanup CRC32 edits from 2018 Laurent Pinchart (2): Remove *.orig pattern from .gitignore media: sun4i_csi: Implement link validate for sun4i_csi subdev Lee Jones (1): usb: yurex: Replace snprintf() with the safer scnprintf() variant Leo Yan (1): tracing: Consider the NULL character when validating the event length Li Lingfeng (2): nfsd: return -EINVAL when namelen is 0 nfs: fix memory leak in error path of nfs4_do_reclaim Liao Chen (3): ASoC: tda7419: fix module autoloading spi: bcm63xx: Enable module autoloading mailbox: rockchip: fix a typo in module autoloading Linus Walleij (1): net: ethernet: cortina: Drop TSO support Liu Shixin (1): mm/swapfile: skip HugeTLB pages for unuse_vma Lizhi Xu (2): ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Luis Henriques (SUSE) (2): ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Luiz Augusto von Dentz (3): Bluetooth: btusb: Fix not handling ZPL/short-transfer Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Luo Gengkun (1): perf/core: Fix small negative period being ignored Ma Ke (3): spi: ppc4xx: handle irq_of_parse_and_map() errors pps: add an error check in parport_attach drm: omapdrm: Add missing check for alloc_ordered_workqueue Maciej Falkowski (1): dt-bindings: gpu: Convert Samsung Image Rotator to dt-schema Manikanta Pubbisetty (1): wifi: ath10k: Fix memory leak in management tx Marek Vasut (1): i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Mario Limonciello (1): drm/amd: Guard against bad data for ATIF ACPI method Mark Rutland (5): arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() arm64: probes: Fix uprobes for big-endian kernels Masami Hiramatsu (1): selftests: breakpoints: Fix a typo of function name Mathias Krause (1): Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal Mathias Nyman (1): xhci: Fix incorrect stream context type macro Mathy Vanhoef (2): mac80211: parse radiotap header when selecting Tx queue mac80211: Fix NULL ptr deref for injected rate info Matthew Brost (1): drm/printer: Allow NULL data in devcoredump printer Mauricio Faria de Oliveira (1): jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers() Michael Kelley (1): x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency Michael Mueller (1): KVM: s390: Change virtual to physical address access in diag 0x258 handler Michael S. Tsirkin (1): virtio_console: fix misc probe bugs Mickaël Salaün (1): fs: Fix file_set_fowner LSM hook inconsistencies Mike Rapoport (1): microblaze: don't treat zero reserved memory regions as error Mike Tipton (1): clk: qcom: clk-rpmh: Fix overflow in BCM vote Mikhail Lobanov (2): RDMA/cxgb4: Added NULL check for lookup_atid drbd: Add NULL check for net_conf to prevent dereference in state validation Minjie Du (1): wifi: ath9k: fix parameter check in ath9k_init_debug() Mirsad Todorovac (1): mtd: slram: insert break after errors in parsing the map Mohamed Khalfella (2): net/mlx5: Added cond_resched() to crdump collection igb: Do not bring the device up after non-fatal error Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Nathan Chancellor (1): x86/resctrl: Annotate get_mem_config() functions as __init Neal Cardwell (2): tcp: fix to allow timestamp undo if no retransmits were sent tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe NeilBrown (1): nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Nico Boehr (1): KVM: s390: gaccess: Check if guest address is in memslot Nikita Zhandarovich (3): drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets f2fs: prevent possible int overflow in dir_block_index() f2fs: avoid potential int overflow in sanity_check_area_boundary() Nikolay Kuratov (1): drm/vmwgfx: Handle surface check failure correctly Nuno Sa (1): Input: adp5589-keys - fix adp5589_gpio_get_value() OGAWA Hirofumi (1): fat: fix uninitialized variable Oder Chiou (1): ALSA: hda/realtek: Fix the push button function for the ALC257 Olaf Hering (1): mount: handle OOM on mnt_warn_timestamp_expiry Oleg Nesterov (1): uprobes: fix kernel info leak via "[uprobes]" vma Oliver Neukum (7): USB: appledisplay: close race between probe and completion handler USB: misc: cypress_cy7c63: check for short transfer USB: class: CDC-ACM: fix race between get_serial and set_serial USB: misc: yurex: fix race between read and write CDC-NCM: avoid overflow in sanity checking Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" net: usb: usbnet: fix name regression Omar Sandoval (1): blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race Pablo Neira Ayuso (5): netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire netfilter: nf_tables: reject element expiration with no timeout netfilter: nf_tables: reject expiration higher than timeout gtp: allow -1 to be specified as file description from userspace netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Paul Moore (1): selinux: improve error checking in sel_write_load() Paulo Alcantara (1): smb: client: fix OOBs when building SMB2_IOCTL request Paulo Miguel Almeida (2): drm/amdgpu: Replace one-element array with flexible-array member drm/radeon: Replace one-element array with flexible-array member Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Pedro Tammela (1): net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pei Xiao (1): ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Peter Zijlstra (2): locking/lockdep: Fix bad recursion pattern locking/lockdep: Rework lockdep_lock Phil Sutter (1): netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Philip Chen (1): virtio_pmem: Check device status before requesting flush Qiu-ji Chen (1): drbd: Fix atomicity violation in drbd_uuid_set_bm() Qu Wenruo (1): btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Quentin Schulz (1): arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Qun-Wei Lin (1): mm: krealloc: Fix MTE false alarm in __do_krealloc Rafael J. Wysocki (1): ACPI: EC: Do not release locks during operation region accesses Remington Brasga (1): jfs: UBSAN: shift-out-of-bounds in dbFindBits Rob Clark (2): kthread: add kthread_work tracepoints drm/crtc: fix uninitialized variable use even harder Robert Hancock (1): i2c: xiic: Wait for TX empty to avoid missed TX NAKs Robin Chen (1): drm/amd/display: Round calculated vtotal Rosen Penev (1): net: ibm: emac: mal: fix wrong goto Ryusuke Konishi (7): nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() nilfs2: determine empty node blocks as corrupted nilfs2: fix potential oob read in nilfs_btree_check_delete() nilfs2: propagate directory read errors from nilfs_find_entry() nilfs2: fix kernel bug due to missing clearing of buffer delay flag nilfs2: fix potential deadlock with newly created symlinks nilfs2: fix kernel bug due to missing clearing of checked flag Sabrina Dubroca (2): macsec: don't increment counters for an unrelated SA xfrm: validate new SA's prefixlen using SA family when sel.family is unset Saravanan Vajravel (1): RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Sean Anderson (3): net: dpaa: Pad packets to ETH_ZLEN PCI: xilinx-nwl: Fix register misspelling PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler Sebastian Reichel (1): clk: rockchip: fix error for unknown clocks Selvarasu Ganesan (1): usb: dwc3: core: Stop processing of pending events if controller is halted Shahar Shitrit (1): net/mlx5e: Add missing link modes to ptys2ethtool_map Shawn Shao (1): usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario Sherry Yang (1): drm/msm: fix %s null argument error Shubham Panwar (1): ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Simon Horman (3): netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer Srinivasan Shanmugam (1): drm/amd/display: Fix index out of bounds in degamma hardware format translation Stefan Wahren (1): mailbox: bcm2835: Fix timeout during suspend mode Stephen Boyd (3): i2c: qcom-geni: Let firmware specify irq trigger flags i2c: qcom-geni: Grow a dev pointer to simplify code clk: qcom: rpmh: Simplify clk_rpmh_bcm_send_cmd() Steven Rostedt (Google) (2): tracing: Remove precision vsnprintf() check from print event tracing: Have saved_cmdlines arrays all in one allocation Su Hui (1): net: tipc: avoid possible garbage value Subramanian Ananthanarayanan (1): PCI: Add ACS quirk for Qualcomm SA8775P SurajSonawane2415 (1): hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma Suzuki K Poulose (1): coresight: tmc: sg: Do not leak sg_table Takashi Iwai (5): ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop parport: Proper fix for array out-of-bounds access Tao Chen (1): bpf: Check percpu map value size first Tetsuo Handa (1): tomoyo: fallback to realpath if symlink's pathname does not exist Thadeu Lima de Souza Cascardo (4): ext4: return error on ext4_find_inline_entry ext4: avoid OOB when system.data xattr changes underneath the filesystem ext4: ext4_search_dir should return a proper error usb: typec: altmode should keep reference to parent Thomas Blocher (1): pinctrl: at91: make it work with current gpiolib Thomas Gleixner (2): PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() signal: Replace BUG_ON()s Thomas Richter (1): s390/cpum_sf: Remove WARN_ON_ONCE statements Thomas Weißschuh (2): ACPI: sysfs: validate return type of _STR method s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Thomas Zimmermann (1): drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Toke Høiland-Jørgensen (3): bpf: Fix DEVMAP_HASH overflow check on 32-bit arches wifi: ath9k: Remove error checks when creating debugfs entries wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Tommy Huang (1): i2c: aspeed: Update the stop sw state when the bus recovery occurs Tony Ambardar (4): selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c selftests/bpf: Fix compiling flow_dissector.c with musl-libc selftests/bpf: Fix compiling tcp_rtt.c with musl-libc selftests/bpf: Fix error compiling test_lru_map.c Ville Syrjälä (1): wifi: iwlegacy: Clear stale interrupts before resuming device Vladimir Lypak (3): drm/msm/a5xx: disable preemption in submits by default drm/msm/a5xx: properly clear preemption records on resume drm/msm/a5xx: fix races in preemption evaluation stage Wade Wang (1): HID: plantronics: Workaround for an unexcepted opposite volume key Waiman Long (1): locking/lockdep: Avoid potential access of invalid memory in lock_class Wang Hai (4): net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: systemport: fix potential memory leak in bcm_sysport_xmit() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() Wang Jianzheng (1): pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function WangYuli (1): PCI: Add function 0 DMA alias quirk for Glenfly Arise chip Werner Sembach (1): ACPI: resource: Add another DMI match for the TongFang GMxXGxx Wojciech Gładysz (1): ext4: nested locking for xattr inode Wolfram Sang (1): ipmi: docs: don't advertise deprecated sysfs entries Xin Long (4): sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start ipv4: give an IPv4 dev to blackhole_netdev net: support ip generic csum processing in skb_csum_hwoffload_help Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Xiu Jianfeng (1): cgroup: Fix potential overflow issue when checking max_depth Xiubo Li (1): ceph: remove the incorrect Fw reference check when dirtying pages Xu Yang (1): usb: chipidea: udc: enable suspend interrupt after usb reset Yang Jihong (2): perf sched timehist: Fix missing free of session in perf_sched__timehist() perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time Yang Yingliang (1): pinctrl: single: fix missing error code in pcs_probe() Ye Bin (1): Bluetooth: bnep: fix wild-memory-access in proto_unregister Yifei Liu (1): selftests: breakpoints: use remaining time to check if suspend succeed Yonatan Maman (1): nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error Yonggil Song (1): f2fs: fix typo Youghandhar Chintala (1): mac80211: Add support to trigger sta disconnect on hardware restart Youssef Samir (1): net: qrtr: Update packets cloning when broadcasting Yu Kuai (3): block, bfq: fix possible UAF for bfqq->bic with merge chain block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() block, bfq: don't break merge chain in bfq_split_bfqq() Yuesong Li (1): drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() Yunke Cao (1): media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() Yuntao Liu (1): hwmon: (ntc_thermistor) fix module autoloading Zhang Changzhong (1): can: j1939: use correct function name in comment Zhang Rui (1): x86/apic: Always explicitly disarm TSC-deadline timer Zhao Mengmeng (1): jfs: Fix uninit-value access of new_ea in ea_buffer Zhen Lei (1): debugobjects: Fix conditions in fill_pool() Zheng Wang (1): media: venus: fix use after free bug in venus_remove due to race condition Zhiguo Niu (1): lockdep: fix deadlock issue between lockdep and rcu Zhu Jun (1): tools/iio: Add memory allocation failure check for trigger_name Zhu Yanjun (1): RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency Zicheng Qu (1): staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Zijun Hu (2): driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute usb: phy: Fix API devm_usb_put_phy() can not release the phy Zong-Zhe Yang (1): wifi: rtw88: select WANT_DEV_COREDUMP Zongmin Zhou (1): usbip: tools: Fix detach_port() invalid port error path hongchi.peng (1): drm: komeda: Fix an issue related to normalized zpos junhua huang (2): arm64:uprobe fix the uprobe SWBP_INSN in big-endian arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning rd.dunlab(a)gmail.com (1): Minor fixes to the CAIF Transport drivers Kconfig file yangerkun (1): ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard zhanchengbin (1): ext4: fix inode tree inconsistency caused by ENOMEM zhong jiang (1): drivers/misc: ti-st: Remove unneeded variable in st_tty_open

7 months, 2 weeks

1
1
0 0

Linux 4.19.323

by Greg Kroah-Hartman

I'm announcing the release of the 4.19.323 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ .gitignore | 1 Documentation/IPMI.txt | 2 Documentation/arm64/silicon-errata.txt | 2 Documentation/driver-model/devres.txt | 1 Makefile | 2 arch/arm/mach-realview/platsmp-dt.c | 1 arch/arm64/Kconfig | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 23 arch/arm64/include/asm/cputype.h | 4 arch/arm64/include/asm/uprobes.h | 12 arch/arm64/kernel/cpu_errata.c | 2 arch/arm64/kernel/probes/decode-insn.c | 16 arch/arm64/kernel/probes/simulate-insn.c | 18 arch/arm64/kernel/probes/uprobes.c | 4 arch/microblaze/mm/init.c | 5 arch/parisc/kernel/entry.S | 6 arch/parisc/kernel/syscall.S | 14 arch/riscv/Kconfig | 5 arch/s390/include/asm/facility.h | 6 arch/s390/kernel/perf_cpum_sf.c | 12 arch/s390/kvm/diag.c | 2 arch/s390/kvm/gaccess.c | 162 ++- arch/s390/kvm/gaccess.h | 14 arch/s390/mm/cmm.c | 18 arch/x86/include/asm/cpufeatures.h | 3 arch/x86/kernel/apic/apic.c | 14 arch/x86/kernel/cpu/mshyperv.c | 1 arch/x86/xen/setup.c | 2 block/bfq-iosched.c | 13 crypto/aead.c | 3 crypto/cipher.c | 3 drivers/acpi/acpica/dbconvert.c | 2 drivers/acpi/acpica/exprep.c | 3 drivers/acpi/acpica/psargs.c | 47 + drivers/acpi/battery.c | 28 drivers/acpi/button.c | 11 drivers/acpi/device_sysfs.c | 5 drivers/acpi/ec.c | 55 + drivers/acpi/pmic/tps68470_pmic.c | 6 drivers/ata/sata_sil.c | 12 drivers/base/bus.c | 6 drivers/base/core.c | 13 drivers/base/firmware_loader/main.c | 30 drivers/base/module.c | 4 drivers/block/aoe/aoecmd.c | 13 drivers/block/drbd/drbd_main.c | 6 drivers/block/drbd/drbd_state.c | 2 drivers/bluetooth/btusb.c | 10 drivers/char/virtio_console.c | 18 drivers/clk/bcm/clk-bcm53573-ilp.c | 2 drivers/clk/clk-devres.c | 105 +- drivers/clk/rockchip/clk-rk3228.c | 2 drivers/clk/rockchip/clk.c | 3 drivers/clk/ti/clk-dra7-atl.c | 1 drivers/clocksource/timer-qcom.c | 7 drivers/firmware/arm_sdei.c | 2 drivers/gpio/gpio-aspeed.c | 4 drivers/gpio/gpio-davinci.c | 8 drivers/gpio/gpiolib.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 26 drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 drivers/gpu/drm/amd/include/atombios.h | 4 drivers/gpu/drm/drm_crtc.c | 17 drivers/gpu/drm/drm_print.c | 13 drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 26 drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 drivers/gpu/drm/msm/dsi/dsi_host.c | 2 drivers/gpu/drm/radeon/atombios.h | 2 drivers/gpu/drm/radeon/evergreen_cs.c | 62 - drivers/gpu/drm/radeon/r100.c | 70 - drivers/gpu/drm/radeon/radeon_atombios.c | 26 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 drivers/gpu/drm/stm/drv.c | 4 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 drivers/hid/hid-ids.h | 2 drivers/hid/hid-plantronics.c | 23 drivers/hwmon/max16065.c | 5 drivers/hwmon/ntc_thermistor.c | 1 drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 drivers/i2c/busses/i2c-aspeed.c | 16 drivers/i2c/busses/i2c-i801.c | 9 drivers/i2c/busses/i2c-isch.c | 3 drivers/i2c/busses/i2c-xiic.c | 19 drivers/iio/adc/Kconfig | 2 drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 2 drivers/iio/dac/Kconfig | 1 drivers/iio/light/opt3001.c | 4 drivers/iio/magnetometer/ak8975.c | 32 drivers/infiniband/core/iwcm.c | 2 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 drivers/infiniband/hw/cxgb4/cm.c | 14 drivers/input/keyboard/adp5589-keys.c | 13 drivers/input/rmi4/rmi_driver.c | 6 drivers/mailbox/bcm2835-mailbox.c | 3 drivers/mailbox/rockchip-mailbox.c | 2 drivers/media/common/videobuf2/videobuf2-core.c | 8 drivers/media/dvb-frontends/rtl2830.c | 2 drivers/media/dvb-frontends/rtl2832.c | 2 drivers/media/platform/qcom/venus/core.c | 1 drivers/misc/sgi-gru/grukservices.c | 2 drivers/misc/sgi-gru/grumain.c | 4 drivers/misc/sgi-gru/grutlbpurge.c | 2 drivers/mtd/devices/slram.c | 2 drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 drivers/net/ethernet/aeroflex/greth.c | 3 drivers/net/ethernet/amd/mvme147.c | 7 drivers/net/ethernet/broadcom/bcmsysport.c | 1 drivers/net/ethernet/cortina/gemini.c | 15 drivers/net/ethernet/emulex/benet/be_main.c | 10 drivers/net/ethernet/faraday/ftgmac100.c | 26 drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/hisilicon/hip04_eth.c | 1 drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 drivers/net/ethernet/hisilicon/hns_mdio.c | 1 drivers/net/ethernet/i825xx/sun3_82586.c | 1 drivers/net/ethernet/ibm/emac/mal.c | 2 drivers/net/ethernet/intel/igb/igb_main.c | 4 drivers/net/ethernet/jme.c | 10 drivers/net/ethernet/lantiq_etop.c | 4 drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 drivers/net/ethernet/seeq/ether3.c | 2 drivers/net/gtp.c | 27 drivers/net/hyperv/netvsc_drv.c | 30 drivers/net/macsec.c | 18 drivers/net/phy/vitesse.c | 14 drivers/net/ppp/ppp_async.c | 2 drivers/net/usb/cdc_ncm.c | 8 drivers/net/usb/ipheth.c | 5 drivers/net/usb/r8152.c | 73 - drivers/net/usb/usbnet.c | 3 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 drivers/net/wireless/ath/ath10k/wmi.c | 2 drivers/net/wireless/ath/ath9k/debug.c | 6 drivers/net/wireless/ath/ath9k/hif_usb.c | 6 drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 drivers/net/wireless/intel/iwlegacy/common.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 8 drivers/net/wireless/marvell/mwifiex/fw.h | 2 drivers/net/wireless/marvell/mwifiex/scan.c | 3 drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 drivers/of/irq.c | 38 drivers/parport/procfs.c | 22 drivers/pci/controller/pcie-xilinx-nwl.c | 24 drivers/pci/quirks.c | 6 drivers/pinctrl/mvebu/pinctrl-dove.c | 42 drivers/pinctrl/pinctrl-at91.c | 5 drivers/pinctrl/pinctrl-single.c | 3 drivers/power/reset/brcmstb-reboot.c | 3 drivers/power/supply/max17042_battery.c | 5 drivers/pps/clients/pps_parport.c | 14 drivers/reset/reset-berlin.c | 3 drivers/rtc/Kconfig | 2 drivers/rtc/rtc-at91sam9.c | 45 drivers/s390/char/sclp_vt220.c | 4 drivers/scsi/aacraid/aacraid.h | 2 drivers/soc/versatile/soc-integrator.c | 1 drivers/soc/versatile/soc-realview.c | 20 drivers/soundwire/stream.c | 8 drivers/spi/spi-bcm63xx.c | 2 drivers/spi/spi-ppc4xx.c | 7 drivers/spi/spi-s3c64xx.c | 4 drivers/staging/iio/frequency/ad9834.c | 54 - drivers/staging/iio/frequency/ad9834.h | 28 drivers/tty/serial/rp2.c | 2 drivers/tty/vt/vt.c | 2 drivers/usb/chipidea/udc.c | 8 drivers/usb/dwc3/core.c | 49 - drivers/usb/dwc3/core.h | 11 drivers/usb/dwc3/gadget.c | 11 drivers/usb/host/xhci-pci.c | 5 drivers/usb/host/xhci-ring.c | 16 drivers/usb/host/xhci.h | 2 drivers/usb/misc/appledisplay.c | 15 drivers/usb/misc/cypress_cy7c63.c | 4 drivers/usb/misc/yurex.c | 5 drivers/usb/phy/phy.c | 2 drivers/usb/serial/option.c | 8 drivers/usb/serial/pl2303.c | 1 drivers/usb/serial/pl2303.h | 4 drivers/usb/storage/unusual_devs.h | 11 drivers/usb/typec/class.c | 3 drivers/video/fbdev/hpfb.c | 1 drivers/video/fbdev/pxafb.c | 1 drivers/video/fbdev/sis/sis_main.c | 2 drivers/xen/swiotlb-xen.c | 34 fs/btrfs/disk-io.c | 11 fs/ceph/addr.c | 1 fs/ext4/ext4.h | 1 fs/ext4/extents.c | 70 + fs/ext4/ialloc.c | 2 fs/ext4/inline.c | 35 fs/ext4/inode.c | 11 fs/ext4/mballoc.c | 10 fs/ext4/migrate.c | 2 fs/ext4/move_extent.c | 1 fs/ext4/namei.c | 14 fs/ext4/xattr.c | 4 fs/f2fs/acl.c | 23 fs/f2fs/dir.c | 3 fs/f2fs/f2fs.h | 4 fs/f2fs/file.c | 24 fs/f2fs/super.c | 4 fs/f2fs/xattr.c | 27 fs/fat/namei_vfat.c | 2 fs/fcntl.c | 14 fs/inode.c | 4 fs/jbd2/checkpoint.c | 14 fs/jbd2/commit.c | 36 fs/jbd2/journal.c | 2 fs/jfs/jfs_discard.c | 11 fs/jfs/jfs_dmap.c | 11 fs/jfs/jfs_imap.c | 2 fs/jfs/xattr.c | 2 fs/lockd/clnt4xdr.c | 14 fs/lockd/clntxdr.c | 14 fs/nfs/callback_xdr.c | 61 - fs/nfs/nfs2xdr.c | 84 - fs/nfs/nfs3xdr.c | 163 +-- fs/nfs/nfs42xdr.c | 21 fs/nfs/nfs4state.c | 1 fs/nfs/nfs4xdr.c | 451 ++-------- fs/nfsd/nfs4callback.c | 13 fs/nfsd/nfs4idmap.c | 13 fs/nfsd/nfs4state.c | 15 fs/nilfs2/btree.c | 12 fs/nilfs2/dir.c | 50 - fs/nilfs2/namei.c | 42 fs/nilfs2/nilfs.h | 2 fs/nilfs2/page.c | 7 fs/ocfs2/aops.c | 5 fs/ocfs2/buffer_head_io.c | 4 fs/ocfs2/file.c | 8 fs/ocfs2/journal.c | 7 fs/ocfs2/localalloc.c | 19 fs/ocfs2/quota_local.c | 8 fs/ocfs2/refcounttree.c | 26 fs/ocfs2/xattr.c | 38 fs/udf/inode.c | 9 include/drm/drm_print.h | 54 + include/linux/clk.h | 145 +++ include/linux/jbd2.h | 4 include/linux/pci_ids.h | 2 include/net/sock.h | 2 include/net/tcp.h | 27 include/trace/events/f2fs.h | 3 include/trace/events/sched.h | 84 + include/uapi/linux/cec.h | 6 include/uapi/linux/netfilter/nf_tables.h | 2 kernel/bpf/arraymap.c | 3 kernel/bpf/hashtab.c | 3 kernel/bpf/lpm_trie.c | 2 kernel/cgroup/cgroup.c | 4 kernel/events/core.c | 6 kernel/events/uprobes.c | 2 kernel/kthread.c | 19 kernel/signal.c | 11 kernel/time/posix-clock.c | 3 kernel/trace/trace_output.c | 6 lib/xz/xz_crc32.c | 2 lib/xz/xz_private.h | 4 mm/shmem.c | 2 net/bluetooth/af_bluetooth.c | 1 net/bluetooth/bnep/core.c | 3 net/bluetooth/rfcomm/sock.c | 2 net/bridge/br_netfilter_hooks.c | 5 net/can/bcm.c | 4 net/core/dev.c | 29 net/ipv4/devinet.c | 6 net/ipv4/fib_frontend.c | 2 net/ipv4/ip_gre.c | 6 net/ipv4/netfilter/nf_dup_ipv4.c | 7 net/ipv4/tcp_input.c | 24 net/ipv4/tcp_ipv4.c | 5 net/ipv4/tcp_output.c | 2 net/ipv4/tcp_rate.c | 15 net/ipv4/tcp_recovery.c | 5 net/ipv6/addrconf.c | 8 net/ipv6/netfilter/nf_dup_ipv6.c | 7 net/ipv6/netfilter/nf_reject_ipv6.c | 14 net/mac80211/cfg.c | 3 net/mac80211/iface.c | 17 net/mac80211/key.c | 42 net/netfilter/nf_conntrack_netlink.c | 7 net/netfilter/nf_tables_api.c | 2 net/netfilter/nft_payload.c | 3 net/netlink/af_netlink.c | 3 net/qrtr/qrtr.c | 2 net/sched/sch_api.c | 2 net/sctp/socket.c | 4 net/tipc/bearer.c | 8 net/wireless/nl80211.c | 3 net/wireless/scan.c | 6 net/wireless/sme.c | 3 net/xfrm/xfrm_user.c | 6 scripts/kconfig/merge_config.sh | 2 security/selinux/selinuxfs.c | 31 security/smack/smackfs.c | 2 security/tomoyo/domain.c | 9 sound/core/init.c | 14 sound/pci/asihpi/hpimsgx.c | 2 sound/pci/hda/hda_generic.c | 4 sound/pci/hda/patch_conexant.c | 24 sound/pci/hda/patch_realtek.c | 38 sound/pci/rme9652/hdsp.c | 6 sound/pci/rme9652/hdspm.c | 6 sound/soc/au1x/db1200.c | 1 sound/soc/codecs/tda7419.c | 1 tools/iio/iio_generic_buffer.c | 4 tools/perf/builtin-sched.c | 8 tools/perf/util/time-utils.c | 4 tools/testing/ktest/ktest.pl | 2 tools/testing/selftests/bpf/test_lru_map.c | 3 tools/testing/selftests/breakpoints/step_after_suspend_test.c | 5 tools/testing/selftests/kcmp/kcmp_test.c | 1 tools/testing/selftests/vDSO/parse_vdso.c | 3 tools/testing/selftests/vm/compaction_test.c | 2 tools/usb/usbip/src/usbip_detach.c | 1 virt/kvm/kvm_main.c | 5 325 files changed, 2608 insertions(+), 1776 deletions(-) Aaron Thompson (1): Bluetooth: Remove debugfs directory on module init failure Aleksander Jan Bajkowski (1): net: ethernet: lantiq_etop: fix memory disclosure Aleksandr Mishin (2): staging: iio: frequency: ad9834: Validate frequency parameter value ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() Aleksandrs Vinarskis (1): ACPICA: iasl: handle empty connection_node Alex Bee (1): drm/rockchip: vop: Allow 4096px width scaling Alex Deucher (2): drm/amdgpu: properly handle vbios fake edid sizing drm/radeon: properly handle vbios fake edid sizing Alex Hung (1): drm/amd/display: Check stream before comparing them Alex Williamson (1): PCI: Mark Creative Labs EMU20k2 INTx masking as broken Alexandre Belloni (1): rtc: at91sam9: drop platform_data support Anastasia Kovaleva (1): net: Fix an unsafe loop on the list Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andrew Davis (1): power: reset: brcmstb: Do not go into infinite loop if reset fails Andrew Jones (1): of/irq: Support #msi-cells=<0> in of_msi_get_domain Andrey Shumilin (1): fbdev: sisfb: Fix strbuf array overflow Andrey Skvortsov (1): clk: Fix slab-out-of-bounds error in devm_clk_release() Andy Roulin (1): netfilter: br_netfilter: fix panic with metadata_dst skb Andy Shevchenko (2): spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ i2c: isch: Add missed 'else' Ankit Agrawal (1): clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() Anshuman Khandual (1): arm64: Add Cortex-715 CPU part definition Anton Danilov (1): ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Anumula Murali Mohan Reddy (1): RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Armin Wolf (4): ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails ACPICA: Fix memory leak if acpi_ps_get_next_field() fails ACPI: battery: Simplify battery hook locking ACPI: battery: Fix possible crash when unregistering a battery hook Arnd Bergmann (1): nfsd: use ktime_get_seconds() for timestamps Artem Sadovnikov (1): ext4: fix i_data_sem unlock order in ext4_ind_migrate() Artur Weber (1): power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense Baokun Li (6): ext4: propagate errors from ext4_find_extent() in ext4_insert_range() ext4: aovid use-after-free in ext4_ext_insert_extent() ext4: fix double brelse() the buffer of the extents path jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error ext4: fix slab-use-after-free in ext4_split_extent_at() ext4: update orig_path in ext4_find_extent() Barnabás Czémán (1): iio: magnetometer: ak8975: Fix reading for ak099xx sensors Ben Dooks (1): spi: s3c64xx: fix timeout counters in flush_fifo Beniamin Bia (2): staging: iio: frequency: ad9833: Get frequency value statically staging: iio: frequency: ad9833: Load clock using clock framework Benjamin B. Frost (1): USB: serial: option: add support for Quectel EG916Q-GL Benoît Monin (1): net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Billy Tsai (2): gpio: aspeed: Add the flush write to ensure the write complete. gpio: aspeed: Use devm_clk api to manage clock source Breno Leitao (1): KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Byeonguk Jeong (1): bpf: Fix out-of-bounds write in trie_get_next_key() Chao Yu (4): f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() f2fs: fix to update i_ctime in __f2fs_setxattr() f2fs: remove unneeded check condition in __f2fs_setxattr() f2fs: reduce expensive checkpoint trigger frequency Chen Yu (1): kthread: fix task state in kthread worker if being frozen Christophe JAILLET (5): fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() drm/stm: Fix an error handling path in stm_drm_platform_probe() pps: remove usage of the deprecated ida_simple_xx() API iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() gtp: simplify error handling code in 'gtp_encap_enable()' Christophe Leroy (1): selftests: vDSO: fix vDSO symbols lookup for powerpc64 Chuck Lever (1): NFS: Remove print_overflow_msg() Chun-Yi Lee (1): aoe: fix the potential use-after-free problem in more places Damien Le Moal (1): ata: sata_sil: Rename sil_blacklist to sil_quirks Dan Carpenter (1): SUNRPC: Fix integer overflow in decode_rc_list() Daniel Gabay (1): wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() Daniel Jordan (1): ktest.pl: Avoid false positives with grub2 skip regex Daniel Palmer (1): net: amd: mvme147: Fix probe banner message Daniele Palmas (1): USB: serial: option: add Telit FN920C04 MBIM compositions Dave Kleikamp (1): jfs: Fix sanity check in dbMount David Lechner (1): clk: ti: dra7-atl: Fix leak of of_nodes Dimitri Sivanich (1): misc: sgi-gru: Don't disable preemption in GRU driver Dmitry Antipov (3): wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Dmitry Kandybka (1): wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Edward Adam Davis (4): jfs: Fix uaf in dbFreeBits jfs: check if leafidx greater than num leaves per dmap tree ext4: no need to continue when the number of entries is 1 ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Emanuele Ghidoli (1): gpio: davinci: fix lazy disable Emil Gedenryd (1): iio: light: opt3001: add missing full-scale range value Emmanuel Grumbach (1): wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead Eran Ben Elisha (1): net/mlx5: Update the list of the PCI supported devices Eric Dumazet (6): netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() tcp: introduce tcp_skb_timestamp_us() helper netfilter: nf_tables: prevent nf_skb_duplicated corruption net: avoid potential underflow in qdisc_pkt_len_init() with UFO net: add more sanity checks to qdisc_pkt_len_init() ppp: fix ppp_async_encode() illegal access Faisal Hassan (1): xhci: Fix Link TRB DMA in command ring stopped completion event Felix Fietkau (2): wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Ferry Meng (2): ocfs2: add bounds checking to ocfs2_xattr_find_entry() ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() Filipe Manana (1): btrfs: wait for fixup workers before stopping cleaner kthread during umount Florian Fainelli (1): tty: rp2: Fix reset with non forgiving PCIe host bridges Foster Snowhill (1): usbnet: ipheth: fix carrier detection in modes 1 and 4 Gautham Ananthakrishna (1): ocfs2: reserve space for inline xattr before attaching reflink tree Geert Uytterhoeven (2): drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() of/irq: Refer to actual buffer size in of_irq_parse_one() Gerald Schaefer (1): s390/mm: Add cond_resched() to cmm_alloc/free_pages() Gianfranco Trad (1): udf: fix uninit-value use in udf_get_fileshortad Greg Kroah-Hartman (2): Revert "driver core: Fix uevent_show() vs driver detach race" Linux 4.19.323 Guenter Roeck (1): hwmon: (max16065) Fix overflows seen when writing limits Guoqing Jiang (1): nfsd: call cache_put if xdr_reserve_space returns NULL Gustavo A. R. Silva (1): wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Hagar Hemdan (1): gpio: prevent potential speculation leaks in gpio_device_get_desc() Hailey Mothershead (1): crypto: aead,cipher - zeroize key buffer after use Haiyang Zhang (1): hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Hans Verkuil (1): media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Hans de Goede (1): i2c: i801: Use a different adapter-name for IDF adapters Harshit Mogalapalli (1): usb: yurex: Fix inconsistent locking bug in yurex_read() Heiko Carstens (1): s390/facility: Disable compile time optimization for decompressor code Helge Deller (2): parisc: Fix itlb miss handler for 64-bit programs parisc: Fix 64-bit userspace syscall path Heming Zhao (1): ocfs2: fix the la space leak when unmounting an ocfs2 volume Hongbo Li (1): ASoC: allow module autoloading for table db1200_pids Ian Rogers (1): perf time-utils: Fix 32-bit nsec parsing Icenowy Zheng (1): usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip Ido Schimmel (1): ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Jacky Chou (2): net: ftgmac100: Enable TX interrupt to avoid TX timeout net: ftgmac100: Ensure tx descriptor updates are visible Janis Schoetterl-Glausch (3): KVM: s390: gaccess: Refactor gpa and length calculation KVM: s390: gaccess: Refactor access address range check KVM: s390: gaccess: Cleanup access to guest pages Jann Horn (2): firmware_loader: Block path traversal f2fs: Require FMODE_WRITE for atomic write ioctls Jaroslav Kysela (1): ALSA: core: add isascii() check to card ID generator Jason Xing (1): tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Javier Carrasco (2): iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Jeongjun Park (3): jfs: fix out-of-bounds in dbNextAG() and diAlloc() mm: shmem: fix data-race in shmem_getattr() vt: prevent kernel-infoleak in con_font_get() Jiawei Ye (1): smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso Jim Mattson (1): x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Jinjie Ruan (4): ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() spi: bcm63xx: Fix module autoloading posix-clock: Fix missing timespec64 check in pc_clock_settime() posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Jisheng Zhang (1): riscv: define ILLEGAL_POINTER_VALUE for 64bit Jonas Karlman (1): clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 Jonathan Marek (1): drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Jose Alberto Reguero (1): usb: xhci: Fix problem with xhci resume from suspend Joseph Huang (1): net: dsa: mv88e6xxx: Fix out-of-bound access Joseph Qi (2): ocfs2: fix uninit-value in ocfs2_get_block() ocfs2: cancel dqi_sync_work before freeing oinfo Josh Hunt (1): tcp: check skb is non-NULL in tcp_rto_delta_us() Juergen Gross (3): xen: use correct end address of kernel for conflict checking xen/swiotlb: simplify range_straddles_page_boundary() xen/swiotlb: add alignment check for dma buffers Julian Sun (2): vfs: fix race between evice_inodes() and find_inode()&iput() ocfs2: fix null-ptr-deref when journal load failed. Junhao Xie (1): USB: serial: pl2303: add device id for Macrosilicon MS3020 Junlin Li (2): drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Kailang Yang (1): ALSA: hda/realtek: Update default depop procedure Kaixin Wang (2): net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition fbdev: pxafb: Fix possible use after free in pxafb_task() Kalesh AP (1): RDMA/bnxt_re: Return more meaningful error Kees Cook (1): scsi: aacraid: Rearrange order of struct aac_srb_unit Kemeng Shi (1): ext4: avoid negative min_clusters in find_group_orlov() Krzysztof Kozlowski (11): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" ARM: versatile: fix OF node leak in CPUs prepare reset: berlin: fix OF node leak in probe() error path soc: versatile: integrator: fix OF node leak in probe() error path soc: versatile: realview: fix memory leak during device remove soc: versatile: realview: fix soc_dev leak during device remove net: hisilicon: hip04: fix OF node leak in probe() net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() net: hisilicon: hns_mdio: fix OF node leak in probe() rtc: at91sam9: fix OF node leak in probe() error path clk: bcm: bcm53573: fix OF node leak in init Kuniyuki Iwashima (2): can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Lasse Collin (1): xz: cleanup CRC32 edits from 2018 Laurent Pinchart (1): Remove *.orig pattern from .gitignore Lee Jones (1): usb: yurex: Replace snprintf() with the safer scnprintf() variant Li Lingfeng (1): nfs: fix memory leak in error path of nfs4_do_reclaim Liao Chen (3): ASoC: tda7419: fix module autoloading spi: bcm63xx: Enable module autoloading mailbox: rockchip: fix a typo in module autoloading Linus Walleij (1): net: ethernet: cortina: Drop TSO support Lizhi Xu (2): ocfs2: remove unreasonable unlock in ocfs2_read_blocks ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Luis Henriques (SUSE) (2): ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Luiz Augusto von Dentz (3): Bluetooth: btusb: Fix not handling ZPL/short-transfer Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Luo Gengkun (1): perf/core: Fix small negative period being ignored Ma Ke (2): spi: ppc4xx: handle irq_of_parse_and_map() errors pps: add an error check in parport_attach Manikanta Pubbisetty (1): wifi: ath10k: Fix memory leak in management tx Marek Szyprowski (1): usb: dwc3: remove generic PHY calibrate() calls Mario Limonciello (1): drm/amd: Guard against bad data for ATIF ACPI method Mark Rutland (5): arm64: cputype: Add Neoverse-N3 definitions arm64: errata: Expand speculative SSBS workaround once more arm64: probes: Remove broken LDR (literal) uprobe support arm64: probes: Fix simulate_ldr*_literal() arm64: probes: Fix uprobes for big-endian kernels Mathias Krause (1): Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal Mathias Nyman (1): xhci: Fix incorrect stream context type macro Matteo Croce (1): drm/amd: fix typo Matthew Brost (1): drm/printer: Allow NULL data in devcoredump printer Mauricio Faria de Oliveira (1): jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers() Michael Kelley (1): x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency Michael Mueller (1): KVM: s390: Change virtual to physical address access in diag 0x258 handler Michael S. Tsirkin (1): virtio_console: fix misc probe bugs Mickaël Salaün (1): fs: Fix file_set_fowner LSM hook inconsistencies Mike Rapoport (1): microblaze: don't treat zero reserved memory regions as error Mikhail Lobanov (2): RDMA/cxgb4: Added NULL check for lookup_atid drbd: Add NULL check for net_conf to prevent dereference in state validation Minjie Du (1): wifi: ath9k: fix parameter check in ath9k_init_debug() Mirsad Todorovac (1): mtd: slram: insert break after errors in parsing the map Mohamed Khalfella (1): igb: Do not bring the device up after non-fatal error Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Neal Cardwell (1): tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe NeilBrown (1): nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Nico Boehr (1): KVM: s390: gaccess: Check if guest address is in memslot Nikita Zhandarovich (3): drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets f2fs: prevent possible int overflow in dir_block_index() f2fs: avoid potential int overflow in sanity_check_area_boundary() Nikolay Kuratov (1): drm/vmwgfx: Handle surface check failure correctly Nuno Sa (1): Input: adp5589-keys - fix adp5589_gpio_get_value() OGAWA Hirofumi (1): fat: fix uninitialized variable Oleg Nesterov (1): uprobes: fix kernel info leak via "[uprobes]" vma Oliver Neukum (6): USB: appledisplay: close race between probe and completion handler USB: misc: cypress_cy7c63: check for short transfer USB: misc: yurex: fix race between read and write CDC-NCM: avoid overflow in sanity checking Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" net: usb: usbnet: fix name regression Pablo Neira Ayuso (3): netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire gtp: allow -1 to be specified as file description from userspace netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Paul Moore (1): selinux: improve error checking in sel_write_load() Paulo Miguel Almeida (2): drm/amdgpu: Replace one-element array with flexible-array member drm/radeon: Replace one-element array with flexible-array member Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Pedro Tammela (1): net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pei Xiao (1): ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Phil Edworthy (1): clk: Add (devm_)clk_get_optional() functions Phil Sutter (1): netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Prashant Malani (1): r8152: Factor out OOB link list waits Qiu-ji Chen (1): drbd: Fix atomicity violation in drbd_uuid_set_bm() Quentin Schulz (1): arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Rafael J. Wysocki (1): ACPI: EC: Do not release locks during operation region accesses Remington Brasga (1): jfs: UBSAN: shift-out-of-bounds in dbFindBits Rob Clark (2): kthread: add kthread_work tracepoints drm/crtc: fix uninitialized variable use even harder Robert Hancock (1): i2c: xiic: Wait for TX empty to avoid missed TX NAKs Rosen Penev (1): net: ibm: emac: mal: fix wrong goto Ryusuke Konishi (7): nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() nilfs2: determine empty node blocks as corrupted nilfs2: fix potential oob read in nilfs_btree_check_delete() nilfs2: propagate directory read errors from nilfs_find_entry() nilfs2: fix kernel bug due to missing clearing of buffer delay flag nilfs2: fix potential deadlock with newly created symlinks nilfs2: fix kernel bug due to missing clearing of checked flag Sabrina Dubroca (2): macsec: don't increment counters for an unrelated SA xfrm: validate new SA's prefixlen using SA family when sel.family is unset Samasth Norway Ananda (2): selftests/vm: remove call to ksft_set_plan() selftests/kcmp: remove call to ksft_set_plan() Saravanan Vajravel (1): RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Sean Anderson (3): net: dpaa: Pad packets to ETH_ZLEN PCI: xilinx-nwl: Fix register misspelling PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler Sean Paul (1): drm: Move drm_mode_setcrtc() local re-init to failure path Sebastian Reichel (1): clk: rockchip: fix error for unknown clocks Selvarasu Ganesan (1): usb: dwc3: core: Stop processing of pending events if controller is halted Sherry Yang (1): drm/msm: fix %s null argument error Shubham Panwar (1): ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Simon Horman (3): netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS tipc: guard against string buffer overrun net: mvpp2: Increase size of queue_name buffer Srinivasan Shanmugam (1): drm/amd/display: Fix index out of bounds in degamma hardware format translation Stefan Wahren (1): mailbox: bcm2835: Fix timeout during suspend mode Steven Rostedt (Google) (1): tracing: Remove precision vsnprintf() check from print event Suzuki K Poulose (1): coresight: tmc: sg: Do not leak sg_table Takashi Iwai (5): ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin ALSA: asihpi: Fix potential OOB array access ALSA: hdsp: Break infinite MIDI input flush loop parport: Proper fix for array out-of-bounds access Tao Chen (1): bpf: Check percpu map value size first Tetsuo Handa (1): tomoyo: fallback to realpath if symlink's pathname does not exist Thadeu Lima de Souza Cascardo (4): ext4: return error on ext4_find_inline_entry ext4: avoid OOB when system.data xattr changes underneath the filesystem ext4: ext4_search_dir should return a proper error usb: typec: altmode should keep reference to parent Theodore Ts'o (1): ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path Thomas Blocher (1): pinctrl: at91: make it work with current gpiolib Thomas Gleixner (2): PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() signal: Replace BUG_ON()s Thomas Richter (1): s390/cpum_sf: Remove WARN_ON_ONCE statements Thomas Weißschuh (2): ACPI: sysfs: validate return type of _STR method s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Toke Høiland-Jørgensen (2): wifi: ath9k: Remove error checks when creating debugfs entries wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Tommy Huang (1): i2c: aspeed: Update the stop sw state when the bus recovery occurs Tony Ambardar (1): selftests/bpf: Fix error compiling test_lru_map.c Uwe Kleine-König (3): clk: generalize devm_clk_get() a bit clk: Provide new devm_clk helpers for prepared and enabled clocks clk: Fix pointer casting to prevent oops in devm_clk_release() Ville Syrjälä (1): wifi: iwlegacy: Clear stale interrupts before resuming device Vladimir Lypak (2): drm/msm/a5xx: properly clear preemption records on resume drm/msm/a5xx: fix races in preemption evaluation stage Wade Wang (1): HID: plantronics: Workaround for an unexcepted opposite volume key Wang Hai (4): net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() net: systemport: fix potential memory leak in bcm_sysport_xmit() net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() be2net: fix potential memory leak in be_xmit() Wang Jianzheng (1): pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function WangYuli (1): PCI: Add function 0 DMA alias quirk for Glenfly Arise chip Wojciech Gładysz (1): ext4: nested locking for xattr inode Wolfram Sang (1): ipmi: docs: don't advertise deprecated sysfs entries Xin Long (2): sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start net: support ip generic csum processing in skb_csum_hwoffload_help Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Xiu Jianfeng (1): cgroup: Fix potential overflow issue when checking max_depth Xiubo Li (1): ceph: remove the incorrect Fw reference check when dirtying pages Xu Yang (1): usb: chipidea: udc: enable suspend interrupt after usb reset Yang Jihong (2): perf sched timehist: Fix missing free of session in perf_sched__timehist() perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time Yang Yingliang (1): pinctrl: single: fix missing error code in pcs_probe() Ye Bin (1): Bluetooth: bnep: fix wild-memory-access in proto_unregister Yifei Liu (1): selftests: breakpoints: use remaining time to check if suspend succeed Yonggil Song (1): f2fs: fix typo Youssef Samir (1): net: qrtr: Update packets cloning when broadcasting Yu Chen (1): usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc Yu Kuai (3): block, bfq: fix possible UAF for bfqq->bic with merge chain block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() block, bfq: don't break merge chain in bfq_split_bfqq() Yunke Cao (1): media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() Yuntao Liu (1): hwmon: (ntc_thermistor) fix module autoloading Zhang Rui (1): x86/apic: Always explicitly disarm TSC-deadline timer Zhao Mengmeng (1): jfs: Fix uninit-value access of new_ea in ea_buffer Zheng Wang (1): media: venus: fix use after free bug in venus_remove due to race condition Zhu Jun (1): tools/iio: Add memory allocation failure check for trigger_name Zhu Yanjun (1): RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency Zijun Hu (2): driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou (1): usbip: tools: Fix detach_port() invalid port error path j.nixdorf(a)avm.de (1): net: ipv6: ensure we call ipv6_mc_down() at most once junhua huang (2): arm64:uprobe fix the uprobe SWBP_INSN in big-endian arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning yangerkun (1): ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard zhanchengbin (1): ext4: fix inode tree inconsistency caused by ENOMEM

7 months, 2 weeks

1
1
0 0

patch "iio: accel: kx022a: Fix raw read format" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: accel: kx022a: Fix raw read format to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. From b7d2bc99b3bdc03fff9b416dd830632346d83530 Mon Sep 17 00:00:00 2001 From: Matti Vaittinen <mazziesaccount(a)gmail.com> Date: Wed, 30 Oct 2024 15:16:11 +0200 Subject: iio: accel: kx022a: Fix raw read format The KX022A provides the accelerometer data in two subsequent registers. The registers are laid out so that the value obtained via bulk-read of these registers can be interpreted as signed 16-bit little endian value. The read value is converted to cpu_endianes and stored into 32bit integer. The le16_to_cpu() casts value to unsigned 16-bit value, and when this is assigned to 32-bit integer the resulting value will always be positive. This has not been a problem to users (at least not all users) of the sysfs interface, who know the data format based on the scan info and who have converted the read value back to 16-bit signed value. This isn't compliant with the ABI however. This, however, will be a problem for those who use the in-kernel interfaces, especially the iio_read_channel_processed_scale(). The iio_read_channel_processed_scale() performs multiplications to the returned (always positive) raw value, which will cause strange results when the data from the sensor has been negative. Fix the read_raw format by casting the result of the le_to_cpu() to signed 16-bit value before assigning it to the integer. This will make the negative readings to be correctly reported as negative. This fix will be visible to users by changing values returned via sysfs to appear in correct (negative) format. Reported-by: Kalle Niemi <kaleposti(a)gmail.com> Fixes: 7c1d1677b322 ("iio: accel: Support Kionix/ROHM KX022A accelerometer") Signed-off-by: Matti Vaittinen <mazziesaccount(a)gmail.com> Tested-by: Kalle Niemi <kaleposti(a)gmail.com> Cc: <Stable(a)vger.kernel.org> Link: https://patch.msgid.link/ZyIxm_zamZfIGrnB@mva-rohm Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/accel/kionix-kx022a.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/accel/kionix-kx022a.c b/drivers/iio/accel/kionix-kx022a.c index 53d59a04ae15..b6a828a6df93 100644 --- a/drivers/iio/accel/kionix-kx022a.c +++ b/drivers/iio/accel/kionix-kx022a.c @@ -594,7 +594,7 @@ static int kx022a_get_axis(struct kx022a_data *data, if (ret) return ret; - *val = le16_to_cpu(data->buffer[0]); + *val = (s16)le16_to_cpu(data->buffer[0]); return IIO_VAL_INT; } -- 2.47.0

7 months, 2 weeks

1
0
0 0

patch "iio: accel: kx022a: Fix raw read format" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: accel: kx022a: Fix raw read format to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. From b7d2bc99b3bdc03fff9b416dd830632346d83530 Mon Sep 17 00:00:00 2001 From: Matti Vaittinen <mazziesaccount(a)gmail.com> Date: Wed, 30 Oct 2024 15:16:11 +0200 Subject: iio: accel: kx022a: Fix raw read format The KX022A provides the accelerometer data in two subsequent registers. The registers are laid out so that the value obtained via bulk-read of these registers can be interpreted as signed 16-bit little endian value. The read value is converted to cpu_endianes and stored into 32bit integer. The le16_to_cpu() casts value to unsigned 16-bit value, and when this is assigned to 32-bit integer the resulting value will always be positive. This has not been a problem to users (at least not all users) of the sysfs interface, who know the data format based on the scan info and who have converted the read value back to 16-bit signed value. This isn't compliant with the ABI however. This, however, will be a problem for those who use the in-kernel interfaces, especially the iio_read_channel_processed_scale(). The iio_read_channel_processed_scale() performs multiplications to the returned (always positive) raw value, which will cause strange results when the data from the sensor has been negative. Fix the read_raw format by casting the result of the le_to_cpu() to signed 16-bit value before assigning it to the integer. This will make the negative readings to be correctly reported as negative. This fix will be visible to users by changing values returned via sysfs to appear in correct (negative) format. Reported-by: Kalle Niemi <kaleposti(a)gmail.com> Fixes: 7c1d1677b322 ("iio: accel: Support Kionix/ROHM KX022A accelerometer") Signed-off-by: Matti Vaittinen <mazziesaccount(a)gmail.com> Tested-by: Kalle Niemi <kaleposti(a)gmail.com> Cc: <Stable(a)vger.kernel.org> Link: https://patch.msgid.link/ZyIxm_zamZfIGrnB@mva-rohm Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/accel/kionix-kx022a.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/accel/kionix-kx022a.c b/drivers/iio/accel/kionix-kx022a.c index 53d59a04ae15..b6a828a6df93 100644 --- a/drivers/iio/accel/kionix-kx022a.c +++ b/drivers/iio/accel/kionix-kx022a.c @@ -594,7 +594,7 @@ static int kx022a_get_axis(struct kx022a_data *data, if (ret) return ret; - *val = le16_to_cpu(data->buffer[0]); + *val = (s16)le16_to_cpu(data->buffer[0]); return IIO_VAL_INT; } -- 2.47.0

7 months, 2 weeks

1
0
0 0

[PATCH 6.1 000/126] 6.1.116-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.116 release. There are 126 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 08 Nov 2024 12:02:47 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.116-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.116-rc1 Huang Ying <ying.huang(a)intel.com> migrate_pages_batch: fix statistics for longterm pin retry Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid gcc complaint about pointer casting Jeongjun Park <aha310510(a)gmail.com> vt: prevent kernel-infoleak in con_font_get() Alex Hung <alex.hung(a)amd.com> drm/amd/display: Skip on writeback when it's not applicable Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing Michael Walle <mwalle(a)kernel.org> mtd: spi-nor: winbond: fix w25q128 regression Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix build errors due to backported TIMENS Jeongjun Park <aha310510(a)gmail.com> mm: shmem: fix data-race in shmem_getattr() Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: fix 6 GHz scan construction Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of checked flag Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: mac80211: fix NULL dereference at band check in starting tx ba session Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bugs: Use code segment selector for VERW operand Pavel Begunkov <asml.silence(a)gmail.com> io_uring: always lock __io_cqring_overflow_flush Gregory Price <gourry(a)gourry.net> vmscan,migrate: fix page count imbalance on node stats when demoting pages Huang Ying <ying.huang(a)intel.com> migrate_pages: split unmap_and_move() to _unmap() and _move() Huang Ying <ying.huang(a)intel.com> migrate_pages: restrict number of pages to migrate in batch Huang Ying <ying.huang(a)intel.com> migrate_pages: separate hugetlb folios migration Huang Ying <ying.huang(a)intel.com> migrate_pages: organize stats with struct migrate_pages_stats Yang Li <yang.lee(a)linux.alibaba.com> mm/migrate.c: stop using 0 as NULL pointer Huang Ying <ying.huang(a)intel.com> migrate: convert migrate_pages() to use folios Huang Ying <ying.huang(a)intel.com> migrate: convert unmap_and_move() to use folios Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: migrate: try again if THP split is failed due to page refcnt Jens Axboe <axboe(a)kernel.dk> io_uring/rw: fix missing NOWAIT check for O_DIRECT start write Amir Goldstein <amir73il(a)gmail.com> io_uring: use kiocb_{start,end}_write() helpers Amir Goldstein <amir73il(a)gmail.com> fs: create kiocb_{start,end}_write() helpers Amir Goldstein <amir73il(a)gmail.com> io_uring: rename kiocb_end_write() local helper Andrey Konovalov <andreyknvl(a)gmail.com> kasan: remove vmalloc_percpu test Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> nvmet-auth: assign dh_key to NULL after kfree_sensitive Christoffer Sandberg <cs(a)tuxedo.de> ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 Matt Johnston <matt(a)codeconstruct.com.au> mctp i2c: handle NULL header address Edward Adam Davis <eadavis(a)qq.com> ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Matt Fleming <mfleming(a)cloudflare.com> mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Mel Gorman <mgorman(a)techsingularity.net> mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves Mel Gorman <mgorman(a)techsingularity.net> mm/page_alloc: explicitly define what alloc flags deplete min reserves Mel Gorman <mgorman(a)techsingularity.net> mm/page_alloc: explicitly record high-order atomic allocations in alloc_flags Mel Gorman <mgorman(a)techsingularity.net> mm/page_alloc: treat RT tasks similar to __GFP_HIGH Mel Gorman <mgorman(a)techsingularity.net> mm/page_alloc: rename ALLOC_HIGH to ALLOC_MIN_RESERVE Dan Williams <dan.j.williams(a)intel.com> cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() Dan Williams <dan.j.williams(a)intel.com> cxl/acpi: Move rescan to the workqueue Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: Remove duplicated GET_RM Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: Remove unused GENERATING_ASM_OFFSETS WangYuli <wangyuli(a)uniontech.com> riscv: Use '%u' to format the output of 'cpu' Heinrich Schuchardt <heinrich.schuchardt(a)canonical.com> riscv: efi: Set NX compat flag in PE/COFF header Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Limit internal Mic boost on Dell platform Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: vdso: Prevent the compiler from inserting calls to memset() Chen Ridong <chenridong(a)huawei.com> cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction Xinyu Zhang <xizhang(a)purestorage.com> block: fix sanity checks in blk_rq_map_user_bvec Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential deadlock with newly created symlinks Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix microlux value calculation Zicheng Qu <quzicheng(a)huawei.com> iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Zicheng Qu <quzicheng(a)huawei.com> staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Ville Syrjälä <ville.syrjala(a)linux.intel.com> wifi: iwlegacy: Clear stale interrupts before resuming device Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: clear wdev->cqm_config pointer on free Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com> wifi: ath10k: Fix memory leak in management tx Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "driver core: Fix uevent_show() vs driver detach race" Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Use pm_runtime_get to prevent RPM on unsupported systems Faisal Hassan <quic_faisalh(a)quicinc.com> xhci: Fix Link TRB DMA in command ring stopped completion event Javier Carrasco <javier.carrasco.cruz(a)gmail.com> usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() Zijun Hu <quic_zijuhu(a)quicinc.com> usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou <zhouzongmin(a)kylinos.cn> usbip: tools: Fix detach_port() invalid port error path Jan Schär <jan(a)jschaer.ch> ALSA: usb-audio: Add quirks for Dell WD19 dock Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix "task hung" problem Andrey Konovalov <andreyknvl(a)gmail.com> usb: gadget: dummy_hcd: execute hrtimer callback in softirq context Marcello Sylvester Bauer <sylv(a)sylv.io> usb: gadget: dummy_hcd: Set transfer interval to 1 microframe Marcello Sylvester Bauer <sylv(a)sylv.io> usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler Dimitri Sivanich <sivanich(a)hpe.com> misc: sgi-gru: Don't disable preemption in GRU driver Dai Ngo <dai.ngo(a)oracle.com> NFS: remove revoked delegation from server's delegation list Daniel Palmer <daniel(a)0x0f.com> net: amd: mvme147: Fix probe banner message Benjamin Marzinski <bmarzins(a)redhat.com> scsi: scsi_transport_fc: Allow setting rport state to current state Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Additional check in ni_clear() Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix possible deadlock in mi_read Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Stale inode instead of bad Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix warning possible deadlock in ntfs_set_state Andrew Ballance <andrewjballance(a)gmail.com> fs/ntfs3: Check if more than chunk-size bytes are written Pierre Gondois <pierre.gondois(a)arm.com> ACPI: CPPC: Make rmw_lock a raw_spin_lock David Howells <dhowells(a)redhat.com> afs: Fix missing subdir edit when renamed between parent dirs David Howells <dhowells(a)redhat.com> afs: Automatically generate trace tag enums Xiongfeng Wang <wangxiongfeng2(a)huawei.com> firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Marco Elver <elver(a)google.com> kasan: Fix Software Tag-Based KASAN with GCC Miguel Ojeda <ojeda(a)kernel.org> compiler-gcc: remove attribute support check for `__no_sanitize_address__` Miguel Ojeda <ojeda(a)kernel.org> compiler-gcc: be consistent with underscores use for `no_sanitize` Christoph Hellwig <hch(a)lst.de> iomap: turn iomap_want_unshare_iter into an inline function Darrick J. Wong <djwong(a)kernel.org> fsdax: dax_unshare_iter needs to copy entire blocks Darrick J. Wong <djwong(a)kernel.org> fsdax: remove zeroing code from dax_unshare_iter Darrick J. Wong <djwong(a)kernel.org> iomap: share iomap_unshare_iter predicate code with fsdax Darrick J. Wong <djwong(a)kernel.org> iomap: don't bother unsharing delalloc extents Christoph Hellwig <hch(a)lst.de> iomap: improve shared block detection in iomap_unshare_iter Darrick J. Wong <djwong(a)kernel.org> iomap: convert iomap_unshare_iter to use large folios Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_ipip: Rename Spectrum-2 ip6gre operations Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_router: Add support for double entry RIFs Amit Cohen <amcohen(a)nvidia.com> mlxsw: spectrum_ptp: Add missing verification before pushing Tx header Benoît Monin <benoit.monin(a)gmx.fr> net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Sungwoo Kim <iam(a)sung-woo.kim> Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Eric Dumazet <edumazet(a)google.com> netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() Dong Chenchen <dongchenchen2(a)huawei.com> netfilter: Fix use-after-free in get_info() Byeonguk Jeong <jungbu2855(a)gmail.com> bpf: Fix out-of-bounds write in trie_get_next_key() Zichen Xie <zichenxie0106(a)gmail.com> netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Pedro Tammela <pctammela(a)mojatatu.com> net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pablo Neira Ayuso <pablo(a)netfilter.org> gtp: allow -1 to be specified as file description from userspace Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Wander Lairson Costa <wander(a)redhat.com> igb: Disable threaded IRQ for igb_msix_other Furong Xu <0x1207(a)gmail.com> net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Jianbo Liu <jianbol(a)nvidia.com> macsec: Fix use-after-free while sending the offloading packet Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Daniel Gabay <daniel.gabay(a)intel.com> wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: synchronize the qp-handle table array Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Leon Romanovsky <leon(a)kernel.org> RDMA/cxgb4: Dump vendor specific QP details Geert Uytterhoeven <geert(a)linux-m68k.org> wifi: brcm80211: BRCM_TRACING should depend on TRACING Remi Pommarel <repk(a)triplefau.lt> wifi: ath11k: Fix invalid ring usage in full monitor mode Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Geert Uytterhoeven <geert(a)linux-m68k.org> mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Ben Hutchings <ben(a)decadent.org.uk> wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Xiu Jianfeng <xiujianfeng(a)huawei.com> cgroup: Fix potential overflow issue when checking max_depth Alexander Gordeev <agordeev(a)linux.ibm.com> fs/proc/kcore.c: allow translation of physical memory addresses Lorenzo Stoakes <lstoakes(a)gmail.com> fs/proc/kcore: reinstate bounce buffer for KCORE_TEXT regions Lorenzo Stoakes <lstoakes(a)gmail.com> fs/proc/kcore: convert read_kcore() to read_kcore_iter() Lorenzo Stoakes <lstoakes(a)gmail.com> fs/proc/kcore: avoid bounce buffer for ktext data Kefeng Wang <wangkefeng.wang(a)huawei.com> mm: remove kern_addr_valid() completely Donet Tom <donettom(a)linux.ibm.com> selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Miquel Sabaté Solà <mikisabate(a)gmail.com> cpufreq: Avoid a bad reference count on CPU node Hector Martin <marcan(a)marcan.st> cpufreq: Generalize of_perf_domain_get_sharing_cpumask phandle format ------------- Diffstat: Makefile | 4 +- arch/alpha/include/asm/pgtable.h | 2 - arch/arc/include/asm/pgtable-bits-arcv2.h | 2 - arch/arm/include/asm/pgtable-nommu.h | 2 - arch/arm/include/asm/pgtable.h | 4 - arch/arm64/include/asm/pgtable.h | 2 - arch/arm64/mm/mmu.c | 47 -- arch/arm64/mm/pageattr.c | 3 +- arch/csky/include/asm/pgtable.h | 3 - arch/hexagon/include/asm/page.h | 7 - arch/ia64/include/asm/pgtable.h | 16 - arch/loongarch/include/asm/pgtable.h | 2 - arch/loongarch/kernel/vdso.c | 28 +- arch/m68k/include/asm/pgtable_mm.h | 2 - arch/m68k/include/asm/pgtable_no.h | 1 - arch/microblaze/include/asm/pgtable.h | 3 - arch/mips/include/asm/pgtable.h | 2 - arch/nios2/include/asm/pgtable.h | 2 - arch/openrisc/include/asm/pgtable.h | 2 - arch/parisc/include/asm/pgtable.h | 15 - arch/powerpc/include/asm/pgtable.h | 7 - arch/riscv/include/asm/pgtable.h | 2 - arch/riscv/kernel/asm-offsets.c | 2 - arch/riscv/kernel/cpu-hotplug.c | 2 +- arch/riscv/kernel/efi-header.S | 2 +- arch/riscv/kernel/traps_misaligned.c | 2 - arch/riscv/kernel/vdso/Makefile | 1 + arch/s390/include/asm/io.h | 2 + arch/s390/include/asm/pgtable.h | 2 - arch/sh/include/asm/pgtable.h | 2 - arch/sparc/include/asm/pgtable_32.h | 6 - arch/sparc/mm/init_32.c | 3 +- arch/sparc/mm/init_64.c | 1 - arch/um/include/asm/pgtable.h | 2 - arch/x86/include/asm/nospec-branch.h | 11 +- arch/x86/include/asm/pgtable_32.h | 9 - arch/x86/include/asm/pgtable_64.h | 1 - arch/x86/mm/init_64.c | 41 -- arch/xtensa/include/asm/pgtable.h | 2 - block/blk-map.c | 4 +- drivers/acpi/cppc_acpi.c | 9 +- drivers/base/core.c | 13 +- drivers/base/module.c | 4 - drivers/cpufreq/mediatek-cpufreq-hw.c | 14 +- drivers/cxl/acpi.c | 17 +- drivers/cxl/core/port.c | 26 +- drivers/cxl/cxl.h | 3 +- drivers/firmware/arm_sdei.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 + drivers/iio/adc/ad7124.c | 2 +- drivers/iio/light/veml6030.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 13 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 + drivers/infiniband/hw/cxgb4/provider.c | 1 + drivers/infiniband/hw/mlx5/qp.c | 4 +- drivers/misc/sgi-gru/grukservices.c | 2 - drivers/misc/sgi-gru/grumain.c | 4 - drivers/misc/sgi-gru/grutlbpurge.c | 2 - drivers/mtd/spi-nor/winbond.c | 7 +- drivers/net/ethernet/amd/mvme147.c | 7 +- drivers/net/ethernet/intel/igb/igb_main.c | 2 +- .../net/ethernet/mellanox/mlxsw/spectrum_ipip.c | 119 ++-- .../net/ethernet/mellanox/mlxsw/spectrum_ipip.h | 1 + drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c | 7 + .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 +- drivers/net/gtp.c | 22 +- drivers/net/macsec.c | 3 +- drivers/net/mctp/mctp-i2c.c | 3 + drivers/net/netdevsim/fib.c | 4 +- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 + drivers/net/wireless/ath/ath11k/dp_rx.c | 7 +- drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 + drivers/net/wireless/intel/iwlegacy/common.c | 15 +- drivers/net/wireless/intel/iwlegacy/common.h | 12 + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 3 +- drivers/nvme/target/auth.c | 1 + drivers/scsi/scsi_transport_fc.c | 4 +- drivers/staging/iio/frequency/ad9832.c | 7 +- drivers/tty/vt/vt.c | 2 +- drivers/usb/gadget/udc/dummy_hcd.c | 57 +- drivers/usb/host/xhci-pci.c | 6 +- drivers/usb/host/xhci-ring.c | 16 +- drivers/usb/phy/phy.c | 2 +- drivers/usb/typec/class.c | 1 + fs/afs/dir.c | 25 + fs/afs/dir_edit.c | 91 ++- fs/afs/internal.h | 2 + fs/dax.c | 49 +- fs/iomap/buffered-io.c | 31 +- fs/nfs/delegation.c | 5 + fs/nilfs2/namei.c | 3 + fs/nilfs2/page.c | 1 + fs/ntfs3/frecord.c | 4 +- fs/ntfs3/inode.c | 10 +- fs/ntfs3/lznt.c | 3 + fs/ntfs3/namei.c | 2 +- fs/ntfs3/ntfs_fs.h | 2 +- fs/ocfs2/file.c | 8 + fs/proc/kcore.c | 94 ++- include/acpi/cppc_acpi.h | 2 +- include/linux/compiler-gcc.h | 12 +- include/linux/cpufreq.h | 34 +- include/linux/fs.h | 36 ++ include/linux/iomap.h | 19 + include/linux/migrate.h | 1 + include/net/ip_tunnels.h | 2 +- include/trace/events/afs.h | 240 +------ io_uring/io_uring.c | 11 +- io_uring/rw.c | 52 +- kernel/bpf/cgroup.c | 19 +- kernel/bpf/lpm_trie.c | 2 +- kernel/cgroup/cgroup.c | 4 +- mm/huge_memory.c | 4 +- mm/internal.h | 13 +- mm/kasan/kasan_test.c | 27 - mm/migrate.c | 690 ++++++++++++++------- mm/page_alloc.c | 95 ++- mm/shmem.c | 2 + net/bluetooth/hci_sync.c | 18 +- net/core/dev.c | 4 + net/ipv6/netfilter/nf_reject_ipv6.c | 15 +- net/mac80211/Kconfig | 2 +- net/mac80211/agg-tx.c | 4 +- net/mac80211/cfg.c | 3 +- net/mac80211/key.c | 42 +- net/netfilter/nft_payload.c | 3 + net/netfilter/x_tables.c | 2 +- net/sched/sch_api.c | 2 +- net/wireless/core.c | 1 + sound/pci/hda/patch_realtek.c | 22 +- sound/soc/codecs/cs42l51.c | 7 +- sound/usb/mixer_quirks.c | 3 + tools/testing/selftests/vm/hmm-tests.c | 2 +- tools/usb/usbip/src/usbip_detach.c | 1 + 139 files changed, 1453 insertions(+), 1027 deletions(-)

7 months, 2 weeks

12
137
0 0

[PATCH] iommu/dma: Reserve iova ranges for reserved regions of all devices

by Jerry Snitselaar

Only the first device that is passed when the domain is set up will have its reserved regions reserved in the iova address space. So if there are other devices in the group with unique reserved regions, those regions will not get reserved in the iova address space. All of the ranges do get set up in the iopagetables via calls to iommu_create_device_direct_mappings for all devices in a group. In the case of vt-d system this resulted in messages like the following: [ 1632.693264] DMAR: ERROR: DMA PTE for vPFN 0xf1f7e already set (to f1f7e003 not 173025001) To make sure iova ranges are reserved for the reserved regions all of the devices, call iova_reserve_iommu_regions in iommu_dma_init_domain prior to exiting in the case where the domain is already initialized. Cc: Robin Murphy <robin.murphy(a)arm.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: Will Deacon <will(a)kernel.org> Cc: linux-kernel(a)vger.kernel.org Cc: stable(a)vger.kernel.org Fixes: 7c1b058c8b5a ("iommu/dma: Handle IOMMU API reserved regions") Signed-off-by: Jerry Snitselaar <jsnitsel(a)redhat.com> --- Robin: I wasn't positive if this is the correct solution, or if it should be done for the entire group at once. drivers/iommu/dma-iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 2a9fa0c8cc00..5fd3cccbb233 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -707,7 +707,7 @@ static int iommu_dma_init_domain(struct iommu_domain *domain, struct device *dev goto done_unlock; } - ret = 0; + ret = iova_reserve_iommu_regions(dev, domain); goto done_unlock; } -- 2.44.0

7 months, 2 weeks

2
2
0 0

[PATCH 1/2 net V3] net: vertexcom: mse102x: Fix possible double free of TX skb

by Stefan Wahren

The scope of the TX skb is wider than just mse102x_tx_frame_spi(), so in case the TX skb room needs to be expanded, we should free the the temporary skb instead of the original skb. Otherwise the original TX skb pointer would be freed again in mse102x_tx_work(), which leads to crashes: Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23 Hardware name: chargebyte Charge SOM DC-ONE (DT) Workqueue: events mse102x_tx_work [mse102x] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_release_data+0xb8/0x1d8 lr : skb_release_data+0x1ac/0x1d8 sp : ffff8000819a3cc0 x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0 x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50 x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000 x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8 x8 : fffffc00001bc008 x7 : 0000000000000000 x6 : 0000000000000008 x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009 x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000 Call trace: skb_release_data+0xb8/0x1d8 kfree_skb_reason+0x48/0xb0 mse102x_tx_work+0x164/0x35c [mse102x] process_one_work+0x138/0x260 worker_thread+0x32c/0x438 kthread+0x118/0x11c ret_from_fork+0x10/0x20 Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660) Cc: stable(a)vger.kernel.org Fixes: 2f207cbf0dd4 ("net: vertexcom: Add MSE102x SPI support") Signed-off-by: Stefan Wahren <wahrenst(a)gmx.net> --- drivers/net/ethernet/vertexcom/mse102x.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/vertexcom/mse102x.c b/drivers/net/ethernet/vertexcom/mse102x.c index a04d4073def9..2c37957478fb 100644 --- a/drivers/net/ethernet/vertexcom/mse102x.c +++ b/drivers/net/ethernet/vertexcom/mse102x.c @@ -222,7 +222,7 @@ static int mse102x_tx_frame_spi(struct mse102x_net *mse, struct sk_buff *txp, struct mse102x_net_spi *mses = to_mse102x_spi(mse); struct spi_transfer *xfer = &mses->spi_xfer; struct spi_message *msg = &mses->spi_msg; - struct sk_buff *tskb; + struct sk_buff *tskb = NULL; int ret; netif_dbg(mse, tx_queued, mse->ndev, "%s: skb %p, %d@%p\n", @@ -235,7 +235,6 @@ static int mse102x_tx_frame_spi(struct mse102x_net *mse, struct sk_buff *txp, if (!tskb) return -ENOMEM; - dev_kfree_skb(txp); txp = tskb; } @@ -257,6 +256,8 @@ static int mse102x_tx_frame_spi(struct mse102x_net *mse, struct sk_buff *txp, mse->stats.xfer_err++; } + dev_kfree_skb(tskb); + return ret; } -- 2.34.1

7 months, 2 weeks

1
0
0 0

[PATCH 6.1 resend] Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link"

by Fedor Pchelkin

This reverts commit 7c887efda1201110211fed8921a92a713e0b6bcd which is commit 8151a6c13111b465dbabe07c19f572f7cbd16fef upstream. It is a duplicate of the change made in 6.1.105 by commit 282f0a482ee6 ("drm/amd/display: Skip Recompute DSC Params if no Stream on Link"). This is a consequence of two different upstream commits performing the exact same change and one of which has been cherry-picked. No point to keep it in the stable branch. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool. Reported-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Dropped from other stables by Jonathan Gray https://lore.kernel.org/stable/20241007035711.46624-1-jsg@jsg.id.au/T/#u drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 1acef5f3838f..855cd71f636f 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -1255,9 +1255,6 @@ static bool is_dsc_need_re_compute( } } - if (new_stream_on_link_num == 0) - return false; - if (new_stream_on_link_num == 0) return false; -- 2.39.5

7 months, 2 weeks

1
0
0 0

[PATCH 0/1] On DRM -> stable process

by Fedor Pchelkin

Hi all, I'm writing as a bystander working with 6.1.y stable branch and possibly lacking some context with the established DRM -> stable patch flow, Cc'ing a large number of people. The commit being reverted from 6.1.y is the one that duplicates the changes already backported to that branch with another commit. It is essentially a "similar" commit but cherry-picked at some point during the DRM development process. The duplicate has no runtime effect but should not actually remain in the stable trees. It was already reverted [1] from 6.6/6.10/6.11 but still made its way later to 6.1. [1]: https://lore.kernel.org/stable/20241007035711.46624-1-jsg@jsg.id.au/T/#u At [1] Greg KH also stated that the observed problems are quite common while backporting DRM patches to stable trees. The current duplicate patch has in every sense a cosmetic impact but in other circumstances and for other patches this may have gone wrong. So, is there any way to adjust this process? BTW, a question to the stable-team: what Git magic (3-way-merge?) let the duplicate patch be applied successfully? The patch context in stable trees was different to that moment so should the duplicate have been expected to fail to be applied? -- Fedor

7 months, 2 weeks

4
8
0 0

🚀 Drive Unlimited Organic Traffic for 6 Months!

by Unlimited Organic Traffic

Hi there, Imagine unlimited organic traffic flowing to your site for 6 months—all based on the keywords you choose. With our service, we can deliver consistent traffic to help grow your online presence, all at an affordable rate! Get Started Today: https://www.1unlimitedtraffic.net/get-started/ (https://www.1unlimitedtraffic.net/get-started/) Note: Daily traffic may vary depending on your selected keywords. Don’t miss out on this opportunity to boost your website’s traffic and visibility! Cheers, Mike Plummer WhatsApp us (https://wa.link/p22nfi) Unsubscribe (https://clicks.1unlimitedtraffic.net/?na=u&nk=979918-746207ce49&nek=18-) | Manage your subscription (https://clicks.1unlimitedtraffic.net/?na=p&nk=979918-746207ce49&nek=18-) | View online (https://clicks.1unlimitedtraffic.net/?na=v&nk=979918-746207ce49&id=18) whatsapp

7 months, 2 weeks

1
0
0 0

[PATCH 6.11 000/245] 6.11.7-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.7 release. There are 245 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 08 Nov 2024 12:02:47 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.7-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.7-rc1 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: handle default profile on on devices without fullscreen 3D Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Sequential field availability check in mi_enum_attr() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/swsmu: default to fullscreen 3D profile for dGPUs Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/swsmu: fix ordering for setting workload_mask Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Write all slices if its mcr register Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Define STATELESS_COMPRESSION_CTRL as mcr register Shekhar Chauhan <shekhar.chauhan(a)intel.com> drm/xe/xe2: Add performance turning changes Akshata Jahagirdar <akshata.jahagirdar(a)intel.com> drm/xe/xe2: Introduce performance changes Sai Teja Pottumuttu <sai.teja.pottumuttu(a)intel.com> drm/xe/xe2hpg: Introduce performance tuning changes for Xe2_HPG Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe: Move enable host l2 VRAM post MCR init Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/xe2hpg: Add Wa_15016589081 Thomas Zimmermann <tzimmermann(a)suse.de> drm/xe: Support 'nomodeset' kernel command-line option Juha-Pekka Heikkila <juhapekka.heikkila(a)gmail.com> drm/i915/display: Don't enable decompression on Xe2 with Tile4 Jouni Högander <jouni.hogander(a)intel.com> drm/i915/psr: Prevent Panel Replay if CRC calculation is enabled Jani Nikula <jani.nikula(a)intel.com> drm/xe/display: drop unused rawclk_freq and RUNTIME_INFO() Jani Nikula <jani.nikula(a)intel.com> drm/i915: move rawclk from runtime to display runtime info Suraj Kandpal <suraj.kandpal(a)intel.com> drm/i915/pps: Disable DPLS_GATING around pps sequence Mitul Golani <mitulkumar.ajitkumar.golani(a)intel.com> drm/i915/display/dp: Compute AS SDP when vrr is also enabled Suraj Kandpal <suraj.kandpal(a)intel.com> drm/i915/dp: Clear VSC SDP during post ddi disable routine Suraj Kandpal <suraj.kandpal(a)intel.com> drm/i915/hdcp: Add encoder check in hdcp2_get_capability Suraj Kandpal <suraj.kandpal(a)intel.com> drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability Mitul Golani <mitulkumar.ajitkumar.golani(a)intel.com> drm/i915/display: WA for Re-initialize dispcnlunitt1 xosc clock Mitul Golani <mitulkumar.ajitkumar.golani(a)intel.com> drm/i915/display: Cache adpative sync caps to use it later Matthew Auld <matthew.auld(a)intel.com> drm/i915: disable fbc due to Wa_16023588340 Gustavo Sousa <gustavo.sousa(a)intel.com> drm/i915: Skip programming FIA link enable bits for MTL+ Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100: fix PCIe4 and PCIe6a PHY clocks Abel Vesa <abel.vesa(a)linaro.org> arm64: dts: qcom: x1e80100: Add Broadcast_AND region in LLCC block Haibo Chen <haibo.chen(a)nxp.com> arm64: dts: imx8ulp: correct the flexspi compatible string Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-crd: fix nvme regulator boot glitch Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-qcp: fix nvme regulator boot glitch Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100: fix PCIe4 interconnect Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-vivobook-s15: fix nvme regulator boot glitch Konrad Dybcio <konradybcio(a)kernel.org> arm64: dts: qcom: x1e80100: Fix up BAR spaces Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: x1e80100-yoga-slim7x: fix nvme regulator boot glitch Fabien Parent <fabien.parent(a)linaro.org> arm64: dts: qcom: msm8939: revert use of APCS mbox for RPM Conor Dooley <conor.dooley(a)microchip.com> riscv: dts: starfive: disable unused csi/camss nodes E Shattow <e(a)freeshell.de> riscv: dts: starfive: Update ethernet phy0 delay parameter values for Star64 Yu Zhao <yuzhao(a)google.com> mm: multi-gen LRU: use {ptep,pmdp}_clear_young_notify() Zhiguo Jiang <justinjiang(a)vivo.com> mm: shrink skip folio mapped by an exiting process Yu Zhao <yuzhao(a)google.com> mm: multi-gen LRU: remove MM_LEAF_OLD and MM_NONLEAF_TOTAL stats Yuanchu Xie <yuanchu(a)google.com> mm: multi-gen LRU: ignore non-leaf pmd_young for force_scan=true Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: fix regression when re-registering input handlers Vlastimil Babka <vbabka(a)suse.cz> mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes Gregory Price <gourry(a)gourry.net> vmscan,migrate: fix page count imbalance on node stats when demoting pages Johan Hovold <johan+linaro(a)kernel.org> gpiolib: fix debugfs dangling chip separator Johan Hovold <johan+linaro(a)kernel.org> gpiolib: fix debugfs newline separators Filipe Manana <fdmanana(a)suse.com> btrfs: fix defrag not merging contiguous extents due to merged extent maps Filipe Manana <fdmanana(a)suse.com> btrfs: fix extent map merging not happening for adjacent extents Jens Axboe <axboe(a)kernel.dk> io_uring/rw: fix missing NOWAIT check for O_DIRECT start write Matthew Brost <matthew.brost(a)intel.com> drm/xe: Don't short circuit TDR on jobs not started Matthew Brost <matthew.brost(a)intel.com> drm/xe: Add mmio read before GGTT invalidate Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe: Kill regs/xe_sriov_regs.h Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe: Fix register definition order in xe_regs.h Jinjie Ruan <ruanjinjie(a)huawei.com> drm/tests: hdmi: Fix memory leaks in drm_display_mode_from_cea_vic() Jinjie Ruan <ruanjinjie(a)huawei.com> drm/connector: hdmi: Fix memory leak in drm_display_mode_from_cea_vic() Jinjie Ruan <ruanjinjie(a)huawei.com> drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() Andrey Konovalov <andreyknvl(a)gmail.com> kasan: remove vmalloc_percpu test Keith Busch <kbusch(a)kernel.org> nvme: re-fix error-handling for io_uring nvme-passthrough Vitaliy Shevtsov <v.shevtsov(a)maxima.ru> nvmet-auth: assign dh_key to NULL after kfree_sensitive Christoffer Sandberg <cs(a)tuxedo.de> ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 Christoffer Sandberg <cs(a)tuxedo.de> ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 Christoph Hellwig <hch(a)lst.de> xfs: fix finding a last resort AG in xfs_filestream_pick_ag Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> accel/ivpu: Fix NOC firewall interrupt handling Zhihao Cheng <chengzhihao1(a)huawei.com> btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids() Matt Johnston <matt(a)codeconstruct.com.au> mctp i2c: handle NULL header address Gregory Price <gourry(a)gourry.net> resource,kexec: walk_system_ram_res_rev must retain resource flags Edward Adam Davis <eadavis(a)qq.com> ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Sabyrzhan Tasbolatov <snovitoll(a)gmail.com> x86/traps: move kmsan check after instrumentation_begin Gatlin Newhouse <gatlin.newhouse(a)gmail.com> x86/traps: Enable UBSAN traps on x86 Matt Fleming <mfleming(a)cloudflare.com> mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> fork: only invoke khugepaged, ksm hooks if no error Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> fork: do not invoke uffd on fork if error occurs Alexander Usyskin <alexander.usyskin(a)intel.com> mei: use kvmalloc for read buffer Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: init: protect sched with rcu_read_lock Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Lazily flush the auth session Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/smu13: fix profile reporting Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/amd/pm: Vangogh: Fix kernel memory out of bounds write Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Rollback tpm2_load_null() Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Return tpm2_sessions_init() when null key creation fails Hugh Dickins <hughd(a)google.com> iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP Benjamin Segall <bsegall(a)google.com> posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone Shawn Wang <shawnwang(a)linux.alibaba.com> sched/numa: Fix the potential null pointer dereference in task_numa_work() Dan Williams <dan.j.williams(a)intel.com> cxl/acpi: Ensure ports ready at cxl_acpi_probe() return Dan Williams <dan.j.williams(a)intel.com> cxl/port: Fix cxl_bus_rescan() vs bus_rescan_devices() Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: core: Fix another deadlock during RTC update Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: Remove duplicated GET_RM Chunyan Zhang <zhangchunyan(a)iscas.ac.cn> riscv: Remove unused GENERATING_ASM_OFFSETS WangYuli <wangyuli(a)uniontech.com> riscv: Use '%u' to format the output of 'cpu' Miquel Sabaté Solà <mikisabate(a)gmail.com> riscv: Prevent a bad reference count on CPU nodes Heinrich Schuchardt <heinrich.schuchardt(a)canonical.com> riscv: efi: Set NX compat flag in PE/COFF header Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Limit internal Mic boost on Dell platform Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: edt-ft5x06 - fix regmap leak when probe fails Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: vdso: Prevent the compiler from inserting calls to memset() Frank Li <Frank.Li(a)nxp.com> spi: spi-fsl-dspi: Fix crash when not using GPIO chip select Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: fix error propagation of split bios Qu Wenruo <wqu(a)suse.com> btrfs: merge btrfs_orig_bbio_end_io() into btrfs_bio_end_io() Richard Zhu <hongxing.zhu(a)nxp.com> phy: freescale: imx8m-pcie: Do CMN_RST just before PHY PLL lock check Chen Ridong <chenridong(a)huawei.com> cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction Xinyu Zhang <xizhang(a)purestorage.com> block: fix sanity checks in blk_rq_map_user_bvec Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9767: Fix low power mode in the SD Express process Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9767: Fix low power mode on the set clock function Dan Williams <dan.j.williams(a)intel.com> cxl/port: Fix CXL port initialization order when the subsystem is built-in Dan Williams <dan.j.williams(a)intel.com> cxl/port: Fix use-after-free, permit out-of-order decoder shutdown Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: pmic_glink: Handle GLINK intent allocation rejections Gil Fine <gil.fine(a)linux.intel.com> thunderbolt: Honor TMU requirements in the domain when setting TMU mode Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan() Conor Dooley <conor.dooley(a)microchip.com> firmware: microchip: auto-update: fix poll_complete() to not report spurious timeout errors Chen Ridong <chenridong(a)huawei.com> mm: shrinker: avoid memleak in alloc_shrinker_info Wladislav Wiebe <wladislav.kw(a)gmail.com> tools/mm: -Werror fixes in page-types/slabinfo Jeongjun Park <aha310510(a)gmail.com> mm: shmem: fix data-race in shmem_getattr() Yunhui Cui <cuiyunhui(a)bytedance.com> RISC-V: ACPI: fix early_ioremap to early_memremap Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential deadlock with newly created symlinks Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of checked flag Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: veml6030: fix microlux value calculation Jinjie Ruan <ruanjinjie(a)huawei.com> iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() Jinjie Ruan <ruanjinjie(a)huawei.com> iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() Zicheng Qu <quzicheng(a)huawei.com> iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() Julien Stephan <jstephan(a)baylibre.com> dt-bindings: iio: adc: ad7380: fix ad7380-4 reference supply Zicheng Qu <quzicheng(a)huawei.com> staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: fix 6 GHz scan construction Ville Syrjälä <ville.syrjala(a)linux.intel.com> wifi: iwlegacy: Clear stale interrupts before resuming device Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: clear wdev->cqm_config pointer on free Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com> wifi: ath10k: Fix memory leak in management tx Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Edward Liaw <edliaw(a)google.com> Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" Edward Liaw <edliaw(a)google.com> Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" Ovidiu Bunea <Ovidiu.Bunea(a)amd.com> Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "driver core: Fix uevent_show() vs driver detach race" Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Use pm_runtime_get to prevent RPM on unsupported systems Faisal Hassan <quic_faisalh(a)quicinc.com> xhci: Fix Link TRB DMA in command ring stopped completion event Johan Hovold <johan+linaro(a)kernel.org> phy: qcom: qmp-usbc: fix NULL-deref on runtime suspend Johan Hovold <johan+linaro(a)kernel.org> phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend Johan Hovold <johan+linaro(a)kernel.org> phy: qcom: qmp-usb: fix NULL-deref on runtime suspend Javier Carrasco <javier.carrasco.cruz(a)gmail.com> usb: typec: qcom-pmic-typec: fix missing fwnode removal in error path Javier Carrasco <javier.carrasco.cruz(a)gmail.com> usb: typec: qcom-pmic-typec: use fwnode_handle_put() to release fwnodes Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: tcpm: restrict SNK_WAIT_CAPABILITIES_TIMEOUT transitions to non self-powered devices Javier Carrasco <javier.carrasco.cruz(a)gmail.com> usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() Zijun Hu <quic_zijuhu(a)quicinc.com> usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou <zhouzongmin(a)kylinos.cn> usbip: tools: Fix detach_port() invalid port error path Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192du: Don't claim USB ID 0bda:8171 Jan Schär <jan(a)jschaer.ch> ALSA: usb-audio: Add quirks for Dell WD19 dock Chuck Lever <chuck.lever(a)oracle.com> rpcrdma: Always release the rpcrdma_device's xa_array Chuck Lever <chuck.lever(a)oracle.com> NFSD: Never decrement pending_async_copies on error Chuck Lever <chuck.lever(a)oracle.com> NFSD: Initialize struct nfsd4_copy earlier Dimitri Sivanich <sivanich(a)hpe.com> misc: sgi-gru: Don't disable preemption in GRU driver Dai Ngo <dai.ngo(a)oracle.com> NFS: remove revoked delegation from server's delegation list Daniel Palmer <daniel(a)0x0f.com> net: amd: mvme147: Fix probe banner message Zhang Rui <rui.zhang(a)intel.com> thermal: intel: int340x: processor: Add MMIO RAPL PL4 support Zhang Rui <rui.zhang(a)intel.com> thermal: intel: int340x: processor: Remove MMIO RAPL CPU hotplug support Sumeet Pawnikar <sumeet.r.pawnikar(a)intel.com> powercap: intel_rapl_msr: Add PL4 support for Arrowlake-U Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Fold Asus Vivobook Pro N6506M* DMI quirks together Pali Rohár <pali(a)kernel.org> cifs: Fix creating native symlinks pointing to current or parent directory Pali Rohár <pali(a)kernel.org> cifs: Improve creating native symlinks pointing to directory Benjamin Marzinski <bmarzins(a)redhat.com> scsi: scsi_transport_fc: Allow setting rport state to current state Guilherme Giacomo Simoes <trintaeoitogc(a)gmail.com> rust: device: change the from_raw() function Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Additional check in ntfs_file_release Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix general protection fault in run_is_mapped_full Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Additional check in ni_clear() Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix possible deadlock in mi_read Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Add rough attr alloc_size check Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Stale inode instead of bad Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix warning possible deadlock in ntfs_set_state Andrew Ballance <andrewjballance(a)gmail.com> fs/ntfs3: Check if more than chunk-size bytes are written lei lu <llfamsec(a)gmail.com> ntfs3: Add bounds checking to mi_enum_attr() Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Report group as timedout when we fail to properly suspend Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Fail job creation when the group is dead Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Fix firmware initialization on systems with a page size > 4k Keith Busch <kbusch(a)kernel.org> nvme: module parameter to disable pi with offsets Jason Gunthorpe <jgg(a)ziepe.ca> PCI: Fix pci_enable_acs() support for the ACS quirks Shiju Jose <shiju.jose(a)huawei.com> cxl/events: Fix Trace DRAM Event Record Dan Carpenter <dan.carpenter(a)linaro.org> drm/tegra: Fix NULL vs IS_ERR() check in probe() Dan Carpenter <dan.carpenter(a)linaro.org> drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy() Chun-Kuang Hu <chunkuang.hu(a)kernel.org> drm/mediatek: Use cmdq_pkt_create() and cmdq_pkt_destroy() Liankun Yang <liankun.yang(a)mediatek.com> drm/mediatek: Fix get efuse issue for MT8188 DPTX Hsin-Te Yuan <yuanhsinte(a)chromium.org> drm/mediatek: Fix color format MACROs in OVL Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: ovl: Remove the color format comment for ovl_fmt_convert() Paulo Alcantara <pc(a)manguebit.com> smb: client: set correct device number on nfs reparse points Paulo Alcantara <pc(a)manguebit.com> smb: client: fix parsing of device numbers Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpio: sloppy-logic-analyzer: Check for error code from devm_mutex_init() call Pierre Gondois <pierre.gondois(a)arm.com> ACPI: CPPC: Make rmw_lock a raw_spin_lock David Howells <dhowells(a)redhat.com> afs: Fix missing subdir edit when renamed between parent dirs Xiongfeng Wang <wangxiongfeng2(a)huawei.com> firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Marco Elver <elver(a)google.com> kasan: Fix Software Tag-Based KASAN with GCC Christoph Hellwig <hch(a)lst.de> iomap: turn iomap_want_unshare_iter into an inline function Darrick J. Wong <djwong(a)kernel.org> fsdax: dax_unshare_iter needs to copy entire blocks Darrick J. Wong <djwong(a)kernel.org> fsdax: remove zeroing code from dax_unshare_iter Darrick J. Wong <djwong(a)kernel.org> iomap: share iomap_unshare_iter predicate code with fsdax Darrick J. Wong <djwong(a)kernel.org> iomap: don't bother unsharing delalloc extents Christoph Hellwig <hch(a)lst.de> iomap: improve shared block detection in iomap_unshare_iter Toke Høiland-Jørgensen <toke(a)redhat.com> bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_wed: fix path of MT7988 WO firmware Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address Amit Cohen <amcohen(a)nvidia.com> mlxsw: pci: Sync Rx buffers for device Amit Cohen <amcohen(a)nvidia.com> mlxsw: pci: Sync Rx buffers for CPU Amit Cohen <amcohen(a)nvidia.com> mlxsw: spectrum_ptp: Add missing verification before pushing Tx header Benoît Monin <benoit.monin(a)gmx.fr> net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Hou Tao <houtao1(a)huawei.com> bpf: Check the validity of nr_words in bpf_iter_bits_new() Hou Tao <houtao1(a)huawei.com> bpf: Add bpf_mem_alloc_check_size() helper Hou Tao <houtao1(a)huawei.com> bpf: Free dynamically allocated bits in bpf_iter_bits_destroy() Sungwoo Kim <iam(a)sung-woo.kim> Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs Eric Dumazet <edumazet(a)google.com> netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() Dong Chenchen <dongchenchen2(a)huawei.com> netfilter: Fix use-after-free in get_info() Wang Liang <wangliang74(a)huawei.com> net: fix crash when config small gso_max_size/gso_ipv4_max_size Byeonguk Jeong <jungbu2855(a)gmail.com> bpf: Fix out-of-bounds write in trie_get_next_key() Vladimir Oltean <vladimir.oltean(a)nxp.com> net/sched: sch_api: fix xa_insert() error path in tcf_block_get_ext() Zichen Xie <zichenxie0106(a)gmail.com> netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() Eduard Zingerman <eddyz87(a)gmail.com> bpf: Force checkpoint when jmp history is too long Pedro Tammela <pctammela(a)mojatatu.com> net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pablo Neira Ayuso <pablo(a)netfilter.org> gtp: allow -1 to be specified as file description from userspace Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() Ido Schimmel <idosch(a)nvidia.com> ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Arkadiusz Kubalewski <arkadiusz.kubalewski(a)intel.com> ice: fix crash on probe for DPLL enabled E810 LOM Arkadiusz Kubalewski <arkadiusz.kubalewski(a)intel.com> ice: add callbacks for Embedded SYNC enablement on dpll pins Arkadiusz Kubalewski <arkadiusz.kubalewski(a)intel.com> dpll: add Embedded SYNC feature for a pin Wander Lairson Costa <wander(a)redhat.com> igb: Disable threaded IRQ for igb_msix_other Furong Xu <0x1207(a)gmail.com> net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data Ley Foon Tan <leyfoon.tan(a)starfivetech.com> net: stmmac: dwmac4: Fix high address display by updating reg_space[] from register values Cong Wang <cong.wang(a)bytedance.com> sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() Aleksei Vetrov <vvvvvv(a)google.com> ASoC: dapm: fix bounds checker error in dapm_widget_list_create Jianbo Liu <jianbol(a)nvidia.com> macsec: Fix use-after-free while sending the offloading packet Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> Revert "wifi: iwlwifi: remove retry loops in start" Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't add default link in fw restart flow Daniel Gabay <daniel.gabay(a)intel.com> wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mvm: really send iwl_txpower_constraints_cmd Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't leak a link on AP removal Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: synchronize the qp-handle table array Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix the usage of control path spin locks Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Leon Romanovsky <leon(a)kernel.org> RDMA/cxgb4: Dump vendor specific QP details Geert Uytterhoeven <geert(a)linux-m68k.org> wifi: brcm80211: BRCM_TRACING should depend on TRACING Ping-Ke Shih <pkshih(a)realtek.com> wifi: rtw89: pci: early chips only enable 36-bit DMA on specific PCI hosts Remi Pommarel <repk(a)triplefau.lt> wifi: ath11k: Fix invalid ring usage in full monitor mode Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Geert Uytterhoeven <geert(a)linux-m68k.org> mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Ben Hutchings <ben(a)decadent.org.uk> wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() John Garry <john.g.garry(a)oracle.com> scsi: scsi_debug: Fix do_device_access() handling of unexpected SG copy length Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Fix up the build on architectures without HAVE_KVM_STAT_SUPPORT Jiri Slaby <jirislaby(a)kernel.org> perf trace: Fix non-listed archs in the syscalltbl routines Pei Xiao <xiaopei01(a)kylinos.cn> slub/kunit: fix a WARNING due to unwrapped __kmalloc_cache_noprof Georgi Djakov <djakov(a)kernel.org> spi: geni-qcom: Fix boot warning related to pm_runtime and devres Xiu Jianfeng <xiujianfeng(a)huawei.com> cgroup: Fix potential overflow issue when checking max_depth Frank Min <Frank.Min(a)amd.com> drm/amdgpu: fix random data corruption for sdma 7 Florian Westphal <fw(a)strlen.de> lib: alloc_tag_module_unload must wait for pending kfree_rcu calls ------------- Diffstat: .../devicetree/bindings/iio/adc/adi,ad7380.yaml | 21 ++ Documentation/driver-api/dpll.rst | 21 ++ Documentation/netlink/specs/dpll.yaml | 24 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8ulp.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8939.dtsi | 2 +- .../boot/dts/qcom/x1e80100-asus-vivobook-s15.dts | 2 + arch/arm64/boot/dts/qcom/x1e80100-crd.dts | 2 + .../boot/dts/qcom/x1e80100-lenovo-yoga-slim7x.dts | 2 + arch/arm64/boot/dts/qcom/x1e80100-qcp.dts | 2 + arch/arm64/boot/dts/qcom/x1e80100.dtsi | 34 ++- arch/riscv/boot/dts/starfive/jh7110-common.dtsi | 2 - .../boot/dts/starfive/jh7110-pine64-star64.dts | 3 +- arch/riscv/kernel/acpi.c | 4 +- arch/riscv/kernel/asm-offsets.c | 2 - arch/riscv/kernel/cacheinfo.c | 7 +- arch/riscv/kernel/cpu-hotplug.c | 2 +- arch/riscv/kernel/efi-header.S | 2 +- arch/riscv/kernel/traps_misaligned.c | 2 - arch/riscv/kernel/vdso/Makefile | 1 + arch/x86/include/asm/bug.h | 12 + arch/x86/kernel/traps.c | 71 ++++- block/blk-map.c | 4 +- drivers/accel/ivpu/ivpu_debugfs.c | 9 + drivers/accel/ivpu/ivpu_hw.c | 1 + drivers/accel/ivpu/ivpu_hw.h | 1 + drivers/accel/ivpu/ivpu_hw_ip.c | 5 +- drivers/acpi/cppc_acpi.c | 9 +- drivers/acpi/resource.c | 18 +- drivers/base/core.c | 48 +++- drivers/base/module.c | 4 - drivers/char/tpm/tpm-chip.c | 10 + drivers/char/tpm/tpm-dev-common.c | 3 + drivers/char/tpm/tpm-interface.c | 6 +- drivers/char/tpm/tpm2-sessions.c | 100 ++++--- drivers/cxl/Kconfig | 1 + drivers/cxl/Makefile | 20 +- drivers/cxl/acpi.c | 7 + drivers/cxl/core/hdm.c | 50 +++- drivers/cxl/core/port.c | 13 +- drivers/cxl/core/region.c | 48 +--- drivers/cxl/core/trace.h | 17 +- drivers/cxl/cxl.h | 3 +- drivers/cxl/port.c | 17 +- drivers/dpll/dpll_netlink.c | 130 +++++++++ drivers/dpll/dpll_nl.c | 5 +- drivers/firmware/arm_sdei.c | 2 +- drivers/firmware/microchip/mpfs-auto-update.c | 42 +-- drivers/gpio/gpio-sloppy-logic-analyzer.c | 4 +- drivers/gpio/gpiolib.c | 4 +- drivers/gpu/drm/amd/amdgpu/sdma_v7_0.c | 9 +- drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 15 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 6 +- drivers/gpu/drm/i915/display/intel_alpm.c | 2 +- drivers/gpu/drm/i915/display/intel_backlight.c | 10 +- .../gpu/drm/i915/display/intel_display_device.c | 5 + .../gpu/drm/i915/display/intel_display_device.h | 2 + drivers/gpu/drm/i915/display/intel_display_power.c | 8 + .../drm/i915/display/intel_display_power_well.c | 4 +- drivers/gpu/drm/i915/display/intel_display_types.h | 1 + drivers/gpu/drm/i915/display/intel_display_wa.h | 8 + drivers/gpu/drm/i915/display/intel_dp.c | 29 +- drivers/gpu/drm/i915/display/intel_dp.h | 1 - drivers/gpu/drm/i915/display/intel_dp_aux.c | 4 +- drivers/gpu/drm/i915/display/intel_dp_hdcp.c | 11 +- drivers/gpu/drm/i915/display/intel_fbc.c | 6 + drivers/gpu/drm/i915/display/intel_hdcp.c | 7 +- drivers/gpu/drm/i915/display/intel_pps.c | 14 +- drivers/gpu/drm/i915/display/intel_psr.c | 6 + drivers/gpu/drm/i915/display/intel_tc.c | 3 + drivers/gpu/drm/i915/display/intel_vrr.c | 3 +- drivers/gpu/drm/i915/display/skl_universal_plane.c | 5 - drivers/gpu/drm/i915/intel_device_info.c | 5 - drivers/gpu/drm/i915/intel_device_info.h | 2 - drivers/gpu/drm/mediatek/mtk_crtc.c | 47 +--- drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 9 +- drivers/gpu/drm/mediatek/mtk_dp.c | 85 +++++- drivers/gpu/drm/panthor/panthor_fw.c | 4 +- drivers/gpu/drm/panthor/panthor_gem.c | 11 +- drivers/gpu/drm/panthor/panthor_mmu.c | 16 +- drivers/gpu/drm/panthor/panthor_mmu.h | 1 + drivers/gpu/drm/panthor/panthor_sched.c | 20 +- drivers/gpu/drm/tegra/drm.c | 4 +- drivers/gpu/drm/tests/drm_connector_test.c | 24 +- drivers/gpu/drm/tests/drm_hdmi_state_helper_test.c | 8 +- drivers/gpu/drm/tests/drm_kunit_helpers.c | 42 +++ drivers/gpu/drm/xe/Makefile | 1 + drivers/gpu/drm/xe/compat-i915-headers/i915_drv.h | 1 - drivers/gpu/drm/xe/display/xe_display_wa.c | 16 ++ drivers/gpu/drm/xe/regs/xe_gt_regs.h | 17 +- drivers/gpu/drm/xe/regs/xe_regs.h | 10 +- drivers/gpu/drm/xe/regs/xe_sriov_regs.h | 23 -- drivers/gpu/drm/xe/xe_device_types.h | 6 - drivers/gpu/drm/xe/xe_ggtt.c | 10 + drivers/gpu/drm/xe/xe_gt.c | 10 +- drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 2 +- drivers/gpu/drm/xe/xe_guc_submit.c | 18 +- drivers/gpu/drm/xe/xe_lmtt.c | 2 +- drivers/gpu/drm/xe/xe_module.c | 39 ++- drivers/gpu/drm/xe/xe_sriov.c | 2 +- drivers/gpu/drm/xe/xe_tuning.c | 21 +- drivers/gpu/drm/xe/xe_wa.c | 4 + drivers/iio/adc/ad7124.c | 2 +- drivers/iio/industrialio-gts-helper.c | 4 +- drivers/iio/light/veml6030.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 38 +-- drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 + drivers/infiniband/hw/cxgb4/provider.c | 1 + drivers/infiniband/hw/mlx5/qp.c | 4 +- drivers/input/input.c | 134 +++++----- drivers/input/touchscreen/edt-ft5x06.c | 19 +- drivers/misc/mei/client.c | 4 +- drivers/misc/sgi-gru/grukservices.c | 2 - drivers/misc/sgi-gru/grumain.c | 4 - drivers/misc/sgi-gru/grutlbpurge.c | 2 - drivers/mmc/host/sdhci-pci-gli.c | 38 ++- drivers/net/ethernet/amd/mvme147.c | 7 +- drivers/net/ethernet/intel/ice/ice_dpll.c | 293 ++++++++++++++++++++- drivers/net/ethernet/intel/ice/ice_dpll.h | 1 + drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 21 +- drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 1 + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- drivers/net/ethernet/mediatek/mtk_wed_wo.h | 4 +- drivers/net/ethernet/mellanox/mlxsw/pci.c | 25 +- .../net/ethernet/mellanox/mlxsw/spectrum_ipip.c | 26 +- drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c | 7 + drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c | 8 + drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h | 2 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 +- drivers/net/gtp.c | 22 +- drivers/net/macsec.c | 3 +- drivers/net/mctp/mctp-i2c.c | 3 + drivers/net/netdevsim/fib.c | 4 +- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 + drivers/net/wireless/ath/ath11k/dp_rx.c | 7 +- drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 + drivers/net/wireless/intel/iwlegacy/common.c | 15 +- drivers/net/wireless/intel/iwlegacy/common.h | 12 + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 34 ++- drivers/net/wireless/intel/iwlwifi/iwl-drv.h | 3 + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 +- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 12 +- .../net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 34 ++- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 6 +- .../net/wireless/realtek/rtlwifi/rtl8192du/sw.c | 1 - drivers/net/wireless/realtek/rtw89/pci.c | 48 +++- drivers/nvme/host/core.c | 19 +- drivers/nvme/host/ioctl.c | 7 +- drivers/nvme/target/auth.c | 1 + drivers/pci/pci.c | 14 +- drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 10 +- drivers/phy/qualcomm/phy-qcom-qmp-usb-legacy.c | 1 + drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 1 + drivers/phy/qualcomm/phy-qcom-qmp-usbc.c | 1 + drivers/powercap/intel_rapl_msr.c | 1 + drivers/scsi/scsi_debug.c | 10 +- drivers/scsi/scsi_transport_fc.c | 4 +- drivers/soc/qcom/pmic_glink.c | 25 +- drivers/spi/spi-fsl-dspi.c | 6 +- drivers/spi/spi-geni-qcom.c | 8 +- drivers/staging/iio/frequency/ad9832.c | 7 +- .../intel/int340x_thermal/processor_thermal_rapl.c | 70 ++--- drivers/thunderbolt/retimer.c | 5 +- drivers/thunderbolt/tb.c | 48 +++- drivers/ufs/core/ufshcd.c | 2 +- drivers/usb/host/xhci-pci.c | 6 +- drivers/usb/host/xhci-ring.c | 16 +- drivers/usb/phy/phy.c | 2 +- drivers/usb/typec/class.c | 1 + drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 10 +- drivers/usb/typec/tcpm/tcpm.c | 10 +- fs/afs/dir.c | 25 ++ fs/afs/dir_edit.c | 91 ++++++- fs/afs/internal.h | 2 + fs/btrfs/bio.c | 62 ++--- fs/btrfs/bio.h | 3 + fs/btrfs/defrag.c | 10 +- fs/btrfs/extent_map.c | 7 +- fs/btrfs/volumes.c | 1 + fs/dax.c | 49 ++-- fs/iomap/buffered-io.c | 7 +- fs/nfs/delegation.c | 5 + fs/nfsd/nfs4proc.c | 10 +- fs/nilfs2/namei.c | 3 + fs/nilfs2/page.c | 1 + fs/ntfs3/file.c | 9 +- fs/ntfs3/frecord.c | 4 +- fs/ntfs3/inode.c | 15 +- fs/ntfs3/lznt.c | 3 + fs/ntfs3/namei.c | 2 +- fs/ntfs3/ntfs_fs.h | 2 +- fs/ntfs3/record.c | 31 ++- fs/ocfs2/file.c | 8 + fs/smb/client/cifs_unicode.c | 17 +- fs/smb/client/reparse.c | 174 +++++++++++- fs/smb/client/reparse.h | 9 +- fs/smb/client/smb2inode.c | 3 +- fs/smb/client/smb2proto.h | 1 + fs/userfaultfd.c | 28 ++ fs/xfs/xfs_filestream.c | 23 +- fs/xfs/xfs_trace.h | 15 +- include/acpi/cppc_acpi.h | 2 +- include/drm/drm_kunit_helpers.h | 4 + include/linux/bpf_mem_alloc.h | 3 + include/linux/compiler-gcc.h | 4 + include/linux/device.h | 3 + include/linux/dpll.h | 15 ++ include/linux/input.h | 10 +- include/linux/iomap.h | 19 ++ include/linux/ksm.h | 10 +- include/linux/mmzone.h | 7 +- include/linux/tick.h | 8 + include/linux/ubsan.h | 5 + include/linux/userfaultfd_k.h | 5 + include/net/ip_tunnels.h | 2 +- include/trace/events/afs.h | 7 +- include/uapi/linux/dpll.h | 3 + io_uring/rw.c | 23 +- kernel/bpf/cgroup.c | 19 +- kernel/bpf/helpers.c | 21 +- kernel/bpf/lpm_trie.c | 2 +- kernel/bpf/memalloc.c | 14 +- kernel/bpf/verifier.c | 9 +- kernel/cgroup/cgroup.c | 4 +- kernel/fork.c | 14 +- kernel/resource.c | 4 +- kernel/sched/fair.c | 4 +- lib/Kconfig.ubsan | 4 +- lib/codetag.c | 3 + lib/iov_iter.c | 6 +- lib/slub_kunit.c | 2 +- mm/kasan/kasan_test.c | 27 -- mm/migrate.c | 2 +- mm/mmap.c | 3 +- mm/page_alloc.c | 10 +- mm/rmap.c | 24 +- mm/shmem.c | 2 + mm/shrinker.c | 8 +- mm/vmscan.c | 109 ++++---- net/bluetooth/hci_sync.c | 18 +- net/bpf/test_run.c | 1 + net/core/dev.c | 4 + net/core/rtnetlink.c | 4 +- net/core/sock_map.c | 4 + net/ipv4/ip_tunnel.c | 2 +- net/ipv6/netfilter/nf_reject_ipv6.c | 15 +- net/mac80211/Kconfig | 2 +- net/mac80211/cfg.c | 3 +- net/mac80211/key.c | 42 +-- net/mptcp/protocol.c | 2 + net/netfilter/nft_payload.c | 3 + net/netfilter/x_tables.c | 2 +- net/sched/cls_api.c | 1 + net/sched/sch_api.c | 2 +- net/sunrpc/xprtrdma/ib_client.c | 1 + net/wireless/core.c | 1 + rust/kernel/device.rs | 15 +- rust/kernel/firmware.rs | 2 +- sound/pci/hda/patch_realtek.c | 23 +- sound/soc/codecs/cs42l51.c | 7 +- sound/soc/soc-dapm.c | 2 + sound/usb/mixer_quirks.c | 3 + tools/mm/page-types.c | 9 +- tools/mm/slabinfo.c | 4 +- tools/perf/util/python.c | 3 + tools/perf/util/syscalltbl.c | 10 + tools/testing/cxl/test/cxl.c | 14 +- tools/testing/selftests/mm/uffd-common.c | 5 +- tools/testing/selftests/mm/uffd-common.h | 3 +- tools/testing/selftests/mm/uffd-unit-tests.c | 21 +- tools/usb/usbip/src/usbip_detach.c | 1 + 275 files changed, 2818 insertions(+), 1069 deletions(-)

7 months, 2 weeks

10
254
0 0

[PATCH] media: uvcvideo: Fix double free in error path

by Laurent Pinchart

If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it. Fixes: a31a4055473b ("V4L/DVB:usbvideo:don't use part of buffer for USB transfer #4") Cc: stable(a)vger.kernel.org Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> --- drivers/media/usb/uvc/uvc_status.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c index 02c90acf6964..d269d163b579 100644 --- a/drivers/media/usb/uvc/uvc_status.c +++ b/drivers/media/usb/uvc/uvc_status.c @@ -269,6 +269,7 @@ int uvc_status_init(struct uvc_device *dev) dev->int_urb = usb_alloc_urb(0, GFP_KERNEL); if (!dev->int_urb) { kfree(dev->status); + dev->status = NULL; return -ENOMEM; } base-commit: ed61c59139509f76d3592683c90dc3fdc6e23cd6 -- Regards, Laurent Pinchart

7 months, 2 weeks

2
1
0 0

[PATCH] media: uvcvideo:Create input device for all uvc devices with status endpoints.

by chenchangcheng

Some applications need to check if there is an input device on the camera before proceeding to the next step. When there is no input device, the application will report an error. Create input device for all uvc devices with status endpoints. and only when bTriggerSupport and bTriggerUsage are one are allowed to report camera button. Fixes: 3bc22dc66a4f ("media: uvcvideo: Only create input devs if hw supports it") Signed-off-by: chenchangcheng <ccc194101(a)163.com> --- drivers/media/usb/uvc/uvc_status.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c index a78a88c710e2..177640c6a813 100644 --- a/drivers/media/usb/uvc/uvc_status.c +++ b/drivers/media/usb/uvc/uvc_status.c @@ -44,9 +44,6 @@ static int uvc_input_init(struct uvc_device *dev) struct input_dev *input; int ret; - if (!uvc_input_has_button(dev)) - return 0; - input = input_allocate_device(); if (input == NULL) return -ENOMEM; @@ -110,10 +107,12 @@ static void uvc_event_streaming(struct uvc_device *dev, if (len <= offsetof(struct uvc_status, streaming)) return; - uvc_dbg(dev, STATUS, "Button (intf %u) %s len %d\n", - status->bOriginator, - status->streaming.button ? "pressed" : "released", len); - uvc_input_report_key(dev, KEY_CAMERA, status->streaming.button); + if (uvc_input_has_button(dev)) { + uvc_dbg(dev, STATUS, "Button (intf %u) %s len %d\n", + status->bOriginator, + status->streaming.button ? "pressed" : "released", len); + uvc_input_report_key(dev, KEY_CAMERA, status->streaming.button); + } } else { uvc_dbg(dev, STATUS, "Stream %u error event %02x len %d\n", status->bOriginator, status->bEvent, len); base-commit: ff7afaeca1a15fbeaa2c4795ee806c0667bd77b2 -- 2.25.1

7 months, 2 weeks

3
2
0 0

[PATCH 4/4] f2fs: fix to requery extent which cross boundary of inquiry

by Chao Yu

dd if=/dev/zero of=file bs=4k count=5 xfs_io file -c "fiemap -v 2 16384" file: EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS 0: [0..31]: 139272..139303 32 0x1000 1: [32..39]: 139304..139311 8 0x1001 xfs_io file -c "fiemap -v 0 16384" file: EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS 0: [0..31]: 139272..139303 32 0x1000 xfs_io file -c "fiemap -v 0 16385" file: EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS 0: [0..39]: 139272..139311 40 0x1001 There are two problems: - continuous extent is split to two - FIEMAP_EXTENT_LAST is missing in last extent The root cause is: if upper boundary of inquiry crosses extent, f2fs_map_blocks() will truncate length of returned extent to F2FS_BYTES_TO_BLK(len), and also, it will stop to query latter extent or hole to make sure current extent is last or not. In order to fix this issue, once we found an extent locates in the end of inquiry range by f2fs_map_blocks(), we need to expand inquiry range to requiry. Cc: stable(a)vger.kernel.org Fixes: 7f63eb77af7b ("f2fs: report unwritten area in f2fs_fiemap") Reported-by: Zhiguo Niu <zhiguo.niu(a)unisoc.com> Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/data.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index 69f1cb0490ee..ee5614324df0 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -1896,7 +1896,7 @@ int f2fs_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, u64 start, u64 len) { struct f2fs_map_blocks map; - sector_t start_blk, last_blk; + sector_t start_blk, last_blk, blk_len, max_len; pgoff_t next_pgofs; u64 logical = 0, phys = 0, size = 0; u32 flags = 0; @@ -1940,14 +1940,13 @@ int f2fs_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, start_blk = F2FS_BYTES_TO_BLK(start); last_blk = F2FS_BYTES_TO_BLK(start + len - 1); - - if (len & F2FS_BLKSIZE_MASK) - len = round_up(len, F2FS_BLKSIZE); + blk_len = last_blk - start_blk + 1; + max_len = F2FS_BYTES_TO_BLK(maxbytes) - start_blk; next: memset(&map, 0, sizeof(map)); map.m_lblk = start_blk; - map.m_len = F2FS_BYTES_TO_BLK(len); + map.m_len = blk_len; map.m_next_pgofs = &next_pgofs; map.m_seg_type = NO_CHECK_TYPE; @@ -1970,6 +1969,17 @@ int f2fs_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, flags |= FIEMAP_EXTENT_LAST; } + /* + * current extent may cross boundary of inquiry, increase len to + * requery. + */ + if (!compr_cluster && (map.m_flags & F2FS_MAP_MAPPED) && + map.m_lblk + map.m_len - 1 == last_blk && + blk_len != max_len) { + blk_len = max_len; + goto next; + } + compr_appended = false; /* In a case of compressed cluster, append this to the last extent */ if (compr_cluster && ((map.m_flags & F2FS_MAP_DELALLOC) || -- 2.40.1

7 months, 2 weeks

1
0
0 0

[PATCH v5 02/10] KVM: SVM: Fix snp_context_create error reporting

by Dionna Glaze

Failure to allocate should not return -ENOTTY. Command failure has multiple possible error modes. Fixes: 136d8bc931c8 ("KVM: SEV: Add KVM_SEV_SNP_LAUNCH_START command") CC: Sean Christopherson <seanjc(a)google.com> CC: Paolo Bonzini <pbonzini(a)redhat.com> CC: Thomas Gleixner <tglx(a)linutronix.de> CC: Ingo Molnar <mingo(a)redhat.com> CC: Borislav Petkov <bp(a)alien8.de> CC: Dave Hansen <dave.hansen(a)linux.intel.com> CC: Ashish Kalra <ashish.kalra(a)amd.com> CC: Tom Lendacky <thomas.lendacky(a)amd.com> CC: John Allen <john.allen(a)amd.com> CC: Herbert Xu <herbert(a)gondor.apana.org.au> CC: "David S. Miller" <davem(a)davemloft.net> CC: Michael Roth <michael.roth(a)amd.com> CC: Luis Chamberlain <mcgrof(a)kernel.org> CC: Russ Weight <russ.weight(a)linux.dev> CC: Danilo Krummrich <dakr(a)redhat.com> CC: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CC: "Rafael J. Wysocki" <rafael(a)kernel.org> CC: Tianfei zhang <tianfei.zhang(a)intel.com> CC: Alexey Kardashevskiy <aik(a)amd.com> CC: stable(a)vger.kernel.org Signed-off-by: Dionna Glaze <dionnaglaze(a)google.com> --- arch/x86/kvm/svm/sev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 357906375ec59..d0e0152aefb32 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2171,7 +2171,7 @@ static void *snp_context_create(struct kvm *kvm, struct kvm_sev_cmd *argp) /* Allocate memory for context page */ context = snp_alloc_firmware_page(GFP_KERNEL_ACCOUNT); if (!context) - return NULL; + return ERR_PTR(-ENOMEM); data.address = __psp_pa(context); rc = __sev_issue_cmd(argp->sev_fd, SEV_CMD_SNP_GCTX_CREATE, &data, &argp->error); @@ -2179,7 +2179,7 @@ static void *snp_context_create(struct kvm *kvm, struct kvm_sev_cmd *argp) pr_warn("Failed to create SEV-SNP context, rc %d fw_error %d", rc, argp->error); snp_free_firmware_page(context); - return NULL; + return ERR_PTR(rc); } return context; @@ -2227,8 +2227,8 @@ static int snp_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp) return -EINVAL; sev->snp_context = snp_context_create(kvm, argp); - if (!sev->snp_context) - return -ENOTTY; + if (IS_ERR(sev->snp_context)) + return PTR_ERR(sev->snp_context); start.gctx_paddr = __psp_pa(sev->snp_context); start.policy = params.policy; -- 2.47.0.277.g8800431eea-goog

7 months, 2 weeks

1
0
0 0

[PATCH v5 01/10] KVM: SVM: Fix gctx page leak on invalid inputs

by Dionna Glaze

Ensure that snp gctx page allocation is adequately deallocated on failure during snp_launch_start. Fixes: 136d8bc931c8 ("KVM: SEV: Add KVM_SEV_SNP_LAUNCH_START command") CC: Sean Christopherson <seanjc(a)google.com> CC: Paolo Bonzini <pbonzini(a)redhat.com> CC: Thomas Gleixner <tglx(a)linutronix.de> CC: Ingo Molnar <mingo(a)redhat.com> CC: Borislav Petkov <bp(a)alien8.de> CC: Dave Hansen <dave.hansen(a)linux.intel.com> CC: Ashish Kalra <ashish.kalra(a)amd.com> CC: Tom Lendacky <thomas.lendacky(a)amd.com> CC: John Allen <john.allen(a)amd.com> CC: Herbert Xu <herbert(a)gondor.apana.org.au> CC: "David S. Miller" <davem(a)davemloft.net> CC: Michael Roth <michael.roth(a)amd.com> CC: Luis Chamberlain <mcgrof(a)kernel.org> CC: Russ Weight <russ.weight(a)linux.dev> CC: Danilo Krummrich <dakr(a)redhat.com> CC: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CC: "Rafael J. Wysocki" <rafael(a)kernel.org> CC: Tianfei zhang <tianfei.zhang(a)intel.com> CC: Alexey Kardashevskiy <aik(a)amd.com> CC: stable(a)vger.kernel.org Signed-off-by: Dionna Glaze <dionnaglaze(a)google.com> Acked-by: Sean Christopherson <seanjc(a)google.com> --- arch/x86/kvm/svm/sev.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index c6c8524859001..357906375ec59 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2212,10 +2212,6 @@ static int snp_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp) if (sev->snp_context) return -EINVAL; - sev->snp_context = snp_context_create(kvm, argp); - if (!sev->snp_context) - return -ENOTTY; - if (params.flags) return -EINVAL; @@ -2230,6 +2226,10 @@ static int snp_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp) if (params.policy & SNP_POLICY_MASK_SINGLE_SOCKET) return -EINVAL; + sev->snp_context = snp_context_create(kvm, argp); + if (!sev->snp_context) + return -ENOTTY; + start.gctx_paddr = __psp_pa(sev->snp_context); start.policy = params.policy; memcpy(start.gosvw, params.gosvw, sizeof(params.gosvw)); -- 2.47.0.277.g8800431eea-goog

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() has been removed from the -mm tree. Its filename was ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrew Kanner <andrew.kanner(a)gmail.com> Subject: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Date: Sun, 3 Nov 2024 20:38:45 +0100 Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove(): [ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12 [ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry [ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004 [...] [ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 [...] [ 57.331328] Call Trace: [ 57.331477] <TASK> [...] [ 57.333511] ? do_user_addr_fault+0x3e5/0x740 [ 57.333778] ? exc_page_fault+0x70/0x170 [ 57.334016] ? asm_exc_page_fault+0x2b/0x30 [ 57.334263] ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10 [ 57.334596] ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0 [ 57.334913] ocfs2_xa_remove_entry+0x23/0xc0 [ 57.335164] ocfs2_xa_set+0x704/0xcf0 [ 57.335381] ? _raw_spin_unlock+0x1a/0x40 [ 57.335620] ? ocfs2_inode_cache_unlock+0x16/0x20 [ 57.335915] ? trace_preempt_on+0x1e/0x70 [ 57.336153] ? start_this_handle+0x16c/0x500 [ 57.336410] ? preempt_count_sub+0x50/0x80 [ 57.336656] ? _raw_read_unlock+0x20/0x40 [ 57.336906] ? start_this_handle+0x16c/0x500 [ 57.337162] ocfs2_xattr_block_set+0xa6/0x1e0 [ 57.337424] __ocfs2_xattr_set_handle+0x1fd/0x5d0 [ 57.337706] ? ocfs2_start_trans+0x13d/0x290 [ 57.337971] ocfs2_xattr_set+0xb13/0xfb0 [ 57.338207] ? dput+0x46/0x1c0 [ 57.338393] ocfs2_xattr_trusted_set+0x28/0x30 [ 57.338665] ? ocfs2_xattr_trusted_set+0x28/0x30 [ 57.338948] __vfs_removexattr+0x92/0xc0 [ 57.339182] __vfs_removexattr_locked+0xd5/0x190 [ 57.339456] ? preempt_count_sub+0x50/0x80 [ 57.339705] vfs_removexattr+0x5f/0x100 [...] Reproducer uses faultinject facility to fail ocfs2_xa_remove() -> ocfs2_xa_value_truncate() with -ENOMEM. In this case the comment mentions that we can return 0 if ocfs2_xa_cleanup_value_truncate() is going to wipe the entry anyway. But the following 'rc' check is wrong and execution flow do 'ocfs2_xa_remove_entry(loc);' twice: * 1st: in ocfs2_xa_cleanup_value_truncate(); * 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'. Fix this by skipping the 2nd removal of the same entry and making syzkaller repro happy. Link: https://lkml.kernel.org/r/20241103193845.2940988-1-andrew.kanner@gmail.com Fixes: 399ff3a748cf ("ocfs2: Handle errors while setting external xattr values.") Signed-off-by: Andrew Kanner <andrew.kanner(a)gmail.com> Reported-by: syzbot+386ce9e60fa1b18aac5b(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/671e13ab.050a0220.2b8c0f.01d0.GAE@google.com/T/ Tested-by: syzbot+386ce9e60fa1b18aac5b(a)syzkaller.appspotmail.com Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/xattr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/fs/ocfs2/xattr.c~ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove +++ a/fs/ocfs2/xattr.c @@ -2036,8 +2036,7 @@ static int ocfs2_xa_remove(struct ocfs2_ rc = 0; ocfs2_xa_cleanup_value_truncate(loc, "removing", orig_clusters); - if (rc) - goto out; + goto out; } } _ Patches currently in -mm which might be from andrew.kanner(a)gmail.com are

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] signal-restore-the-override_rlimit-logic.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: signal: restore the override_rlimit logic has been removed from the -mm tree. Its filename was signal-restore-the-override_rlimit-logic.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Roman Gushchin <roman.gushchin(a)linux.dev> Subject: signal: restore the override_rlimit logic Date: Mon, 4 Nov 2024 19:54:19 +0000 Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of signals. However now it's enforced unconditionally, even if override_rlimit is set. This behavior change caused production issues. For example, if the limit is reached and a process receives a SIGSEGV signal, sigqueue_alloc fails to allocate the necessary resources for the signal delivery, preventing the signal from being delivered with siginfo. This prevents the process from correctly identifying the fault address and handling the error. From the user-space perspective, applications are unaware that the limit has been reached and that the siginfo is effectively 'corrupted'. This can lead to unpredictable behavior and crashes, as we observed with java applications. Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip the comparison to max there if override_rlimit is set. This effectively restores the old behavior. Link: https://lkml.kernel.org/r/20241104195419.3962584-1-roman.gushchin@linux.dev Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Co-developed-by: Andrei Vagin <avagin(a)google.com> Signed-off-by: Andrei Vagin <avagin(a)google.com> Acked-by: Oleg Nesterov <oleg(a)redhat.com> Acked-by: Alexey Gladkov <legion(a)kernel.org> Cc: Kees Cook <kees(a)kernel.org> Cc: "Eric W. Biederman" <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/user_namespace.h | 3 ++- kernel/signal.c | 3 ++- kernel/ucount.c | 6 ++++-- 3 files changed, 8 insertions(+), 4 deletions(-) --- a/include/linux/user_namespace.h~signal-restore-the-override_rlimit-logic +++ a/include/linux/user_namespace.h @@ -141,7 +141,8 @@ static inline long get_rlimit_value(stru long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v); -long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type); +long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, + bool override_rlimit); void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type); bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max); --- a/kernel/signal.c~signal-restore-the-override_rlimit-logic +++ a/kernel/signal.c @@ -419,7 +419,8 @@ __sigqueue_alloc(int sig, struct task_st */ rcu_read_lock(); ucounts = task_ucounts(t); - sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING); + sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, + override_rlimit); rcu_read_unlock(); if (!sigpending) return NULL; --- a/kernel/ucount.c~signal-restore-the-override_rlimit-logic +++ a/kernel/ucount.c @@ -307,7 +307,8 @@ void dec_rlimit_put_ucounts(struct ucoun do_dec_rlimit_put_ucounts(ucounts, NULL, type); } -long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type) +long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type, + bool override_rlimit) { /* Caller must hold a reference to ucounts */ struct ucounts *iter; @@ -320,7 +321,8 @@ long inc_rlimit_get_ucounts(struct ucoun goto dec_unwind; if (iter == ucounts) ret = new; - max = get_userns_rlimit_max(iter->ns, type); + if (!override_rlimit) + max = get_userns_rlimit_max(iter->ns, type); /* * Grab an extra ucount reference for the caller when * the rlimit count was previously 0. _ Patches currently in -mm which might be from roman.gushchin(a)linux.dev are mm-page_alloc-move-mlocked-flag-clearance-into-free_pages_prepare.patch

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ucounts: fix counter leak in inc_rlimit_get_ucounts() has been removed from the -mm tree. Its filename was ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrei Vagin <avagin(a)google.com> Subject: ucounts: fix counter leak in inc_rlimit_get_ucounts() Date: Fri, 1 Nov 2024 19:19:40 +0000 The inc_rlimit_get_ucounts() increments the specified rlimit counter and then checks its limit. If the value exceeds the limit, the function returns an error without decrementing the counter. Link: https://lkml.kernel.org/r/20241101191940.3211128-1-roman.gushchin@linux.dev Fixes: 15bc01effefe ("ucounts: Fix signal ucount refcounting") Signed-off-by: Andrei Vagin <avagin(a)google.com> Co-developed-by: Roman Gushchin <roman.gushchin(a)linux.dev> Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Tested-by: Roman Gushchin <roman.gushchin(a)linux.dev> Acked-by: Alexey Gladkov <legion(a)kernel.org> Cc: Kees Cook <kees(a)kernel.org> Cc: Andrei Vagin <avagin(a)google.com> Cc: "Eric W. Biederman" <ebiederm(a)xmission.com> Cc: Alexey Gladkov <legion(a)kernel.org> Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/ucount.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/kernel/ucount.c~ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts +++ a/kernel/ucount.c @@ -317,7 +317,7 @@ long inc_rlimit_get_ucounts(struct ucoun for (iter = ucounts; iter; iter = iter->ns->ucounts) { long new = atomic_long_add_return(1, &iter->rlimit[type]); if (new < 0 || new > max) - goto unwind; + goto dec_unwind; if (iter == ucounts) ret = new; max = get_userns_rlimit_max(iter->ns, type); @@ -334,7 +334,6 @@ long inc_rlimit_get_ucounts(struct ucoun dec_unwind: dec = atomic_long_sub_return(1, &iter->rlimit[type]); WARN_ON_ONCE(dec < 0); -unwind: do_dec_rlimit_put_ucounts(ucounts, iter, type); return 0; } _ Patches currently in -mm which might be from avagin(a)google.com are

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] selftests-hugetlb_dio-check-for-initial-conditions-to-skip-in-the-start.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: selftests: hugetlb_dio: check for initial conditions to skip in the start has been removed from the -mm tree. Its filename was selftests-hugetlb_dio-check-for-initial-conditions-to-skip-in-the-start.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Subject: selftests: hugetlb_dio: check for initial conditions to skip in the start Date: Fri, 1 Nov 2024 19:15:57 +0500 The test should be skipped if initial conditions aren't fulfilled in the start instead of failing and outputting non-compliant TAP logs. This kind of failure pollutes the results. The initial conditions are: - The test should only execute if /tmp file can be allocated. - The test should only execute if huge pages are free. Before: TAP version 13 1..4 Bail out! Error opening file : Read-only file system (30) # Planned tests != run tests (4 != 0) # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:0 error:0 After: TAP version 13 1..0 # SKIP Unable to allocate file: Read-only file system Link: https://lkml.kernel.org/r/20241101141557.3159432-1-usama.anjum@collabora.com Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Fixes: 3a103b5315b7 ("selftest: mm: Test if hugepage does not get leaked during __bio_release_pages()") Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Donet Tom <donettom(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/hugetlb_dio.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) --- a/tools/testing/selftests/mm/hugetlb_dio.c~selftests-hugetlb_dio-check-for-initial-conditions-to-skip-in-the-start +++ a/tools/testing/selftests/mm/hugetlb_dio.c @@ -44,13 +44,6 @@ void run_dio_using_hugetlb(unsigned int if (fd < 0) ksft_exit_fail_perror("Error opening file\n"); - /* Get the free huge pages before allocation */ - free_hpage_b = get_free_hugepages(); - if (free_hpage_b == 0) { - close(fd); - ksft_exit_skip("No free hugepage, exiting!\n"); - } - /* Allocate a hugetlb page */ orig_buffer = mmap(NULL, h_pagesize, mmap_prot, mmap_flags, -1, 0); if (orig_buffer == MAP_FAILED) { @@ -94,8 +87,20 @@ void run_dio_using_hugetlb(unsigned int int main(void) { size_t pagesize = 0; + int fd; ksft_print_header(); + + /* Open the file to DIO */ + fd = open("/tmp", O_TMPFILE | O_RDWR | O_DIRECT, 0664); + if (fd < 0) + ksft_exit_skip("Unable to allocate file: %s\n", strerror(errno)); + close(fd); + + /* Check if huge pages are free */ + if (!get_free_hugepages()) + ksft_exit_skip("No free hugepage, exiting\n"); + ksft_set_plan(4); /* Get base page size */ _ Patches currently in -mm which might be from usama.anjum(a)collabora.com are

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-avoid-overflow-in-damon_feed_loop_next_input.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: avoid overflow in damon_feed_loop_next_input() has been removed from the -mm tree. Its filename was mm-damon-core-avoid-overflow-in-damon_feed_loop_next_input.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: avoid overflow in damon_feed_loop_next_input() Date: Thu, 31 Oct 2024 09:12:03 -0700 damon_feed_loop_next_input() is inefficient and fragile to overflows. Specifically, 'score_goal_diff_bp' calculation can overflow when 'score' is high. The calculation is actually unnecessary at all because 'goal' is a constant of value 10,000. Calculation of 'compensation' is again fragile to overflow. Final calculation of return value for under-achiving case is again fragile to overflow when the current score is under-achieving the target. Add two corner cases handling at the beginning of the function to make the body easier to read, and rewrite the body of the function to avoid overflows and the unnecessary bp value calcuation. Link: https://lkml.kernel.org/r/20241031161203.47751-1-sj@kernel.org Fixes: 9294a037c015 ("mm/damon/core: implement goal-oriented feedback-driven quota auto-tuning") Signed-off-by: SeongJae Park <sj(a)kernel.org> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Closes: https://lore.kernel.org/944f3d5b-9177-48e7-8ec9-7f1331a3fea3@roeck-us.net Tested-by: Guenter Roeck <linux(a)roeck-us.net> Cc: <stable(a)vger.kernel.org> [6.8.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) --- a/mm/damon/core.c~mm-damon-core-avoid-overflow-in-damon_feed_loop_next_input +++ a/mm/damon/core.c @@ -1456,17 +1456,31 @@ static unsigned long damon_feed_loop_nex unsigned long score) { const unsigned long goal = 10000; - unsigned long score_goal_diff = max(goal, score) - min(goal, score); - unsigned long score_goal_diff_bp = score_goal_diff * 10000 / goal; - unsigned long compensation = last_input * score_goal_diff_bp / 10000; /* Set minimum input as 10000 to avoid compensation be zero */ const unsigned long min_input = 10000; + unsigned long score_goal_diff, compensation; + bool over_achieving = score > goal; - if (goal > score) + if (score == goal) + return last_input; + if (score >= goal * 2) + return min_input; + + if (over_achieving) + score_goal_diff = score - goal; + else + score_goal_diff = goal - score; + + if (last_input < ULONG_MAX / score_goal_diff) + compensation = last_input * score_goal_diff / goal; + else + compensation = last_input / goal * score_goal_diff; + + if (over_achieving) + return max(last_input - compensation, min_input); + if (last_input < ULONG_MAX - compensation) return last_input + compensation; - if (last_input > compensation + min_input) - return last_input - compensation; - return min_input; + return ULONG_MAX; } #ifdef CONFIG_PSI _ Patches currently in -mm which might be from sj(a)kernel.org are selftests-damon-huge_count_read_write-remove-unnecessary-debugging-message.patch selftests-damon-_debugfs_common-hide-expected-error-message-from-test_write_result.patch selftests-damon-debugfs_duplicate_context_creation-hide-errors-from-expected-file-write-failures.patch mm-damon-kconfig-update-dbgfs_kunit-prompt-copy-for-sysfs_kunit.patch mm-damon-tests-dbgfs-kunit-fix-the-header-double-inclusion-guarding-ifdef-comment.patch docs-mm-damon-recommend-academic-papers-to-read-and-or-cite.patch maintainers-memory-management-add-document-files-for-mm.patch

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-handle-zero-schemes-apply-interval.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: handle zero schemes apply interval has been removed from the -mm tree. Its filename was mm-damon-core-handle-zero-schemes-apply-interval.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: handle zero schemes apply interval Date: Thu, 31 Oct 2024 11:37:57 -0700 DAMON's logics to determine if this is the time to apply damos schemes assumes next_apply_sis is always set larger than current passed_sample_intervals. And therefore assume continuously incrementing passed_sample_intervals will make it reaches to the next_apply_sis in future. The logic hence does apply the scheme and update next_apply_sis only if passed_sample_intervals is same to next_apply_sis. If Schemes apply interval is set as zero, however, next_apply_sis is set same to current passed_sample_intervals, respectively. And passed_sample_intervals is incremented before doing the next_apply_sis check. Hence, next_apply_sis becomes larger than next_apply_sis, and the logic says it is not the time to apply schemes and update next_apply_sis. In other words, DAMON stops applying schemes until passed_sample_intervals overflows. Based on the documents and the common sense, a reasonable behavior for such inputs would be applying the schemes for every sampling interval. Handle the case by removing the assumption. Link: https://lkml.kernel.org/r/20241031183757.49610-3-sj@kernel.org Fixes: 42f994b71404 ("mm/damon/core: implement scheme-specific apply interval") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.7.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/mm/damon/core.c~mm-damon-core-handle-zero-schemes-apply-interval +++ a/mm/damon/core.c @@ -1412,7 +1412,7 @@ static void damon_do_apply_schemes(struc damon_for_each_scheme(s, c) { struct damos_quota *quota = &s->quota; - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; if (!s->wmarks.activated) @@ -1622,7 +1622,7 @@ static void kdamond_apply_schemes(struct bool has_schemes_to_apply = false; damon_for_each_scheme(s, c) { - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; if (!s->wmarks.activated) @@ -1642,9 +1642,9 @@ static void kdamond_apply_schemes(struct } damon_for_each_scheme(s, c) { - if (c->passed_sample_intervals != s->next_apply_sis) + if (c->passed_sample_intervals < s->next_apply_sis) continue; - s->next_apply_sis += + s->next_apply_sis = c->passed_sample_intervals + (s->apply_interval_us ? s->apply_interval_us : c->attrs.aggr_interval) / sample_interval; } _ Patches currently in -mm which might be from sj(a)kernel.org are selftests-damon-huge_count_read_write-remove-unnecessary-debugging-message.patch selftests-damon-_debugfs_common-hide-expected-error-message-from-test_write_result.patch selftests-damon-debugfs_duplicate_context_creation-hide-errors-from-expected-file-write-failures.patch mm-damon-kconfig-update-dbgfs_kunit-prompt-copy-for-sysfs_kunit.patch mm-damon-tests-dbgfs-kunit-fix-the-header-double-inclusion-guarding-ifdef-comment.patch docs-mm-damon-recommend-academic-papers-to-read-and-or-cite.patch maintainers-memory-management-add-document-files-for-mm.patch

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-handle-zero-aggregationops_update-intervals.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: handle zero {aggregation,ops_update} intervals has been removed from the -mm tree. Its filename was mm-damon-core-handle-zero-aggregationops_update-intervals.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: handle zero {aggregation,ops_update} intervals Date: Thu, 31 Oct 2024 11:37:56 -0700 Patch series "mm/damon/core: fix handling of zero non-sampling intervals". DAMON's internal intervals accounting logic is not correctly handling non-sampling intervals of zero values for a wrong assumption. This could cause unexpected monitoring behavior, and even result in infinite hang of DAMON sysfs interface user threads in case of zero aggregation interval. Fix those by updating the intervals accounting logic. For details of the root case and solutions, please refer to commit messages of fixes. This patch (of 2): DAMON's logics to determine if this is the time to do aggregation and ops update assumes next_{aggregation,ops_update}_sis are always set larger than current passed_sample_intervals. And therefore it further assumes continuously incrementing passed_sample_intervals every sampling interval will make it reaches to the next_{aggregation,ops_update}_sis in future. The logic therefore make the action and update next_{aggregation,ops_updaste}_sis only if passed_sample_intervals is same to the counts, respectively. If Aggregation interval or Ops update interval are zero, however, next_aggregation_sis or next_ops_update_sis are set same to current passed_sample_intervals, respectively. And passed_sample_intervals is incremented before doing the next_{aggregation,ops_update}_sis check. Hence, passed_sample_intervals becomes larger than next_{aggregation,ops_update}_sis, and the logic says it is not the time to do the action and update next_{aggregation,ops_update}_sis forever, until an overflow happens. In other words, DAMON stops doing aggregations or ops updates effectively forever, and users cannot get monitoring results. Based on the documents and the common sense, a reasonable behavior for such inputs is doing an aggregation and an ops update for every sampling interval. Handle the case by removing the assumption. Note that this could incur particular real issue for DAMON sysfs interface users, in case of zero Aggregation interval. When user starts DAMON with zero Aggregation interval and asks online DAMON parameter tuning via DAMON sysfs interface, the request is handled by the aggregation callback. Until the callback finishes the work, the user who requested the online tuning just waits. Hence, the user will be stuck until the passed_sample_intervals overflows. Link: https://lkml.kernel.org/r/20241031183757.49610-1-sj@kernel.org Link: https://lkml.kernel.org/r/20241031183757.49610-2-sj@kernel.org Fixes: 4472edf63d66 ("mm/damon/core: use number of passed access sampling as a timer") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.7.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/damon/core.c~mm-damon-core-handle-zero-aggregationops_update-intervals +++ a/mm/damon/core.c @@ -2000,7 +2000,7 @@ static int kdamond_fn(void *data) if (ctx->ops.check_accesses) max_nr_accesses = ctx->ops.check_accesses(ctx); - if (ctx->passed_sample_intervals == next_aggregation_sis) { + if (ctx->passed_sample_intervals >= next_aggregation_sis) { kdamond_merge_regions(ctx, max_nr_accesses / 10, sz_limit); @@ -2018,7 +2018,7 @@ static int kdamond_fn(void *data) sample_interval = ctx->attrs.sample_interval ? ctx->attrs.sample_interval : 1; - if (ctx->passed_sample_intervals == next_aggregation_sis) { + if (ctx->passed_sample_intervals >= next_aggregation_sis) { ctx->next_aggregation_sis = next_aggregation_sis + ctx->attrs.aggr_interval / sample_interval; @@ -2028,7 +2028,7 @@ static int kdamond_fn(void *data) ctx->ops.reset_aggregated(ctx); } - if (ctx->passed_sample_intervals == next_ops_update_sis) { + if (ctx->passed_sample_intervals >= next_ops_update_sis) { ctx->next_ops_update_sis = next_ops_update_sis + ctx->attrs.ops_update_interval / sample_interval; _ Patches currently in -mm which might be from sj(a)kernel.org are selftests-damon-huge_count_read_write-remove-unnecessary-debugging-message.patch selftests-damon-_debugfs_common-hide-expected-error-message-from-test_write_result.patch selftests-damon-debugfs_duplicate_context_creation-hide-errors-from-expected-file-write-failures.patch mm-damon-kconfig-update-dbgfs_kunit-prompt-copy-for-sysfs_kunit.patch mm-damon-tests-dbgfs-kunit-fix-the-header-double-inclusion-guarding-ifdef-comment.patch docs-mm-damon-recommend-academic-papers-to-read-and-or-cite.patch maintainers-memory-management-add-document-files-for-mm.patch

7 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-mlock-set-the-correct-prev-on-failure.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/mlock: set the correct prev on failure has been removed from the -mm tree. Its filename was mm-mlock-set-the-correct-prev-on-failure.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: mm/mlock: set the correct prev on failure Date: Sun, 27 Oct 2024 12:33:21 +0000 After commit 94d7d9233951 ("mm: abstract the vma_merge()/split_vma() pattern for mprotect() et al."), if vma_modify_flags() return error, the vma is set to an error code. This will lead to an invalid prev be returned. Generally this shouldn't matter as the caller should treat an error as indicating state is now invalidated, however unfortunately apply_mlockall_flags() does not check for errors and assumes that mlock_fixup() correctly maintains prev even if an error were to occur. This patch fixes that assumption. [lorenzo.stoakes(a)oracle.com: provide a better fix and rephrase the log] Link: https://lkml.kernel.org/r/20241027123321.19511-1-richard.weiyang@gmail.com Fixes: 94d7d9233951 ("mm: abstract the vma_merge()/split_vma() pattern for mprotect() et al.") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mlock.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/mm/mlock.c~mm-mlock-set-the-correct-prev-on-failure +++ a/mm/mlock.c @@ -725,14 +725,17 @@ static int apply_mlockall_flags(int flag } for_each_vma(vmi, vma) { + int error; vm_flags_t newflags; newflags = vma->vm_flags & ~VM_LOCKED_MASK; newflags |= to_add; - /* Ignore errors */ - mlock_fixup(&vmi, vma, &prev, vma->vm_start, vma->vm_end, - newflags); + error = mlock_fixup(&vmi, vma, &prev, vma->vm_start, vma->vm_end, + newflags); + /* Ignore errors, but prev needs fixing up. */ + if (error) + prev = vma; cond_resched(); } out: _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are maple_tree-print-empty-for-an-empty-tree-on-mt_dump.patch maple_tree-the-return-value-of-mas_root_expand-is-not-used.patch maple_tree-not-necessary-to-check-index-last-again.patch maple_tree-refine-mas_store_root-on-storing-null.patch maple_tree-add-a-test-checking-storing-null.patch

7 months, 2 weeks

1
0
0 0

[PATCH v6] media: uvcvideo: Fix crash during unbind if gpio unit is in use

by Ricardo Ribalda

We used the wrong device for the device managed functions. We used the usb device, when we should be using the interface device. If we unbind the driver from the usb interface, the cleanup functions are never called. In our case, the IRQ is never disabled. If an IRQ is triggered, it will try to access memory sections that are already free, causing an OOPS. We cannot use the function devm_request_threaded_irq here. The devm_* clean functions may be called after the main structure is released by uvc_delete. Luckily this bug has small impact, as it is only affected by devices with gpio units and the user has to unbind the device, a disconnect will not trigger this error. Cc: stable(a)vger.kernel.org Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT") Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v6: - Rename cleanup as deinit - Move cleanup to the beginning of the uvc_unregister_video. - Fix commit message. - Link to v5: https://lore.kernel.org/r/20241105-uvc-crashrmmod-v5-1-8623fa51a74f@chromiu… Changes in v5: - Revert non refcount, that belongs to a different set - Move cleanup to a different function - Link to v4: https://lore.kernel.org/r/20241105-uvc-crashrmmod-v4-0-410e548f097a@chromiu… Changes in v4: Thanks Laurent. - Remove refcounted cleaup to support devres. - Link to v3: https://lore.kernel.org/r/20241105-uvc-crashrmmod-v3-1-c0959c8906d3@chromiu… Changes in v3: Thanks Sakari. - Rename variable to initialized. - Other CodeStyle. - Link to v2: https://lore.kernel.org/r/20241105-uvc-crashrmmod-v2-1-547ce6a6962e@chromiu… Changes in v2: Thanks to Laurent. - The main structure is not allocated with devres so there is a small period of time where we can get an irq with the structure free. Do not use devres for the IRQ. - Link to v1: https://lore.kernel.org/r/20241031-uvc-crashrmmod-v1-1-059fe593b1e6@chromiu… --- drivers/media/usb/uvc/uvc_driver.c | 28 +++++++++++++++++++++------- drivers/media/usb/uvc/uvcvideo.h | 1 + 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index a96f6ca0889f..cd13bf01265d 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1295,14 +1295,14 @@ static int uvc_gpio_parse(struct uvc_device *dev) struct gpio_desc *gpio_privacy; int irq; - gpio_privacy = devm_gpiod_get_optional(&dev->udev->dev, "privacy", + gpio_privacy = devm_gpiod_get_optional(&dev->intf->dev, "privacy", GPIOD_IN); if (IS_ERR_OR_NULL(gpio_privacy)) return PTR_ERR_OR_ZERO(gpio_privacy); irq = gpiod_to_irq(gpio_privacy); if (irq < 0) - return dev_err_probe(&dev->udev->dev, irq, + return dev_err_probe(&dev->intf->dev, irq, "No IRQ for privacy GPIO\n"); unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT, @@ -1329,15 +1329,27 @@ static int uvc_gpio_parse(struct uvc_device *dev) static int uvc_gpio_init_irq(struct uvc_device *dev) { struct uvc_entity *unit = dev->gpio_unit; + int ret; if (!unit || unit->gpio.irq < 0) return 0; - return devm_request_threaded_irq(&dev->udev->dev, unit->gpio.irq, NULL, - uvc_gpio_irq, - IRQF_ONESHOT | IRQF_TRIGGER_FALLING | - IRQF_TRIGGER_RISING, - "uvc_privacy_gpio", dev); + ret = request_threaded_irq(unit->gpio.irq, NULL, uvc_gpio_irq, + IRQF_ONESHOT | IRQF_TRIGGER_FALLING | + IRQF_TRIGGER_RISING, + "uvc_privacy_gpio", dev); + + unit->gpio.initialized = !ret; + + return ret; +} + +static void uvc_gpio_deinit(struct uvc_device *dev) +{ + if (!dev->gpio_unit || !dev->gpio_unit->gpio.initialized) + return; + + free_irq(dev->gpio_unit->gpio.irq, dev); } /* ------------------------------------------------------------------------ @@ -1934,6 +1946,8 @@ static void uvc_unregister_video(struct uvc_device *dev) { struct uvc_streaming *stream; + uvc_gpio_deinit(dev); + list_for_each_entry(stream, &dev->streams, list) { /* Nothing to do here, continue. */ if (!video_is_registered(&stream->vdev)) diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index 07f9921d83f2..965a789ed03e 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -234,6 +234,7 @@ struct uvc_entity { u8 *bmControls; struct gpio_desc *gpio_privacy; int irq; + bool initialized; } gpio; }; --- base-commit: c7ccf3683ac9746b263b0502255f5ce47f64fe0a change-id: 20241031-uvc-crashrmmod-666de3fc9141 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

7 months, 2 weeks

2
1
0 0

[to-be-updated] mm-fix-__wp_page_copy_user-fallback-path-for-remote-mm.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: fix __wp_page_copy_user fallback path for remote mm has been removed from the -mm tree. Its filename was mm-fix-__wp_page_copy_user-fallback-path-for-remote-mm.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Asahi Lina <lina(a)asahilina.net> Subject: mm: fix __wp_page_copy_user fallback path for remote mm Date: Fri, 01 Nov 2024 21:08:02 +0900 If the source page is a PFN mapping, we copy back from userspace. However, if this fault is a remote access, we cannot use __copy_from_user_inatomic. Instead, use access_remote_vm() in this case. Fixes WARN and incorrect zero-filling when writing to CoW mappings in a remote process, such as when using gdb on a binary present on a DAX filesystem. [ 143.683782] ------------[ cut here ]------------ [ 143.683784] WARNING: CPU: 1 PID: 350 at mm/memory.c:2904 __wp_page_copy_user+0x120/0x2bc [ 143.683793] CPU: 1 PID: 350 Comm: gdb Not tainted 6.6.52 #1 [ 143.683794] Hardware name: linux,dummy-virt (DT) [ 143.683795] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 143.683796] pc : __wp_page_copy_user+0x120/0x2bc [ 143.683798] lr : __wp_page_copy_user+0x254/0x2bc [ 143.683799] sp : ffff80008272b8b0 [ 143.683799] x29: ffff80008272b8b0 x28: 0000000000000000 x27: ffff000083bad580 [ 143.683801] x26: 0000000000000000 x25: 0000fffff7fd5000 x24: ffff000081db04c0 [ 143.683802] x23: ffff00014f24b000 x22: fffffc00053c92c0 x21: ffff000083502150 [ 143.683803] x20: 0000fffff7fd5000 x19: ffff80008272b9d0 x18: 0000000000000000 [ 143.683804] x17: ffff000081db0500 x16: ffff800080fe52a0 x15: 0000fffff7fd5000 [ 143.683804] x14: 0000000000bb1845 x13: 0000000000000080 x12: ffff80008272b880 [ 143.683805] x11: ffff000081d13600 x10: ffff000081d13608 x9 : ffff000081d1360c [ 143.683806] x8 : ffff000083a16f00 x7 : 0000000000000010 x6 : ffff00014f24b000 [ 143.683807] x5 : ffff00014f24c000 x4 : 0000000000000000 x3 : ffff000083582000 [ 143.683807] x2 : 0000000000000f80 x1 : 0000fffff7fd5000 x0 : 0000000000001000 [ 143.683808] Call trace: [ 143.683809] __wp_page_copy_user+0x120/0x2bc [ 143.683810] wp_page_copy+0x98/0x5c0 [ 143.683813] do_wp_page+0x250/0x530 [ 143.683814] __handle_mm_fault+0x278/0x284 [ 143.683817] handle_mm_fault+0x64/0x1e8 [ 143.683819] faultin_page+0x5c/0x110 [ 143.683820] __get_user_pages+0xc8/0x2f4 [ 143.683821] get_user_pages_remote+0xac/0x30c [ 143.683823] __access_remote_vm+0xb4/0x368 [ 143.683824] access_remote_vm+0x10/0x1c [ 143.683826] mem_rw.isra.0+0xc4/0x218 [ 143.683831] mem_write+0x18/0x24 [ 143.683831] vfs_write+0xa0/0x37c [ 143.683834] ksys_pwrite64+0x7c/0xc0 [ 143.683834] __arm64_sys_pwrite64+0x20/0x2c [ 143.683835] invoke_syscall+0x48/0x10c [ 143.683837] el0_svc_common.constprop.0+0x40/0xe0 [ 143.683839] do_el0_svc+0x1c/0x28 [ 143.683841] el0_svc+0x3c/0xdc [ 143.683846] el0t_64_sync_handler+0x120/0x12c [ 143.683848] el0t_64_sync+0x194/0x198 [ 143.683849] ---[ end trace 0000000000000000 ]--- [akpm(a)linux-foundation.org: coding style tweaks] Link: https://lkml.kernel.org/r/20241101-mm-remote-pfn-v1-1-080b609270b7@asahilin… Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings") Signed-off-by: Asahi Lina <lina(a)asahilina.net> Cc: Jia He <justin.he(a)arm.com> Cc: Yibo Cai <Yibo.Cai(a)arm.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Asahi Lina <lina(a)asahilina.net> Cc: Sergio Lopez Pascual <slp(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) --- a/mm/memory.c~mm-fix-__wp_page_copy_user-fallback-path-for-remote-mm +++ a/mm/memory.c @@ -3082,12 +3082,19 @@ static inline int __wp_page_copy_user(st } /* - * This really shouldn't fail, because the page is there - * in the page tables. But it might just be unreadable, - * in which case we just give up and fill the result with - * zeroes. + * If the mm is a remote mm, copy in the page using access_remote_vm() */ - if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) { + if (current->mm != mm) { + if (access_remote_vm(mm, (unsigned long)uaddr, kaddr, + PAGE_SIZE, 0) != PAGE_SIZE) + goto warn; + } else if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) { + /* + * This really shouldn't fail, because the page is there + * in the page tables. But it might just be unreadable, + * in which case we just give up and fill the result with + * zeroes. + */ if (vmf->pte) goto warn; _ Patches currently in -mm which might be from lina(a)asahilina.net are

7 months, 2 weeks

1
0
0 0

[PATCH net v2] net: phy: dp83869: fix status reporting for 1000base-x autonegotiation

by Romain Gantois

The DP83869 PHY transceiver supports converting from RGMII to 1000base-x. In this operation mode, autonegotiation can be performed, as described in IEEE802.3. The DP83869 has a set of fiber-specific registers located at offset 0xc00. When the transceiver is configured in RGMII-to-1000base-x mode, these registers are mapped onto offset 0, which should, in theory, make reading the autonegotiation status transparent. However, the fiber registers at offset 0xc04 and 0xc05 do not follow the bit layout of their standard counterparts. Thus, genphy_read_status() doesn't properly read the capabilities advertised by the link partner, resulting in incorrect link parameters. Similarly, genphy_config_aneg() doesn't properly write advertised capabilities. Fix the 1000base-x autonegotiation procedure by replacing genphy_read_status() and genphy_config_aneg() with driver-specific functions which take into account the nonstandard bit layout of the DP83869 registers in 1000base-x mode. Fixes: a29de52ba2a1 ("net: dp83869: Add ability to advertise Fiber connection") Cc: stable(a)vger.kernel.org Signed-off-by: Romain Gantois <romain.gantois(a)bootlin.com> --- Changes in v2: - Fixed an uninitialized use. - Link to v1: https://lore.kernel.org/r/20241029-dp83869-1000base-x-v1-1-fcafe360bd98@boo… --- drivers/net/phy/dp83869.c | 130 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 127 insertions(+), 3 deletions(-) diff --git a/drivers/net/phy/dp83869.c b/drivers/net/phy/dp83869.c index 5f056d7db83eed23f1cab42365fdc566a0d8e47f..ca1c247d478ced890a3c7ae97b855f20056eb916 100644 --- a/drivers/net/phy/dp83869.c +++ b/drivers/net/phy/dp83869.c @@ -41,6 +41,8 @@ #define DP83869_IO_MUX_CFG 0x0170 #define DP83869_OP_MODE 0x01df #define DP83869_FX_CTRL 0x0c00 +#define DP83869_FX_ANADV 0x0c04 +#define DP83869_FX_LPABL 0x0c05 #define DP83869_SW_RESET BIT(15) #define DP83869_SW_RESTART BIT(14) @@ -135,6 +137,17 @@ #define DP83869_DOWNSHIFT_4_COUNT 4 #define DP83869_DOWNSHIFT_8_COUNT 8 +/* FX_ANADV bits */ +#define DP83869_BP_FULL_DUPLEX BIT(5) +#define DP83869_BP_PAUSE BIT(7) +#define DP83869_BP_ASYMMETRIC_PAUSE BIT(8) + +/* FX_LPABL bits */ +#define DP83869_LPA_1000FULL BIT(5) +#define DP83869_LPA_PAUSE_CAP BIT(7) +#define DP83869_LPA_PAUSE_ASYM BIT(8) +#define DP83869_LPA_LPACK BIT(14) + enum { DP83869_PORT_MIRRORING_KEEP, DP83869_PORT_MIRRORING_EN, @@ -153,19 +166,129 @@ struct dp83869_private { int mode; }; +static int dp83869_config_aneg(struct phy_device *phydev) +{ + struct dp83869_private *dp83869 = phydev->priv; + unsigned long *advertising; + int err, changed = false; + u32 adv = 0; + + if (dp83869->mode != DP83869_RGMII_1000_BASE) + return genphy_config_aneg(phydev); + + /* Forcing speed or duplex isn't supported in 1000base-x mode */ + if (phydev->autoneg != AUTONEG_ENABLE) + return 0; + + /* In fiber modes, register locations 0xc0... get mapped to offset 0. + * Unfortunately, the fiber-specific autonegotiation advertisement + * register at address 0xc04 does not have the same bit layout as the + * corresponding standard MII_ADVERTISE register. Thus, functions such + * as genphy_config_advert() will write the advertisement register + * incorrectly. + */ + advertising = phydev->advertising; + + /* Only allow advertising what this PHY supports */ + linkmode_and(advertising, advertising, + phydev->supported); + + if (linkmode_test_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT, advertising)) + adv |= DP83869_BP_FULL_DUPLEX; + if (linkmode_test_bit(ETHTOOL_LINK_MODE_Pause_BIT, advertising)) + adv |= DP83869_BP_PAUSE; + if (linkmode_test_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, advertising)) + adv |= DP83869_BP_ASYMMETRIC_PAUSE; + + err = phy_modify_changed(phydev, DP83869_FX_ANADV, + DP83869_BP_FULL_DUPLEX | DP83869_BP_PAUSE | + DP83869_BP_ASYMMETRIC_PAUSE, + adv); + + if (err < 0) + return err; + else if (err) + changed = true; + + return genphy_check_and_restart_aneg(phydev, changed); +} + +static int dp83869_read_status_fiber(struct phy_device *phydev) +{ + int err, lpa, old_link = phydev->link; + unsigned long *lp_advertising; + + err = genphy_update_link(phydev); + if (err) + return err; + + if (phydev->autoneg == AUTONEG_ENABLE && old_link && phydev->link) + return 0; + + phydev->speed = SPEED_UNKNOWN; + phydev->duplex = DUPLEX_UNKNOWN; + phydev->pause = 0; + phydev->asym_pause = 0; + + lp_advertising = phydev->lp_advertising; + + if (phydev->autoneg != AUTONEG_ENABLE) { + linkmode_zero(lp_advertising); + + phydev->duplex = DUPLEX_FULL; + phydev->speed = SPEED_1000; + + return 0; + } + + if (!phydev->autoneg_complete) { + linkmode_zero(lp_advertising); + return 0; + } + + /* In fiber modes, register locations 0xc0... get mapped to offset 0. + * Unfortunately, the fiber-specific link partner capabilities register + * at address 0xc05 does not have the same bit layout as the + * corresponding standard MII_LPA register. Thus, functions such as + * genphy_read_lpa() will read autonegotiation results incorrectly. + */ + + lpa = phy_read(phydev, DP83869_FX_LPABL); + if (lpa < 0) + return lpa; + + linkmode_mod_bit(ETHTOOL_LINK_MODE_1000baseX_Full_BIT, + lp_advertising, lpa & DP83869_LPA_1000FULL); + + linkmode_mod_bit(ETHTOOL_LINK_MODE_Pause_BIT, lp_advertising, + lpa & DP83869_LPA_PAUSE_CAP); + + linkmode_mod_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, lp_advertising, + lpa & DP83869_LPA_PAUSE_ASYM); + + linkmode_mod_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, + lp_advertising, lpa & DP83869_LPA_LPACK); + + phy_resolve_aneg_linkmode(phydev); + + return 0; +} + static int dp83869_read_status(struct phy_device *phydev) { struct dp83869_private *dp83869 = phydev->priv; int ret; + if (dp83869->mode == DP83869_RGMII_1000_BASE) + return dp83869_read_status_fiber(phydev); + ret = genphy_read_status(phydev); if (ret) return ret; - if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported)) { + if (dp83869->mode == DP83869_RGMII_100_BASE) { if (phydev->link) { - if (dp83869->mode == DP83869_RGMII_100_BASE) - phydev->speed = SPEED_100; + phydev->speed = SPEED_100; } else { phydev->speed = SPEED_UNKNOWN; phydev->duplex = DUPLEX_UNKNOWN; @@ -898,6 +1021,7 @@ static int dp83869_phy_reset(struct phy_device *phydev) .soft_reset = dp83869_phy_reset, \ .config_intr = dp83869_config_intr, \ .handle_interrupt = dp83869_handle_interrupt, \ + .config_aneg = dp83869_config_aneg, \ .read_status = dp83869_read_status, \ .get_tunable = dp83869_get_tunable, \ .set_tunable = dp83869_set_tunable, \ --- base-commit: 5ccdcdf186aec6b9111845fd37e1757e9b413e2f change-id: 20241025-dp83869-1000base-x-0f0a61725784 Best regards, -- Romain Gantois <romain.gantois(a)bootlin.com>

7 months, 2 weeks

3
2
0 0

[PATCH] drm/panthor: Be stricter about IO mapping flags

by Jann Horn

The current panthor_device_mmap_io() implementation has two issues: 1. For mapping DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET, panthor_device_mmap_io() bails if VM_WRITE is set, but does not clear VM_MAYWRITE. That means userspace can use mprotect() to make the mapping writable later on. This is a classic Linux driver gotcha. I don't think this actually has any impact in practice: When the GPU is powered, writes to the FLUSH_ID seem to be ignored; and when the GPU is not powered, the dummy_latest_flush page provided by the driver is deliberately designed to not do any flushes, so the only thing writing to the dummy_latest_flush could achieve would be to make *more* flushes happen. 2. panthor_device_mmap_io() does not block MAP_PRIVATE mappings (which are mappings without the VM_SHARED flag). MAP_PRIVATE in combination with VM_MAYWRITE indicates that the VMA has copy-on-write semantics, which for VM_PFNMAP are semi-supported but fairly cursed. In particular, in such a mapping, the driver can only install PTEs during mmap() by calling remap_pfn_range() (because remap_pfn_range() wants to **store the physical address of the mapped physical memory into the vm_pgoff of the VMA**); installing PTEs later on with a fault handler (as panthor does) is not supported in private mappings, and so if you try to fault in such a mapping, vmf_insert_pfn_prot() splats when it hits a BUG() check. Fix it by clearing the VM_MAYWRITE flag (userspace writing to the FLUSH_ID doesn't make sense) and requiring VM_SHARED (copy-on-write semantics for the FLUSH_ID don't make sense). Reproducers for both scenarios are in the notes of my patch on the mailing list; I tested that these bugs exist on a Rock 5B machine. Note that I only compile-tested the patch, I haven't tested it; I don't have a working kernel build setup for the test machine yet. Please test it before applying it. Cc: stable(a)vger.kernel.org Fixes: 5fe909cae118 ("drm/panthor: Add the device logical block") Signed-off-by: Jann Horn <jannh(a)google.com> --- First testcase (can write to the FLUSH_ID): ``` typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) int main(void) { int fd = SYSCHK(open(GPU_PATH, O_RDWR)); // sanity-check that PROT_WRITE+MAP_SHARED fails void *mmap_write_res = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET); if (mmap_write_res == MAP_FAILED) { perror("mmap() with PROT_WRITE+MAP_SHARED failed as expected"); } else { errx(1, "mmap() with PROT_WRITE+MAP_SHARED worked???"); } // make a PROT_READ+MAP_SHARED mapping, and upgrade it to writable void *mmio_page = SYSCHK(mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, fd, DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET)); SYSCHK(mprotect(mmio_page, 0x1000, PROT_READ|PROT_WRITE)); volatile uint32_t *flush_counter = (volatile uint32_t*)mmio_page; uint32_t last_old = -1; while (1) { uint32_t old_val = *flush_counter; *flush_counter = 1111; uint32_t new_val = *flush_counter; if (old_val != last_old) printf("flush counter: old=%u, new=%u\n", old_val, new_val); last_old = old_val; } } ``` Second testcase (triggers BUG() splat): ``` typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) int main(void) { int fd = SYSCHK(open(GPU_PATH, O_RDWR)); // make a PROT_READ+**MAP_PRIVATE** mapping void *ptr = SYSCHK(mmap(NULL, 0x1000, PROT_READ, MAP_PRIVATE, fd, DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET)); // trigger a read fault *(volatile char *)ptr; } ``` The second testcase splats like this: ``` [ 2918.411814] ------------[ cut here ]------------ [ 2918.411857] kernel BUG at mm/memory.c:2220! [ 2918.411955] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [...] [ 2918.416147] CPU: 3 PID: 2934 Comm: private_user_fl Tainted: G O 6.1.43-19-rk2312 #428a0a5e6 [ 2918.417043] Hardware name: Radxa ROCK 5B (DT) [ 2918.417464] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2918.418119] pc : vmf_insert_pfn_prot+0x40/0xe4 [ 2918.418567] lr : panthor_mmio_vm_fault+0xb0/0x12c [panthor] [...] [ 2918.425746] Call trace: [ 2918.425972] vmf_insert_pfn_prot+0x40/0xe4 [ 2918.426342] __do_fault+0x38/0x7c [ 2918.426648] __handle_mm_fault+0x404/0x6dc [ 2918.427018] handle_mm_fault+0x13c/0x18c [ 2918.427374] do_page_fault+0x194/0x33c [ 2918.427716] do_translation_fault+0x60/0x7c [ 2918.428095] do_mem_abort+0x44/0x90 [ 2918.428410] el0_da+0x40/0x68 [ 2918.428685] el0t_64_sync_handler+0x9c/0xf8 [ 2918.429067] el0t_64_sync+0x174/0x178 ``` --- drivers/gpu/drm/panthor/panthor_device.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/panthor/panthor_device.c b/drivers/gpu/drm/panthor/panthor_device.c index 4082c8f2951dfdace7f73a24d6fe34e9e7f920eb..6fbff516c1c1f047fcb4dee17b87d8263616dc0c 100644 --- a/drivers/gpu/drm/panthor/panthor_device.c +++ b/drivers/gpu/drm/panthor/panthor_device.c @@ -390,11 +390,15 @@ int panthor_device_mmap_io(struct panthor_device *ptdev, struct vm_area_struct * { u64 offset = (u64)vma->vm_pgoff << PAGE_SHIFT; + if ((vma->vm_flags & VM_SHARED) == 0) + return -EINVAL; + switch (offset) { case DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET: if (vma->vm_end - vma->vm_start != PAGE_SIZE || (vma->vm_flags & (VM_WRITE | VM_EXEC))) return -EINVAL; + vm_flags_clear(vma, VM_MAYWRITE); break; --- base-commit: d78f0ee0406803cda8801fd5201746ccf89e5e4a change-id: 20241104-panthor-flush-page-fixes-fe4202bb18c0 -- Jann Horn <jannh(a)google.com>

7 months, 2 weeks

4
5
0 0

Re: [PATCH 6.11 000/249] 6.11.7-rc2 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

7 months, 2 weeks

1
0
0 0

[PATCH v2 1/8] perf jevents: fix breakage when do perf stat on system metric

by Ian Rogers

From: Xu Yang <xu.yang_2(a)nxp.com> When do perf stat on sys metric, perf tool output nothing now: $ perf stat -a -M imx95_ddr_read.all -I 1000 $ This command runs on an arm64 machine and the Soc has one DDR hw pmu except one armv8_cortex_a55 pmu. Their maps show as follows: const struct pmu_events_map pmu_events_map[] = { { .arch = "arm64", .cpuid = "0x00000000410fd050", .event_table = { .pmus = pmu_events__arm_cortex_a55, .num_pmus = ARRAY_SIZE(pmu_events__arm_cortex_a55) }, .metric_table = { .pmus = NULL, .num_pmus = 0 } }, static const struct pmu_sys_events pmu_sys_event_tables[] = { { .event_table = { .pmus = pmu_events__freescale_imx95_sys, .num_pmus = ARRAY_SIZE(pmu_events__freescale_imx95_sys) }, .metric_table = { .pmus = pmu_metrics__freescale_imx95_sys, .num_pmus = ARRAY_SIZE(pmu_metrics__freescale_imx95_sys) }, .name = "pmu_events__freescale_imx95_sys", }, Currently, pmu_metrics_table__find() will return NULL when only do perf stat on sys metric. Then parse_groups() will never be called to parse sys metric_name, finally perf tool will exit directly. This should be a common problem. To fix the issue, this will keep the logic before commit f20c15d13f01 ("perf pmu-events: Remember the perf_events_map for a PMU") to return a empty metric table rather than a NULL pointer. This should be fine since the removed part just check if the table match provided metric_name. Without these code, the code in parse_groups() will also check the validity of metrci_name too. Fixes: f20c15d13f01 ("perf pmu-events: Remember the perf_events_map for a PMU") Cc: stable(a)vger.kernel.org Signed-off-by: Xu Yang <xu.yang_2(a)nxp.com> Acked-by: Ian Rogers <irogers(a)google.com> Signed-off-by: Ian Rogers <irogers(a)google.com> --- tools/perf/pmu-events/empty-pmu-events.c | 12 +----------- tools/perf/pmu-events/jevents.py | 12 +----------- 2 files changed, 2 insertions(+), 22 deletions(-) diff --git a/tools/perf/pmu-events/empty-pmu-events.c b/tools/perf/pmu-events/empty-pmu-events.c index 2b7516946ded..b8719dab264d 100644 --- a/tools/perf/pmu-events/empty-pmu-events.c +++ b/tools/perf/pmu-events/empty-pmu-events.c @@ -585,17 +585,7 @@ const struct pmu_metrics_table *perf_pmu__find_metrics_table(struct perf_pmu *pm if (!map) return NULL; - if (!pmu) - return &map->metric_table; - - for (size_t i = 0; i < map->metric_table.num_pmus; i++) { - const struct pmu_table_entry *table_pmu = &map->metric_table.pmus[i]; - const char *pmu_name = &big_c_string[table_pmu->pmu_name.offset]; - - if (pmu__name_match(pmu, pmu_name)) - return &map->metric_table; - } - return NULL; + return &map->metric_table; } const struct pmu_events_table *find_core_events_table(const char *arch, const char *cpuid) diff --git a/tools/perf/pmu-events/jevents.py b/tools/perf/pmu-events/jevents.py index 6e71b09dbc2a..70f4fd5395fb 100755 --- a/tools/perf/pmu-events/jevents.py +++ b/tools/perf/pmu-events/jevents.py @@ -1101,17 +1101,7 @@ const struct pmu_metrics_table *perf_pmu__find_metrics_table(struct perf_pmu *pm if (!map) return NULL; - if (!pmu) - return &map->metric_table; - - for (size_t i = 0; i < map->metric_table.num_pmus; i++) { - const struct pmu_table_entry *table_pmu = &map->metric_table.pmus[i]; - const char *pmu_name = &big_c_string[table_pmu->pmu_name.offset]; - - if (pmu__name_match(pmu, pmu_name)) - return &map->metric_table; - } - return NULL; + return &map->metric_table; } const struct pmu_events_table *find_core_events_table(const char *arch, const char *cpuid) -- 2.47.0.199.ga7371fff76-goog

7 months, 2 weeks

1
0
0 0

[PATCH] [SCSI] esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_vda_ioctl()

by Qiu-ji Chen

In line 1854 of the file esas2r_ioctl.c, the function esas2r_process_vda_ioctl() is called with the parameter vi being assigned the value of a->vda_buffer. On line 1892, a->vda_buffer is stored in DMA memory with the statement a->vda_buffer = dma_alloc_coherent(&a->pcid->dev, ..., indicating that the parameter vi passed to the function is also stored in DMA memory. This suggests that the parameter vi could be altered at any time by malicious hardware. If vi’s value is changed after the first conditional check if (vi->function >= vercnt), it is likely that an array out-of-bounds access could occur in the subsequent check if (vi->version > esas2r_vdaioctl_versions[vi_function]), leading to serious issues. To fix this issue, we will store the value of vi->function in a local variable to ensure that the subsequent checks remain valid. Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> Cc: stable(a)vger.kernel.org Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver") --- drivers/scsi/esas2r/esas2r_vda.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/esas2r/esas2r_vda.c b/drivers/scsi/esas2r/esas2r_vda.c index 30028e56df63..48af8c05b01d 100644 --- a/drivers/scsi/esas2r/esas2r_vda.c +++ b/drivers/scsi/esas2r/esas2r_vda.c @@ -70,16 +70,17 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a, u32 datalen = 0; struct atto_vda_sge *firstsg = NULL; u8 vercnt = (u8)ARRAY_SIZE(esas2r_vdaioctl_versions); + u8 vi_function = vi->function; vi->status = ATTO_STS_SUCCESS; vi->vda_status = RS_PENDING; - if (vi->function >= vercnt) { + if (vi_function >= vercnt) { vi->status = ATTO_STS_INV_FUNC; return false; } - if (vi->version > esas2r_vdaioctl_versions[vi->function]) { + if (vi->version > esas2r_vdaioctl_versions[vi_function]) { vi->status = ATTO_STS_INV_VERSION; return false; } @@ -89,14 +90,14 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a, return false; } - if (vi->function != VDA_FUNC_SCSI) + if (vi_function != VDA_FUNC_SCSI) clear_vda_request(rq); - rq->vrq->scsi.function = vi->function; + rq->vrq->scsi.function = vi_function; rq->interrupt_cb = esas2r_complete_vda_ioctl; rq->interrupt_cx = vi; - switch (vi->function) { + switch (vi_function) { case VDA_FUNC_FLASH: if (vi->cmd.flash.sub_func != VDA_FLASH_FREAD -- 2.34.1

7 months, 2 weeks

2
1
0 0

Re: Kernel 6.11 breaks power-profiles-daemon on NixOS unstable

by me＠meirisoda.online

Upgrading to kernel version 6.11 breaks the ability to switch between power modes on KDE Plasma 6.2.2 and NixOS 24.11 (unstable). I am using a ROG Zephyrus 14 GA401 with a 4060. I thought it may be Nvidia acting up so I've tried: Re-enabling power-profiles-daemon in my NixOS configuration (did not fix the issues) Disabling supergfxctl on NixOS configuration (did not fix the issue) Switching between nvidia latest and beta (did not fix the issue) Switching back to kernel version 6.10 fixes the issue. Since 6.10 is considered EOL upstream, I had to manually switch back to a specific commit hash to get 6.10 to work. Hoping this gets fixed on 6.11. Thank you, soda Sent with Proton Mail secure email.

7 months, 2 weeks

2
1
0 0

[PATCH v2 6.11.y 1/2] rcu/kvfree: Add kvfree_rcu_barrier() API

by Suren Baghdasaryan

From: Uladzislau Rezki <urezki(a)gmail.com> commit 3c5d61ae919cc377c71118ccc76fa6e8518023f8 upstream. Add a kvfree_rcu_barrier() function. It waits until all in-flight pointers are freed over RCU machinery. It does not wait any GP completion and it is within its right to return immediately if there are no outstanding pointers. This function is useful when there is a need to guarantee that a memory is fully freed before destroying memory caches. For example, during unloading a kernel module. Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> --- Changes since v1 [1]: - Added SOB, per Greg KH [1] https://lore.kernel.org/all/20241021171003.2907935-1-surenb@google.com/ include/linux/rcutiny.h | 5 ++ include/linux/rcutree.h | 1 + kernel/rcu/tree.c | 109 +++++++++++++++++++++++++++++++++++++--- 3 files changed, 107 insertions(+), 8 deletions(-) diff --git a/include/linux/rcutiny.h b/include/linux/rcutiny.h index d9ac7b136aea..522123050ff8 100644 --- a/include/linux/rcutiny.h +++ b/include/linux/rcutiny.h @@ -111,6 +111,11 @@ static inline void __kvfree_call_rcu(struct rcu_head *head, void *ptr) kvfree(ptr); } +static inline void kvfree_rcu_barrier(void) +{ + rcu_barrier(); +} + #ifdef CONFIG_KASAN_GENERIC void kvfree_call_rcu(struct rcu_head *head, void *ptr); #else diff --git a/include/linux/rcutree.h b/include/linux/rcutree.h index 254244202ea9..58e7db80f3a8 100644 --- a/include/linux/rcutree.h +++ b/include/linux/rcutree.h @@ -35,6 +35,7 @@ static inline void rcu_virt_note_context_switch(void) void synchronize_rcu_expedited(void); void kvfree_call_rcu(struct rcu_head *head, void *ptr); +void kvfree_rcu_barrier(void); void rcu_barrier(void); void rcu_momentary_dyntick_idle(void); diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c index e641cc681901..be00aac5f4e7 100644 --- a/kernel/rcu/tree.c +++ b/kernel/rcu/tree.c @@ -3584,18 +3584,15 @@ kvfree_rcu_drain_ready(struct kfree_rcu_cpu *krcp) } /* - * This function is invoked after the KFREE_DRAIN_JIFFIES timeout. + * Return: %true if a work is queued, %false otherwise. */ -static void kfree_rcu_monitor(struct work_struct *work) +static bool +kvfree_rcu_queue_batch(struct kfree_rcu_cpu *krcp) { - struct kfree_rcu_cpu *krcp = container_of(work, - struct kfree_rcu_cpu, monitor_work.work); unsigned long flags; + bool queued = false; int i, j; - // Drain ready for reclaim. - kvfree_rcu_drain_ready(krcp); - raw_spin_lock_irqsave(&krcp->lock, flags); // Attempt to start a new batch. @@ -3634,11 +3631,27 @@ static void kfree_rcu_monitor(struct work_struct *work) // be that the work is in the pending state when // channels have been detached following by each // other. - queue_rcu_work(system_wq, &krwp->rcu_work); + queued = queue_rcu_work(system_wq, &krwp->rcu_work); } } raw_spin_unlock_irqrestore(&krcp->lock, flags); + return queued; +} + +/* + * This function is invoked after the KFREE_DRAIN_JIFFIES timeout. + */ +static void kfree_rcu_monitor(struct work_struct *work) +{ + struct kfree_rcu_cpu *krcp = container_of(work, + struct kfree_rcu_cpu, monitor_work.work); + + // Drain ready for reclaim. + kvfree_rcu_drain_ready(krcp); + + // Queue a batch for a rest. + kvfree_rcu_queue_batch(krcp); // If there is nothing to detach, it means that our job is // successfully done here. In case of having at least one @@ -3859,6 +3872,86 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr) } EXPORT_SYMBOL_GPL(kvfree_call_rcu); +/** + * kvfree_rcu_barrier - Wait until all in-flight kvfree_rcu() complete. + * + * Note that a single argument of kvfree_rcu() call has a slow path that + * triggers synchronize_rcu() following by freeing a pointer. It is done + * before the return from the function. Therefore for any single-argument + * call that will result in a kfree() to a cache that is to be destroyed + * during module exit, it is developer's responsibility to ensure that all + * such calls have returned before the call to kmem_cache_destroy(). + */ +void kvfree_rcu_barrier(void) +{ + struct kfree_rcu_cpu_work *krwp; + struct kfree_rcu_cpu *krcp; + bool queued; + int i, cpu; + + /* + * Firstly we detach objects and queue them over an RCU-batch + * for all CPUs. Finally queued works are flushed for each CPU. + * + * Please note. If there are outstanding batches for a particular + * CPU, those have to be finished first following by queuing a new. + */ + for_each_possible_cpu(cpu) { + krcp = per_cpu_ptr(&krc, cpu); + + /* + * Check if this CPU has any objects which have been queued for a + * new GP completion. If not(means nothing to detach), we are done + * with it. If any batch is pending/running for this "krcp", below + * per-cpu flush_rcu_work() waits its completion(see last step). + */ + if (!need_offload_krc(krcp)) + continue; + + while (1) { + /* + * If we are not able to queue a new RCU work it means: + * - batches for this CPU are still in flight which should + * be flushed first and then repeat; + * - no objects to detach, because of concurrency. + */ + queued = kvfree_rcu_queue_batch(krcp); + + /* + * Bail out, if there is no need to offload this "krcp" + * anymore. As noted earlier it can run concurrently. + */ + if (queued || !need_offload_krc(krcp)) + break; + + /* There are ongoing batches. */ + for (i = 0; i < KFREE_N_BATCHES; i++) { + krwp = &(krcp->krw_arr[i]); + flush_rcu_work(&krwp->rcu_work); + } + } + } + + /* + * Now we guarantee that all objects are flushed. + */ + for_each_possible_cpu(cpu) { + krcp = per_cpu_ptr(&krc, cpu); + + /* + * A monitor work can drain ready to reclaim objects + * directly. Wait its completion if running or pending. + */ + cancel_delayed_work_sync(&krcp->monitor_work); + + for (i = 0; i < KFREE_N_BATCHES; i++) { + krwp = &(krcp->krw_arr[i]); + flush_rcu_work(&krwp->rcu_work); + } + } +} +EXPORT_SYMBOL_GPL(kvfree_rcu_barrier); + static unsigned long kfree_rcu_shrink_count(struct shrinker *shrink, struct shrink_control *sc) { base-commit: 163b38476c50d64b89c1dfdf4fd57a368b6ebbec -- 2.47.0.199.ga7371fff76-goog

7 months, 2 weeks

2
4
0 0

[RFC] PCI: Fix the issue of link speed downgrade after link retraining

by Jinhui Guo

The link speed is downgraded to 2.5 GT/s when a Samsung NVMe device is hotplugged into a Intel PCIe root port [8086:0db0]. ``` +-[0000:3c]-+-00.0 Intel Corporation Ice Lake Memory Map/VT-d | ... | +02.0-[3d]----00.0 Samsung Electronics Co Ltd Device a80e ``` Some printing information can be obtained when the issue emerges. "Card present" is reported twice via external interrupts due to a slight tremor when the Samsung NVMe device is plugged in. The failure of the link activation for the first time leads to the link speed of the root port being mistakenly downgraded to 2.5G/s. ``` [ 8223.419682] pcieport 0000:3d:02.0: pciehp: Slot(1): Card present [ 8224.449714] pcieport 0000:3d:02.0: broken device, retraining non-functional downstream link at 2.5GT/s [ 8225.518723] pcieport 0000:3d:02.0: pciehp: Slot(1): Card present [ 8225.518726] pcieport 0000:3d:02.0: pciehp: Slot(1): Link up ``` To avoid wrongly setting the link speed to 2.5GT/s, only allow specific pcie devices to perform link retrain. Fixes: a89c82249c37 ("PCI: Work around PCIe link training failures") Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> --- drivers/pci/quirks.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index dccb60c1d9cc..59858156003b 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -91,7 +91,8 @@ int pcie_failed_link_retrain(struct pci_dev *dev) int ret = -ENOTTY; if (!pci_is_pcie(dev) || !pcie_downstream_port(dev) || - !pcie_cap_has_lnkctl2(dev) || !dev->link_active_reporting) + !pcie_cap_has_lnkctl2(dev) || !dev->link_active_reporting || + !pci_match_id(ids, dev)) return ret; pcie_capability_read_word(dev, PCI_EXP_LNKCTL2, &lnkctl2); @@ -119,8 +120,7 @@ int pcie_failed_link_retrain(struct pci_dev *dev) } if ((lnksta & PCI_EXP_LNKSTA_DLLLA) && - (lnkctl2 & PCI_EXP_LNKCTL2_TLS) == PCI_EXP_LNKCTL2_TLS_2_5GT && - pci_match_id(ids, dev)) { + (lnkctl2 & PCI_EXP_LNKCTL2_TLS) == PCI_EXP_LNKCTL2_TLS_2_5GT) { u32 lnkcap; pci_info(dev, "removing 2.5GT/s downstream link speed restriction\n"); -- 2.20.1

7 months, 2 weeks

2
1
0 0

[PATCH v2] [SCSI] esas2r: fix possible array out-of-bounds caused by bad DMA value in esas2r_process_vda_ioctl()

by Qiu-ji Chen

In line 1854 of the file esas2r_ioctl.c, the function esas2r_process_vda_ioctl() is called with the parameter vi being assigned the value of a->vda_buffer. On line 1892, a->vda_buffer is stored in DMA memory with the statement a->vda_buffer = dma_alloc_coherent(&a->pcid->dev, ..., indicating that the parameter vi passed to the function is also stored in DMA memory. This suggests that the parameter vi could be altered at any time by malicious hardware. If vi’s value is changed after the first conditional check if (vi->function >= vercnt), it is likely that an array out-of-bounds access could occur in the subsequent check if (vi->version > esas2r_vdaioctl_versions[vi_function]), leading to serious issues. To fix this issue, we will store the value of vi->function in a local variable to ensure that the subsequent checks remain valid. Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> Cc: stable(a)vger.kernel.org Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver") --- V2: Changed the incorrect patch title --- drivers/scsi/esas2r/esas2r_vda.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/esas2r/esas2r_vda.c b/drivers/scsi/esas2r/esas2r_vda.c index 30028e56df63..48af8c05b01d 100644 --- a/drivers/scsi/esas2r/esas2r_vda.c +++ b/drivers/scsi/esas2r/esas2r_vda.c @@ -70,16 +70,17 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a, u32 datalen = 0; struct atto_vda_sge *firstsg = NULL; u8 vercnt = (u8)ARRAY_SIZE(esas2r_vdaioctl_versions); + u8 vi_function = vi->function; vi->status = ATTO_STS_SUCCESS; vi->vda_status = RS_PENDING; - if (vi->function >= vercnt) { + if (vi_function >= vercnt) { vi->status = ATTO_STS_INV_FUNC; return false; } - if (vi->version > esas2r_vdaioctl_versions[vi->function]) { + if (vi->version > esas2r_vdaioctl_versions[vi_function]) { vi->status = ATTO_STS_INV_VERSION; return false; } @@ -89,14 +90,14 @@ bool esas2r_process_vda_ioctl(struct esas2r_adapter *a, return false; } - if (vi->function != VDA_FUNC_SCSI) + if (vi_function != VDA_FUNC_SCSI) clear_vda_request(rq); - rq->vrq->scsi.function = vi->function; + rq->vrq->scsi.function = vi_function; rq->interrupt_cb = esas2r_complete_vda_ioctl; rq->interrupt_cx = vi; - switch (vi->function) { + switch (vi_function) { case VDA_FUNC_FLASH: if (vi->cmd.flash.sub_func != VDA_FLASH_FREAD -- 2.34.1

7 months, 2 weeks

2
1
0 0

[PATCH v2] mm: fix a possible null pointer dereference in setup_zone_pageset()

by Qiu-ji Chen

The function call alloc_percpu() returns a pointer to the memory address, but it hasn't been checked. Our static analysis tool indicates that null pointer dereference may exist in pointer zone->per_cpu_pageset. It is always safe to judge the null pointer before use. Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> Cc: stable(a)vger.kernel.org Fixes: 9420f89db2dd ("mm: move most of core MM initialization to mm/mm_init.c") --- V2: Fixed the incorrect code logic. Thanks David Hildenbrand for helpful suggestion. --- mm/page_alloc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 8afab64814dc..7c8a74fd02d6 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -5703,8 +5703,14 @@ void __meminit setup_zone_pageset(struct zone *zone) /* Size may be 0 on !SMP && !NUMA */ if (sizeof(struct per_cpu_zonestat) > 0) zone->per_cpu_zonestats = alloc_percpu(struct per_cpu_zonestat); + if (!zone->per_cpu_zonestats) + return; zone->per_cpu_pageset = alloc_percpu(struct per_cpu_pages); + if (!zone->per_cpu_pageset) { + free_percpu(zone->per_cpu_zonestats); + return; + } for_each_possible_cpu(cpu) { struct per_cpu_pages *pcp; struct per_cpu_zonestat *pzstats; -- 2.34.1

7 months, 2 weeks

2
3
0 0

[PATCH] arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint

by Mark Rutland

SMCCCv1.3 added a hint bit which callers can set in an SMCCC function ID (AKA "FID") to indicate that it is acceptable for the SMCCC implementation to discard SVE and/or SME state over a specific SMCCC call. The kernel support for using this hint is broken and SMCCC calls may clobber the SVE and/or SME state of arbitrary tasks, though FPSIMD state is unaffected. The kernel support is intended to use the hint when there is no SVE or SME state to save, and to do this it checks whether TIF_FOREIGN_FPSTATE is set or TIF_SVE is clear in assembly code: | ldr <flags>, [<current_task>, #TSK_TI_FLAGS] | tbnz <flags>, #TIF_FOREIGN_FPSTATE, 1f // Any live FP state? | tbnz <flags>, #TIF_SVE, 2f // Does that state include SVE? | | 1: orr <fid>, <fid>, ARM_SMCCC_1_3_SVE_HINT | 2: | << SMCCC call using FID >> This is not safe as-is: (1) SMCCC calls can be made in a preemptible context and preemption can result in TIF_FOREIGN_FPSTATE being set or cleared at arbitrary points in time. Thus checking for TIF_FOREIGN_FPSTATE provides no guarantee. (2) TIF_FOREIGN_FPSTATE only indicates that the live FP/SVE/SME state in the CPU does not belong to the current task, and does not indicate that clobbering this state is acceptable. When the live CPU state is clobbered it is necessary to update fpsimd_last_state.st to ensure that a subsequent context switch will reload FP/SVE/SME state from memory rather than consuming the clobbered state. This and the SMCCC call itself must happen in a critical section with preemption disabled to avoid races. (3) Live SVE/SME state can exist with TIF_SVE clear (e.g. with only TIF_SME set), and checking TIF_SVE alone is insufficient. Remove the broken support for the SMCCCv1.3 SVE saving hint. This is effectively a revert of commits: * cfa7ff959a789a95 ("arm64: smccc: Support SMCCC v1.3 SVE register saving hint") * a7c3acca53801e10 ("arm64: smccc: Save lr before calling __arm_smccc_sve_check()") ... leaving behind the ARM_SMCCC_VERSION_1_3 and ARM_SMCCC_1_3_SVE_HINT definitions, since these are simply definitions from the SMCCC specification, and the latter is used in KVM via ARM_SMCCC_CALL_HINTS. If we want to bring this back in future, we'll probably want to handle this logic in C where we can use all the usual FPSIMD/SVE/SME helper functions, and that'll likely require some rework of the SMCCC code and/or its callers. Fixes: cfa7ff959a789a95 ("arm64: smccc: Support SMCCC v1.3 SVE register saving hint") Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kernel/smccc-call.S | 35 +++------------------------------- drivers/firmware/smccc/smccc.c | 4 ---- include/linux/arm-smccc.h | 32 +++---------------------------- 3 files changed, 6 insertions(+), 65 deletions(-) diff --git a/arch/arm64/kernel/smccc-call.S b/arch/arm64/kernel/smccc-call.S index 487381164ff6b..2def9d0dd3ddb 100644 --- a/arch/arm64/kernel/smccc-call.S +++ b/arch/arm64/kernel/smccc-call.S @@ -7,48 +7,19 @@ #include <asm/asm-offsets.h> #include <asm/assembler.h> -#include <asm/thread_info.h> - -/* - * If we have SMCCC v1.3 and (as is likely) no SVE state in - * the registers then set the SMCCC hint bit to say there's no - * need to preserve it. Do this by directly adjusting the SMCCC - * function value which is already stored in x0 ready to be called. - */ -SYM_FUNC_START(__arm_smccc_sve_check) - - ldr_l x16, smccc_has_sve_hint - cbz x16, 2f - - get_current_task x16 - ldr x16, [x16, #TSK_TI_FLAGS] - tbnz x16, #TIF_FOREIGN_FPSTATE, 1f // Any live FP state? - tbnz x16, #TIF_SVE, 2f // Does that state include SVE? - -1: orr x0, x0, ARM_SMCCC_1_3_SVE_HINT - -2: ret -SYM_FUNC_END(__arm_smccc_sve_check) -EXPORT_SYMBOL(__arm_smccc_sve_check) .macro SMCCC instr - stp x29, x30, [sp, #-16]! - mov x29, sp -alternative_if ARM64_SVE - bl __arm_smccc_sve_check -alternative_else_nop_endif \instr #0 - ldr x4, [sp, #16] + ldr x4, [sp] stp x0, x1, [x4, #ARM_SMCCC_RES_X0_OFFS] stp x2, x3, [x4, #ARM_SMCCC_RES_X2_OFFS] - ldr x4, [sp, #24] + ldr x4, [sp, #8] cbz x4, 1f /* no quirk structure */ ldr x9, [x4, #ARM_SMCCC_QUIRK_ID_OFFS] cmp x9, #ARM_SMCCC_QUIRK_QCOM_A6 b.ne 1f str x6, [x4, ARM_SMCCC_QUIRK_STATE_OFFS] -1: ldp x29, x30, [sp], #16 - ret +1: ret .endm /* diff --git a/drivers/firmware/smccc/smccc.c b/drivers/firmware/smccc/smccc.c index d670635914ecb..a74600d9f2d72 100644 --- a/drivers/firmware/smccc/smccc.c +++ b/drivers/firmware/smccc/smccc.c @@ -16,7 +16,6 @@ static u32 smccc_version = ARM_SMCCC_VERSION_1_0; static enum arm_smccc_conduit smccc_conduit = SMCCC_CONDUIT_NONE; bool __ro_after_init smccc_trng_available = false; -u64 __ro_after_init smccc_has_sve_hint = false; s32 __ro_after_init smccc_soc_id_version = SMCCC_RET_NOT_SUPPORTED; s32 __ro_after_init smccc_soc_id_revision = SMCCC_RET_NOT_SUPPORTED; @@ -28,9 +27,6 @@ void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit) smccc_conduit = conduit; smccc_trng_available = smccc_probe_trng(); - if (IS_ENABLED(CONFIG_ARM64_SVE) && - smccc_version >= ARM_SMCCC_VERSION_1_3) - smccc_has_sve_hint = true; if ((smccc_version >= ARM_SMCCC_VERSION_1_2) && (smccc_conduit != SMCCC_CONDUIT_NONE)) { diff --git a/include/linux/arm-smccc.h b/include/linux/arm-smccc.h index f59099a213d0d..67f6fdf2e7cd8 100644 --- a/include/linux/arm-smccc.h +++ b/include/linux/arm-smccc.h @@ -315,8 +315,6 @@ u32 arm_smccc_get_version(void); void __init arm_smccc_version_init(u32 version, enum arm_smccc_conduit conduit); -extern u64 smccc_has_sve_hint; - /** * arm_smccc_get_soc_id_version() * @@ -414,15 +412,6 @@ struct arm_smccc_quirk { } state; }; -/** - * __arm_smccc_sve_check() - Set the SVE hint bit when doing SMC calls - * - * Sets the SMCCC hint bit to indicate if there is live state in the SVE - * registers, this modifies x0 in place and should never be called from C - * code. - */ -asmlinkage unsigned long __arm_smccc_sve_check(unsigned long x0); - /** * __arm_smccc_smc() - make SMC calls * @a0-a7: arguments passed in registers 0 to 7 @@ -490,20 +479,6 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, #endif -/* nVHE hypervisor doesn't have a current thread so needs separate checks */ -#if defined(CONFIG_ARM64_SVE) && !defined(__KVM_NVHE_HYPERVISOR__) - -#define SMCCC_SVE_CHECK ALTERNATIVE("nop \n", "bl __arm_smccc_sve_check \n", \ - ARM64_SVE) -#define smccc_sve_clobbers "x16", "x30", "cc", - -#else - -#define SMCCC_SVE_CHECK -#define smccc_sve_clobbers - -#endif - #define __constraint_read_2 "r" (arg0) #define __constraint_read_3 __constraint_read_2, "r" (arg1) #define __constraint_read_4 __constraint_read_3, "r" (arg2) @@ -574,12 +549,11 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, register unsigned long r3 asm("r3"); \ CONCATENATE(__declare_arg_, \ COUNT_ARGS(__VA_ARGS__))(__VA_ARGS__); \ - asm volatile(SMCCC_SVE_CHECK \ - inst "\n" : \ + asm volatile(inst "\n" : \ "=r" (r0), "=r" (r1), "=r" (r2), "=r" (r3) \ : CONCATENATE(__constraint_read_, \ COUNT_ARGS(__VA_ARGS__)) \ - : smccc_sve_clobbers "memory"); \ + : "memory"); \ if (___res) \ *___res = (typeof(*___res)){r0, r1, r2, r3}; \ } while (0) @@ -628,7 +602,7 @@ asmlinkage void __arm_smccc_hvc(unsigned long a0, unsigned long a1, asm ("" : \ : CONCATENATE(__constraint_read_, \ COUNT_ARGS(__VA_ARGS__)) \ - : smccc_sve_clobbers "memory"); \ + : "memory"); \ if (___res) \ ___res->a0 = SMCCC_RET_NOT_SUPPORTED; \ } while (0) -- 2.30.2

7 months, 2 weeks

3
2
0 0

[PATCH] arm64: Kconfig: Make SME depend on BROKEN for now

by Mark Rutland

Although support for SME was merged in v5.19, we've since uncovered a number of issues with the implementation, including issues which might corrupt the FPSIMD/SVE/SME state of arbitrary tasks. While there are patches to address some of these issues, ongoing review has highlighted additional functional problems, and more time is necessary to analyse and fix these. For now, mark SME as BROKEN in the hope that we can fix things properly in the near future. As SME is an OPTIONAL part of ARMv9.2+, and there is very little extant hardware, this should not adversely affect the vast majority of users. Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> # 5.19 --- arch/arm64/Kconfig | 1 + 1 file changed, 1 insertion(+) Catalin, Will, if we take this, the minimal set of other fixes necessary for now is: * "arm64/sve: Discard stale CPU state when handling SVE traps" https://lore.kernel.org/linux-arm-kernel/20241030-arm64-fpsimd-foreign-flus… https://lore.kernel.org/linux-arm-kernel/ZypuQNhWHKut8mLl@J2N7QTR9R3.cambri… (already queued by Will in for-next/fixes) * "arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint" https://lore.kernel.org/linux-arm-kernel/20241106160448.2712997-1-mark.rutl… Mark. diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 3e29b44d2d7bd..14cc81e154ee2 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -2213,6 +2213,7 @@ config ARM64_SME bool "ARM Scalable Matrix Extension support" default y depends on ARM64_SVE + depends on BROKEN help The Scalable Matrix Extension (SME) is an extension to the AArch64 execution state which utilises a substantial subset of the SVE -- 2.30.2

7 months, 2 weeks

4
3
0 0

[PATCH] mm: fix a possible null pointer dereference in setup_zone_pageset()

by Qiu-ji Chen

The function call alloc_percpu() returns a pointer to the memory address, but it hasn't been checked. Our static analysis tool indicates that null pointer dereference may exist in pointer zone->per_cpu_pageset. It is always safe to judge the null pointer before use. Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> Cc: stable(a)vger.kernel.org Fixes: 9420f89db2dd ("mm: move most of core MM initialization to mm/mm_init.c") --- mm/page_alloc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 8afab64814dc..5deae1193dc3 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -5703,8 +5703,14 @@ void __meminit setup_zone_pageset(struct zone *zone) /* Size may be 0 on !SMP && !NUMA */ if (sizeof(struct per_cpu_zonestat) > 0) zone->per_cpu_zonestats = alloc_percpu(struct per_cpu_zonestat); + if (!zone->per_cpu_pageset) + return; zone->per_cpu_pageset = alloc_percpu(struct per_cpu_pages); + if (!zone->per_cpu_pageset) { + free_percpu(zone->per_cpu_pageset); + return; + } for_each_possible_cpu(cpu) { struct per_cpu_pages *pcp; struct per_cpu_zonestat *pzstats; -- 2.34.1

7 months, 2 weeks

2
1
0 0

[PATCH v3 2/3] dt-bindings: display: adi,adv7533: Drop single lane support

by Biju Das

As per [1], ADV7535/7533 support only 2-, 3-, or 4-lane. Drop unsupported 1-lane from bindings. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- v3: * New patch. --- .../devicetree/bindings/display/bridge/adi,adv7533.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml index df20a3c9c744..ec89115c74e4 100644 --- a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml +++ b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml @@ -90,7 +90,7 @@ properties: adi,dsi-lanes: description: Number of DSI data lanes connected to the DSI host. $ref: /schemas/types.yaml#/definitions/uint32 - enum: [ 1, 2, 3, 4 ] + enum: [ 2, 3, 4 ] "#sound-dai-cells": const: 0 -- 2.43.0

7 months, 2 weeks

4
5
0 0

[PATCH v3 3/3] drm: adv7511: Drop dsi single lane support

by Biju Das

As per [1], ADV7535/7533 support only 2-, 3-, or 4-lane. Drop unsupported 1-lane. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Reported-by: Hien Huynh <hien.huynh.px(a)renesas.com> Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v3: - Updated commit header and description - Updated fixes tag - Dropped single lane support Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index de55d687245a..ec360f8b7509 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -173,7 +173,7 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); - if (num_lanes < 1 || num_lanes > 4) + if (num_lanes < 2 || num_lanes > 4) return -EINVAL; adv->num_dsi_lanes = num_lanes; -- 2.43.0

7 months, 2 weeks

2
2
0 0

[PATCH v3 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()

by Biju Das

The host_node pointer assigned and freed in adv7533_parse_dt() and later adv7533_attach_dsi() uses the same. Fix this issue by freeing the host_node in adv7533_attach_dsi() instead of adv7533_parse_dt(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v3: - Replace __free construct with readable of_node_put(). Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..de55d687245a 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -143,6 +143,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) }; host = of_find_mipi_dsi_host_by_node(adv->host_node); + of_node_put(adv->host_node); if (!host) return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); @@ -181,8 +182,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator"); -- 2.43.0

7 months, 2 weeks

3
3
0 0

[PATCH] usb: xhci: quirk for data loss in ISOC transfers

by Raju Rangoju

During the High-Speed Isochronous Audio transfers, xHCI controller on certain AMD platforms experiences momentary data loss. This results in Missed Service Errors (MSE) being generated by the xHCI. The root cause of the MSE is attributed to the ISOC OUT endpoint being omitted from scheduling. This can happen either when an IN endpoint with a 64ms service interval is pre-scheduled prior to the ISOC OUT endpoint or when the interval of the ISOC OUT endpoint is shorter than that of the IN endpoint. Consequently, the OUT service is neglected when an IN endpoint with a service interval exceeding 32ms is scheduled concurrently (every 64ms in this scenario). This issue is particularly seen on certain older AMD platforms. To mitigate this problem, it is recommended to adjust the service interval of the IN endpoint to exceed 32ms (interval 8). This adjustment ensures that the OUT endpoint will not be bypassed, even if a smaller interval value is utilized. Cc: stable(a)vger.kernel.org Signed-off-by: Raju Rangoju <Raju.Rangoju(a)amd.com> --- drivers/usb/host/xhci-mem.c | 5 +++++ drivers/usb/host/xhci-pci.c | 14 ++++++++++++++ drivers/usb/host/xhci.h | 1 + 3 files changed, 20 insertions(+) diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index d2900197a49e..4892bb9afa6e 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -1426,6 +1426,11 @@ int xhci_endpoint_init(struct xhci_hcd *xhci, /* Periodic endpoint bInterval limit quirk */ if (usb_endpoint_xfer_int(&ep->desc) || usb_endpoint_xfer_isoc(&ep->desc)) { + if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_9) && + usb_endpoint_xfer_int(&ep->desc) && + interval >= 9) { + interval = 8; + } if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_7) && udev->speed >= USB_SPEED_HIGH && interval >= 7) { diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index cb07cee9ed0c..a078e2e5517d 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -284,6 +284,20 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) if (pdev->vendor == PCI_VENDOR_ID_NEC) xhci->quirks |= XHCI_NEC_HOST; + if (pdev->vendor == PCI_VENDOR_ID_AMD && + (pdev->device == 0x13ed || + pdev->device == 0x13ee || + pdev->device == 0x148c || + pdev->device == 0x15d4 || + pdev->device == 0x15d5 || + pdev->device == 0x15e0 || + pdev->device == 0x15e1 || + pdev->device == 0x15e5)) + xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9; + + if (pdev->vendor == PCI_VENDOR_ID_ATI && pdev->device == 0x7316) + xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9; + if (pdev->vendor == PCI_VENDOR_ID_AMD && xhci->hci_version == 0x96) xhci->quirks |= XHCI_AMD_0x96_HOST; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index f0fb696d5619..fa69f7ac09b5 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1624,6 +1624,7 @@ struct xhci_hcd { #define XHCI_ZHAOXIN_HOST BIT_ULL(46) #define XHCI_WRITE_64_HI_LO BIT_ULL(47) #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) +#define XHCI_LIMIT_ENDPOINT_INTERVAL_9 BIT_ULL(49) unsigned int num_active_eps; unsigned int limit_active_eps; -- 2.34.1

7 months, 2 weeks

4
5
0 0

FAILED: Patch "posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone" failed to apply to v6.6-stable tree

by Sasha Levin

The patch below does not apply to the v6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From b5413156bad91dc2995a5c4eab1b05e56914638a Mon Sep 17 00:00:00 2001 From: Benjamin Segall <bsegall(a)google.com> Date: Fri, 25 Oct 2024 18:35:35 -0700 Subject: [PATCH] posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone When cloning a new thread, its posix_cputimers are not inherited, and are cleared by posix_cputimers_init(). However, this does not clear the tick dependency it creates in tsk->tick_dep_mask, and the handler does not reach the code to clear the dependency if there were no timers to begin with. Thus if a thread has a cputimer running before clone/fork, all descendants will prevent nohz_full unless they create a cputimer of their own. Fix this by entirely clearing the tick_dep_mask in copy_process(). (There is currently no inherited state that needs a tick dependency) Process-wide timers do not have this problem because fork does not copy signal_struct as a baseline, it creates one from scratch. Fixes: b78783000d5c ("posix-cpu-timers: Migrate to use new tick dependency mask model") Signed-off-by: Ben Segall <bsegall(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Frederic Weisbecker <frederic(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/xm26o737bq8o.fsf@google.com --- include/linux/tick.h | 8 ++++++++ kernel/fork.c | 2 ++ 2 files changed, 10 insertions(+) diff --git a/include/linux/tick.h b/include/linux/tick.h index 72744638c5b0f..99c9c5a7252aa 100644 --- a/include/linux/tick.h +++ b/include/linux/tick.h @@ -251,12 +251,19 @@ static inline void tick_dep_set_task(struct task_struct *tsk, if (tick_nohz_full_enabled()) tick_nohz_dep_set_task(tsk, bit); } + static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { if (tick_nohz_full_enabled()) tick_nohz_dep_clear_task(tsk, bit); } + +static inline void tick_dep_init_task(struct task_struct *tsk) +{ + atomic_set(&tsk->tick_dep_mask, 0); +} + static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { @@ -290,6 +297,7 @@ static inline void tick_dep_set_task(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { } +static inline void tick_dep_init_task(struct task_struct *tsk) { } static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_signal(struct signal_struct *signal, diff --git a/kernel/fork.c b/kernel/fork.c index 89ceb4a68af25..6fa9fe62e01e3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -105,6 +105,7 @@ #include <linux/rseq.h> #include <uapi/linux/pidfd.h> #include <linux/pidfs.h> +#include <linux/tick.h> #include <asm/pgalloc.h> #include <linux/uaccess.h> @@ -2292,6 +2293,7 @@ __latent_entropy struct task_struct *copy_process( acct_clear_integrals(p); posix_cputimers_init(&p->posix_cputimers); + tick_dep_init_task(p); p->io_context = NULL; audit_set_context(p, NULL); -- 2.43.0

7 months, 2 weeks

2
1
0 0

FAILED: Patch "posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone" failed to apply to v5.15-stable tree

by Sasha Levin

The patch below does not apply to the v5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From b5413156bad91dc2995a5c4eab1b05e56914638a Mon Sep 17 00:00:00 2001 From: Benjamin Segall <bsegall(a)google.com> Date: Fri, 25 Oct 2024 18:35:35 -0700 Subject: [PATCH] posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone When cloning a new thread, its posix_cputimers are not inherited, and are cleared by posix_cputimers_init(). However, this does not clear the tick dependency it creates in tsk->tick_dep_mask, and the handler does not reach the code to clear the dependency if there were no timers to begin with. Thus if a thread has a cputimer running before clone/fork, all descendants will prevent nohz_full unless they create a cputimer of their own. Fix this by entirely clearing the tick_dep_mask in copy_process(). (There is currently no inherited state that needs a tick dependency) Process-wide timers do not have this problem because fork does not copy signal_struct as a baseline, it creates one from scratch. Fixes: b78783000d5c ("posix-cpu-timers: Migrate to use new tick dependency mask model") Signed-off-by: Ben Segall <bsegall(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Frederic Weisbecker <frederic(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/xm26o737bq8o.fsf@google.com --- include/linux/tick.h | 8 ++++++++ kernel/fork.c | 2 ++ 2 files changed, 10 insertions(+) diff --git a/include/linux/tick.h b/include/linux/tick.h index 72744638c5b0f..99c9c5a7252aa 100644 --- a/include/linux/tick.h +++ b/include/linux/tick.h @@ -251,12 +251,19 @@ static inline void tick_dep_set_task(struct task_struct *tsk, if (tick_nohz_full_enabled()) tick_nohz_dep_set_task(tsk, bit); } + static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { if (tick_nohz_full_enabled()) tick_nohz_dep_clear_task(tsk, bit); } + +static inline void tick_dep_init_task(struct task_struct *tsk) +{ + atomic_set(&tsk->tick_dep_mask, 0); +} + static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { @@ -290,6 +297,7 @@ static inline void tick_dep_set_task(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { } +static inline void tick_dep_init_task(struct task_struct *tsk) { } static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_signal(struct signal_struct *signal, diff --git a/kernel/fork.c b/kernel/fork.c index 89ceb4a68af25..6fa9fe62e01e3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -105,6 +105,7 @@ #include <linux/rseq.h> #include <uapi/linux/pidfd.h> #include <linux/pidfs.h> +#include <linux/tick.h> #include <asm/pgalloc.h> #include <linux/uaccess.h> @@ -2292,6 +2293,7 @@ __latent_entropy struct task_struct *copy_process( acct_clear_integrals(p); posix_cputimers_init(&p->posix_cputimers); + tick_dep_init_task(p); p->io_context = NULL; audit_set_context(p, NULL); -- 2.43.0

7 months, 2 weeks

2
1
0 0

FAILED: Patch "posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone" failed to apply to v5.10-stable tree

by Sasha Levin

The patch below does not apply to the v5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From b5413156bad91dc2995a5c4eab1b05e56914638a Mon Sep 17 00:00:00 2001 From: Benjamin Segall <bsegall(a)google.com> Date: Fri, 25 Oct 2024 18:35:35 -0700 Subject: [PATCH] posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone When cloning a new thread, its posix_cputimers are not inherited, and are cleared by posix_cputimers_init(). However, this does not clear the tick dependency it creates in tsk->tick_dep_mask, and the handler does not reach the code to clear the dependency if there were no timers to begin with. Thus if a thread has a cputimer running before clone/fork, all descendants will prevent nohz_full unless they create a cputimer of their own. Fix this by entirely clearing the tick_dep_mask in copy_process(). (There is currently no inherited state that needs a tick dependency) Process-wide timers do not have this problem because fork does not copy signal_struct as a baseline, it creates one from scratch. Fixes: b78783000d5c ("posix-cpu-timers: Migrate to use new tick dependency mask model") Signed-off-by: Ben Segall <bsegall(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Frederic Weisbecker <frederic(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/xm26o737bq8o.fsf@google.com --- include/linux/tick.h | 8 ++++++++ kernel/fork.c | 2 ++ 2 files changed, 10 insertions(+) diff --git a/include/linux/tick.h b/include/linux/tick.h index 72744638c5b0f..99c9c5a7252aa 100644 --- a/include/linux/tick.h +++ b/include/linux/tick.h @@ -251,12 +251,19 @@ static inline void tick_dep_set_task(struct task_struct *tsk, if (tick_nohz_full_enabled()) tick_nohz_dep_set_task(tsk, bit); } + static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { if (tick_nohz_full_enabled()) tick_nohz_dep_clear_task(tsk, bit); } + +static inline void tick_dep_init_task(struct task_struct *tsk) +{ + atomic_set(&tsk->tick_dep_mask, 0); +} + static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { @@ -290,6 +297,7 @@ static inline void tick_dep_set_task(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { } +static inline void tick_dep_init_task(struct task_struct *tsk) { } static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_signal(struct signal_struct *signal, diff --git a/kernel/fork.c b/kernel/fork.c index 89ceb4a68af25..6fa9fe62e01e3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -105,6 +105,7 @@ #include <linux/rseq.h> #include <uapi/linux/pidfd.h> #include <linux/pidfs.h> +#include <linux/tick.h> #include <asm/pgalloc.h> #include <linux/uaccess.h> @@ -2292,6 +2293,7 @@ __latent_entropy struct task_struct *copy_process( acct_clear_integrals(p); posix_cputimers_init(&p->posix_cputimers); + tick_dep_init_task(p); p->io_context = NULL; audit_set_context(p, NULL); -- 2.43.0

7 months, 2 weeks

2
1
0 0

FAILED: Patch "posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone" failed to apply to v5.4-stable tree

by Sasha Levin

The patch below does not apply to the v5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From b5413156bad91dc2995a5c4eab1b05e56914638a Mon Sep 17 00:00:00 2001 From: Benjamin Segall <bsegall(a)google.com> Date: Fri, 25 Oct 2024 18:35:35 -0700 Subject: [PATCH] posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone When cloning a new thread, its posix_cputimers are not inherited, and are cleared by posix_cputimers_init(). However, this does not clear the tick dependency it creates in tsk->tick_dep_mask, and the handler does not reach the code to clear the dependency if there were no timers to begin with. Thus if a thread has a cputimer running before clone/fork, all descendants will prevent nohz_full unless they create a cputimer of their own. Fix this by entirely clearing the tick_dep_mask in copy_process(). (There is currently no inherited state that needs a tick dependency) Process-wide timers do not have this problem because fork does not copy signal_struct as a baseline, it creates one from scratch. Fixes: b78783000d5c ("posix-cpu-timers: Migrate to use new tick dependency mask model") Signed-off-by: Ben Segall <bsegall(a)google.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Frederic Weisbecker <frederic(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/xm26o737bq8o.fsf@google.com --- include/linux/tick.h | 8 ++++++++ kernel/fork.c | 2 ++ 2 files changed, 10 insertions(+) diff --git a/include/linux/tick.h b/include/linux/tick.h index 72744638c5b0f..99c9c5a7252aa 100644 --- a/include/linux/tick.h +++ b/include/linux/tick.h @@ -251,12 +251,19 @@ static inline void tick_dep_set_task(struct task_struct *tsk, if (tick_nohz_full_enabled()) tick_nohz_dep_set_task(tsk, bit); } + static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { if (tick_nohz_full_enabled()) tick_nohz_dep_clear_task(tsk, bit); } + +static inline void tick_dep_init_task(struct task_struct *tsk) +{ + atomic_set(&tsk->tick_dep_mask, 0); +} + static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { @@ -290,6 +297,7 @@ static inline void tick_dep_set_task(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_task(struct task_struct *tsk, enum tick_dep_bits bit) { } +static inline void tick_dep_init_task(struct task_struct *tsk) { } static inline void tick_dep_set_signal(struct task_struct *tsk, enum tick_dep_bits bit) { } static inline void tick_dep_clear_signal(struct signal_struct *signal, diff --git a/kernel/fork.c b/kernel/fork.c index 89ceb4a68af25..6fa9fe62e01e3 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -105,6 +105,7 @@ #include <linux/rseq.h> #include <uapi/linux/pidfd.h> #include <linux/pidfs.h> +#include <linux/tick.h> #include <asm/pgalloc.h> #include <linux/uaccess.h> @@ -2292,6 +2293,7 @@ __latent_entropy struct task_struct *copy_process( acct_clear_integrals(p); posix_cputimers_init(&p->posix_cputimers); + tick_dep_init_task(p); p->io_context = NULL; audit_set_context(p, NULL); -- 2.43.0

7 months, 2 weeks

2
1
0 0

[PATCH 2/9] serial: sh-sci: Check if TX data was written to device in .tx_empty()

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> On the Renesas RZ/G3S, when doing suspend to RAM, the uart_suspend_port() is called. The uart_suspend_port() calls 3 times the struct uart_port::ops::tx_empty() before shutting down the port. According to the documentation, the struct uart_port::ops::tx_empty() API tests whether the transmitter FIFO and shifter for the port is empty. The Renesas RZ/G3S SCIFA IP reports the number of data units stored in the transmit FIFO through the FDR (FIFO Data Count Register). The data units in the FIFOs are written in the shift register and transmitted from there. The TEND bit in the Serial Status Register reports if the data was transmitted from the shift register. In the previous code, in the tx_empty() API implemented by the sh-sci driver, it is considered that the TX is empty if the hardware reports the TEND bit set and the number of data units in the FIFO is zero. According to the HW manual, the TEND bit has the following meaning: 0: Transmission is in the waiting state or in progress. 1: Transmission is completed. It has been noticed that when opening the serial device w/o using it and then switch to a power saving mode, the tx_empty() call in the uart_port_suspend() function fails, leading to the "Unable to drain transmitter" message being printed on the console. This is because the TEND=0 if nothing has been transmitted and the FIFOs are empty. As the TEND=0 has double meaning (waiting state, in progress) we can't determined the scenario described above. Add a software workaround for this. This sets a variable if any data has been sent on the serial console (when using PIO) or if the DMA callback has been called (meaning something has been transmitted). Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- drivers/tty/serial/sh-sci.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index df523c744423..8e2d534401fa 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -153,6 +153,7 @@ struct sci_port { int rx_trigger; struct timer_list rx_fifo_timer; int rx_fifo_timeout; + atomic_t first_time_tx; u16 hscif_tot; bool has_rtscts; @@ -850,6 +851,7 @@ static void sci_transmit_chars(struct uart_port *port) { struct tty_port *tport = &port->state->port; unsigned int stopped = uart_tx_stopped(port); + struct sci_port *s = to_sci_port(port); unsigned short status; unsigned short ctrl; int count; @@ -885,6 +887,7 @@ static void sci_transmit_chars(struct uart_port *port) } sci_serial_out(port, SCxTDR, c); + atomic_set(&s->first_time_tx, 1); port->icount.tx++; } while (--count > 0); @@ -1241,6 +1244,8 @@ static void sci_dma_tx_complete(void *arg) if (kfifo_len(&tport->xmit_fifo) < WAKEUP_CHARS) uart_write_wakeup(port); + atomic_set(&s->first_time_tx, 1); + if (!kfifo_is_empty(&tport->xmit_fifo)) { s->cookie_tx = 0; schedule_work(&s->work_tx); @@ -2076,6 +2081,10 @@ static unsigned int sci_tx_empty(struct uart_port *port) { unsigned short status = sci_serial_in(port, SCxSR); unsigned short in_tx_fifo = sci_txfill(port); + struct sci_port *s = to_sci_port(port); + + if (!atomic_read(&s->first_time_tx)) + return TIOCSER_TEMT; return (status & SCxSR_TEND(port)) && !in_tx_fifo ? TIOCSER_TEMT : 0; } @@ -2247,6 +2256,7 @@ static int sci_startup(struct uart_port *port) dev_dbg(port->dev, "%s(%d)\n", __func__, port->line); + atomic_set(&s->first_time_tx, 0); sci_request_dma(port); ret = sci_request_irq(s); @@ -2267,6 +2277,7 @@ static void sci_shutdown(struct uart_port *port) dev_dbg(port->dev, "%s(%d)\n", __func__, port->line); s->autorts = false; + atomic_set(&s->first_time_tx, 0); mctrl_gpio_disable_ms(to_sci_port(port)->gpios); uart_port_lock_irqsave(port, &flags); -- 2.39.2

7 months, 2 weeks

3
2
0 0

[PATCH] media: videobuf2-core: copy vb planes unconditionally

by Tudor Ambarus

Copy the relevant data from userspace to the vb->planes unconditionally as it's possible some of the fields may have changed after the buffer has been validated. Keep the dma_buf_put(planes[plane].dbuf) calls in the first `if (!reacquired)` case, in order to be close to the plane validation code where the buffers were got in the first place. Cc: stable(a)vger.kernel.org Fixes: 95af7c00f35b ("media: videobuf2-core: release all planes first in __prepare_dmabuf()") Signed-off-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> --- .../media/common/videobuf2/videobuf2-core.c | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c index f07dc53a9d06..c0cc441b5164 100644 --- a/drivers/media/common/videobuf2/videobuf2-core.c +++ b/drivers/media/common/videobuf2/videobuf2-core.c @@ -1482,18 +1482,23 @@ static int __prepare_dmabuf(struct vb2_buffer *vb) } vb->planes[plane].dbuf_mapped = 1; } + } else { + for (plane = 0; plane < vb->num_planes; ++plane) + dma_buf_put(planes[plane].dbuf); + } - /* - * Now that everything is in order, copy relevant information - * provided by userspace. - */ - for (plane = 0; plane < vb->num_planes; ++plane) { - vb->planes[plane].bytesused = planes[plane].bytesused; - vb->planes[plane].length = planes[plane].length; - vb->planes[plane].m.fd = planes[plane].m.fd; - vb->planes[plane].data_offset = planes[plane].data_offset; - } + /* + * Now that everything is in order, copy relevant information + * provided by userspace. + */ + for (plane = 0; plane < vb->num_planes; ++plane) { + vb->planes[plane].bytesused = planes[plane].bytesused; + vb->planes[plane].length = planes[plane].length; + vb->planes[plane].m.fd = planes[plane].m.fd; + vb->planes[plane].data_offset = planes[plane].data_offset; + } + if (reacquired) { /* * Call driver-specific initialization on the newly acquired buffer, * if provided. @@ -1503,9 +1508,6 @@ static int __prepare_dmabuf(struct vb2_buffer *vb) dprintk(q, 1, "buffer initialization failed\n"); goto err_put_vb2_buf; } - } else { - for (plane = 0; plane < vb->num_planes; ++plane) - dma_buf_put(planes[plane].dbuf); } ret = call_vb_qop(vb, buf_prepare, vb); -- 2.47.0.199.ga7371fff76-goog

7 months, 2 weeks

4
3
0 0

[PATCH 4.19 000/350] 4.19.323-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.323 release. There are 350 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 08 Nov 2024 12:02:47 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.323-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.323-rc1 Jeongjun Park <aha310510(a)gmail.com> vt: prevent kernel-infoleak in con_font_get() Jeongjun Park <aha310510(a)gmail.com> mm: shmem: fix data-race in shmem_getattr() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of checked flag Edward Adam Davis <eadavis(a)qq.com> ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential deadlock with newly created symlinks Ville Syrjälä <ville.syrjala(a)linux.intel.com> wifi: iwlegacy: Clear stale interrupts before resuming device Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com> wifi: ath10k: Fix memory leak in management tx Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "driver core: Fix uevent_show() vs driver detach race" Faisal Hassan <quic_faisalh(a)quicinc.com> xhci: Fix Link TRB DMA in command ring stopped completion event Zijun Hu <quic_zijuhu(a)quicinc.com> usb: phy: Fix API devm_usb_put_phy() can not release the phy Zongmin Zhou <zhouzongmin(a)kylinos.cn> usbip: tools: Fix detach_port() invalid port error path Dimitri Sivanich <sivanich(a)hpe.com> misc: sgi-gru: Don't disable preemption in GRU driver Daniel Palmer <daniel(a)0x0f.com> net: amd: mvme147: Fix probe banner message Xiongfeng Wang <wangxiongfeng2(a)huawei.com> firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Benoît Monin <benoit.monin(a)gmx.fr> net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Xin Long <lucien.xin(a)gmail.com> net: support ip generic csum processing in skb_csum_hwoffload_help Byeonguk Jeong <jungbu2855(a)gmail.com> bpf: Fix out-of-bounds write in trie_get_next_key() Pedro Tammela <pctammela(a)mojatatu.com> net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Pablo Neira Ayuso <pablo(a)netfilter.org> gtp: allow -1 to be specified as file description from userspace Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> gtp: simplify error handling code in 'gtp_encap_enable()' Wander Lairson Costa <wander(a)redhat.com> igb: Disable threaded IRQ for igb_msix_other Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Xiu Jianfeng <xiujianfeng(a)huawei.com> cgroup: Fix potential overflow issue when checking max_depth Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: core: Stop processing of pending events if controller is halted Yu Chen <chenyu56(a)huawei.com> usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc Marek Szyprowski <m.szyprowski(a)samsung.com> usb: dwc3: remove generic PHY calibrate() calls Sabrina Dubroca <sd(a)queasysnail.net> xfrm: validate new SA's prefixlen using SA family when sel.family is unset junhua huang <huang.junhua(a)zte.com.cn> arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning Paul Moore <paul(a)paul-moore.com> selinux: improve error checking in sel_write_load() Haiyang Zhang <haiyangz(a)microsoft.com> hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of buffer delay flag Shubham Panwar <shubiisp8(a)gmail.com> ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Guard against bad data for ATIF ACPI method Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Update default depop procedure Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix name regression Biju Das <biju.das(a)bp.renesas.com> dt-bindings: power: Add r8a774b1 SYSC power domain definitions Wang Hai <wanghai38(a)huawei.com> be2net: fix potential memory leak in be_xmit() Wang Hai <wanghai38(a)huawei.com> net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: Fix sanity check in dbMount Gianfranco Trad <gianf.trad(a)gmail.com> udf: fix uninit-value use in udf_get_fileshortad Nico Boehr <nrb(a)linux.ibm.com> KVM: s390: gaccess: Check if guest address is in memslot Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Cleanup access to guest pages Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Refactor access address range check Janis Schoetterl-Glausch <scgl(a)linux.ibm.com> KVM: s390: gaccess: Refactor gpa and length calculation Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix uprobes for big-endian kernels junhua huang <huang.junhua(a)zte.com.cn> arm64:uprobe fix the uprobe SWBP_INSN in big-endian Ye Bin <yebin10(a)huawei.com> Bluetooth: bnep: fix wild-memory-access in proto_unregister Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> usb: typec: altmode should keep reference to parent Wang Hai <wanghai38(a)huawei.com> net: systemport: fix potential memory leak in bcm_sysport_xmit() Wang Hai <wanghai38(a)huawei.com> net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Sabrina Dubroca <sd(a)queasysnail.net> macsec: don't increment counters for an unrelated SA Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Return more meaningful error Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Andrey Skvortsov <andrej.skvortzov(a)gmail.com> clk: Fix slab-out-of-bounds error in devm_clk_release() Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> clk: Fix pointer casting to prevent oops in devm_clk_release() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: propagate directory read errors from nilfs_find_entry() Zhang Rui <rui.zhang(a)intel.com> x86/apic: Always explicitly disarm TSC-deadline timer Takashi Iwai <tiwai(a)suse.de> parport: Proper fix for array out-of-bounds access Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN920C04 MBIM compositions Benjamin B. Frost <benjamin(a)geanix.com> USB: serial: option: add support for Quectel EG916Q-GL Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix incorrect stream context type macro Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 Aaron Thompson <dev(a)aaront.org> Bluetooth: Remove debugfs directory on module init failure Emil Gedenryd <emil.gedenryd(a)axis.com> iio: light: opt3001: add missing full-scale range value Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig Nikolay Kuratov <kniv(a)yandex-team.ru> drm/vmwgfx: Handle surface check failure correctly Jim Mattson <jmattson(a)google.com> x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET Michael Mueller <mimu(a)linux.ibm.com> KVM: s390: Change virtual to physical address access in diag 0x258 handler Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> s390/sclp_vt220: Convert newlines to CRLF instead of LFCR Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Fix out-of-bound access Breno Leitao <leitao(a)debian.org> KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: fix uninitialized variable WangYuli <wangyuli(a)uniontech.com> PCI: Add function 0 DMA alias quirk for Glenfly Arise chip Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix simulate_ldr*_literal() Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Remove broken LDR (literal) uprobe support Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: Fix missing timespec64 check in pc_clock_settime() Anastasia Kovaleva <a.kovaleva(a)yadro.com> net: Fix an unsafe loop on the list Icenowy Zheng <uwu(a)icenowy.me> usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip Jose Alberto Reguero <jose.alberto.reguero(a)gmail.com> usb: xhci: Fix problem with xhci resume from suspend Oliver Neukum <oneukum(a)suse.com> Revert "usb: yurex: Replace snprintf() with the safer scnprintf() variant" Wade Wang <wade.wang(a)hp.com> HID: plantronics: Workaround for an unexcepted opposite volume key Oliver Neukum <oneukum(a)suse.com> CDC-NCM: avoid overflow in sanity checking j.nixdorf(a)avm.de <j.nixdorf(a)avm.de> net: ipv6: ensure we call ipv6_mc_down() at most once Eric Dumazet <edumazet(a)google.com> ppp: fix ppp_async_encode() illegal access Rosen Penev <rosenp(a)gmail.com> net: ibm: emac: mal: fix wrong goto Mohamed Khalfella <mkhalfella(a)purestorage.com> igb: Do not bring the device up after non-fatal error Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Use devm_clk api to manage clock source Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> clk: Provide new devm_clk helpers for prepared and enabled clocks Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> clk: generalize devm_clk_get() a bit Phil Edworthy <phil.edworthy(a)renesas.com> clk: Add (devm_)clk_get_optional() functions Billy Tsai <billy_tsai(a)aspeedtech.com> gpio: aspeed: Add the flush write to ensure the write complete. Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change Andy Roulin <aroulin(a)nvidia.com> netfilter: br_netfilter: fix panic with metadata_dst skb Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe Dan Carpenter <dan.carpenter(a)linaro.org> SUNRPC: Fix integer overflow in decode_rc_list() Chuck Lever <chuck.lever(a)oracle.com> NFS: Remove print_overflow_msg() Andrey Shumilin <shum.sdl(a)nppct.ru> fbdev: sisfb: Fix strbuf array overflow Zijun Hu <quic_zijuhu(a)quicinc.com> driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute Zhu Jun <zhujun2(a)cmss.chinamobile.com> tools/iio: Add memory allocation failure check for trigger_name Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: udc: enable suspend interrupt after usb reset Yunke Cao <yunkec(a)chromium.org> media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() Alex Williamson <alex.williamson(a)redhat.com> PCI: Mark Creative Labs EMU20k2 INTx masking as broken Hans de Goede <hdegoede(a)redhat.com> i2c: i801: Use a different adapter-name for IDF adapters Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> clk: bcm: bcm53573: fix OF node leak in init Daniel Jordan <daniel.m.jordan(a)oracle.com> ktest.pl: Avoid false positives with grub2 skip regex Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_sf: Remove WARN_ON_ONCE statements Wojciech Gładysz <wojciech.gladysz(a)infogain.com> ext4: nested locking for xattr inode Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> s390/mm: Add cond_resched() to cmm_alloc/free_pages() Heiko Carstens <hca(a)linux.ibm.com> s390/facility: Disable compile time optimization for decompressor code Tao Chen <chen.dylane(a)gmail.com> bpf: Check percpu map value size first Mathias Krause <minipli(a)grsecurity.net> Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal Michael S. Tsirkin <mst(a)redhat.com> virtio_console: fix misc probe bugs Rob Clark <robdclark(a)chromium.org> drm/crtc: fix uninitialized variable use even harder Sean Paul <seanpaul(a)chromium.org> drm: Move drm_mode_setcrtc() local re-init to failure path Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Remove precision vsnprintf() check from print event Linus Walleij <linus.walleij(a)linaro.org> net: ethernet: cortina: Drop TSO support zhanchengbin <zhanchengbin1(a)huawei.com> ext4: fix inode tree inconsistency caused by ENOMEM Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Fix possible crash when unregistering a battery hook Armin Wolf <W_Armin(a)gmx.de> ACPI: battery: Simplify battery hook locking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> rtc: at91sam9: fix OF node leak in probe() error path Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: at91sam9: drop platform_data support NeilBrown <neilb(a)suse.de> nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Arnd Bergmann <arnd(a)arndb.de> nfsd: use ktime_get_seconds() for timestamps Oleg Nesterov <oleg(a)redhat.com> uprobes: fix kernel info leak via "[uprobes]" vma Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Expand speculative SSBS workaround once more Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-N3 definitions Anshuman Khandual <anshuman.khandual(a)arm.com> arm64: Add Cortex-715 CPU part definition Baokun Li <libaokun1(a)huawei.com> ext4: update orig_path in ext4_find_extent() Baokun Li <libaokun1(a)huawei.com> ext4: fix slab-use-after-free in ext4_split_extent_at() Theodore Ts'o <tytso(a)mit.edu> ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: davinci: fix lazy disable Filipe Manana <fdmanana(a)suse.com> btrfs: wait for fixup workers before stopping cleaner kthread during umount Nuno Sa <nuno.sa(a)analog.com> Input: adp5589-keys - fix adp5589_gpio_get_value() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: fallback to realpath if symlink's pathname does not exist Barnabás Czémán <barnabas.czeman(a)mainlining.org> iio: magnetometer: ak8975: Fix reading for ak099xx sensors Zheng Wang <zyytlz.wz(a)163.com> media: venus: fix use after free bug in venus_remove due to race condition Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Sebastian Reichel <sebastian.reichel(a)collabora.com> clk: rockchip: fix error for unknown clocks Chun-Yi Lee <joeyli.kernel(a)gmail.com> aoe: fix the potential use-after-free problem in more places Jisheng Zhang <jszhang(a)kernel.org> riscv: define ILLEGAL_POINTER_VALUE for 64bit Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Julian Sun <sunjunchao2870(a)gmail.com> ocfs2: fix null-ptr-deref when journal load failed. Lizhi Xu <lizhi.xu(a)windriver.com> ocfs2: remove unreasonable unlock in ocfs2_read_blocks Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: cancel dqi_sync_work before freeing oinfo Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> ocfs2: reserve space for inline xattr before attaching reflink tree Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: fix uninit-value in ocfs2_get_block() Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the la space leak when unmounting an ocfs2 volume Baokun Li <libaokun1(a)huawei.com> jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Andrew Jones <ajones(a)ventanamicro.com> of/irq: Support #msi-cells=<0> in of_msi_get_domain Helge Deller <deller(a)kernel.org> parisc: Fix 64-bit userspace syscall path Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Baokun Li <libaokun1(a)huawei.com> ext4: fix double brelse() the buffer of the extents path Baokun Li <libaokun1(a)huawei.com> ext4: aovid use-after-free in ext4_ext_insert_extent() Luis Henriques (SUSE) <luis.henriques(a)linux.dev> ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Baokun Li <libaokun1(a)huawei.com> ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Edward Adam Davis <eadavis(a)qq.com> ext4: no need to continue when the number of entries is 1 Jaroslav Kysela <perex(a)perex.cz> ALSA: core: add isascii() check to card ID generator Helge Deller <deller(a)gmx.de> parisc: Fix itlb miss handler for 64-bit programs Luo Gengkun <luogengkun(a)huaweicloud.com> perf/core: Fix small negative period being ignored Jinjie Ruan <ruanjinjie(a)huawei.com> spi: bcm63xx: Fix module autoloading Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Wait for TX empty to avoid missed TX NAKs Christophe Leroy <christophe.leroy(a)csgroup.eu> selftests: vDSO: fix vDSO symbols lookup for powerpc64 Yifei Liu <yifei.l.liu(a)oracle.com> selftests: breakpoints: use remaining time to check if suspend succeed Ben Dooks <ben.dooks(a)codethink.co.uk> spi: s3c64xx: fix timeout counters in flush_fifo Artem Sadovnikov <ancowi69(a)gmail.com> ext4: fix i_data_sem unlock order in ext4_ind_migrate() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: ext4_search_dir should return a proper error Geert Uytterhoeven <geert+renesas(a)glider.be> of/irq: Refer to actual buffer size in of_irq_parse_one() Geert Uytterhoeven <geert+renesas(a)glider.be> drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Kees Cook <kees(a)kernel.org> scsi: aacraid: Rearrange order of struct aac_srb_unit Matthew Brost <matthew.brost(a)intel.com> drm/printer: Allow NULL data in devcoredump printer Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix index out of bounds in degamma hardware format translation Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check stream before comparing them Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> jfs: Fix uninit-value access of new_ea in ea_buffer Edward Adam Davis <eadavis(a)qq.com> jfs: check if leafidx greater than num leaves per dmap tree Edward Adam Davis <eadavis(a)qq.com> jfs: Fix uaf in dbFreeBits Remington Brasga <rbrasga(a)uci.edu> jfs: UBSAN: shift-out-of-bounds in dbFindBits Damien Le Moal <dlemoal(a)kernel.org> ata: sata_sil: Rename sil_blacklist to sil_quirks Andrew Davis <afd(a)ti.com> power: reset: brcmstb: Do not go into infinite loop if reset fails Kaixin Wang <kxwang23(a)m.fudan.edu.cn> fbdev: pxafb: Fix possible use after free in pxafb_task() Takashi Iwai <tiwai(a)suse.de> ALSA: hdsp: Break infinite MIDI input flush loop Takashi Iwai <tiwai(a)suse.de> ALSA: asihpi: Fix potential OOB array access Thomas Gleixner <tglx(a)linutronix.de> signal: Replace BUG_ON()s Gustavo A. R. Silva <gustavoars(a)kernel.org> wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Aleksandrs Vinarskis <alex.vinarskis(a)gmail.com> ACPICA: iasl: handle empty connection_node Jason Xing <kernelxing(a)tencent.com> tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Ido Schimmel <idosch(a)nvidia.com> ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR). Simon Horman <horms(a)kernel.org> net: mvpp2: Increase size of queue_name buffer Simon Horman <horms(a)kernel.org> tipc: guard against string buffer overrun Pei Xiao <xiaopei01(a)kylinos.cn> ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: EC: Do not release locks during operation region accesses Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Armin Wolf <W_Armin(a)gmx.de> ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_mdio: fix OF node leak in probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> net: hisilicon: hip04: fix OF node leak in probe() Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Dmitry Kandybka <d.kandybka(a)gmail.com> wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Jann Horn <jannh(a)google.com> f2fs: Require FMODE_WRITE for atomic write ioctls Takashi Iwai <tiwai(a)suse.de> ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Takashi Iwai <tiwai(a)suse.de> ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Xin Long <lucien.xin(a)gmail.com> sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Anton Danilov <littlesmilingcloud(a)gmail.com> ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Eric Dumazet <edumazet(a)google.com> net: add more sanity checks to qdisc_pkt_len_init() Eric Dumazet <edumazet(a)google.com> net: avoid potential underflow in qdisc_pkt_len_init() with UFO Aleksander Jan Bajkowski <olek2(a)wp.pl> net: ethernet: lantiq_etop: fix memory disclosure Prashant Malani <pmalani(a)chromium.org> r8152: Factor out OOB link list waits Eric Dumazet <edumazet(a)google.com> netfilter: nf_tables: prevent nf_skb_duplicated corruption Phil Sutter <phil(a)nwl.cc> netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Xiubo Li <xiubli(a)redhat.com> ceph: remove the incorrect Fw reference check when dirtying pages Stefan Wahren <wahrenst(a)gmx.net> mailbox: bcm2835: Fix timeout during suspend mode Liao Chen <liaochen4(a)huawei.com> mailbox: rockchip: fix a typo in module autoloading Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> usb: yurex: Fix inconsistent locking bug in yurex_read() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> i2c: isch: Add missed 'else' Tommy Huang <tommy_huang(a)aspeedtech.com> i2c: aspeed: Update the stop sw state when the bus recovery occurs Ma Ke <make24(a)iscas.ac.cn> pps: add an error check in parport_attach Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> pps: remove usage of the deprecated ida_simple_xx() API Oliver Neukum <oneukum(a)suse.com> USB: misc: yurex: fix race between read and write Lee Jones <lee(a)kernel.org> usb: yurex: Replace snprintf() with the safer scnprintf() variant Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix soc_dev leak during device remove Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: realview: fix memory leak during device remove Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler Thomas Gleixner <tglx(a)linutronix.de> PCI: xilinx-nwl: Use irq_data_get_irq_chip_data() Li Lingfeng <lilingfeng3(a)huawei.com> nfs: fix memory leak in error path of nfs4_do_reclaim Mickaël Salaün <mic(a)digikod.net> fs: Fix file_set_fowner LSM hook inconsistencies Julian Sun <sunjunchao2870(a)gmail.com> vfs: fix race between evice_inodes() and find_inode()&iput() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: avoid potential int overflow in sanity_check_area_boundary() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> f2fs: prevent possible int overflow in dir_block_index() Thomas Weißschuh <linux(a)weissschuh.net> ACPI: sysfs: validate return type of _STR method Mikhail Lobanov <m.lobanov(a)rosalinux.ru> drbd: Add NULL check for net_conf to prevent dereference in state validation Qiu-ji Chen <chenqiuji666(a)gmail.com> drbd: Fix atomicity violation in drbd_uuid_set_bm() Florian Fainelli <florian.fainelli(a)broadcom.com> tty: rp2: Fix reset with non forgiving PCIe host bridges Jann Horn <jannh(a)google.com> firmware_loader: Block path traversal Oliver Neukum <oneukum(a)suse.com> USB: misc: cypress_cy7c63: check for short transfer Oliver Neukum <oneukum(a)suse.com> USB: appledisplay: close race between probe and completion handler Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soc: versatile: integrator: fix OF node leak in probe() error path Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Remove *.orig pattern from .gitignore Hailey Mothershead <hailmo(a)amazon.com> crypto: aead,cipher - zeroize key buffer after use Simon Horman <horms(a)kernel.org> netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS Youssef Samir <quic_yabdulra(a)quicinc.com> net: qrtr: Update packets cloning when broadcasting Josh Hunt <johunt(a)akamai.com> tcp: check skb is non-NULL in tcp_rto_delta_us() Eric Dumazet <edumazet(a)google.com> tcp: introduce tcp_skb_timestamp_us() helper Kaixin Wang <kxwang23(a)m.fudan.edu.cn> net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition Eric Dumazet <edumazet(a)google.com> netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() Suzuki K Poulose <suzuki.poulose(a)arm.com> coresight: tmc: sg: Do not leak sg_table Chao Yu <chao(a)kernel.org> f2fs: reduce expensive checkpoint trigger frequency Chao Yu <chao(a)kernel.org> f2fs: remove unneeded check condition in __f2fs_setxattr() Chao Yu <chao(a)kernel.org> f2fs: fix to update i_ctime in __f2fs_setxattr() Yonggil Song <yonggil.song(a)samsung.com> f2fs: fix typo Chao Yu <yuchao0(a)huawei.com> f2fs: enhance to update i_mode and acl atomically in f2fs_setattr() Guoqing Jiang <guoqing.jiang(a)linux.dev> nfsd: call cache_put if xdr_reserve_space returns NULL Jinjie Ruan <ruanjinjie(a)huawei.com> ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() Mikhail Lobanov <m.lobanov(a)rosalinux.ru> RDMA/cxgb4: Added NULL check for lookup_atid Wang Jianzheng <wangjianzheng(a)vivo.com> pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function Yangtao Li <frank.li(a)vivo.com> pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource() David Lechner <dlechner(a)baylibre.com> clk: ti: dra7-atl: Fix leak of of_nodes Yang Yingliang <yangyingliang(a)huawei.com> pinctrl: single: fix missing error code in pcs_probe() Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency Sean Anderson <sean.anderson(a)linux.dev> PCI: xilinx-nwl: Fix register misspelling Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error Junlin Li <make24(a)iscas.ac.cn> drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error Jonas Karlman <jonas(a)kwiboo.se> clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 Ian Rogers <irogers(a)google.com> perf time-utils: Fix 32-bit nsec parsing Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time Yang Jihong <yangjihong(a)bytedance.com> perf sched timehist: Fix missing free of session in perf_sched__timehist() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential oob read in nilfs_btree_check_delete() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: determine empty node blocks as corrupted Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: avoid OOB when system.data xattr changes underneath the filesystem Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: return error on ext4_find_inline_entry Kemeng Shi <shikemeng(a)huaweicloud.com> ext4: avoid negative min_clusters in find_group_orlov() Jiawei Ye <jiawei.ye(a)foxmail.com> smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso yangerkun <yangerkun(a)huawei.com> ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard Mauricio Faria de Oliveira <mfo(a)canonical.com> jbd2: introduce/export functions jbd2_journal_submit|finish_inode_data_buffers() Chen Yu <yu.c.chen(a)intel.com> kthread: fix task state in kthread worker if being frozen Rob Clark <robdclark(a)chromium.org> kthread: add kthread_work tracepoints Lasse Collin <lasse.collin(a)tukaani.org> xz: cleanup CRC32 edits from 2018 Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix error compiling test_lru_map.c Juergen Gross <jgross(a)suse.com> xen/swiotlb: add alignment check for dma buffers Juergen Gross <jgross(a)suse.com> xen/swiotlb: simplify range_straddles_page_boundary() Juergen Gross <jgross(a)suse.com> xen: use correct end address of kernel for conflict checking Sherry Yang <sherry.yang(a)oracle.com> drm/msm: fix %s null argument error Wolfram Sang <wsa+renesas(a)sang-engineering.com> ipmi: docs: don't advertise deprecated sysfs entries Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: fix races in preemption evaluation stage Vladimir Lypak <vladimir.lypak(a)gmail.com> drm/msm/a5xx: properly clear preemption records on resume Jeongjun Park <aha310510(a)gmail.com> jfs: fix out-of-bounds in dbNextAG() and diAlloc() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets Alex Bee <knaerzche(a)gmail.com> drm/rockchip: vop: Allow 4096px width scaling Alex Deucher <alexander.deucher(a)amd.com> drm/radeon: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/radeon: Replace one-element array with flexible-array member Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: properly handle vbios fake edid sizing Paulo Miguel Almeida <paulo.miguel.almeida.rodenas(a)gmail.com> drm/amdgpu: Replace one-element array with flexible-array member Matteo Croce <mcroce(a)redhat.com> drm/amd: fix typo Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/stm: Fix an error handling path in stm_drm_platform_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() Artur Weber <aweber.kernel(a)gmail.com> power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense Yuntao Liu <liuyuntao12(a)huawei.com> hwmon: (ntc_thermistor) fix module autoloading Mirsad Todorovac <mtodorovac69(a)gmail.com> mtd: slram: insert break after errors in parsing the map Guenter Roeck <linux(a)roeck-us.net> hwmon: (max16065) Fix overflows seen when writing limits Ankit Agrawal <agrawal.ag.ankit(a)gmail.com> clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: berlin: fix OF node leak in probe() error path Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: versatile: fix OF node leak in CPUs prepare Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ Ma Ke <make24(a)iscas.ac.cn> spi: ppc4xx: handle irq_of_parse_and_map() errors Yu Kuai <yukuai3(a)huawei.com> block, bfq: don't break merge chain in bfq_split_bfqq() Yu Kuai <yukuai3(a)huawei.com> block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix possible UAF for bfqq->bic with merge chain Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btusb: Fix not handling ZPL/short-transfer Kuniyuki Iwashima <kuniyu(a)amazon.com> can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). Dmitry Antipov <dmantipov(a)yandex.ru> wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire Toke Høiland-Jørgensen <toke(a)redhat.com> wifi: ath9k: Remove error checks when creating debugfs entries Minjie Du <duminjie(a)vivo.com> wifi: ath9k: fix parameter check in ath9k_init_debug() Aleksandr Mishin <amishin(a)t-argos.ru> ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() Junhao Xie <bigfoot(a)classfun.cn> USB: serial: pl2303: add device id for Macrosilicon MS3020 Hagar Hemdan <hagarhem(a)amazon.com> gpio: prevent potential speculation leaks in gpio_device_get_desc() Ferry Meng <mengferry(a)linux.alibaba.com> ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() Ferry Meng <mengferry(a)linux.alibaba.com> ocfs2: add bounds checking to ocfs2_xattr_find_entry() Michael Kelley <mhklinux(a)outlook.com> x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency Liao Chen <liaochen4(a)huawei.com> spi: bcm63xx: Enable module autoloading Liao Chen <liaochen4(a)huawei.com> ASoC: tda7419: fix module autoloading Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead Daniel Gabay <daniel.gabay(a)intel.com> wifi: iwlwifi: mvm: fix iwl_mvm_max_scan_ie_fw_cmd_room() Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Ensure tx descriptor updates are visible Mike Rapoport <rppt(a)kernel.org> microblaze: don't treat zero reserved memory regions as error Thomas Blocher <thomas.blocher(a)ek-dev.de> pinctrl: at91: make it work with current gpiolib Hongbo Li <lihongbo22(a)huawei.com> ASoC: allow module autoloading for table db1200_pids Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> selftests/kcmp: remove call to ksft_set_plan() Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> selftests/vm: remove call to ksft_set_plan() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Eran Ben Elisha <eranbe(a)mellanox.com> net/mlx5: Update the list of the PCI supported devices Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Aleksandr Mishin <amishin(a)t-argos.ru> staging: iio: frequency: ad9834: Validate frequency parameter value Beniamin Bia <biabeniamin(a)gmail.com> staging: iio: frequency: ad9833: Load clock using clock framework Beniamin Bia <biabeniamin(a)gmail.com> staging: iio: frequency: ad9833: Get frequency value statically ------------- Diffstat: .gitignore | 1 - Documentation/IPMI.txt | 2 +- Documentation/arm64/silicon-errata.txt | 2 + Documentation/driver-model/devres.txt | 1 + Makefile | 4 +- arch/arm/mach-realview/platsmp-dt.c | 1 + arch/arm64/Kconfig | 2 + arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 23 +- arch/arm64/include/asm/cputype.h | 4 + arch/arm64/include/asm/uprobes.h | 12 +- arch/arm64/kernel/cpu_errata.c | 2 + arch/arm64/kernel/probes/decode-insn.c | 16 +- arch/arm64/kernel/probes/simulate-insn.c | 18 +- arch/arm64/kernel/probes/uprobes.c | 4 +- arch/microblaze/mm/init.c | 5 - arch/parisc/kernel/entry.S | 6 +- arch/parisc/kernel/syscall.S | 14 +- arch/riscv/Kconfig | 5 + arch/s390/include/asm/facility.h | 6 +- arch/s390/kernel/perf_cpum_sf.c | 12 +- arch/s390/kvm/diag.c | 2 +- arch/s390/kvm/gaccess.c | 162 +++++--- arch/s390/kvm/gaccess.h | 14 +- arch/s390/mm/cmm.c | 18 +- arch/x86/include/asm/cpufeatures.h | 3 +- arch/x86/kernel/apic/apic.c | 14 +- arch/x86/kernel/cpu/mshyperv.c | 1 + arch/x86/xen/setup.c | 2 +- block/bfq-iosched.c | 13 +- crypto/aead.c | 3 +- crypto/cipher.c | 3 +- drivers/acpi/acpica/dbconvert.c | 2 + drivers/acpi/acpica/exprep.c | 3 + drivers/acpi/acpica/psargs.c | 47 +++ drivers/acpi/battery.c | 28 +- drivers/acpi/button.c | 11 + drivers/acpi/device_sysfs.c | 5 +- drivers/acpi/ec.c | 55 ++- drivers/acpi/pmic/tps68470_pmic.c | 6 +- drivers/ata/sata_sil.c | 12 +- drivers/base/bus.c | 6 +- drivers/base/core.c | 13 +- drivers/base/firmware_loader/main.c | 30 ++ drivers/base/module.c | 4 - drivers/block/aoe/aoecmd.c | 13 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_state.c | 2 +- drivers/bluetooth/btusb.c | 10 +- drivers/char/virtio_console.c | 18 +- drivers/clk/bcm/clk-bcm53573-ilp.c | 2 +- drivers/clk/clk-devres.c | 115 +++++- drivers/clk/rockchip/clk-rk3228.c | 2 +- drivers/clk/rockchip/clk.c | 3 +- drivers/clk/ti/clk-dra7-atl.c | 1 + drivers/clocksource/timer-qcom.c | 7 +- drivers/firmware/arm_sdei.c | 2 +- drivers/gpio/gpio-aspeed.c | 4 +- drivers/gpio/gpio-davinci.c | 8 +- drivers/gpio/gpiolib.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +- drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 26 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 + .../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 + drivers/gpu/drm/amd/include/atombios.h | 4 +- drivers/gpu/drm/drm_crtc.c | 17 +- drivers/gpu/drm/drm_print.c | 13 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 26 +- drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- drivers/gpu/drm/radeon/atombios.h | 2 +- drivers/gpu/drm/radeon/evergreen_cs.c | 62 +-- drivers/gpu/drm/radeon/r100.c | 70 ++-- drivers/gpu/drm/radeon/radeon_atombios.c | 26 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 +- drivers/gpu/drm/stm/drv.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + drivers/hid/hid-ids.h | 2 + drivers/hid/hid-plantronics.c | 23 ++ drivers/hwmon/max16065.c | 5 +- drivers/hwmon/ntc_thermistor.c | 1 + drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- drivers/i2c/busses/i2c-aspeed.c | 16 +- drivers/i2c/busses/i2c-i801.c | 9 +- drivers/i2c/busses/i2c-isch.c | 3 +- drivers/i2c/busses/i2c-xiic.c | 19 +- drivers/iio/adc/Kconfig | 2 + .../iio/common/hid-sensors/hid-sensor-trigger.c | 2 +- drivers/iio/dac/Kconfig | 1 + drivers/iio/light/opt3001.c | 4 + drivers/iio/magnetometer/ak8975.c | 32 +- drivers/infiniband/core/iwcm.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- drivers/infiniband/hw/cxgb4/cm.c | 14 +- drivers/input/keyboard/adp5589-keys.c | 13 +- drivers/input/rmi4/rmi_driver.c | 6 +- drivers/mailbox/bcm2835-mailbox.c | 3 +- drivers/mailbox/rockchip-mailbox.c | 2 +- drivers/media/common/videobuf2/videobuf2-core.c | 8 +- drivers/media/dvb-frontends/rtl2830.c | 2 +- drivers/media/dvb-frontends/rtl2832.c | 2 +- drivers/media/platform/qcom/venus/core.c | 1 + drivers/misc/sgi-gru/grukservices.c | 2 - drivers/misc/sgi-gru/grumain.c | 4 - drivers/misc/sgi-gru/grutlbpurge.c | 2 - drivers/mtd/devices/slram.c | 2 + drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 +- drivers/net/ethernet/aeroflex/greth.c | 3 +- drivers/net/ethernet/amd/mvme147.c | 7 +- drivers/net/ethernet/broadcom/bcmsysport.c | 1 + drivers/net/ethernet/cortina/gemini.c | 15 +- drivers/net/ethernet/emulex/benet/be_main.c | 10 +- drivers/net/ethernet/faraday/ftgmac100.c | 26 +- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 +- drivers/net/ethernet/hisilicon/hip04_eth.c | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 + drivers/net/ethernet/hisilicon/hns_mdio.c | 1 + drivers/net/ethernet/i825xx/sun3_82586.c | 1 + drivers/net/ethernet/ibm/emac/mal.c | 2 +- drivers/net/ethernet/intel/igb/igb_main.c | 6 +- drivers/net/ethernet/jme.c | 10 +- drivers/net/ethernet/lantiq_etop.c | 4 +- drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 + drivers/net/ethernet/seeq/ether3.c | 2 + drivers/net/gtp.c | 27 +- drivers/net/hyperv/netvsc_drv.c | 30 ++ drivers/net/macsec.c | 18 - drivers/net/phy/vitesse.c | 14 - drivers/net/ppp/ppp_async.c | 2 +- drivers/net/usb/cdc_ncm.c | 8 +- drivers/net/usb/ipheth.c | 5 +- drivers/net/usb/r8152.c | 73 +--- drivers/net/usb/usbnet.c | 3 +- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 + drivers/net/wireless/ath/ath9k/debug.c | 6 +- drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +- drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 - drivers/net/wireless/intel/iwlegacy/common.c | 2 + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 8 +- drivers/net/wireless/marvell/mwifiex/fw.h | 2 +- drivers/net/wireless/marvell/mwifiex/scan.c | 3 +- drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- drivers/of/irq.c | 38 +- drivers/parport/procfs.c | 22 +- drivers/pci/controller/pcie-xilinx-nwl.c | 24 +- drivers/pci/quirks.c | 6 + drivers/pinctrl/mvebu/pinctrl-dove.c | 45 +- drivers/pinctrl/pinctrl-at91.c | 5 +- drivers/pinctrl/pinctrl-single.c | 3 +- drivers/power/reset/brcmstb-reboot.c | 3 - drivers/power/supply/max17042_battery.c | 5 +- drivers/pps/clients/pps_parport.c | 14 +- drivers/reset/reset-berlin.c | 3 +- drivers/rtc/Kconfig | 2 +- drivers/rtc/rtc-at91sam9.c | 45 +- drivers/s390/char/sclp_vt220.c | 4 +- drivers/scsi/aacraid/aacraid.h | 2 +- drivers/soc/versatile/soc-integrator.c | 1 + drivers/soc/versatile/soc-realview.c | 20 +- drivers/soundwire/stream.c | 8 +- drivers/spi/spi-bcm63xx.c | 2 + drivers/spi/spi-ppc4xx.c | 7 +- drivers/spi/spi-s3c64xx.c | 4 +- drivers/staging/iio/frequency/ad9834.c | 54 +-- drivers/staging/iio/frequency/ad9834.h | 28 -- drivers/tty/serial/rp2.c | 2 +- drivers/tty/vt/vt.c | 2 +- drivers/usb/chipidea/udc.c | 8 +- drivers/usb/dwc3/core.c | 49 ++- drivers/usb/dwc3/core.h | 11 +- drivers/usb/dwc3/gadget.c | 11 - drivers/usb/host/xhci-pci.c | 5 + drivers/usb/host/xhci-ring.c | 16 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/misc/appledisplay.c | 15 +- drivers/usb/misc/cypress_cy7c63.c | 4 + drivers/usb/misc/yurex.c | 5 +- drivers/usb/phy/phy.c | 2 +- drivers/usb/serial/option.c | 8 + drivers/usb/serial/pl2303.c | 1 + drivers/usb/serial/pl2303.h | 4 + drivers/usb/storage/unusual_devs.h | 11 + drivers/usb/typec/class.c | 3 + drivers/video/fbdev/hpfb.c | 1 + drivers/video/fbdev/pxafb.c | 1 + drivers/video/fbdev/sis/sis_main.c | 2 +- drivers/xen/swiotlb-xen.c | 40 +- fs/btrfs/disk-io.c | 11 + fs/ceph/addr.c | 1 - fs/ext4/ext4.h | 1 + fs/ext4/extents.c | 70 +++- fs/ext4/ialloc.c | 2 + fs/ext4/inline.c | 35 +- fs/ext4/inode.c | 11 +- fs/ext4/mballoc.c | 10 +- fs/ext4/migrate.c | 2 +- fs/ext4/move_extent.c | 1 - fs/ext4/namei.c | 14 +- fs/ext4/xattr.c | 4 +- fs/f2fs/acl.c | 23 +- fs/f2fs/dir.c | 3 +- fs/f2fs/f2fs.h | 4 +- fs/f2fs/file.c | 24 +- fs/f2fs/super.c | 4 +- fs/f2fs/xattr.c | 29 +- fs/fat/namei_vfat.c | 2 +- fs/fcntl.c | 14 +- fs/inode.c | 4 + fs/jbd2/checkpoint.c | 14 +- fs/jbd2/commit.c | 36 +- fs/jbd2/journal.c | 2 + fs/jfs/jfs_discard.c | 11 +- fs/jfs/jfs_dmap.c | 11 +- fs/jfs/jfs_imap.c | 2 +- fs/jfs/xattr.c | 2 + fs/lockd/clnt4xdr.c | 14 - fs/lockd/clntxdr.c | 14 - fs/nfs/callback_xdr.c | 61 ++- fs/nfs/nfs2xdr.c | 84 ++-- fs/nfs/nfs3xdr.c | 163 +++----- fs/nfs/nfs42xdr.c | 21 +- fs/nfs/nfs4state.c | 1 + fs/nfs/nfs4xdr.c | 451 ++++++--------------- fs/nfsd/nfs4callback.c | 13 - fs/nfsd/nfs4idmap.c | 13 +- fs/nfsd/nfs4state.c | 15 +- fs/nilfs2/btree.c | 12 +- fs/nilfs2/dir.c | 50 +-- fs/nilfs2/namei.c | 42 +- fs/nilfs2/nilfs.h | 2 +- fs/nilfs2/page.c | 7 +- fs/ocfs2/aops.c | 5 +- fs/ocfs2/buffer_head_io.c | 4 +- fs/ocfs2/file.c | 8 + fs/ocfs2/journal.c | 7 +- fs/ocfs2/localalloc.c | 19 + fs/ocfs2/quota_local.c | 8 +- fs/ocfs2/refcounttree.c | 26 +- fs/ocfs2/xattr.c | 38 +- fs/udf/inode.c | 9 +- include/drm/drm_print.h | 54 ++- include/dt-bindings/power/r8a774b1-sysc.h | 26 ++ include/linux/clk.h | 145 +++++++ include/linux/jbd2.h | 4 + include/linux/pci_ids.h | 2 + include/net/sock.h | 2 + include/net/tcp.h | 27 +- include/trace/events/f2fs.h | 3 +- include/trace/events/sched.h | 84 ++++ include/uapi/linux/cec.h | 6 +- include/uapi/linux/netfilter/nf_tables.h | 2 +- kernel/bpf/arraymap.c | 3 + kernel/bpf/hashtab.c | 3 + kernel/bpf/lpm_trie.c | 2 +- kernel/cgroup/cgroup.c | 4 +- kernel/events/core.c | 6 +- kernel/events/uprobes.c | 2 +- kernel/kthread.c | 19 +- kernel/signal.c | 11 +- kernel/time/posix-clock.c | 3 + kernel/trace/trace_output.c | 6 +- lib/xz/xz_crc32.c | 2 +- lib/xz/xz_private.h | 4 - mm/shmem.c | 2 + net/bluetooth/af_bluetooth.c | 1 + net/bluetooth/bnep/core.c | 3 +- net/bluetooth/rfcomm/sock.c | 2 - net/bridge/br_netfilter_hooks.c | 5 + net/can/bcm.c | 4 +- net/core/dev.c | 29 +- net/ipv4/devinet.c | 6 +- net/ipv4/fib_frontend.c | 2 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/netfilter/nf_dup_ipv4.c | 7 +- net/ipv4/tcp_input.c | 24 +- net/ipv4/tcp_ipv4.c | 5 +- net/ipv4/tcp_output.c | 2 +- net/ipv4/tcp_rate.c | 17 +- net/ipv4/tcp_recovery.c | 5 +- net/ipv6/addrconf.c | 8 +- net/ipv6/netfilter/nf_dup_ipv6.c | 7 +- net/ipv6/netfilter/nf_reject_ipv6.c | 14 +- net/mac80211/cfg.c | 3 +- net/mac80211/iface.c | 17 +- net/mac80211/key.c | 42 +- net/netfilter/nf_conntrack_netlink.c | 7 +- net/netfilter/nf_tables_api.c | 2 +- net/netfilter/nft_payload.c | 3 + net/netlink/af_netlink.c | 3 +- net/qrtr/qrtr.c | 2 +- net/sched/sch_api.c | 2 +- net/sctp/socket.c | 4 +- net/tipc/bearer.c | 8 +- net/wireless/nl80211.c | 3 +- net/wireless/scan.c | 6 +- net/wireless/sme.c | 3 +- net/xfrm/xfrm_user.c | 6 +- scripts/kconfig/merge_config.sh | 2 + security/selinux/selinuxfs.c | 31 +- security/smack/smackfs.c | 2 +- security/tomoyo/domain.c | 9 +- sound/core/init.c | 14 +- sound/pci/asihpi/hpimsgx.c | 2 +- sound/pci/hda/hda_generic.c | 4 +- sound/pci/hda/patch_conexant.c | 24 +- sound/pci/hda/patch_realtek.c | 38 +- sound/pci/rme9652/hdsp.c | 6 +- sound/pci/rme9652/hdspm.c | 6 +- sound/soc/au1x/db1200.c | 1 + sound/soc/codecs/tda7419.c | 1 + tools/iio/iio_generic_buffer.c | 4 + tools/perf/builtin-sched.c | 8 +- tools/perf/util/time-utils.c | 4 +- tools/testing/ktest/ktest.pl | 2 +- tools/testing/selftests/bpf/test_lru_map.c | 3 +- .../breakpoints/step_after_suspend_test.c | 5 +- tools/testing/selftests/kcmp/kcmp_test.c | 1 - tools/testing/selftests/vDSO/parse_vdso.c | 3 +- tools/testing/selftests/vm/compaction_test.c | 2 - tools/usb/usbip/src/usbip_detach.c | 1 + virt/kvm/kvm_main.c | 5 +- 326 files changed, 2648 insertions(+), 1791 deletions(-)

7 months, 2 weeks

5
356
0 0

[PATCH v2 0/2] powerpc: Prepare for clang's per-task stack protector support

by Nathan Chancellor

This series prepares the powerpc Kconfig and Kbuild files for clang's per-task stack protector support. clang requires '-mstack-protector-guard-offset' to always be passed with the other '-mstack-protector-guard' flags, which does not always happen with the powerpc implementation, unlike arm, arm64, and riscv implementations. This series brings powerpc in line with those other architectures, which allows clang's support to work right away when it is merged. Additionally, there is one other fix needed for the Kconfig test to work correctly when targeting 32-bit. I have tested this series in QEMU against LKDTM's REPORT_STACK_CANARY with ppc64le_guest_defconfig and pmac32_defconfig built with a toolchain that contains Keith's in-progress pull request, which should land for LLVM 20: https://github.com/llvm/llvm-project/pull/110928 --- Changes in v2: - Combined patch 1 and 3, as they are fixing the same test for similar reasons; adjust commit message accordingly (Christophe) - Moved stack protector guard flags on one line in Makefile (Christophe) - Add 'Cc: stable' targeting 6.1 and newer for the sake of simplicity, as it is the oldest stable release where this series applies cleanly (folks who want it on earlier releases can request or perform a backport separately). - Pick up Keith's Reviewed-by and Tested-by on both patches. - Add a blurb to commit message of patch 1 explaining why clang's register selection behavior differs from GCC. - Link to v1: https://lore.kernel.org/r/20241007-powerpc-fix-stackprotector-test-clang-v1… --- Nathan Chancellor (2): powerpc: Fix stack protector Kconfig test for clang powerpc: Adjust adding stack protector flags to KBUILD_CLAGS for clang arch/powerpc/Kconfig | 4 ++-- arch/powerpc/Makefile | 13 ++++--------- 2 files changed, 6 insertions(+), 11 deletions(-) --- base-commit: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b change-id: 20241004-powerpc-fix-stackprotector-test-clang-84e67ed82f62 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

7 months, 2 weeks

2
3
0 0

[for 6.11 PATCH] RISC-V: disallow gcc + rust builds

by Conor Dooley

From: Conor Dooley <conor.dooley(a)microchip.com> commit 33549fcf37ec461f398f0a41e1c9948be2e5aca4 upstream During the discussion before supporting rust on riscv, it was decided not to support gcc yet, due to differences in extension handling compared to llvm (only the version of libclang matching the c compiler is supported). Recently Jason Montleon reported [1] that building with gcc caused build issues, due to unsupported arguments being passed to libclang. After some discussion between myself and Miguel, it is better to disable gcc + rust builds to match the original intent, and subsequently support it when an appropriate set of extensions can be deduced from the version of libclang. Closes: https://lore.kernel.org/all/20240917000848.720765-2-jmontleo@redhat.com/ [1] Link: https://lore.kernel.org/all/20240926-battering-revolt-6c6a7827413e@spud/ [2] Fixes: 70a57b247251a ("RISC-V: enable building 64-bit kernels with rust support") Cc: stable(a)vger.kernel.org Reported-by: Jason Montleon <jmontleo(a)redhat.com> Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com> Acked-by: Miguel Ojeda <ojeda(a)kernel.org> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Link: https://lore.kernel.org/r/20241001-playlist-deceiving-16ece2f440f5@spud Signed-off-by: Palmer Dabbelt <palmer(a)rivosinc.com> Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com> --- Documentation/rust/arch-support.rst | 2 +- arch/riscv/Kconfig | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/rust/arch-support.rst b/Documentation/rust/arch-support.rst index 750ff371570a..54be7ddf3e57 100644 --- a/Documentation/rust/arch-support.rst +++ b/Documentation/rust/arch-support.rst @@ -17,7 +17,7 @@ Architecture Level of support Constraints ============= ================ ============================================== ``arm64`` Maintained Little Endian only. ``loongarch`` Maintained \- -``riscv`` Maintained ``riscv64`` only. +``riscv`` Maintained ``riscv64`` and LLVM/Clang only. ``um`` Maintained \- ``x86`` Maintained ``x86_64`` only. ============= ================ ============================================== diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index d11c2479d8e1..6651a5cbdc27 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -172,7 +172,7 @@ config RISCV select HAVE_REGS_AND_STACK_ACCESS_API select HAVE_RETHOOK if !XIP_KERNEL select HAVE_RSEQ - select HAVE_RUST if 64BIT + select HAVE_RUST if 64BIT && CC_IS_CLANG select HAVE_SAMPLE_FTRACE_DIRECT select HAVE_SAMPLE_FTRACE_DIRECT_MULTI select HAVE_STACKPROTECTOR -- 2.45.2

7 months, 2 weeks

2
1
0 0

[PATCH net 0/6] Make TCP-MD5-diag slightly less broken

by Dmitry Safonov via B4 Relay

My original intent was to replace the last non-upstream Arista's TCP-AO piece. That is per-netns procfs seqfile which lists AO keys. In my view an acceptable upstream alternative would be TCP-AO-diag uAPI. So, I started by looking and reviewing TCP-MD5-diag code. And straight away I saw a bunch of issues: 1. Similarly to TCP_MD5SIG_EXT, which doesn't check tcpm_flags for unknown flags and so being non-extendable setsockopt(), the same way tcp_diag_put_md5sig() dumps md5 keys in an array of tcp_diag_md5sig, which makes it ABI non-extendable structure as userspace can't tolerate any new members in it. 2. Inet-diag allocates netlink message for sockets in inet_diag_dump_one_icsk(), which uses a TCP-diag callback .idiag_get_aux_size(), that pre-calculates the needed space for TCP-diag related information. But as neither socket lock nor rcu_readlock() are held between allocation and the actual TCP info filling, the TCP-related space requirement may change before reaching tcp_diag_put_md5sig(). I.e., the number of TCP-MD5 keys on a socket. Thankfully, TCP-MD5-diag won't overwrite the skb, but will return EMSGSIZE, triggering WARN_ON() in inet_diag_dump_one_icsk(). 3. Inet-diag "do" request* can create skb of any message required size. But "dump" request* the skb size, since d35c99ff77ec ("netlink: do not enter direct reclaim from netlink_dump()") is limited by 32 KB. Having in mind that sizeof(struct tcp_diag_md5sig) = 100 bytes, dumps for sockets that have more than 327 keys are going to fail (not counting other diag infos, which lower this limit futher). That is much lower than the number of TCP-MD5 keys that can be allocated on a socket with the current default optmem_max limit (128Kb). So, then I went and written selftests for TCP-MD5-diag and besides confirming that (2) and (3) are not theoretical issues, I also discovered another issues, that I didn't notice on code inspection: 4. nlattr::nla_len is __u16, which limits the largest netlink attibute by 64Kb or by 655 tcp_diag_md5sig keys in the diag array. What happens de-facto is that the netlink attribute gets u16 overflow, breaking the userspace parsing - RTA_NEXT(), that should point to the next attribute, points into the middle of md5 keys array. In this patch set issues (2) and (4) are addressed. (2) by not returning EMSGSIZE when the dump raced with modifying TCP-MD5 keys on a socket, but mark the dump inconsistent by setting NLM_F_DUMP_INTR nlmsg flag. Which changes uAPI in situations where previously kernel did WARN() and errored the dump. (4) by artificially limiting the maximum attribute size by U16_MAX - 1. In order to remove the new limit from (4) solution, my plan is to convert the dump of TCP-MD5 keys from an array to NL_ATTR_TYPE_NESTED_ARRAY (or alike), which should also address (1). And for (3), it's needed to teach tcp-diag how-to remember not only socket on which previous recvmsg() stopped, but potentially TCP-MD5 key as well. I plan in the next part of patch set address (3), (1) and the new limit for (4), together with adding new TCP-AO-diag. * Terminology from Documentation/userspace-api/netlink/intro.rst Signed-off-by: Dmitry Safonov <0x7f454c46(a)gmail.com> --- Dmitry Safonov (6): net/diag: Do not race on dumping MD5 keys with adding new MD5 keys net/diag: Warn only once on EMSGSIZE net/diag: Pre-allocate optional info only if requested net/diag: Always pre-allocate tcp_ulp info net/diag: Limit TCP-MD5-diag array by max attribute length net/netlink: Correct the comment on netlink message max cap include/linux/inet_diag.h | 3 +- include/net/tcp.h | 1 - net/ipv4/inet_diag.c | 87 ++++++++++++++++++++++++++++++++++++++--------- net/ipv4/tcp_diag.c | 69 ++++++++++++++++++------------------- net/mptcp/diag.c | 20 ----------- net/netlink/af_netlink.c | 4 +-- net/tls/tls_main.c | 17 --------- 7 files changed, 109 insertions(+), 92 deletions(-) --- base-commit: 2e1b3cc9d7f790145a80cb705b168f05dab65df2 change-id: 20241106-tcp-md5-diag-prep-2f0dcf371d90 Best regards, -- Dmitry Safonov <0x7f454c46(a)gmail.com>

7 months, 2 weeks

2
2
0 0

[PATCH 6.1 0/1] cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value

by Anastasia Belova

NULL-dereference is possible in amd_pstate_adjust_perf in 6.1 stable release. The problem has been fixed by the following upstream patch that was adapted to 6.1. The patch couldn't be applied clearly but the changes made are minor. Found by Linux Verification Center (linuxtesting.org) with SVACE.

7 months, 2 weeks

2
3
0 0

[PATCH] irqchip/gic-v3: Force propagation of the active state with a read-back

by Marc Zyngier

Christoffer reports that on some implementations, writing to GICR_ISACTIVER0 (and similar GICD registers) can race badly with a guest issuing a deactivation of that interrupt via the system register interface. There are multiple reasons to this: - we use an early write-acknoledgement memory type (nGnRE), meaning that the write may only have made it as far as some interconnect by the time the store is considered "done" - the GIC itself is allowed to buffer the write until it decides to take it into account (as long as it is in finite time) The effects are that the activation may not have taken effect by the time we enter the guest, forcing an immediate exit, or that a guest deactivation occurs before the interrupt is active, doing nothing. In order to guarantee that the write to the ISACTIVER register has taken effect, read back from it, forcing the interconnect to propagate the write, and the GIC to process the write before returning the read. Reported-by: Christoffer Dall <christoffer.dall(a)arm.com> Acked-by: Christoffer Dall <christoffer.dall(a)arm.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/irqchip/irq-gic-v3.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c index ce87205e3e823..8b6159f4cdafa 100644 --- a/drivers/irqchip/irq-gic-v3.c +++ b/drivers/irqchip/irq-gic-v3.c @@ -524,6 +524,13 @@ static int gic_irq_set_irqchip_state(struct irq_data *d, } gic_poke_irq(d, reg); + + /* + * Force read-back to guarantee that the active state has taken + * effect, and won't race with a guest-driven deactivation. + */ + if (reg == GICD_ISACTIVER) + gic_peek_irq(d, reg); return 0; } -- 2.39.2

7 months, 2 weeks

2
1
0 0

[PATCH] arm64/ptrace: Zero FPMR on streaming mode entry/exit

by Mark Brown

When FPMR and SME are both present then entering and exiting streaming mode clears FPMR in the same manner as it clears the V/Z and P registers. Since entering and exiting streaming mode via ptrace is expected to have the same effect as doing so via SMSTART/SMSTOP it should clear FPMR too but this was missed when FPMR support was added. Add the required reset of FPMR. Since changing the vector length resets SVCR a SME vector length change implemented via a write to ZA can trigger an exit of streaming mode and we need to check when writing to ZA as well. Fixes: 4035c22ef7d4 ("arm64/ptrace: Expose FPMR via ptrace") Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- arch/arm64/kernel/ptrace.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index b756578aeaeea1d3250276734520e3eaae8a671d..f242df53de2992bf8a3fd51710d6653fe82f7779 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -876,6 +876,7 @@ static int sve_set_common(struct task_struct *target, const void *kbuf, const void __user *ubuf, enum vec_type type) { + u64 old_svcr = target->thread.svcr; int ret; struct user_sve_header header; unsigned int vq; @@ -903,8 +904,6 @@ static int sve_set_common(struct task_struct *target, /* Enter/exit streaming mode */ if (system_supports_sme()) { - u64 old_svcr = target->thread.svcr; - switch (type) { case ARM64_VEC_SVE: target->thread.svcr &= ~SVCR_SM_MASK; @@ -1003,6 +1002,10 @@ static int sve_set_common(struct task_struct *target, start, end); out: + /* If we entered or exited streaming mode then reset FPMR */ + if ((target->thread.svcr & SVCR_SM) != (old_svcr & SVCR_SM)) + target->thread.uw.fpmr = 0; + fpsimd_flush_task_state(target); return ret; } @@ -1099,6 +1102,7 @@ static int za_set(struct task_struct *target, unsigned int pos, unsigned int count, const void *kbuf, const void __user *ubuf) { + u64 old_svcr = target->thread.svcr; int ret; struct user_za_header header; unsigned int vq; @@ -1175,6 +1179,10 @@ static int za_set(struct task_struct *target, target->thread.svcr |= SVCR_ZA_MASK; out: + /* If we entered or exited streaming mode then reset FPMR */ + if ((target->thread.svcr & SVCR_SM) != (old_svcr & SVCR_SM)) + target->thread.uw.fpmr = 0; + fpsimd_flush_task_state(target); return ret; } --- base-commit: 8e929cb546ee42c9a61d24fae60605e9e3192354 change-id: 20241106-arm64-ptrace-fpmr-sm-45390f592574 Best regards, -- Mark Brown <broonie(a)kernel.org>

7 months, 2 weeks

1
0
0 0

+ ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: fix UBSAN warning in ocfs2_verify_volume() has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Dmitry Antipov <dmantipov(a)yandex.ru> Subject: ocfs2: fix UBSAN warning in ocfs2_verify_volume() Date: Wed, 6 Nov 2024 12:21:00 +0300 Syzbot has reported the following splat triggered by UBSAN: UBSAN: shift-out-of-bounds in fs/ocfs2/super.c:2336:10 shift exponent 32768 is too large for 32-bit type 'int' CPU: 2 UID: 0 PID: 5255 Comm: repro Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x241/0x360 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? __asan_memset+0x23/0x50 ? lockdep_init_map_type+0xa1/0x910 __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 ocfs2_fill_super+0xf9c/0x5750 ? __pfx_ocfs2_fill_super+0x10/0x10 ? __pfx_validate_chain+0x10/0x10 ? __pfx_validate_chain+0x10/0x10 ? validate_chain+0x11e/0x5920 ? __lock_acquire+0x1384/0x2050 ? __pfx_validate_chain+0x10/0x10 ? string+0x26a/0x2b0 ? widen_string+0x3a/0x310 ? string+0x26a/0x2b0 ? bdev_name+0x2b1/0x3c0 ? pointer+0x703/0x1210 ? __pfx_pointer+0x10/0x10 ? __pfx_format_decode+0x10/0x10 ? __lock_acquire+0x1384/0x2050 ? vsnprintf+0x1ccd/0x1da0 ? snprintf+0xda/0x120 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_lock+0x14f/0x370 ? __pfx_snprintf+0x10/0x10 ? set_blocksize+0x1f9/0x360 ? sb_set_blocksize+0x98/0xf0 ? setup_bdev_super+0x4e6/0x5d0 mount_bdev+0x20c/0x2d0 ? __pfx_ocfs2_fill_super+0x10/0x10 ? __pfx_mount_bdev+0x10/0x10 ? vfs_parse_fs_string+0x190/0x230 ? __pfx_vfs_parse_fs_string+0x10/0x10 legacy_get_tree+0xf0/0x190 ? __pfx_ocfs2_mount+0x10/0x10 vfs_get_tree+0x92/0x2b0 do_new_mount+0x2be/0xb40 ? __pfx_do_new_mount+0x10/0x10 __se_sys_mount+0x2d6/0x3c0 ? __pfx___se_sys_mount+0x10/0x10 ? do_syscall_64+0x100/0x230 ? __x64_sys_mount+0x20/0xc0 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f37cae96fda Code: 48 8b 0d 51 ce 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e ce 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007fff6c1aa228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fff6c1aa240 RCX: 00007f37cae96fda RDX: 00000000200002c0 RSI: 0000000020000040 RDI: 00007fff6c1aa240 RBP: 0000000000000004 R08: 00007fff6c1aa280 R09: 0000000000000000 R10: 00000000000008c0 R11: 0000000000000206 R12: 00000000000008c0 R13: 00007fff6c1aa280 R14: 0000000000000003 R15: 0000000001000000 </TASK> For a really damaged superblock, the value of 'i_super.s_blocksize_bits' may exceed the maximum possible shift for an underlying 'int'. So add an extra check whether the aforementioned field represents the valid block size, which is 512 bytes, 1K, 2K, or 4K. Link: https://lkml.kernel.org/r/20241106092100.2661330-1-dmantipov@yandex.ru Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru> Reported-by: syzbot+56f7cd1abe4b8e475180(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=56f7cd1abe4b8e475180 Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/super.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/fs/ocfs2/super.c~ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume +++ a/fs/ocfs2/super.c @@ -2319,6 +2319,7 @@ static int ocfs2_verify_volume(struct oc struct ocfs2_blockcheck_stats *stats) { int status = -EAGAIN; + u32 blksz_bits; if (memcmp(di->i_signature, OCFS2_SUPER_BLOCK_SIGNATURE, strlen(OCFS2_SUPER_BLOCK_SIGNATURE)) == 0) { @@ -2333,11 +2334,15 @@ static int ocfs2_verify_volume(struct oc goto out; } status = -EINVAL; - if ((1 << le32_to_cpu(di->id2.i_super.s_blocksize_bits)) != blksz) { + /* Acceptable block sizes are 512 bytes, 1K, 2K and 4K. */ + blksz_bits = le32_to_cpu(di->id2.i_super.s_blocksize_bits); + if (blksz_bits < 9 || blksz_bits > 12) { mlog(ML_ERROR, "found superblock with incorrect block " - "size: found %u, should be %u\n", - 1 << le32_to_cpu(di->id2.i_super.s_blocksize_bits), - blksz); + "size bits: found %u, should be 9, 10, 11, or 12\n", + blksz_bits); + } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) { + mlog(ML_ERROR, "found superblock with incorrect block " + "size: found %u, should be %u\n", 1 << blksz_bits, blksz); } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) != OCFS2_MAJOR_REV_LEVEL || le16_to_cpu(di->id2.i_super.s_minor_rev_level) != _ Patches currently in -mm which might be from dmantipov(a)yandex.ru are ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch ocfs2-fix-uninitialized-value-in-ocfs2_file_read_iter.patch

7 months, 2 weeks

1
0
0 0

+ nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Date: Thu, 7 Nov 2024 01:07:33 +0900 When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty() may cause a NULL pointer dereference, or a general protection fault when KASAN is enabled. This happens because, since the tracepoint was added in mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure. In the current implementation, nilfs_grab_buffer(), which grabs a buffer to read (or create) a block of metadata, including b-tree node blocks, does not set the block device, but instead does so only if the buffer is not in the "uptodate" state for each of its caller block reading functions. However, if the uptodate flag is set on a folio/page, and the buffer heads are detached from it by try_to_free_buffers(), and new buffer heads are then attached by create_empty_buffers(), the uptodate flag may be restored to each buffer without the block device being set to bh->b_bdev, and mark_buffer_dirty() may be called later in that state, resulting in the bug mentioned above. Fix this issue by making nilfs_grab_buffer() always set the block device of the super block structure to the buffer head, regardless of the state of the buffer's uptodate flag. Link: https://lkml.kernel.org/r/20241106160811.3316-3-konishi.ryusuke@gmail.com Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Ubisectech Sirius <bugreport(a)valiantsec.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/btnode.c | 2 -- fs/nilfs2/gcinode.c | 4 +--- fs/nilfs2/mdt.c | 1 - fs/nilfs2/page.c | 1 + 4 files changed, 2 insertions(+), 6 deletions(-) --- a/fs/nilfs2/btnode.c~nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint +++ a/fs/nilfs2/btnode.c @@ -68,7 +68,6 @@ nilfs_btnode_create_block(struct address goto failed; } memset(bh->b_data, 0, i_blocksize(inode)); - bh->b_bdev = inode->i_sb->s_bdev; bh->b_blocknr = blocknr; set_buffer_mapped(bh); set_buffer_uptodate(bh); @@ -133,7 +132,6 @@ int nilfs_btnode_submit_block(struct add goto found; } set_buffer_mapped(bh); - bh->b_bdev = inode->i_sb->s_bdev; bh->b_blocknr = pblocknr; /* set block address for read */ bh->b_end_io = end_buffer_read_sync; get_bh(bh); --- a/fs/nilfs2/gcinode.c~nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint +++ a/fs/nilfs2/gcinode.c @@ -83,10 +83,8 @@ int nilfs_gccache_submit_read_data(struc goto out; } - if (!buffer_mapped(bh)) { - bh->b_bdev = inode->i_sb->s_bdev; + if (!buffer_mapped(bh)) set_buffer_mapped(bh); - } bh->b_blocknr = pbn; bh->b_end_io = end_buffer_read_sync; get_bh(bh); --- a/fs/nilfs2/mdt.c~nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint +++ a/fs/nilfs2/mdt.c @@ -89,7 +89,6 @@ static int nilfs_mdt_create_block(struct if (buffer_uptodate(bh)) goto failed_bh; - bh->b_bdev = sb->s_bdev; err = nilfs_mdt_insert_new_block(inode, block, bh, init_block); if (likely(!err)) { get_bh(bh); --- a/fs/nilfs2/page.c~nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint +++ a/fs/nilfs2/page.c @@ -63,6 +63,7 @@ struct buffer_head *nilfs_grab_buffer(st folio_put(folio); return NULL; } + bh->b_bdev = inode->i_sb->s_bdev; return bh; } _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch

7 months, 2 weeks

1
0
0 0

+ nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Date: Thu, 7 Nov 2024 01:07:32 +0900 Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints". This series fixes null pointer dereference bugs that occur when using nilfs2 and two block-related tracepoints. This patch (of 2): It has been reported that when using "block:block_touch_buffer" tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a NULL pointer dereference, or a general protection fault when KASAN is enabled. This happens because since the tracepoint was added in touch_buffer(), it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure. In the current implementation, the block_device structure is set after the function returns to the caller. Here, touch_buffer() is used to mark the folio/page that owns the buffer head as accessed, but the common search helper for folio/page used by the caller function was optimized to mark the folio/page as accessed when it was reimplemented a long time ago, eliminating the need to call touch_buffer() here in the first place. So this solves the issue by eliminating the touch_buffer() call itself. Link: https://lkml.kernel.org/r/20241106160811.3316-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20241106160811.3316-2-konishi.ryusuke@gmail.com Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: Ubisectech Sirius <bugreport(a)valiantsec.com> Closes: https://lkml.kernel.org/r/86bd3013-887e-4e38-960f-ca45c657f032.bugreport@va… Reported-by: syzbot+9982fb8d18eba905abe2(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9982fb8d18eba905abe2 Tested-by: syzbot+9982fb8d18eba905abe2(a)syzkaller.appspotmail.com Cc: Tejun Heo <tj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/page.c | 1 - 1 file changed, 1 deletion(-) --- a/fs/nilfs2/page.c~nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint +++ a/fs/nilfs2/page.c @@ -39,7 +39,6 @@ static struct buffer_head *__nilfs_get_f first_block = (unsigned long)index << (PAGE_SHIFT - blkbits); bh = get_nth_bh(bh, block - first_block); - touch_buffer(bh); wait_on_buffer(bh); return bh; } _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch

7 months, 2 weeks

1
0
0 0

+ mm-page_alloc-move-mlocked-flag-clearance-into-free_pages_prepare.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: page_alloc: move mlocked flag clearance into free_pages_prepare() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-page_alloc-move-mlocked-flag-clearance-into-free_pages_prepare.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Roman Gushchin <roman.gushchin(a)linux.dev> Subject: mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Date: Wed, 6 Nov 2024 19:53:54 +0000 Syzbot reported a bad page state problem caused by a page being freed using free_page() still having a mlocked flag at free_pages_prepare() stage: BUG: Bad page state in process syz.5.504 pfn:61f45 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45 flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99 kvm_create_vm virt/kvm/kvm_main.c:1235 [inline] kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline] kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530 __do_compat_sys_ioctl fs/ioctl.c:1007 [inline] __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386 do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e page last free pid 8399 tgid 8399 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686 folios_put_refs+0x76c/0x860 mm/swap.c:1007 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:366 [inline] tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465 exit_mmap+0x496/0xc40 mm/mmap.c:1926 __mmput+0x115/0x390 kernel/fork.c:1348 exit_mm+0x220/0x310 kernel/exit.c:571 do_exit+0x9b2/0x28e0 kernel/exit.c:926 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 bad_page+0x176/0x1d0 mm/page_alloc.c:501 free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638 kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline] kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386 kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __ia32_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 ia32_sys_call+0x2624/0x2630 arch/x86/include/generated/asm/syscalls_32.h:253 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386 do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf745d579 Code: Unable to access opcode bytes at 0xf745d54f. RSP: 002b:00000000f75afd6c EFLAGS: 00000206 ORIG_RAX: 00000000000000fc RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 00000000ffffff9c RDI: 00000000f744cff4 RBP: 00000000f717ae61 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> The problem was originally introduced by commit b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance"): it was focused on handling pagecache and anonymous memory and wasn't suitable for lower level get_page()/free_page() API's used for example by KVM, as with this reproducer. Fix it by moving the mlocked flag clearance down to free_page_prepare(). The bug itself if fairly old and harmless (aside from generating these warnings), aside from a small memory leak - "bad" pages are stopped from being allocated again. Link: https://lkml.kernel.org/r/20241106195354.270757-1-roman.gushchin@linux.dev Fixes: b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance") Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Reported-by: syzbot+e985d3026c4fd041578e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6729f475.050a0220.701a.0019.GAE@google.com Acked-by: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 15 +++++++++++++++ mm/swap.c | 14 -------------- 2 files changed, 15 insertions(+), 14 deletions(-) --- a/mm/page_alloc.c~mm-page_alloc-move-mlocked-flag-clearance-into-free_pages_prepare +++ a/mm/page_alloc.c @@ -1048,6 +1048,7 @@ __always_inline bool free_pages_prepare( bool skip_kasan_poison = should_skip_kasan_poison(page); bool init = want_init_on_free(); bool compound = PageCompound(page); + struct folio *folio = page_folio(page); VM_BUG_ON_PAGE(PageTail(page), page); @@ -1057,6 +1058,20 @@ __always_inline bool free_pages_prepare( if (memcg_kmem_online() && PageMemcgKmem(page)) __memcg_kmem_uncharge_page(page, order); + /* + * In rare cases, when truncation or holepunching raced with + * munlock after VM_LOCKED was cleared, Mlocked may still be + * found set here. This does not indicate a problem, unless + * "unevictable_pgs_cleared" appears worryingly large. + */ + if (unlikely(folio_test_mlocked(folio))) { + long nr_pages = folio_nr_pages(folio); + + __folio_clear_mlocked(folio); + zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); + count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); + } + if (unlikely(PageHWPoison(page)) && !order) { /* Do not let hwpoison pages hit pcplists/buddy */ reset_page_owner(page, order); --- a/mm/swap.c~mm-page_alloc-move-mlocked-flag-clearance-into-free_pages_prepare +++ a/mm/swap.c @@ -78,20 +78,6 @@ static void __page_cache_release(struct lruvec_del_folio(*lruvecp, folio); __folio_clear_lru_flags(folio); } - - /* - * In rare cases, when truncation or holepunching raced with - * munlock after VM_LOCKED was cleared, Mlocked may still be - * found set here. This does not indicate a problem, unless - * "unevictable_pgs_cleared" appears worryingly large. - */ - if (unlikely(folio_test_mlocked(folio))) { - long nr_pages = folio_nr_pages(folio); - - __folio_clear_mlocked(folio); - zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); - count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); - } } /* _ Patches currently in -mm which might be from roman.gushchin(a)linux.dev are signal-restore-the-override_rlimit-logic.patch mm-page_alloc-move-mlocked-flag-clearance-into-free_pages_prepare.patch

7 months, 2 weeks

1
0
0 0

[PATCH v3] mm: page_alloc: move mlocked flag clearance into free_pages_prepare()

by Roman Gushchin

Syzbot reported a bad page state problem caused by a page being freed using free_page() still having a mlocked flag at free_pages_prepare() stage: BUG: Bad page state in process syz.5.504 pfn:61f45 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45 flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265 kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99 kvm_create_vm virt/kvm/kvm_main.c:1235 [inline] kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline] kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530 __do_compat_sys_ioctl fs/ioctl.c:1007 [inline] __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386 do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e page last free pid 8399 tgid 8399 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686 folios_put_refs+0x76c/0x860 mm/swap.c:1007 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] tlb_flush_mmu_free mm/mmu_gather.c:366 [inline] tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465 exit_mmap+0x496/0xc40 mm/mmap.c:1926 __mmput+0x115/0x390 kernel/fork.c:1348 exit_mm+0x220/0x310 kernel/exit.c:571 do_exit+0x9b2/0x28e0 kernel/exit.c:926 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Modules linked in: CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 bad_page+0x176/0x1d0 mm/page_alloc.c:501 free_page_is_bad mm/page_alloc.c:918 [inline] free_pages_prepare mm/page_alloc.c:1100 [inline] free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638 kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline] kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386 kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __ia32_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 ia32_sys_call+0x2624/0x2630 arch/x86/include/generated/asm/syscalls_32.h:253 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386 do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf745d579 Code: Unable to access opcode bytes at 0xf745d54f. RSP: 002b:00000000f75afd6c EFLAGS: 00000206 ORIG_RAX: 00000000000000fc RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 00000000ffffff9c RDI: 00000000f744cff4 RBP: 00000000f717ae61 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> The problem was originally introduced by commit b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance"): it was handling focused on handling pagecache and anonymous memory and wasn't suitable for lower level get_page()/free_page() API's used for example by KVM, as with this reproducer. Fix it by moving the mlocked flag clearance down to free_page_prepare(). The bug itself if fairly old and harmless (aside from generating these warnings), aside from a small memory leak - "bad" pages are stopped from being allocated again. Reported-by: syzbot+e985d3026c4fd041578e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6729f475.050a0220.701a.0019.GAE@google.com Fixes: b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance") Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Acked-by: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sean Christopherson <seanjc(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> --- mm/page_alloc.c | 15 +++++++++++++++ mm/swap.c | 14 -------------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 47048b39b8ca..371d1c6c1fc7 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -1048,6 +1048,7 @@ __always_inline bool free_pages_prepare(struct page *page, bool skip_kasan_poison = should_skip_kasan_poison(page); bool init = want_init_on_free(); bool compound = PageCompound(page); + struct folio *folio = page_folio(page); VM_BUG_ON_PAGE(PageTail(page), page); @@ -1057,6 +1058,20 @@ __always_inline bool free_pages_prepare(struct page *page, if (memcg_kmem_online() && PageMemcgKmem(page)) __memcg_kmem_uncharge_page(page, order); + /* + * In rare cases, when truncation or holepunching raced with + * munlock after VM_LOCKED was cleared, Mlocked may still be + * found set here. This does not indicate a problem, unless + * "unevictable_pgs_cleared" appears worryingly large. + */ + if (unlikely(folio_test_mlocked(folio))) { + long nr_pages = folio_nr_pages(folio); + + __folio_clear_mlocked(folio); + zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); + count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); + } + if (unlikely(PageHWPoison(page)) && !order) { /* Do not let hwpoison pages hit pcplists/buddy */ reset_page_owner(page, order); diff --git a/mm/swap.c b/mm/swap.c index 638a3f001676..10decd9dffa1 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -78,20 +78,6 @@ static void __page_cache_release(struct folio *folio, struct lruvec **lruvecp, lruvec_del_folio(*lruvecp, folio); __folio_clear_lru_flags(folio); } - - /* - * In rare cases, when truncation or holepunching raced with - * munlock after VM_LOCKED was cleared, Mlocked may still be - * found set here. This does not indicate a problem, unless - * "unevictable_pgs_cleared" appears worryingly large. - */ - if (unlikely(folio_test_mlocked(folio))) { - long nr_pages = folio_nr_pages(folio); - - __folio_clear_mlocked(folio); - zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); - count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); - } } /* -- 2.47.0.199.ga7371fff76-goog

7 months, 2 weeks

1
0
0 0

[PATCH v3] arm64/signal: Avoid corruption of SME state when entering signal handler

by Mark Brown

We intend that signal handlers are entered with PSTATE.{SM,ZA}={0,0}. The logic for this in setup_return() manipulates the saved state and live CPU state in an unsafe manner, and consequently, when a task enters a signal handler: * The task entering the signal handler might not have its PSTATE.{SM,ZA} bits cleared, and other register state that is affected by changes to PSTATE.{SM,ZA} might not be zeroed as expected. * An unrelated task might have its PSTATE.{SM,ZA} bits cleared unexpectedly, potentially zeroing other register state that is affected by changes to PSTATE.{SM,ZA}. Tasks which do not set PSTATE.{SM,ZA} (i.e. those only using plain FPSIMD or non-streaming SVE) are not affected, as there is no resulting change to PSTATE.{SM,ZA}. Consider for example two tasks on one CPU: A: Begins signal entry in kernel mode, is preempted prior to SMSTOP. B: Using SM and/or ZA in userspace with register state current on the CPU, is preempted. A: Scheduled in, no register state changes made as in kernel mode. A: Executes SMSTOP, modifying live register state. A: Scheduled out. B: Scheduled in, fpsimd_thread_switch() sees the register state on the CPU is tracked as being that for task B so the state is not reloaded prior to returning to userspace. Task B is now running with SM and ZA incorrectly cleared. Fix this by: * Checking TIF_FOREIGN_FPSTATE, and only updating the saved or live state as appropriate. * Using {get,put}_cpu_fpsimd_context() to ensure mutual exclusion against other code which manipulates this state. To allow their use, the logic is moved into a new fpsimd_enter_sighandler() helper in fpsimd.c. This race has been observed intermittently with fp-stress, especially with preempt disabled, commonly but not exclusively reporting "Bad SVCR: 0". While we're at it also fix a discrepancy between in register and in memory entries. When operating on the register state we issue a SMSTOP, exiting streaming mode if we were in it. This clears the V/Z and P register and FPMR but nothing else. The in memory version clears all the user FPSIMD state including FPCR and FPSR but does not clear FPMR. Add the clear of FPMR and limit the existing memset() to only cover the vregs, preserving the state of FPCR and FPSR like SMSTOP does. Fixes: 40a8e87bb3285 ("arm64/sme: Disable ZA and streaming mode when handling signals") Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- Changes in v3: - Fix the in memory update to follow the behaviour of the SMSTOP we issue when updating in registers. - Link to v2: https://lore.kernel.org/r/20241030-arm64-fp-sme-sigentry-v2-1-43ce805d1b20@… Changes in v2: - Commit message tweaks. - Flush the task state when updating in memory to ensure we reload. - Link to v1: https://lore.kernel.org/r/20241023-arm64-fp-sme-sigentry-v1-1-249ff7ec3ad0@… --- arch/arm64/include/asm/fpsimd.h | 1 + arch/arm64/kernel/fpsimd.c | 39 +++++++++++++++++++++++++++++++++++++++ arch/arm64/kernel/signal.c | 19 +------------------ 3 files changed, 41 insertions(+), 18 deletions(-) diff --git a/arch/arm64/include/asm/fpsimd.h b/arch/arm64/include/asm/fpsimd.h index f2a84efc361858d4deda99faf1967cc7cac386c1..09af7cfd9f6c2cec26332caa4c254976e117b1bf 100644 --- a/arch/arm64/include/asm/fpsimd.h +++ b/arch/arm64/include/asm/fpsimd.h @@ -76,6 +76,7 @@ extern void fpsimd_load_state(struct user_fpsimd_state *state); extern void fpsimd_thread_switch(struct task_struct *next); extern void fpsimd_flush_thread(void); +extern void fpsimd_enter_sighandler(void); extern void fpsimd_signal_preserve_current_state(void); extern void fpsimd_preserve_current_state(void); extern void fpsimd_restore_current_state(void); diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index 77006df20a75aee7c991cf116b6d06bfe953d1a4..10c8efd1c5ce83f4ea4025b213111ab9519263b1 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1693,6 +1693,45 @@ void fpsimd_signal_preserve_current_state(void) sve_to_fpsimd(current); } +/* + * Called by the signal handling code when preparing current to enter + * a signal handler. Currently this only needs to take care of exiting + * streaming mode and clearing ZA on SME systems. + */ +void fpsimd_enter_sighandler(void) +{ + if (!system_supports_sme()) + return; + + get_cpu_fpsimd_context(); + + if (test_thread_flag(TIF_FOREIGN_FPSTATE)) { + /* + * Exiting streaming mode zeros the V/Z and P + * registers and FPMR. Zero FPMR and the V registers, + * marking the state as FPSIMD only to force a clear + * of the remaining bits during reload if needed. + */ + if (current->thread.svcr & SVCR_SM_MASK) { + memset(&current->thread.uw.fpsimd_state.vregs, 0, + sizeof(current->thread.uw.fpsimd_state.vregs)); + current->thread.uw.fpmr = 0; + current->thread.fp_type = FP_STATE_FPSIMD; + } + + current->thread.svcr &= ~(SVCR_ZA_MASK | + SVCR_SM_MASK); + + /* Ensure any copies on other CPUs aren't reused */ + fpsimd_flush_task_state(current); + } else { + /* The register state is current, just update it. */ + sme_smstop(); + } + + put_cpu_fpsimd_context(); +} + /* * Called by KVM when entering the guest. */ diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 5619869475304776fc005fe24a385bf86bfdd253..fe07d0bd9f7978d73973f07ce38b7bdd7914abb2 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -1218,24 +1218,7 @@ static void setup_return(struct pt_regs *regs, struct k_sigaction *ka, /* TCO (Tag Check Override) always cleared for signal handlers */ regs->pstate &= ~PSR_TCO_BIT; - /* Signal handlers are invoked with ZA and streaming mode disabled */ - if (system_supports_sme()) { - /* - * If we were in streaming mode the saved register - * state was SVE but we will exit SM and use the - * FPSIMD register state - flush the saved FPSIMD - * register state in case it gets loaded. - */ - if (current->thread.svcr & SVCR_SM_MASK) { - memset(&current->thread.uw.fpsimd_state, 0, - sizeof(current->thread.uw.fpsimd_state)); - current->thread.fp_type = FP_STATE_FPSIMD; - } - - current->thread.svcr &= ~(SVCR_ZA_MASK | - SVCR_SM_MASK); - sme_smstop(); - } + fpsimd_enter_sighandler(); if (system_supports_poe()) write_sysreg_s(POR_EL0_INIT, SYS_POR_EL0); --- base-commit: 8e929cb546ee42c9a61d24fae60605e9e3192354 change-id: 20241023-arm64-fp-sme-sigentry-a2bd7187e71b Best regards, -- Mark Brown <broonie(a)kernel.org>

7 months, 2 weeks

1
0
0 0

[PATCH] perf/x86/intel: Fix bitmask of OCR and FRONTEND events for LNC

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> The released OCR and FRONTEND events utilized more bits on Lunar Lake p-core. The corresponding mask in the extra_regs has to be extended to unblock the extra bits. Add a dedicated intel_lnc_extra_regs. Fixes: a932aa0e868f ("perf/x86: Add Lunar Lake and Arrow Lake support") Reported-by: Andi Kleen <ak(a)linux.intel.com> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/events/intel/core.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index bb284aff7bfd..a347b4323256 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -429,6 +429,16 @@ static struct event_constraint intel_lnc_event_constraints[] = { EVENT_CONSTRAINT_END }; +static struct extra_reg intel_lnc_extra_regs[] __read_mostly = { + INTEL_UEVENT_EXTRA_REG(0x012a, MSR_OFFCORE_RSP_0, 0xfffffffffffull, RSP_0), + INTEL_UEVENT_EXTRA_REG(0x012b, MSR_OFFCORE_RSP_1, 0xfffffffffffull, RSP_1), + INTEL_UEVENT_PEBS_LDLAT_EXTRA_REG(0x01cd), + INTEL_UEVENT_EXTRA_REG(0x02c6, MSR_PEBS_FRONTEND, 0x9, FE), + INTEL_UEVENT_EXTRA_REG(0x03c6, MSR_PEBS_FRONTEND, 0x7fff1f, FE), + INTEL_UEVENT_EXTRA_REG(0x40ad, MSR_PEBS_FRONTEND, 0xf, FE), + INTEL_UEVENT_EXTRA_REG(0x04c2, MSR_PEBS_FRONTEND, 0x8, FE), + EVENT_EXTRA_END +}; EVENT_ATTR_STR(mem-loads, mem_ld_nhm, "event=0x0b,umask=0x10,ldlat=3"); EVENT_ATTR_STR(mem-loads, mem_ld_snb, "event=0xcd,umask=0x1,ldlat=3"); @@ -6422,7 +6432,7 @@ static __always_inline void intel_pmu_init_lnc(struct pmu *pmu) intel_pmu_init_glc(pmu); hybrid(pmu, event_constraints) = intel_lnc_event_constraints; hybrid(pmu, pebs_constraints) = intel_lnc_pebs_event_constraints; - hybrid(pmu, extra_regs) = intel_rwc_extra_regs; + hybrid(pmu, extra_regs) = intel_lnc_extra_regs; } static __always_inline void intel_pmu_init_skt(struct pmu *pmu) -- 2.38.1

7 months, 2 weeks

1
0
0 0

[PATCH 6.1.y 5.15.y 5.10.y] net: do not delay dst_entries_add() in dst_release()

by Abdelkareem Abdelsaamad

From: Eric Dumazet <edumazet(a)google.com> commit ac888d58869bb99753e7652be19a151df9ecb35d upstream. dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels. Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()") Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnk… Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Tested-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Tested-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Xin Long <lucien.xin(a)gmail.com> Cc: Steffen Klassert <steffen.klassert(a)secunet.com> Reviewed-by: Xin Long <lucien.xin(a)gmail.com> Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> [Conflict due to bc9d3a9f2afc ("net: dst: Switch to rcuref_t reference counting") is not in the tree] Signed-off-by: Abdelkareem Abdelsaamad <kareemem(a)amazon.com> --- net/core/dst.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/net/core/dst.c b/net/core/dst.c index 453ec8aafc4a..5bb143857336 100644 --- a/net/core/dst.c +++ b/net/core/dst.c @@ -109,9 +109,6 @@ struct dst_entry *dst_destroy(struct dst_entry * dst) child = xdst->child; } #endif - if (!(dst->flags & DST_NOCOUNT)) - dst_entries_add(dst->ops, -1); - if (dst->ops->destroy) dst->ops->destroy(dst); if (dst->dev) @@ -162,6 +159,12 @@ void dst_dev_put(struct dst_entry *dst) } EXPORT_SYMBOL(dst_dev_put); +static void dst_count_dec(struct dst_entry *dst) +{ + if (!(dst->flags & DST_NOCOUNT)) + dst_entries_add(dst->ops, -1); +} + void dst_release(struct dst_entry *dst) { if (dst) { @@ -171,8 +174,10 @@ void dst_release(struct dst_entry *dst) if (WARN_ONCE(newrefcnt < 0, "dst_release underflow")) net_warn_ratelimited("%s: dst:%p refcnt:%d\n", __func__, dst, newrefcnt); - if (!newrefcnt) + if (!newrefcnt){ + dst_count_dec(dst); call_rcu(&dst->rcu_head, dst_destroy_rcu); + } } } EXPORT_SYMBOL(dst_release); @@ -186,8 +191,10 @@ void dst_release_immediate(struct dst_entry *dst) if (WARN_ONCE(newrefcnt < 0, "dst_release_immediate underflow")) net_warn_ratelimited("%s: dst:%p refcnt:%d\n", __func__, dst, newrefcnt); - if (!newrefcnt) + if (!newrefcnt){ + dst_count_dec(dst); dst_destroy(dst); + } } } EXPORT_SYMBOL(dst_release_immediate); -- 2.40.1

7 months, 2 weeks

1
0
0 0

[PATCH 22/31] ASoC: da7213: Populate max_register to regmap_config

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> On the Renesas RZ/G3S SMARC Carrier II board having a DA7212 codec (using da7213 driver) connected to one SSIF-2 available on the Renesas RZ/G3S SoC it has been discovered that using the runtime PM API for suspend/resume (as will be proposed in the following commits) leads to the codec not being propertly initialized after resume. This is because w/o max_register populated to regmap_config the regcache_rbtree_sync() breaks on base_reg > max condition and the regcache_sync_block() call is skipped. Fixes: ef5c2eba2412 ("ASoC: codecs: Add da7213 codec") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- sound/soc/codecs/da7213.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/codecs/da7213.c b/sound/soc/codecs/da7213.c index f3ef6fb55304..486db60bf2dd 100644 --- a/sound/soc/codecs/da7213.c +++ b/sound/soc/codecs/da7213.c @@ -2136,6 +2136,7 @@ static const struct regmap_config da7213_regmap_config = { .reg_bits = 8, .val_bits = 8, + .max_register = DA7213_TONE_GEN_OFF_PER, .reg_defaults = da7213_reg_defaults, .num_reg_defaults = ARRAY_SIZE(da7213_reg_defaults), .volatile_reg = da7213_volatile_register, -- 2.39.2

7 months, 2 weeks

4
3
0 0

[PATCH 6.11.y 1/2] rcu/kvfree: Add kvfree_rcu_barrier() API

by Suren Baghdasaryan

From: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> From: Uladzislau Rezki <urezki(a)gmail.com> commit 3c5d61ae919cc377c71118ccc76fa6e8518023f8 upstream. Add a kvfree_rcu_barrier() function. It waits until all in-flight pointers are freed over RCU machinery. It does not wait any GP completion and it is within its right to return immediately if there are no outstanding pointers. This function is useful when there is a need to guarantee that a memory is fully freed before destroying memory caches. For example, during unloading a kernel module. Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> --- include/linux/rcutiny.h | 5 ++ include/linux/rcutree.h | 1 + kernel/rcu/tree.c | 109 +++++++++++++++++++++++++++++++++++++--- 3 files changed, 107 insertions(+), 8 deletions(-) diff --git a/include/linux/rcutiny.h b/include/linux/rcutiny.h index d9ac7b136aea..522123050ff8 100644 --- a/include/linux/rcutiny.h +++ b/include/linux/rcutiny.h @@ -111,6 +111,11 @@ static inline void __kvfree_call_rcu(struct rcu_head *head, void *ptr) kvfree(ptr); } +static inline void kvfree_rcu_barrier(void) +{ + rcu_barrier(); +} + #ifdef CONFIG_KASAN_GENERIC void kvfree_call_rcu(struct rcu_head *head, void *ptr); #else diff --git a/include/linux/rcutree.h b/include/linux/rcutree.h index 254244202ea9..58e7db80f3a8 100644 --- a/include/linux/rcutree.h +++ b/include/linux/rcutree.h @@ -35,6 +35,7 @@ static inline void rcu_virt_note_context_switch(void) void synchronize_rcu_expedited(void); void kvfree_call_rcu(struct rcu_head *head, void *ptr); +void kvfree_rcu_barrier(void); void rcu_barrier(void); void rcu_momentary_dyntick_idle(void); diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c index e641cc681901..be00aac5f4e7 100644 --- a/kernel/rcu/tree.c +++ b/kernel/rcu/tree.c @@ -3584,18 +3584,15 @@ kvfree_rcu_drain_ready(struct kfree_rcu_cpu *krcp) } /* - * This function is invoked after the KFREE_DRAIN_JIFFIES timeout. + * Return: %true if a work is queued, %false otherwise. */ -static void kfree_rcu_monitor(struct work_struct *work) +static bool +kvfree_rcu_queue_batch(struct kfree_rcu_cpu *krcp) { - struct kfree_rcu_cpu *krcp = container_of(work, - struct kfree_rcu_cpu, monitor_work.work); unsigned long flags; + bool queued = false; int i, j; - // Drain ready for reclaim. - kvfree_rcu_drain_ready(krcp); - raw_spin_lock_irqsave(&krcp->lock, flags); // Attempt to start a new batch. @@ -3634,11 +3631,27 @@ static void kfree_rcu_monitor(struct work_struct *work) // be that the work is in the pending state when // channels have been detached following by each // other. - queue_rcu_work(system_wq, &krwp->rcu_work); + queued = queue_rcu_work(system_wq, &krwp->rcu_work); } } raw_spin_unlock_irqrestore(&krcp->lock, flags); + return queued; +} + +/* + * This function is invoked after the KFREE_DRAIN_JIFFIES timeout. + */ +static void kfree_rcu_monitor(struct work_struct *work) +{ + struct kfree_rcu_cpu *krcp = container_of(work, + struct kfree_rcu_cpu, monitor_work.work); + + // Drain ready for reclaim. + kvfree_rcu_drain_ready(krcp); + + // Queue a batch for a rest. + kvfree_rcu_queue_batch(krcp); // If there is nothing to detach, it means that our job is // successfully done here. In case of having at least one @@ -3859,6 +3872,86 @@ void kvfree_call_rcu(struct rcu_head *head, void *ptr) } EXPORT_SYMBOL_GPL(kvfree_call_rcu); +/** + * kvfree_rcu_barrier - Wait until all in-flight kvfree_rcu() complete. + * + * Note that a single argument of kvfree_rcu() call has a slow path that + * triggers synchronize_rcu() following by freeing a pointer. It is done + * before the return from the function. Therefore for any single-argument + * call that will result in a kfree() to a cache that is to be destroyed + * during module exit, it is developer's responsibility to ensure that all + * such calls have returned before the call to kmem_cache_destroy(). + */ +void kvfree_rcu_barrier(void) +{ + struct kfree_rcu_cpu_work *krwp; + struct kfree_rcu_cpu *krcp; + bool queued; + int i, cpu; + + /* + * Firstly we detach objects and queue them over an RCU-batch + * for all CPUs. Finally queued works are flushed for each CPU. + * + * Please note. If there are outstanding batches for a particular + * CPU, those have to be finished first following by queuing a new. + */ + for_each_possible_cpu(cpu) { + krcp = per_cpu_ptr(&krc, cpu); + + /* + * Check if this CPU has any objects which have been queued for a + * new GP completion. If not(means nothing to detach), we are done + * with it. If any batch is pending/running for this "krcp", below + * per-cpu flush_rcu_work() waits its completion(see last step). + */ + if (!need_offload_krc(krcp)) + continue; + + while (1) { + /* + * If we are not able to queue a new RCU work it means: + * - batches for this CPU are still in flight which should + * be flushed first and then repeat; + * - no objects to detach, because of concurrency. + */ + queued = kvfree_rcu_queue_batch(krcp); + + /* + * Bail out, if there is no need to offload this "krcp" + * anymore. As noted earlier it can run concurrently. + */ + if (queued || !need_offload_krc(krcp)) + break; + + /* There are ongoing batches. */ + for (i = 0; i < KFREE_N_BATCHES; i++) { + krwp = &(krcp->krw_arr[i]); + flush_rcu_work(&krwp->rcu_work); + } + } + } + + /* + * Now we guarantee that all objects are flushed. + */ + for_each_possible_cpu(cpu) { + krcp = per_cpu_ptr(&krc, cpu); + + /* + * A monitor work can drain ready to reclaim objects + * directly. Wait its completion if running or pending. + */ + cancel_delayed_work_sync(&krcp->monitor_work); + + for (i = 0; i < KFREE_N_BATCHES; i++) { + krwp = &(krcp->krw_arr[i]); + flush_rcu_work(&krwp->rcu_work); + } + } +} +EXPORT_SYMBOL_GPL(kvfree_rcu_barrier); + static unsigned long kfree_rcu_shrink_count(struct shrinker *shrink, struct shrink_control *sc) { base-commit: 17365d66f1c6aa6bf4f4cb9842f5edeac027bcfb -- 2.47.0.105.g07ac214952-goog

7 months, 2 weeks

2
6
0 0

hid-pidff.c: null-pointer deref if optional HID reports are not present

by Nolan Nicholson

Hello, (This is my first time reporting a Linux bug; please accept my apologies for any mistakes in the process.) When initializing a HID PID device, hid-pidff.c checks for eight required HID reports and five optional reports. If the eight required reports are present, the hid_pidff_init() function then attempts to find the necessary fields in each required or optional report, using the pidff_find_fields() function. However, if any of the five optional reports is not present, pidff_find_fields() will trigger a null-pointer dereference. I recently implemented the descriptors for a USB HID device with PID force-feedback capability. After implementing the required report descriptors but not the optional ones, I got an OOPS from the pidff_find_fields function. I saved the OOPS from my Ubuntu installation, and have attached it here. I later reproduced the issue on 6.11.6. I was able to work around the issue by having my device present all of the optional report descriptors as well as all of the required ones. Thank you, Nolan Nicholson

7 months, 2 weeks

3
2
0 0

[PATCH 0/2] arm64/fp: Fix missing invalidation when working with in memory FP state

by Mark Brown

Mark Rutland identified a repeated pattern where we update the in memory floating point state for tasks but do not invalidate the tracking of the last CPU that the task's state was loaded on, meaning that we can incorrectly fail to load the state from memory due to the checking in fpsimd_thread_switch(). When we change the in-memory state we need to also invalidate the last CPU information so that the state is corretly identified as needing to be reloaded from memory. This series adds the missing invalidations. Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Mark Brown (2): arm64/sve: Flush foreign register state in sve_init_regs() arm64/sme: Flush foreign register state in do_sme_acc() arch/arm64/kernel/fpsimd.c | 3 +++ 1 file changed, 3 insertions(+) --- base-commit: 8e929cb546ee42c9a61d24fae60605e9e3192354 change-id: 20241030-arm64-fpsimd-foreign-flush-6913aa24cd9b Best regards, -- Mark Brown <broonie(a)kernel.org>

7 months, 2 weeks

3
4
0 0

[PATCH v5 0/6] phy: core: Fix bugs for several APIs and simplify an API

by Zijun Hu

This patch series is to fix bugs for below APIs: devm_phy_put() devm_of_phy_provider_unregister() devm_phy_destroy() phy_get() of_phy_get() devm_phy_get() devm_of_phy_get() devm_of_phy_get_by_index() And simplify below API: of_phy_simple_xlate(). Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v5: - s/Fixed/Fix s/case/cause for commit message based on Johan's reminder - Remove unrelated change about code style for patch 4/6 suggested by Johan - Link to v4: https://lore.kernel.org/r/20241102-phy_core_fix-v4-0-4f06439f61b1@quicinc.c… Changes in v4: - Correct commit message for patch 6/6 - Link to v3: https://lore.kernel.org/r/20241030-phy_core_fix-v3-0-19b97c3ec917@quicinc.c… Changes in v3: - Correct commit message based on Johan's suggestions for patches 1/6-3/6. - Use goto label solution suggested by Johan for patch 4/6, also correct commit message and remove the inline comment for it. - Link to v2: https://lore.kernel.org/r/20241024-phy_core_fix-v2-0-fc0c63dbfcf3@quicinc.c… Changes in v2: - Correct title, commit message, and inline comments. - Link to v1: https://lore.kernel.org/r/20241020-phy_core_fix-v1-0-078062f7da71@quicinc.c… --- Zijun Hu (6): phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Simplify API of_phy_simple_xlate() implementation drivers/phy/phy-core.c | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) --- base-commit: e70d2677ef4088d59158739d72b67ac36d1b132b change-id: 20241020-phy_core_fix-e3ad65db98f7 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

7 months, 2 weeks

2
7
0 0

[PATCH v4 0/6] phy: core: Fix bugs for several APIs and simplify an API

by Zijun Hu

This patch series is to fix bugs for below APIs: devm_phy_put() devm_of_phy_provider_unregister() devm_phy_destroy() phy_get() of_phy_get() devm_phy_get() devm_of_phy_get() devm_of_phy_get_by_index() And simplify below API: of_phy_simple_xlate(). Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- Changes in v4: - Correct commit message for patch 6/6 - Link to v3: https://lore.kernel.org/r/20241030-phy_core_fix-v3-0-19b97c3ec917@quicinc.c… Changes in v3: - Correct commit message based on Johan's suggestions for patches 1/6-3/6. - Use goto label solution suggested by Johan for patch 4/6, also correct commit message and remove the inline comment for it. - Link to v2: https://lore.kernel.org/r/20241024-phy_core_fix-v2-0-fc0c63dbfcf3@quicinc.c… Changes in v2: - Correct title, commit message, and inline comments. - Link to v1: https://lore.kernel.org/r/20241020-phy_core_fix-v1-0-078062f7da71@quicinc.c… --- Zijun Hu (6): phy: core: Fix that API devm_phy_put() fails to release the phy phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider phy: core: Fix that API devm_phy_destroy() fails to destroy the phy phy: core: Fix an OF node refcount leakage in _of_phy_get() phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup() phy: core: Simplify API of_phy_simple_xlate() implementation drivers/phy/phy-core.c | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 22 deletions(-) --- base-commit: e70d2677ef4088d59158739d72b67ac36d1b132b change-id: 20241020-phy_core_fix-e3ad65db98f7 Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

7 months, 2 weeks

3
12
0 0

Re: [PATCH 6.11 000/245] 6.11.7-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

7 months, 2 weeks

1
0
0 0

[PATCH can v3] can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation

by Marc Kleine-Budde

Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") introduced mcp251xfd_get_tef_len() to get the number of unhandled transmit events from the Transmit Event FIFO (TEF). As the TEF has no head pointer, the driver uses the TX FIFO's tail pointer instead, assuming that send frames are completed. However the check for the TEF being full was not correct. This leads to the driver stop working if the TEF is full. Fix the TEF full check by assuming that if, from the driver's point of view, there are no free TX buffers in the chip and the TX FIFO is empty, all messages must have been sent and the TEF must therefore be full. Reported-by: Sven Schuchmann <schuchmann(a)schleissheimer.de> Closes: https://patch.msgid.link/FR3P281MB155216711EFF900AD9791B7ED9692@FR3P281MB15… Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") Tested-by: Sven Schuchmann <schuchmann(a)schleissheimer.de> Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- Changes in v3: - add proper patch description - added Sven's Tested-by - Link to v2: https://patch.msgid.link/20241025-mcp251xfd-fix-length-calculation-v2-1-ea5… Changes in v2: - mcp251xfd_tx_fifo_sta_empty(): fix check if TX-FIFO is empty - Link to RFC: https://patch.msgid.link/20241001-mcp251xfd-fix-length-calculation-v1-1-598… --- drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c index f732556d233a7be3b43f6f08e0b8f25732190104..d3ac865933fdf6c4ecdd80ad4d7accbff51eb0f8 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c @@ -16,9 +16,9 @@ #include "mcp251xfd.h" -static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta) +static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta) { - return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF); + return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF; } static inline int @@ -122,7 +122,11 @@ mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p) if (err) return err; - if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) { + /* If the chip says the TX-FIFO is empty, but there are no TX + * buffers free in the ring, we assume all have been sent. + */ + if (mcp251xfd_tx_fifo_sta_empty(fifo_sta) && + mcp251xfd_get_tx_free(tx_ring) == 0) { *len_p = tx_ring->obj_num; return 0; } --- base-commit: 5ccdcdf186aec6b9111845fd37e1757e9b413e2f change-id: 20241001-mcp251xfd-fix-length-calculation-09b6cc10aeb0 Best regards, -- Marc Kleine-Budde <mkl(a)pengutronix.de>

7 months, 2 weeks

2
1
0 0

[PATCH] wacom: Interpret tilt data from Intuos Pro BT as signed values

by Gerecke, Jason

From: Jason Gerecke <jason.gerecke(a)wacom.com> The tilt data contained in the Bluetooth packets of an Intuos Pro are supposed to be interpreted as signed values. Simply casting the values to type `char` is not guaranteed to work since it is implementation- defined whether it is signed or unsigned. At least one user has noticed the data being reported incorrectly on their system. To ensure that the data is interpreted properly, we specifically cast to `signed char` instead. Link: https://github.com/linuxwacom/input-wacom/issues/445 Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") CC: stable(a)vger.kernel.org # 4.11+ Signed-off-by: Jason Gerecke <jason.gerecke(a)wacom.com> --- drivers/hid/wacom_wac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c index 413606bdf476..5a599c90e7a2 100644 --- a/drivers/hid/wacom_wac.c +++ b/drivers/hid/wacom_wac.c @@ -1353,9 +1353,9 @@ static void wacom_intuos_pro2_bt_pen(struct wacom_wac *wacom) rotation -= 1800; input_report_abs(pen_input, ABS_TILT_X, - (char)frame[7]); + (signed char)frame[7]); input_report_abs(pen_input, ABS_TILT_Y, - (char)frame[8]); + (signed char)frame[8]); input_report_abs(pen_input, ABS_Z, rotation); input_report_abs(pen_input, ABS_WHEEL, get_unaligned_le16(&frame[11])); -- 2.47.0

7 months, 2 weeks

2
1
0 0

FAILED: Patch "io_uring/rw: fix missing NOWAIT check for O_DIRECT start write" failed to apply to v5.10-stable tree

by Sasha Levin

The patch below does not apply to the v5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 1d60d74e852647255bd8e76f5a22dc42531e4389 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 31 Oct 2024 08:05:44 -0600 Subject: [PATCH] io_uring/rw: fix missing NOWAIT check for O_DIRECT start write When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write: task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963 with the attempting freezer stuck trying to grab the rwsem: task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress. Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user. Cc: stable(a)vger.kernel.org # 5.10+ Reported-by: Peter Mann <peter.mann(a)sh.cz> Link: https://lore.kernel.org/io-uring/38c94aec-81c9-4f62-b44e-1d87f5597644@sh.cz Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- io_uring/rw.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/io_uring/rw.c b/io_uring/rw.c index 354c4e175654c..155938f100931 100644 --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -1014,6 +1014,25 @@ int io_read_mshot(struct io_kiocb *req, unsigned int issue_flags) return IOU_OK; } +static bool io_kiocb_start_write(struct io_kiocb *req, struct kiocb *kiocb) +{ + struct inode *inode; + bool ret; + + if (!(req->flags & REQ_F_ISREG)) + return true; + if (!(kiocb->ki_flags & IOCB_NOWAIT)) { + kiocb_start_write(kiocb); + return true; + } + + inode = file_inode(kiocb->ki_filp); + ret = sb_start_write_trylock(inode->i_sb); + if (ret) + __sb_writers_release(inode->i_sb, SB_FREEZE_WRITE); + return ret; +} + int io_write(struct io_kiocb *req, unsigned int issue_flags) { bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK; @@ -1051,8 +1070,8 @@ int io_write(struct io_kiocb *req, unsigned int issue_flags) if (unlikely(ret)) return ret; - if (req->flags & REQ_F_ISREG) - kiocb_start_write(kiocb); + if (unlikely(!io_kiocb_start_write(req, kiocb))) + return -EAGAIN; kiocb->ki_flags |= IOCB_WRITE; if (likely(req->file->f_op->write_iter)) -- 2.43.0

7 months, 2 weeks

2
1
0 0

Stable backport (was "Re: PROBLEM: io_uring hang causing uninterruptible sleep state on 6.6.59")

by Jens Axboe

On 11/3/24 5:06 PM, Jens Axboe wrote: > On 11/3/24 5:01 PM, Keith Busch wrote: >> On Sun, Nov 03, 2024 at 04:53:27PM -0700, Jens Axboe wrote: >>> On 11/3/24 4:47 PM, Andrew Marshall wrote: >>>> I identified f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e as the likely >>>> problematic commit simply by browsing git log. As indicated above; >>>> reverting that atop 6.6.59 results in success. Since it is passing on >>>> 6.11.6, I suspect there is some missing backport to 6.6.x, or some >>>> other semantic merge conflict. Unfortunately I do not have a compact, >>>> minimal reproducer, but can provide my large one (it is testing a >>>> larger build process in a VM) if needed?there are some additional >>>> details in the above-linked downstream bug report, though. I hope that >>>> having identified the problematic commit is enough for someone with >>>> more context to go off of. Happy to provide more information if >>>> needed. >>> >>> Don't worry about not having a reproducer, having the backport commit >>> pin pointed will do just fine. I'll take a look at this. >> >> I think stable is missing: >> >> 6b231248e97fc3 ("io_uring: consolidate overflow flushing") > > I think you need to go back further than that, this one already > unconditionally holds ->uring_lock around overflow flushing... Took a look, it's this one: commit 8d09a88ef9d3cb7d21d45c39b7b7c31298d23998 Author: Pavel Begunkov <asml.silence(a)gmail.com> Date: Wed Apr 10 02:26:54 2024 +0100 io_uring: always lock __io_cqring_overflow_flush Greg/stable, can you pick this one for 6.6-stable? It picks cleanly. For 6.1, which is the other stable of that age that has the backport, the attached patch will do the trick. With that, I believe it should be sorted. Hopefully that can make 6.6.60 and 6.1.116. -- Jens Axboe

7 months, 2 weeks

3
5
0 0

FAILED: Patch "RISC-V: disallow gcc + rust builds" failed to apply to v6.11-stable tree

by Sasha Levin

The patch below does not apply to the v6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 33549fcf37ec461f398f0a41e1c9948be2e5aca4 Mon Sep 17 00:00:00 2001 From: Conor Dooley <conor.dooley(a)microchip.com> Date: Tue, 1 Oct 2024 12:28:13 +0100 Subject: [PATCH] RISC-V: disallow gcc + rust builds During the discussion before supporting rust on riscv, it was decided not to support gcc yet, due to differences in extension handling compared to llvm (only the version of libclang matching the c compiler is supported). Recently Jason Montleon reported [1] that building with gcc caused build issues, due to unsupported arguments being passed to libclang. After some discussion between myself and Miguel, it is better to disable gcc + rust builds to match the original intent, and subsequently support it when an appropriate set of extensions can be deduced from the version of libclang. Closes: https://lore.kernel.org/all/20240917000848.720765-2-jmontleo@redhat.com/ [1] Link: https://lore.kernel.org/all/20240926-battering-revolt-6c6a7827413e@spud/ [2] Fixes: 70a57b247251a ("RISC-V: enable building 64-bit kernels with rust support") Cc: stable(a)vger.kernel.org Reported-by: Jason Montleon <jmontleo(a)redhat.com> Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com> Acked-by: Miguel Ojeda <ojeda(a)kernel.org> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Link: https://lore.kernel.org/r/20241001-playlist-deceiving-16ece2f440f5@spud Signed-off-by: Palmer Dabbelt <palmer(a)rivosinc.com> --- Documentation/rust/arch-support.rst | 2 +- arch/riscv/Kconfig | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/rust/arch-support.rst b/Documentation/rust/arch-support.rst index 750ff371570a0..54be7ddf3e57a 100644 --- a/Documentation/rust/arch-support.rst +++ b/Documentation/rust/arch-support.rst @@ -17,7 +17,7 @@ Architecture Level of support Constraints ============= ================ ============================================== ``arm64`` Maintained Little Endian only. ``loongarch`` Maintained \- -``riscv`` Maintained ``riscv64`` only. +``riscv`` Maintained ``riscv64`` and LLVM/Clang only. ``um`` Maintained \- ``x86`` Maintained ``x86_64`` only. ============= ================ ============================================== diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 62545946ecf43..f4c570538d55b 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -177,7 +177,7 @@ config RISCV select HAVE_REGS_AND_STACK_ACCESS_API select HAVE_RETHOOK if !XIP_KERNEL select HAVE_RSEQ - select HAVE_RUST if RUSTC_SUPPORTS_RISCV + select HAVE_RUST if RUSTC_SUPPORTS_RISCV && CC_IS_CLANG select HAVE_SAMPLE_FTRACE_DIRECT select HAVE_SAMPLE_FTRACE_DIRECT_MULTI select HAVE_STACKPROTECTOR -- 2.43.0

7 months, 2 weeks

2
1
0 0

[PATCH v5] media: uvcvideo: Fix crash during unbind if gpio unit is in use

by Ricardo Ribalda

We used the wrong device for the device managed functions. We used the usb device, when we should be using the interface device. If we unbind the driver from the usb interface, the cleanup functions are never called. In our case, the IRQ is never disabled. If an IRQ is triggered, it will try to access memory sections that are already free, causing an OOPS. We cannot use the function devm_request_threaded_irq here. The devm_* clean functions are called after the main structure is released by uvc_delete. Luckily this bug has small impact, as it is only affected by devices with gpio units and the user has to unbind the device, a disconnect will not trigger this error. Cc: stable(a)vger.kernel.org Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT") Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v5: - Revert non refcount, that belongs to a different set - Move cleanup to a different function - Link to v4: https://lore.kernel.org/r/20241105-uvc-crashrmmod-v4-0-410e548f097a@chromiu… Changes in v4: Thanks Laurent. - Remove refcounted cleaup to support devres. - Link to v3: https://lore.kernel.org/r/20241105-uvc-crashrmmod-v3-1-c0959c8906d3@chromiu… Changes in v3: Thanks Sakari. - Rename variable to initialized. - Other CodeStyle. - Link to v2: https://lore.kernel.org/r/20241105-uvc-crashrmmod-v2-1-547ce6a6962e@chromiu… Changes in v2: Thanks to Laurent. - The main structure is not allocated with devres so there is a small period of time where we can get an irq with the structure free. Do not use devres for the IRQ. - Link to v1: https://lore.kernel.org/r/20241031-uvc-crashrmmod-v1-1-059fe593b1e6@chromiu… --- drivers/media/usb/uvc/uvc_driver.c | 27 ++++++++++++++++++++------- drivers/media/usb/uvc/uvcvideo.h | 1 + 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index a96f6ca0889f..aa937f07b6b5 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1295,14 +1295,14 @@ static int uvc_gpio_parse(struct uvc_device *dev) struct gpio_desc *gpio_privacy; int irq; - gpio_privacy = devm_gpiod_get_optional(&dev->udev->dev, "privacy", + gpio_privacy = devm_gpiod_get_optional(&dev->intf->dev, "privacy", GPIOD_IN); if (IS_ERR_OR_NULL(gpio_privacy)) return PTR_ERR_OR_ZERO(gpio_privacy); irq = gpiod_to_irq(gpio_privacy); if (irq < 0) - return dev_err_probe(&dev->udev->dev, irq, + return dev_err_probe(&dev->intf->dev, irq, "No IRQ for privacy GPIO\n"); unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT, @@ -1329,15 +1329,27 @@ static int uvc_gpio_parse(struct uvc_device *dev) static int uvc_gpio_init_irq(struct uvc_device *dev) { struct uvc_entity *unit = dev->gpio_unit; + int ret; if (!unit || unit->gpio.irq < 0) return 0; - return devm_request_threaded_irq(&dev->udev->dev, unit->gpio.irq, NULL, - uvc_gpio_irq, - IRQF_ONESHOT | IRQF_TRIGGER_FALLING | - IRQF_TRIGGER_RISING, - "uvc_privacy_gpio", dev); + ret = request_threaded_irq(unit->gpio.irq, NULL, uvc_gpio_irq, + IRQF_ONESHOT | IRQF_TRIGGER_FALLING | + IRQF_TRIGGER_RISING, + "uvc_privacy_gpio", dev); + + unit->gpio.initialized = !ret; + + return ret; +} + +static void uvc_gpio_cleanup(struct uvc_device *dev) +{ + if (!dev->gpio_unit || !dev->gpio_unit->gpio.initialized) + return; + + free_irq(dev->gpio_unit->gpio.irq, dev); } /* ------------------------------------------------------------------------ @@ -1982,6 +1994,7 @@ static void uvc_unregister_video(struct uvc_device *dev) if (media_devnode_is_registered(dev->mdev.devnode)) media_device_unregister(&dev->mdev); #endif + uvc_gpio_cleanup(dev); } int uvc_register_video_device(struct uvc_device *dev, diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index 07f9921d83f2..965a789ed03e 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -234,6 +234,7 @@ struct uvc_entity { u8 *bmControls; struct gpio_desc *gpio_privacy; int irq; + bool initialized; } gpio; }; --- base-commit: c7ccf3683ac9746b263b0502255f5ce47f64fe0a change-id: 20241031-uvc-crashrmmod-666de3fc9141 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

7 months, 2 weeks

2
1
0 0

[PATCH 6.1] kselftest/arm64: Initialise current at build time in signal tests

by Mahmoud Adam

From: Mark Brown <broonie(a)kernel.org> upstream 6e4b4f0eca88e47def703f90a403fef5b96730d5 commit. When building with clang the toolchain refuses to link the signals testcases since the assembly code has a reference to current which has no initialiser so is placed in the BSS: /tmp/signals-af2042.o: in function `fake_sigreturn': <unknown>:51:(.text+0x40): relocation truncated to fit: R_AARCH64_LD_PREL_LO19 against symbol `current' defined in .bss section in /tmp/test_signals-ec1160.o Since the first statement in main() initialises current we may as well fix this by moving the initialisation to build time so the variable doesn't end up in the BSS. Signed-off-by: Mark Brown <broonie(a)kernel.org> Reviewed-by: Nick Desaulniers <ndesaulniers(a)google.com> Link: https://lore.kernel.org/r/20230111-arm64-kselftest-clang-v1-4-89c69d377727@… Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Mahmoud Adam <mngyadam(a)amazon.com> --- since 6.1.113 we see these compilations issues reported in the patch description, this upstream patch fixes the issue, and it's a clean backport. tools/testing/selftests/arm64/signal/test_signals.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/testing/selftests/arm64/signal/test_signals.c b/tools/testing/selftests/arm64/signal/test_signals.c index 416b1ff431998..00051b40d71ea 100644 --- a/tools/testing/selftests/arm64/signal/test_signals.c +++ b/tools/testing/selftests/arm64/signal/test_signals.c @@ -12,12 +12,10 @@ #include "test_signals.h" #include "test_signals_utils.h" -struct tdescr *current; +struct tdescr *current = &tde; int main(int argc, char *argv[]) { - current = &tde; - ksft_print_msg("%s :: %s\n", current->name, current->descr); if (test_setup(current) && test_init(current)) { test_run(current); -- 2.40.1

7 months, 2 weeks

1
0
0 0

FAILED: Patch "ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3" failed to apply to v6.1-stable tree

by Sasha Levin

The patch below does not apply to the v6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 0b04fbe886b4274c8e5855011233aaa69fec6e75 Mon Sep 17 00:00:00 2001 From: Christoffer Sandberg <cs(a)tuxedo.de> Date: Tue, 29 Oct 2024 16:16:52 +0100 Subject: [PATCH] ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 Quirk is needed to enable headset microphone on missing pin 0x19. Signed-off-by: Christoffer Sandberg <cs(a)tuxedo.de> Signed-off-by: Werner Sembach <wse(a)tuxedocomputers.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 7f4926194e50f..e06a6fdc0bab7 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10750,6 +10750,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1558, 0x1404, "Clevo N150CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x14a1, "Clevo L141MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x2624, "Clevo L240TU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x28c1, "Clevo V370VND", ALC2XX_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), -- 2.43.0

7 months, 2 weeks

2
4
0 0

FAILED: patch "[PATCH] mm: migrate: fix getting incorrect page mapping during page" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d1adb25df7111de83b64655a80b5a135adbded61 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110617-blame-taekwondo-ba51@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d1adb25df7111de83b64655a80b5a135adbded61 Mon Sep 17 00:00:00 2001 From: Baolin Wang <baolin.wang(a)linux.alibaba.com> Date: Fri, 15 Dec 2023 20:07:52 +0800 Subject: [PATCH] mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentry_name+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 ...... Call trace: dentry_name+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintk_store+0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x224 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memory_block_offline+0x44/0xf4 memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 ...... After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1. Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag. There are seveval ways to fix this issue: (1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving 'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet. (2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system, however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction. (3) Using target page->private field to save the 'anon_vma' pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way. So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction. Link: https://lkml.kernel.org/r/e60b17a88afc38cb32f84c3e30837ec70b343d2b.17026417… Fixes: 64c8902ed441 ("migrate_pages: split unmap_and_move() to _unmap() and _move()") Signed-off-by: Baolin Wang <baolin.wang(a)linux.alibaba.com> Reviewed-by: "Huang, Ying" <ying.huang(a)intel.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Xu Yu <xuyu(a)linux.alibaba.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate.c b/mm/migrate.c index 397f2a6e34cb..bad3039d165e 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -1025,38 +1025,31 @@ static int move_to_new_folio(struct folio *dst, struct folio *src, } /* - * To record some information during migration, we use some unused - * fields (mapping and private) of struct folio of the newly allocated - * destination folio. This is safe because nobody is using them - * except us. + * To record some information during migration, we use unused private + * field of struct folio of the newly allocated destination folio. + * This is safe because nobody is using it except us. */ -union migration_ptr { - struct anon_vma *anon_vma; - struct address_space *mapping; -}; - enum { PAGE_WAS_MAPPED = BIT(0), PAGE_WAS_MLOCKED = BIT(1), + PAGE_OLD_STATES = PAGE_WAS_MAPPED | PAGE_WAS_MLOCKED, }; static void __migrate_folio_record(struct folio *dst, - unsigned long old_page_state, + int old_page_state, struct anon_vma *anon_vma) { - union migration_ptr ptr = { .anon_vma = anon_vma }; - dst->mapping = ptr.mapping; - dst->private = (void *)old_page_state; + dst->private = (void *)anon_vma + old_page_state; } static void __migrate_folio_extract(struct folio *dst, int *old_page_state, struct anon_vma **anon_vmap) { - union migration_ptr ptr = { .mapping = dst->mapping }; - *anon_vmap = ptr.anon_vma; - *old_page_state = (unsigned long)dst->private; - dst->mapping = NULL; + unsigned long private = (unsigned long)dst->private; + + *anon_vmap = (struct anon_vma *)(private & ~PAGE_OLD_STATES); + *old_page_state = private & PAGE_OLD_STATES; dst->private = NULL; }

7 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] block: fix queue limits checks in blk_rq_map_user_bvec for" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x be0e822bb3f5259c7f9424ba97e8175211288813 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110618-voicing-yield-48ff@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be0e822bb3f5259c7f9424ba97e8175211288813 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch(a)lst.de> Date: Mon, 28 Oct 2024 10:07:48 +0100 Subject: [PATCH] block: fix queue limits checks in blk_rq_map_user_bvec for real blk_rq_map_user_bvec currently only has ad-hoc checks for queue limits, and the last fix to it enabled valid NVMe I/O to pass, but also allowed invalid one for drivers that set a max_segment_size or seg_boundary limit. Fix it once for all by using the bio_split_rw_at helper from the I/O path that indicates if and where a bio would be have to be split to adhere to the queue limits, and it returns a positive value, turn that into -EREMOTEIO to retry using the copy path. Fixes: 2ff949441802 ("block: fix sanity checks in blk_rq_map_user_bvec") Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: John Garry <john.g.garry(a)oracle.com> Link: https://lore.kernel.org/r/20241028090840.446180-1-hch@lst.de Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/block/blk-map.c b/block/blk-map.c index 6ef2ec1f7d78..b5fd1d857461 100644 --- a/block/blk-map.c +++ b/block/blk-map.c @@ -561,55 +561,33 @@ EXPORT_SYMBOL(blk_rq_append_bio); /* Prepare bio for passthrough IO given ITER_BVEC iter */ static int blk_rq_map_user_bvec(struct request *rq, const struct iov_iter *iter) { - struct request_queue *q = rq->q; - size_t nr_iter = iov_iter_count(iter); - size_t nr_segs = iter->nr_segs; - struct bio_vec *bvecs, *bvprvp = NULL; - const struct queue_limits *lim = &q->limits; - unsigned int nsegs = 0, bytes = 0; + const struct queue_limits *lim = &rq->q->limits; + unsigned int max_bytes = lim->max_hw_sectors << SECTOR_SHIFT; + unsigned int nsegs; struct bio *bio; - size_t i; + int ret; - if (!nr_iter || (nr_iter >> SECTOR_SHIFT) > queue_max_hw_sectors(q)) - return -EINVAL; - if (nr_segs > queue_max_segments(q)) + if (!iov_iter_count(iter) || iov_iter_count(iter) > max_bytes) return -EINVAL; - /* no iovecs to alloc, as we already have a BVEC iterator */ + /* reuse the bvecs from the iterator instead of allocating new ones */ bio = blk_rq_map_bio_alloc(rq, 0, GFP_KERNEL); - if (bio == NULL) + if (!bio) return -ENOMEM; - bio_iov_bvec_set(bio, (struct iov_iter *)iter); - blk_rq_bio_prep(rq, bio, nr_segs); - /* loop to perform a bunch of sanity checks */ - bvecs = (struct bio_vec *)iter->bvec; - for (i = 0; i < nr_segs; i++) { - struct bio_vec *bv = &bvecs[i]; - - /* - * If the queue doesn't support SG gaps and adding this - * offset would create a gap, fallback to copy. - */ - if (bvprvp && bvec_gap_to_prev(lim, bvprvp, bv->bv_offset)) { - blk_mq_map_bio_put(bio); - return -EREMOTEIO; - } - /* check full condition */ - if (nsegs >= nr_segs || bytes > UINT_MAX - bv->bv_len) - goto put_bio; - if (bytes + bv->bv_len > nr_iter) - break; - - nsegs++; - bytes += bv->bv_len; - bvprvp = bv; + /* check that the data layout matches the hardware restrictions */ + ret = bio_split_rw_at(bio, lim, &nsegs, max_bytes); + if (ret) { + /* if we would have to split the bio, copy instead */ + if (ret > 0) + ret = -EREMOTEIO; + blk_mq_map_bio_put(bio); + return ret; } + + blk_rq_bio_prep(rq, bio, nsegs); return 0; -put_bio: - blk_mq_map_bio_put(bio); - return -EINVAL; } /**

7 months, 2 weeks

1
0
0 0

[tip: perf/core] perf/x86/intel/pt: Fix buffer full but size is 0 case

by tip-bot2 for Adrian Hunter

The following commit has been merged into the perf/core branch of tip: Commit-ID: 5b590160d2cf776b304eb054afafea2bd55e3620 Gitweb: https://git.kernel.org/tip/5b590160d2cf776b304eb054afafea2bd55e3620 Author: Adrian Hunter <adrian.hunter(a)intel.com> AuthorDate: Tue, 22 Oct 2024 18:59:07 +03:00 Committer: Peter Zijlstra <peterz(a)infradead.org> CommitterDate: Tue, 05 Nov 2024 12:55:43 +01:00 perf/x86/intel/pt: Fix buffer full but size is 0 case If the trace data buffer becomes full, a truncated flag [T] is reported in PERF_RECORD_AUX. In some cases, the size reported is 0, even though data must have been added to make the buffer full. That happens when the buffer fills up from empty to full before the Intel PT driver has updated the buffer position. Then the driver calculates the new buffer position before calculating the data size. If the old and new positions are the same, the data size is reported as 0, even though it is really the whole buffer size. Fix by detecting when the buffer position is wrapped, and adjust the data size calculation accordingly. Example Use a very small buffer size (8K) and observe the size of truncated [T] data. Before the fix, it is possible to see records of 0 size. Before: $ perf record -m,8K -e intel_pt// uname Linux [ perf record: Woken up 2 times to write data ] [ perf record: Captured and wrote 0.105 MB perf.data ] $ perf script -D --no-itrace | grep AUX | grep -F '[T]' Warning: AUX data lost 2 times out of 3! 5 19462712368111 0x19710 [0x40]: PERF_RECORD_AUX offset: 0 size: 0 flags: 0x1 [T] 5 19462712700046 0x19ba8 [0x40]: PERF_RECORD_AUX offset: 0x170 size: 0xe90 flags: 0x1 [T] After: $ perf record -m,8K -e intel_pt// uname Linux [ perf record: Woken up 3 times to write data ] [ perf record: Captured and wrote 0.040 MB perf.data ] $ perf script -D --no-itrace | grep AUX | grep -F '[T]' Warning: AUX data lost 2 times out of 3! 1 113720802995 0x4948 [0x40]: PERF_RECORD_AUX offset: 0 size: 0x2000 flags: 0x1 [T] 1 113720979812 0x6b10 [0x40]: PERF_RECORD_AUX offset: 0x2000 size: 0x2000 flags: 0x1 [T] Fixes: 52ca9ced3f70 ("perf/x86/intel/pt: Add Intel PT PMU driver") Signed-off-by: Adrian Hunter <adrian.hunter(a)intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/20241022155920.17511-2-adrian.hunter@intel.com --- arch/x86/events/intel/pt.c | 11 ++++++++--- arch/x86/events/intel/pt.h | 2 ++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index fd4670a..a087bc0 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -828,11 +828,13 @@ static void pt_buffer_advance(struct pt_buffer *buf) buf->cur_idx++; if (buf->cur_idx == buf->cur->last) { - if (buf->cur == buf->last) + if (buf->cur == buf->last) { buf->cur = buf->first; - else + buf->wrapped = true; + } else { buf->cur = list_entry(buf->cur->list.next, struct topa, list); + } buf->cur_idx = 0; } } @@ -846,8 +848,11 @@ static void pt_buffer_advance(struct pt_buffer *buf) static void pt_update_head(struct pt *pt) { struct pt_buffer *buf = perf_get_aux(&pt->handle); + bool wrapped = buf->wrapped; u64 topa_idx, base, old; + buf->wrapped = false; + if (buf->single) { local_set(&buf->data_size, buf->output_off); return; @@ -865,7 +870,7 @@ static void pt_update_head(struct pt *pt) } else { old = (local64_xchg(&buf->head, base) & ((buf->nr_pages << PAGE_SHIFT) - 1)); - if (base < old) + if (base < old || (base == old && wrapped)) base += buf->nr_pages << PAGE_SHIFT; local_add(base - old, &buf->data_size); diff --git a/arch/x86/events/intel/pt.h b/arch/x86/events/intel/pt.h index f5e46c0..a1b6c04 100644 --- a/arch/x86/events/intel/pt.h +++ b/arch/x86/events/intel/pt.h @@ -65,6 +65,7 @@ struct pt_pmu { * @head: logical write offset inside the buffer * @snapshot: if this is for a snapshot/overwrite counter * @single: use Single Range Output instead of ToPA + * @wrapped: buffer advance wrapped back to the first topa table * @stop_pos: STOP topa entry index * @intr_pos: INT topa entry index * @stop_te: STOP topa entry pointer @@ -82,6 +83,7 @@ struct pt_buffer { local64_t head; bool snapshot; bool single; + bool wrapped; long stop_pos, intr_pos; struct topa_entry *stop_te, *intr_te; void **data_pages;

7 months, 2 weeks

1
0
0 0

[PATCH 33/33] usb: xhci: Avoid queuing redundant Stop Endpoint commands

by Mathias Nyman

From: Michal Pecio <michal.pecio(a)gmail.com> Stop Endpoint command on an already stopped endpoint fails and may be misinterpreted as a known hardware bug by the completion handler. This results in an unnecessary delay with repeated retries of the command. Avoid queuing this command when endpoint state flags indicate that it's stopped or halted and the command will fail. If commands are pending on the endpoint, their completion handlers will process cancelled TDs so it's done. In case of waiting for external operations like clearing TT buffer, the endpoint is stopped and cancelled TDs can be processed now. This eliminates practically all unnecessary retries because an endpoint with pending URBs is maintained in Running state by the driver, unless aforementioned commands or other operations are pending on it. This is guaranteed by xhci_ring_ep_doorbell() and by the fact that it is called every time any of those operations completes. The only known exceptions are hardware bugs (the endpoint never starts at all) and Stream Protocol errors not associated with any TRB, which cause an endpoint reset not followed by restart. Sounds like a bug. Generally, these retries are only expected to happen when the endpoint fails to start for unknown/no reason, which is a worse problem itself, and fixing the bug eliminates the retries too. All cases were tested and found to work as expected. SET_DEQ_PENDING was produced by patching uvcvideo to unlink URBs in 100us intervals, which then runs into this case very often. EP_HALTED was produced by restarting 'cat /dev/ttyUSB0' on a serial dongle with broken cable. EP_CLEARING_TT by the same, with the dongle on an external hub. Fixes: fd9d55d190c0 ("xhci: retry Stop Endpoint on buggy NEC controllers") CC: stable(a)vger.kernel.org Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 13 +++++++++++++ drivers/usb/host/xhci.c | 19 +++++++++++++++---- drivers/usb/host/xhci.h | 1 + 3 files changed, 29 insertions(+), 4 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 55be03be2374..4cf5363875c7 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1076,6 +1076,19 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) return 0; } +/* + * Erase queued TDs from transfer ring(s) and give back those the xHC didn't + * stop on. If necessary, queue commands to move the xHC off cancelled TDs it + * stopped on. Those will be given back later when the commands complete. + * + * Call under xhci->lock on a stopped endpoint. + */ +void xhci_process_cancelled_tds(struct xhci_virt_ep *ep) +{ + xhci_invalidate_cancelled_tds(ep); + xhci_giveback_invalidated_tds(ep); +} + /* * Returns the TD the endpoint ring halted on. * Only call for non-running rings without streams. diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 4977ada0a19e..5ebde8cae4fc 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1756,10 +1756,21 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) } } - /* Queue a stop endpoint command, but only if this is - * the first cancellation to be handled. - */ - if (!(ep->ep_state & EP_STOP_CMD_PENDING)) { + /* These completion handlers will sort out cancelled TDs for us */ + if (ep->ep_state & (EP_STOP_CMD_PENDING | EP_HALTED | SET_DEQ_PENDING)) { + xhci_dbg(xhci, "Not queuing Stop Endpoint on slot %d ep %d in state 0x%x\n", + urb->dev->slot_id, ep_index, ep->ep_state); + goto done; + } + + /* In this case no commands are pending but the endpoint is stopped */ + if (ep->ep_state & EP_CLEARING_TT) { + /* and cancelled TDs can be given back right away */ + xhci_dbg(xhci, "Invalidating TDs instantly on slot %d ep %d in state 0x%x\n", + urb->dev->slot_id, ep_index, ep->ep_state); + xhci_process_cancelled_tds(ep); + } else { + /* Otherwise, queue a new Stop Endpoint command */ command = xhci_alloc_command(xhci, false, GFP_ATOMIC); if (!command) { ret = -ENOMEM; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 6dd3138b2380..4914f0a10cff 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1922,6 +1922,7 @@ void inc_deq(struct xhci_hcd *xhci, struct xhci_ring *ring); unsigned int count_trbs(u64 addr, u64 len); int xhci_stop_endpoint_sync(struct xhci_hcd *xhci, struct xhci_virt_ep *ep, int suspend, gfp_t gfp_flags); +void xhci_process_cancelled_tds(struct xhci_virt_ep *ep); /* xHCI roothub code */ void xhci_set_link_state(struct xhci_hcd *xhci, struct xhci_port *port, -- 2.25.1

7 months, 2 weeks

1
0
0 0

[PATCH 32/33] usb: xhci: Fix TD invalidation under pending Set TR Dequeue

by Mathias Nyman

From: Michal Pecio <michal.pecio(a)gmail.com> xhci_invalidate_cancelled_tds() may not work correctly if the hardware is modifying endpoint or stream contexts at the same time by executing a Set TR Dequeue command. And even if it worked, it would be unable to queue Set TR Dequeue for the next stream, failing to clear xHC cache. On stream endpoints, a chain of Set TR Dequeue commands may take some time to execute and we may want to cancel more TDs during this time. Currently this leads to Stop Endpoint completion handler calling this function without testing for SET_DEQ_PENDING, which will trigger the aforementioned problems when it happens. On all endpoints, a halt condition causes Reset Endpoint to be queued and an error status given to the class driver, which may unlink more URBs in response. Stop Endpoint is queued and its handler may execute concurrently with Set TR Dequeue queued by Reset Endpoint handler. (Reset Endpoint handler calls this function too, but there seems to be no possibility of it running concurrently with Set TR Dequeue). Fix xhci_invalidate_cancelled_tds() to work correctly under a pending Set TR Dequeue. Bail out of the function when SET_DEQ_PENDING is set, then make the completion handler call the function again and also call xhci_giveback_invalidated_tds(), which needs to be called next. This seems to fix another potential bug, where the handler would call xhci_invalidate_cancelled_tds(), which may clear some deferred TDs if a sanity check fails, and the TDs wouldn't be given back promptly. Said sanity check seems to be wrong and prone to false positives when the endpoint halts, but fixing it is beyond the scope of this change, besides ensuring that cleared TDs are given back properly. Fixes: 5ceac4402f5d ("xhci: Handle TD clearing for multiple streams case") CC: stable(a)vger.kernel.org Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index dd23596ccd84..55be03be2374 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -980,6 +980,13 @@ static int xhci_invalidate_cancelled_tds(struct xhci_virt_ep *ep) unsigned int slot_id = ep->vdev->slot_id; int err; + /* + * This is not going to work if the hardware is changing its dequeue + * pointers as we look at them. Completion handler will call us later. + */ + if (ep->ep_state & SET_DEQ_PENDING) + return 0; + xhci = ep->xhci; list_for_each_entry_safe(td, tmp_td, &ep->cancelled_td_list, cancelled_td_list) { @@ -1367,7 +1374,6 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, struct xhci_slot_ctx *slot_ctx; struct xhci_stream_ctx *stream_ctx; struct xhci_td *td, *tmp_td; - bool deferred = false; ep_index = TRB_TO_EP_INDEX(le32_to_cpu(trb->generic.field[3])); stream_id = TRB_TO_STREAM_ID(le32_to_cpu(trb->generic.field[2])); @@ -1471,8 +1477,6 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, xhci_dbg(ep->xhci, "%s: Giveback cancelled URB %p TD\n", __func__, td->urb); xhci_td_cleanup(ep->xhci, td, ep_ring, td->status); - } else if (td->cancel_status == TD_CLEARING_CACHE_DEFERRED) { - deferred = true; } else { xhci_dbg(ep->xhci, "%s: Keep cancelled URB %p TD as cancel_status is %d\n", __func__, td->urb, td->cancel_status); @@ -1483,11 +1487,15 @@ static void xhci_handle_cmd_set_deq(struct xhci_hcd *xhci, int slot_id, ep->queued_deq_seg = NULL; ep->queued_deq_ptr = NULL; - if (deferred) { - /* We have more streams to clear */ + /* Check for deferred or newly cancelled TDs */ + if (!list_empty(&ep->cancelled_td_list)) { xhci_dbg(ep->xhci, "%s: Pending TDs to clear, continuing with invalidation\n", __func__); xhci_invalidate_cancelled_tds(ep); + /* Try to restart the endpoint if all is done */ + ring_doorbell_for_active_rings(xhci, slot_id, ep_index); + /* Start giving back any TDs invalidated above */ + xhci_giveback_invalidated_tds(ep); } else { /* Restart any rings with pending URBs */ xhci_dbg(ep->xhci, "%s: All TDs cleared, ring doorbell\n", __func__); -- 2.25.1

7 months, 2 weeks

1
0
0 0

[PATCH 31/33] usb: xhci: Limit Stop Endpoint retries

by Mathias Nyman

From: Michal Pecio <michal.pecio(a)gmail.com> Some host controllers fail to atomically transition an endpoint to the Running state on a doorbell ring and enter a hidden "Restarting" state, which looks very much like Stopped, with the important difference that it will spontaneously transition to Running anytime soon. A Stop Endpoint command queued in the Restarting state typically fails with Context State Error and the completion handler sees the Endpoint Context State as either still Stopped or already Running. Even a case of Halted was observed, when an error occurred right after the restart. The Halted state is already recovered from by resetting the endpoint. The Running state is handled by retrying Stop Endpoint. The Stopped state was recognized as a problem on NEC controllers and worked around also by retrying, because the endpoint soon restarts and then stops for good. But there is a risk: the command may fail if the endpoint is "stopped for good" already, and retries will fail forever. The possibility of this was not realized at the time, but a number of cases were discovered later and reproduced. Some proved difficult to deal with, and it is outright impossible to predict if an endpoint may fail to ever start at all due to a hardware bug. One such bug (albeit on ASM3142, not on NEC) was found to be reliably triggered simply by toggling an AX88179 NIC up/down in a tight loop for a few seconds. An endless retries storm is quite nasty. Besides putting needless load on the xHC and CPU, it causes URBs never to be given back, paralyzing the device and connection/disconnection logic for the whole bus if the device is unplugged. User processes waiting for URBs become unkillable, drivers and kworker threads lock up and xhci_hcd cannot be reloaded. For peace of mind, impose a timeout on Stop Endpoint retries in this case. If they don't succeed in 100ms, consider the endpoint stopped permanently for some reason and just give back the unlinked URBs. This failure case is rare already and work is under way to make it rarer. Start this work today by also handling one simple case of race with Reset Endpoint, because it costs just two lines to implement. Fixes: fd9d55d190c0 ("xhci: retry Stop Endpoint on buggy NEC controllers") CC: stable(a)vger.kernel.org Signed-off-by: Michal Pecio <michal.pecio(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 28 ++++++++++++++++++++++++---- drivers/usb/host/xhci.c | 2 ++ drivers/usb/host/xhci.h | 1 + 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index c9c0c4a7588a..dd23596ccd84 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -52,6 +52,7 @@ * endpoint rings; it generates events on the event ring for these. */ +#include <linux/jiffies.h> #include <linux/scatterlist.h> #include <linux/slab.h> #include <linux/dma-mapping.h> @@ -1158,16 +1159,35 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, return; case EP_STATE_STOPPED: /* - * NEC uPD720200 sometimes sets this state and fails with - * Context Error while continuing to process TRBs. - * Be conservative and trust EP_CTX_STATE on other chips. + * Per xHCI 4.6.9, Stop Endpoint command on a Stopped + * EP is a Context State Error, and EP stays Stopped. + * + * But maybe it failed on Halted, and somebody ran Reset + * Endpoint later. EP state is now Stopped and EP_HALTED + * still set because Reset EP handler will run after us. + */ + if (ep->ep_state & EP_HALTED) + break; + /* + * On some HCs EP state remains Stopped for some tens of + * us to a few ms or more after a doorbell ring, and any + * new Stop Endpoint fails without aborting the restart. + * This handler may run quickly enough to still see this + * Stopped state, but it will soon change to Running. + * + * Assume this bug on unexpected Stop Endpoint failures. + * Keep retrying until the EP starts and stops again, on + * chips where this is known to help. Wait for 100ms. */ if (!(xhci->quirks & XHCI_NEC_HOST)) break; + if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))) + break; fallthrough; case EP_STATE_RUNNING: /* Race, HW handled stop ep cmd before ep was running */ - xhci_dbg(xhci, "Stop ep completion ctx error, ep is running\n"); + xhci_dbg(xhci, "Stop ep completion ctx error, ctx_state %d\n", + GET_EP_CTX_STATE(ep_ctx)); command = xhci_alloc_command(xhci, false, GFP_ATOMIC); if (!command) { diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index bc477cf99805..4977ada0a19e 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -8,6 +8,7 @@ * Some code borrowed from the Linux EHCI driver. */ +#include <linux/jiffies.h> #include <linux/pci.h> #include <linux/iommu.h> #include <linux/iopoll.h> @@ -1764,6 +1765,7 @@ static int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) ret = -ENOMEM; goto done; } + ep->stop_time = jiffies; ep->ep_state |= EP_STOP_CMD_PENDING; xhci_queue_stop_endpoint(xhci, command, urb->dev->slot_id, ep_index, 0); diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index a0e992c3db0d..6dd3138b2380 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -691,6 +691,7 @@ struct xhci_virt_ep { /* Bandwidth checking storage */ struct xhci_bw_info bw_info; struct list_head bw_endpoint_list; + unsigned long stop_time; /* Isoch Frame ID checking storage */ int next_frame_id; /* Use new Isoch TRB layout needed for extended TBC support */ -- 2.25.1

7 months, 2 weeks

1
0
0 0

[PATCH 20/33] xhci: Don't perform Soft Retry for Etron xHCI host

by Mathias Nyman

From: Kuangyi Chiang <ki.chiang65(a)gmail.com> Since commit f8f80be501aa ("xhci: Use soft retry to recover faster from transaction errors"), unplugging USB device while enumeration results in errors like this: [ 364.855321] xhci_hcd 0000:0b:00.0: ERROR Transfer event for disabled endpoint slot 5 ep 2 [ 364.864622] xhci_hcd 0000:0b:00.0: @0000002167656d70 67f03000 00000021 0c000000 05038001 [ 374.934793] xhci_hcd 0000:0b:00.0: Abort failed to stop command ring: -110 [ 374.958793] xhci_hcd 0000:0b:00.0: xHCI host controller not responding, assume dead [ 374.967590] xhci_hcd 0000:0b:00.0: HC died; cleaning up [ 374.973984] xhci_hcd 0000:0b:00.0: Timeout while waiting for configure endpoint command Seems that Etorn xHCI host can not perform Soft Retry correctly, apply XHCI_NO_SOFT_RETRY quirk to disable Soft Retry and then issue is gone. This patch depends on commit a4a251f8c235 ("usb: xhci: do not perform Soft Retry for some xHCI hosts"). Fixes: f8f80be501aa ("xhci: Use soft retry to recover faster from transaction errors") Cc: <stable(a)vger.kernel.org> Signed-off-by: Kuangyi Chiang <ki.chiang65(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-pci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index 4b8c93e59d6d..0d49d9c390c1 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -399,6 +399,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_ETRON_HOST; xhci->quirks |= XHCI_RESET_ON_RESUME; xhci->quirks |= XHCI_BROKEN_STREAMS; + xhci->quirks |= XHCI_NO_SOFT_RETRY; } if (pdev->vendor == PCI_VENDOR_ID_RENESAS && -- 2.25.1

7 months, 2 weeks

1
0
0 0

[PATCH 19/33] xhci: Fix control transfer error on Etron xHCI host

by Mathias Nyman

From: Kuangyi Chiang <ki.chiang65(a)gmail.com> Performing a stability stress test on a USB3.0 2.5G ethernet adapter results in errors like this: [ 91.441469] r8152 2-3:1.0 eth3: get_registers -71 [ 91.458659] r8152 2-3:1.0 eth3: get_registers -71 [ 91.475911] r8152 2-3:1.0 eth3: get_registers -71 [ 91.493203] r8152 2-3:1.0 eth3: get_registers -71 [ 91.510421] r8152 2-3:1.0 eth3: get_registers -71 The r8152 driver will periodically issue lots of control-IN requests to access the status of ethernet adapter hardware registers during the test. This happens when the xHCI driver enqueue a control TD (which cross over the Link TRB between two ring segments, as shown) in the endpoint zero's transfer ring. Seems the Etron xHCI host can not perform this TD correctly, causing the USB transfer error occurred, maybe the upper driver retry that control-IN request can solve problem, but not all drivers do this. | | ------- | TRB | Setup Stage ------- | TRB | Link ------- ------- | TRB | Data Stage ------- | TRB | Status Stage ------- | | To work around this, the xHCI driver should enqueue a No Op TRB if next available TRB is the Link TRB in the ring segment, this can prevent the Setup and Data Stage TRB to be breaked by the Link TRB. Check if the XHCI_ETRON_HOST quirk flag is set before invoking the workaround in xhci_queue_ctrl_tx(). Fixes: d0e96f5a71a0 ("USB: xhci: Control transfer support.") Cc: <stable(a)vger.kernel.org> Signed-off-by: Kuangyi Chiang <ki.chiang65(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index f62b243d0fc4..517df97ef496 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -3733,6 +3733,20 @@ int xhci_queue_ctrl_tx(struct xhci_hcd *xhci, gfp_t mem_flags, if (!urb->setup_packet) return -EINVAL; + if ((xhci->quirks & XHCI_ETRON_HOST) && + urb->dev->speed >= USB_SPEED_SUPER) { + /* + * If next available TRB is the Link TRB in the ring segment then + * enqueue a No Op TRB, this can prevent the Setup and Data Stage + * TRB to be breaked by the Link TRB. + */ + if (trb_is_link(ep_ring->enqueue + 1)) { + field = TRB_TYPE(TRB_TR_NOOP) | ep_ring->cycle_state; + queue_trb(xhci, ep_ring, false, 0, 0, + TRB_INTR_TARGET(0), field); + } + } + /* 1 TRB for setup, 1 for status */ num_trbs = 2; /* -- 2.25.1

7 months, 2 weeks

1
0
0 0

[PATCH 18/33] xhci: Don't issue Reset Device command to Etron xHCI host

by Mathias Nyman

From: Kuangyi Chiang <ki.chiang65(a)gmail.com> Sometimes the hub driver does not recognize the USB device connected to the external USB2.0 hub when the system resumes from S4. After the SetPortFeature(PORT_RESET) request is completed, the hub driver calls the HCD reset_device callback, which will issue a Reset Device command and free all structures associated with endpoints that were disabled. This happens when the xHCI driver issue a Reset Device command to inform the Etron xHCI host that the USB device associated with a device slot has been reset. Seems that the Etron xHCI host can not perform this command correctly, affecting the USB device. To work around this, the xHCI driver should obtain a new device slot with reference to commit 651aaf36a7d7 ("usb: xhci: Handle USB transaction error on address command"), which is another way to inform the Etron xHCI host that the USB device has been reset. Add a new XHCI_ETRON_HOST quirk flag to invoke the workaround in xhci_discover_or_reset_device(). Fixes: 2a8f82c4ceaf ("USB: xhci: Notify the xHC when a device is reset.") Cc: <stable(a)vger.kernel.org> Signed-off-by: Kuangyi Chiang <ki.chiang65(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-pci.c | 1 + drivers/usb/host/xhci.c | 19 +++++++++++++++++++ drivers/usb/host/xhci.h | 1 + 3 files changed, 21 insertions(+) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index db3c7e738213..4b8c93e59d6d 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -396,6 +396,7 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) if (pdev->vendor == PCI_VENDOR_ID_ETRON && (pdev->device == PCI_DEVICE_ID_EJ168 || pdev->device == PCI_DEVICE_ID_EJ188)) { + xhci->quirks |= XHCI_ETRON_HOST; xhci->quirks |= XHCI_RESET_ON_RESUME; xhci->quirks |= XHCI_BROKEN_STREAMS; } diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index aa8c877f47ac..ae16253b53fb 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -3733,6 +3733,8 @@ void xhci_free_device_endpoint_resources(struct xhci_hcd *xhci, xhci->num_active_eps); } +static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev); + /* * This submits a Reset Device Command, which will set the device state to 0, * set the device address to 0, and disable all the endpoints except the default @@ -3803,6 +3805,23 @@ static int xhci_discover_or_reset_device(struct usb_hcd *hcd, SLOT_STATE_DISABLED) return 0; + if (xhci->quirks & XHCI_ETRON_HOST) { + /* + * Obtaining a new device slot to inform the xHCI host that + * the USB device has been reset. + */ + ret = xhci_disable_slot(xhci, udev->slot_id); + xhci_free_virt_device(xhci, udev->slot_id); + if (!ret) { + ret = xhci_alloc_dev(hcd, udev); + if (ret == 1) + ret = 0; + else + ret = -EINVAL; + } + return ret; + } + trace_xhci_discover_or_reset_device(slot_ctx); xhci_dbg(xhci, "Resetting device with slot ID %u\n", slot_id); diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index d3b250c736b8..a0204e10486d 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1631,6 +1631,7 @@ struct xhci_hcd { #define XHCI_ZHAOXIN_HOST BIT_ULL(46) #define XHCI_WRITE_64_HI_LO BIT_ULL(47) #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) +#define XHCI_ETRON_HOST BIT_ULL(49) unsigned int num_active_eps; unsigned int limit_active_eps; -- 2.25.1

7 months, 2 weeks

1
0
0 0

[PATCH 17/33] xhci: Combine two if statements for Etron xHCI host

by Mathias Nyman

From: Kuangyi Chiang <ki.chiang65(a)gmail.com> Combine two if statements, because these hosts have the same quirk flags applied. [Mathias: has stable tag because other fixes in series depend on this] Fixes: 91f7a1524a92 ("xhci: Apply broken streams quirk to Etron EJ188 xHCI host") Cc: <stable(a)vger.kernel.org> Signed-off-by: Kuangyi Chiang <ki.chiang65(a)gmail.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-pci.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c index 7803ff1f1c9f..db3c7e738213 100644 --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -394,12 +394,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; if (pdev->vendor == PCI_VENDOR_ID_ETRON && - pdev->device == PCI_DEVICE_ID_EJ168) { - xhci->quirks |= XHCI_RESET_ON_RESUME; - xhci->quirks |= XHCI_BROKEN_STREAMS; - } - if (pdev->vendor == PCI_VENDOR_ID_ETRON && - pdev->device == PCI_DEVICE_ID_EJ188) { + (pdev->device == PCI_DEVICE_ID_EJ168 || + pdev->device == PCI_DEVICE_ID_EJ188)) { xhci->quirks |= XHCI_RESET_ON_RESUME; xhci->quirks |= XHCI_BROKEN_STREAMS; } -- 2.25.1

7 months, 2 weeks

1
0
0 0

[PATCH] drm/tegra: fix a possible null pointer dereference

by Qiu-ji Chen

In tegra_crtc_reset(), new memory is allocated with kzalloc(), but no check is performed. Before calling __drm_atomic_helper_crtc_reset, state should be checked to prevent possible null pointer dereference. Fixes: b7e0b04ae450 ("drm/tegra: Convert to using __drm_atomic_helper_crtc_reset() for reset.") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/gpu/drm/tegra/dc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index be61c9d1a4f0..1ed30853bd9e 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -1388,7 +1388,10 @@ static void tegra_crtc_reset(struct drm_crtc *crtc) if (crtc->state) tegra_crtc_atomic_destroy_state(crtc, crtc->state); - __drm_atomic_helper_crtc_reset(crtc, &state->base); + if (state) + __drm_atomic_helper_crtc_reset(crtc, &state->base); + else + __drm_atomic_helper_crtc_reset(crtc, NULL); } static struct drm_crtc_state * -- 2.34.1

7 months, 2 weeks

1
0
0 0

[PATCH 06/31] ASoC: sh: rz-ssi: Terminate all the DMA transactions

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> In case of full duplex the 1st closed stream doesn't benefit from the dmaengine_terminate_async(). Call it after the companion stream is closed. Fixes: 26ac471c5354 ("ASoC: sh: rz-ssi: Add SSI DMAC support") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- sound/soc/renesas/rz-ssi.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sound/soc/renesas/rz-ssi.c b/sound/soc/renesas/rz-ssi.c index 6efd017aaa7f..2d8721156099 100644 --- a/sound/soc/renesas/rz-ssi.c +++ b/sound/soc/renesas/rz-ssi.c @@ -415,8 +415,12 @@ static int rz_ssi_stop(struct rz_ssi_priv *ssi, struct rz_ssi_stream *strm) rz_ssi_reg_mask_setl(ssi, SSICR, SSICR_TEN | SSICR_REN, 0); /* Cancel all remaining DMA transactions */ - if (rz_ssi_is_dma_enabled(ssi)) - dmaengine_terminate_async(strm->dma_ch); + if (rz_ssi_is_dma_enabled(ssi)) { + if (ssi->playback.dma_ch) + dmaengine_terminate_async(ssi->playback.dma_ch); + if (ssi->capture.dma_ch) + dmaengine_terminate_async(ssi->capture.dma_ch); + } rz_ssi_set_idle(ssi); -- 2.39.2

7 months, 2 weeks

1
0
0 0

Default profile performance issue on Navi 3x

by Mario Limonciello

Hi, A performance issue on AMD Navi3x dGPUs in 6.10.y and 6.11.y has been improved by patches that landed in 6.12-rc. Can you please bring these 3 patches back to 6.11.y to help performance there as well? commit b932d5ad9257 ("drm/amdgpu/swsmu: fix ordering for setting workload_mask") commit ec1aab7816b0 ("drm/amdgpu/swsmu: default to fullscreen 3D profile for dGPUs") commit 7c210ca5a2d7 ("drm/amdgpu: handle default profile on on devices without fullscreen 3D") Thanks!

7 months, 2 weeks

2
1
0 0

Request to backport "ASoC: Intel: mtl-match: Add cs42l43_l0 cs35l56_l23 for MTL"

by Liao, Bard

Hi, commit 84b22af29ff6 ("ASoC: Intel: mtl-match: Add cs42l43_l0 cs35l56_l23 for MTL") upstream. The commit added cs42l43 on SoundWire link 0 and cs35l56 on SoundWire link 2 and 3 configuration support on Intel Meteor Lake support. Audio will not work without this commit if the laptop use the given audio configuration. I wish this commit can be applied to kernel 6.8. It can be applied and built cleanly on it. Thanks, Bard

7 months, 2 weeks

2
2
0 0

[PATCH 6.6 v2] SUNRPC: Remove BUG_ON call sites

by Dominique Martinet

From: Chuck Lever <chuck.lever(a)oracle.com> [ Upstream commit 789ce196a31dd13276076762204bee87df893e53 ] There is no need to take down the whole system for these assertions. I'd rather not attempt a heroic save here, as some bug has occurred that has left the transport data structures in an unknown state. Just warn and then leak the left-over resources. Acked-by: Christian Brauner <brauner(a)kernel.org> Reviewed-by: NeilBrown <neilb(a)suse.de> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> --- v2: resend with signoff properly set as requested v1: https://lkml.kernel.org/r/20241102065203.13291-1-asmadeus@codewreck.org net/sunrpc/svc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index 029c49065016..b43dc8409b1f 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c @@ -577,11 +577,12 @@ svc_destroy(struct kref *ref) timer_shutdown_sync(&serv->sv_temptimer); /* - * The last user is gone and thus all sockets have to be destroyed to - * the point. Check this. + * Remaining transports at this point are not expected. */ - BUG_ON(!list_empty(&serv->sv_permsocks)); - BUG_ON(!list_empty(&serv->sv_tempsocks)); + WARN_ONCE(!list_empty(&serv->sv_permsocks), + "SVC: permsocks remain for %s\n", serv->sv_program->pg_name); + WARN_ONCE(!list_empty(&serv->sv_tempsocks), + "SVC: tempsocks remain for %s\n", serv->sv_program->pg_name); cache_clean_deferred(serv); -- 2.46.1

7 months, 2 weeks

2
1
0 0

[PATCH v2] mtd: spi-nor: winbond: fix w25q128 regression

by Linus Walleij

From: Michael Walle <mwalle(a)kernel.org> Upstream commit d35df77707bf5ae1221b5ba1c8a88cf4fcdd4901 ("mtd: spi-nor: winbond: fix w25q128 regression") however the code has changed a lot after v6.6 so the patch did not apply to v6.6 or v6.1 which still has the problem. This patch fixes the issue in the way of the old API and has been tested on hardware. Please apply it for v6.1 and v6.6. Commit 83e824a4a595 ("mtd: spi-nor: Correct flags for Winbond w25q128") removed the flags for non-SFDP devices. It was assumed that it wasn't in use anymore. This wasn't true. Add the no_sfdp_flags as well as the size again. We add the additional flags for dual and quad read because they have been reported to work properly by Hartmut using both older and newer versions of this flash, the similar flashes with 64Mbit and 256Mbit already have these flags and because it will (luckily) trigger our legacy SFDP parsing, so newer versions with SFDP support will still get the parameters from the SFDP tables. Reported-by: Hartmut Birr <e9hack(a)gmail.com> Closes: https://lore.kernel.org/r/CALxbwRo_-9CaJmt7r7ELgu+vOcgk=xZcGHobnKf=oT2=u4d4… Fixes: 83e824a4a595 ("mtd: spi-nor: Correct flags for Winbond w25q128") Reviewed-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Michael Walle <mwalle(a)kernel.org> Acked-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> Reviewed-by: Esben Haabendal <esben(a)geanix.com> Reviewed-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Pratyush Yadav <pratyush(a)kernel.org> Link: https://lore.kernel.org/r/20240621120929.2670185-1-mwalle@kernel.org [Backported to v6.6 - vastly different due to upstream changes] Reviewed-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> --- This fix backported to stable v6.6 and v6.1 after reports from OpenWrt users: https://github.com/openwrt/openwrt/issues/16796 --- Changes in v2: - Use the right upstream committ ID (dunno what happened) - Put the commit ID on top on the desired format. - Link to v1: https://lore.kernel.org/r/20241028-v6-6-v1-1-991446d71bb7@linaro.org --- drivers/mtd/spi-nor/winbond.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/spi-nor/winbond.c b/drivers/mtd/spi-nor/winbond.c index cd99c9a1c568..95dd28b9bf14 100644 --- a/drivers/mtd/spi-nor/winbond.c +++ b/drivers/mtd/spi-nor/winbond.c @@ -120,9 +120,10 @@ static const struct flash_info winbond_nor_parts[] = { NO_SFDP_FLAGS(SECT_4K) }, { "w25q80bl", INFO(0xef4014, 0, 64 * 1024, 16) NO_SFDP_FLAGS(SECT_4K) }, - { "w25q128", INFO(0xef4018, 0, 0, 0) - PARSE_SFDP - FLAGS(SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB) }, + { "w25q128", INFO(0xef4018, 0, 64 * 1024, 256) + FLAGS(SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB) + NO_SFDP_FLAGS(SECT_4K | SPI_NOR_DUAL_READ | + SPI_NOR_QUAD_READ) }, { "w25q256", INFO(0xef4019, 0, 64 * 1024, 512) NO_SFDP_FLAGS(SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) .fixups = &w25q256_fixups }, --- base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa change-id: 20241027-v6-6-7ed05eaccb22 Best regards, -- Linus Walleij <linus.walleij(a)linaro.org>

7 months, 2 weeks

2
1
0 0

[PATCH 6.1.y] LoongArch: Fix build errors due to backported TIMENS

by Huacai Chen

Commit eb3710efffce1dcff83761db4615f91d93aabfcb ("LoongArch: Add support to clone a time namespace") backports the TIMENS support for LoongArch (corresponding upstream commit aa5e65dc0818bbf676bf06927368ec46867778fd) but causes build errors: CC arch/loongarch/kernel/vdso.o arch/loongarch/kernel/vdso.c: In function ‘vvar_fault’: arch/loongarch/kernel/vdso.c:54:36: error: implicit declaration of function ‘find_timens_vvar_page’ [-Werror=implicit-function-declaration] 54 | struct page *timens_page = find_timens_vvar_page(vma); | ^~~~~~~~~~~~~~~~~~~~~ arch/loongarch/kernel/vdso.c:54:36: warning: initialization of ‘struct page *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion] arch/loongarch/kernel/vdso.c: In function ‘vdso_join_timens’: arch/loongarch/kernel/vdso.c:143:25: error: implicit declaration of function ‘zap_vma_pages’; did you mean ‘zap_vma_ptes’? [-Werror=implicit-function-declaration] 143 | zap_vma_pages(vma); | ^~~~~~~~~~~~~ | zap_vma_ptes cc1: some warnings being treated as errors Because in 6.1.y we should define find_timens_vvar_page() by ourselves and use zap_page_range() instead of zap_vma_pages(), so fix it. Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/kernel/vdso.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/arch/loongarch/kernel/vdso.c b/arch/loongarch/kernel/vdso.c index 59aa9dd466e8..64eb5386e7b2 100644 --- a/arch/loongarch/kernel/vdso.c +++ b/arch/loongarch/kernel/vdso.c @@ -40,6 +40,8 @@ static struct page *vdso_pages[] = { NULL }; struct vdso_data *vdso_data = generic_vdso_data.data; struct vdso_pcpu_data *vdso_pdata = loongarch_vdso_data.vdata.pdata; +static struct page *find_timens_vvar_page(struct vm_area_struct *vma); + static int vdso_mremap(const struct vm_special_mapping *sm, struct vm_area_struct *new_vma) { current->mm->context.vdso = (void *)(new_vma->vm_start); @@ -139,13 +141,37 @@ int vdso_join_timens(struct task_struct *task, struct time_namespace *ns) mmap_read_lock(mm); for_each_vma(vmi, vma) { + unsigned long size = vma->vm_end - vma->vm_start; + if (vma_is_special_mapping(vma, &vdso_info.data_mapping)) - zap_vma_pages(vma); + zap_page_range(vma, vma->vm_start, size); } mmap_read_unlock(mm); return 0; } + +static struct page *find_timens_vvar_page(struct vm_area_struct *vma) +{ + if (likely(vma->vm_mm == current->mm)) + return current->nsproxy->time_ns->vvar_page; + + /* + * VM_PFNMAP | VM_IO protect .fault() handler from being called + * through interfaces like /proc/$pid/mem or + * process_vm_{readv,writev}() as long as there's no .access() + * in special_mapping_vmops. + * For more details check_vma_flags() and __access_remote_vm() + */ + WARN(1, "vvar_page accessed remotely"); + + return NULL; +} +#else +static struct page *find_timens_vvar_page(struct vm_area_struct *vma) +{ + return NULL; +} #endif static unsigned long vdso_base(void) -- 2.43.5

7 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: don't install PMD mappings when THPs are disabled by the" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2b0f922323ccfa76219bcaacd35cd50aeaa13592 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024101842-empty-espresso-c8a3@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2b0f922323ccfa76219bcaacd35cd50aeaa13592 Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Fri, 11 Oct 2024 12:24:45 +0200 Subject: [PATCH] mm: don't install PMD mappings when THPs are disabled by the hw/process/vma We (or rather, readahead logic :) ) might be allocating a THP in the pagecache and then try mapping it into a process that explicitly disabled THP: we might end up installing PMD mappings. This is a problem for s390x KVM, which explicitly remaps all PMD-mapped THPs to be PTE-mapped in s390_enable_sie()->thp_split_mm(), before starting the VM. For example, starting a VM backed on a file system with large folios supported makes the VM crash when the VM tries accessing such a mapping using KVM. Is it also a problem when the HW disabled THP using TRANSPARENT_HUGEPAGE_UNSUPPORTED? At least on x86 this would be the case without X86_FEATURE_PSE. In the future, we might be able to do better on s390x and only disallow PMD mappings -- what s390x and likely TRANSPARENT_HUGEPAGE_UNSUPPORTED really wants. For now, fix it by essentially performing the same check as would be done in __thp_vma_allowable_orders() or in shmem code, where this works as expected, and disallow PMD mappings, making us fallback to PTE mappings. Link: https://lkml.kernel.org/r/20241011102445.934409-3-david@redhat.com Fixes: 793917d997df ("mm/readahead: Add large folio readahead") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: Leo Fu <bfu(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Cc: Thomas Huth <thuth(a)redhat.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Janosch Frank <frankja(a)linux.ibm.com> Cc: Claudio Imbrenda <imbrenda(a)linux.ibm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index c0869a962ddd..30feedabc932 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -4920,6 +4920,15 @@ vm_fault_t do_set_pmd(struct vm_fault *vmf, struct page *page) pmd_t entry; vm_fault_t ret = VM_FAULT_FALLBACK; + /* + * It is too late to allocate a small folio, we already have a large + * folio in the pagecache: especially s390 KVM cannot tolerate any + * PMD mappings, but PTE-mapped THP are fine. So let's simply refuse any + * PMD mappings if THPs are disabled. + */ + if (thp_disabled_by_hw() || vma_thp_disabled(vma, vma->vm_flags)) + return ret; + if (!thp_vma_suitable_order(vma, haddr, PMD_ORDER)) return ret;

7 months, 2 weeks

4
10
0 0

[PATCH V4] wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures

by Guilherme G. Piccoli

Syzkaller reported a hung task with uevent_show() on stack trace. That specific issue was addressed by another commit [0], but even with that fix applied (for example, running v6.12-rc5) we face another type of hung task that comes from the same reproducer [1]. By investigating that, we could narrow it to the following path: (a) Syzkaller emulates a Realtek USB WiFi adapter using raw-gadget and dummy_hcd infrastructure. (b) During the probe of rtl8192cu, the driver ends-up performing an efuse read procedure (which is related to EEPROM load IIUC), and here lies the issue: the function read_efuse() calls read_efuse_byte() many times, as loop iterations depending on the efuse size (in our example, 512 in total). This procedure for reading efuse bytes relies in a loop that performs an I/O read up to *10k* times in case of failures. We measured the time of the loop inside read_efuse_byte() alone, and in this reproducer (which involves the dummy_hcd emulation layer), it takes 15 seconds each. As a consequence, we have the driver stuck in its probe routine for big time, exposing a stack trace like below if we attempt to reboot the system, for example: task:kworker/0:3 state:D stack:0 pid:662 tgid:662 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: __schedule+0xe22/0xeb6 schedule_timeout+0xe7/0x132 __wait_for_common+0xb5/0x12e usb_start_wait_urb+0xc5/0x1ef ? usb_alloc_urb+0x95/0xa4 usb_control_msg+0xff/0x184 _usbctrl_vendorreq_sync+0xa0/0x161 _usb_read_sync+0xb3/0xc5 read_efuse_byte+0x13c/0x146 read_efuse+0x351/0x5f0 efuse_read_all_map+0x42/0x52 rtl_efuse_shadow_map_update+0x60/0xef rtl_get_hwinfo+0x5d/0x1c2 rtl92cu_read_eeprom_info+0x10a/0x8d5 ? rtl92c_read_chip_version+0x14f/0x17e rtl_usb_probe+0x323/0x851 usb_probe_interface+0x278/0x34b really_probe+0x202/0x4a4 __driver_probe_device+0x166/0x1b2 driver_probe_device+0x2f/0xd8 [...] We propose hereby to drastically reduce the attempts of doing the I/O reads in case of failures, restricted to USB devices (given that they're inherently slower than PCIe ones). By retrying up to 10 times (instead of 10000), we got reponsiveness in the reproducer, while seems reasonable to believe that there's no sane USB device implementation in the field requiring this amount of retries at every I/O read in order to properly work. Based on that assumption, it'd be good to have it backported to stable but maybe not since driver implementation (the 10k number comes from day 0), perhaps up to 6.x series makes sense. [0] Commit 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race") [1] A note about that: this syzkaller report presents multiple reproducers that differs by the type of emulated USB device. For this specific case, check the entry from 2024/08/08 06:23 in the list of crashes; the C repro is available at https://syzkaller.appspot.com/text?tag=ReproC&x=1521fc83980000. Cc: stable(a)vger.kernel.org # v6.1+ Reported-by: syzbot+edd9fe0d3a65b14588d5(a)syzkaller.appspotmail.com Tested-by: Bitterblue Smith <rtl8821cerfe2(a)gmail.com> Signed-off-by: Guilherme G. Piccoli <gpiccoli(a)igalia.com> --- V4: - Changed the if conditional to check if device is of USB type, instead of PCI type - thanks Ping-Ke Shih. - Re-addded the Bitterblue Smith's Tested-by tag, which I forgot in V3 xD V3 link: https://lore.kernel.org/r/20241031155731.1253259-1-gpiccoli@igalia.com/ drivers/net/wireless/realtek/rtlwifi/efuse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtlwifi/efuse.c b/drivers/net/wireless/realtek/rtlwifi/efuse.c index 82cf5fb5175f..6518e77b89f5 100644 --- a/drivers/net/wireless/realtek/rtlwifi/efuse.c +++ b/drivers/net/wireless/realtek/rtlwifi/efuse.c @@ -162,10 +162,19 @@ void efuse_write_1byte(struct ieee80211_hw *hw, u16 address, u8 value) void read_efuse_byte(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf) { struct rtl_priv *rtlpriv = rtl_priv(hw); + u16 max_attempts = 10000; u32 value32; u8 readbyte; u16 retry; + /* + * In case of USB devices, transfer speeds are limited, hence + * efuse I/O reads could be (way) slower. So, decrease (a lot) + * the read attempts in case of failures. + */ + if (rtlpriv->rtlhal.interface == INTF_USB) + max_attempts = 10; + rtl_write_byte(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL] + 1, (_offset & 0xff)); readbyte = rtl_read_byte(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL] + 2); @@ -178,7 +187,7 @@ void read_efuse_byte(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf) retry = 0; value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); - while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < 10000)) { + while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < max_attempts)) { value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); retry++; -- 2.46.2

7 months, 2 weeks

2
1
0 0

FAILED: Patch "nilfs2: fix kernel bug due to missing clearing of checked flag" failed to apply to v6.6-stable tree

by Sasha Levin

The patch below does not apply to the v6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 41e192ad2779cae0102879612dfe46726e4396aa Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Fri, 18 Oct 2024 04:33:10 +0900 Subject: [PATCH] nilfs2: fix kernel bug due to missing clearing of checked flag Syzbot reported that in directory operations after nilfs2 detects filesystem corruption and degrades to read-only, __block_write_begin_int(), which is called to prepare block writes, may fail the BUG_ON check for accesses exceeding the folio/page size, triggering a kernel bug. This was found to be because the "checked" flag of a page/folio was not cleared when it was discarded by nilfs2's own routine, which causes the sanity check of directory entries to be skipped when the directory page/folio is reloaded. So, fix that. This was necessary when the use of nilfs2's own page discard routine was applied to more than just metadata files. Link: https://lkml.kernel.org/r/20241017193359.5051-1-konishi.ryusuke@gmail.com Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+d6ca2daf692c7a82f959(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d6ca2daf692c7a82f959 Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/page.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c index 5436eb0424bd1..10def4b559956 100644 --- a/fs/nilfs2/page.c +++ b/fs/nilfs2/page.c @@ -401,6 +401,7 @@ void nilfs_clear_folio_dirty(struct folio *folio) folio_clear_uptodate(folio); folio_clear_mappedtodisk(folio); + folio_clear_checked(folio); head = folio_buffers(folio); if (head) { -- 2.43.0

7 months, 2 weeks

3
2
0 0

[PATCH 6.6] SUNRPC: Remove BUG_ON call sites

by Dominique Martinet

From: Chuck Lever <chuck.lever(a)oracle.com> [ Upstream commit 789ce196a31dd13276076762204bee87df893e53 ] There is no need to take down the whole system for these assertions. I'd rather not attempt a heroic save here, as some bug has occurred that has left the transport data structures in an unknown state. Just warn and then leak the left-over resources. Acked-by: Christian Brauner <brauner(a)kernel.org> Reviewed-by: NeilBrown <neilb(a)suse.de> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- I've hit this BUG at home when restarting the nfs-server service and while that didn't bring the whole system down it did kill a thread with the nfsd_mutex lock held, making exportfs & other related commands all hang in unkillable state trying to grab the lock. So this is purely selfish so that this won't happen again next time I upgrade :-) I'd like to say I have any idea why the bug hit on that 6.6.42 (the sv_permsocks one did) and help with the underlying issue, but I honestly didn't do anything fancy and don't have anything interesting in logs (except the bug itself, happy to forward it if someone cares); would have been possible to debug this if I had a crash dump but it's not setup on this machine and just having this down to WARN if probably good enough... Cheers, net/sunrpc/svc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c index 029c49065016..b43dc8409b1f 100644 --- a/net/sunrpc/svc.c +++ b/net/sunrpc/svc.c @@ -577,11 +577,12 @@ svc_destroy(struct kref *ref) timer_shutdown_sync(&serv->sv_temptimer); /* - * The last user is gone and thus all sockets have to be destroyed to - * the point. Check this. + * Remaining transports at this point are not expected. */ - BUG_ON(!list_empty(&serv->sv_permsocks)); - BUG_ON(!list_empty(&serv->sv_tempsocks)); + WARN_ONCE(!list_empty(&serv->sv_permsocks), + "SVC: permsocks remain for %s\n", serv->sv_program->pg_name); + WARN_ONCE(!list_empty(&serv->sv_tempsocks), + "SVC: tempsocks remain for %s\n", serv->sv_program->pg_name); cache_clean_deferred(serv); -- 2.46.1

7 months, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] mm: shmem: fix data-race in shmem_getattr()" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x d949d1d14fa281ace388b1de978e8f2cd52875cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110553-blaming-ammonium-3ec5@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001 From: Jeongjun Park <aha310510(a)gmail.com> Date: Mon, 9 Sep 2024 21:35:58 +0900 Subject: [PATCH] mm: shmem: fix data-race in shmem_getattr() I got the following KCSAN report during syzbot testing: ================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x2755ae53 -> 0x27ee44d3 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ================================================================== When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior. Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough. Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race. Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index c5adb987b23c..4ba1d00fabda 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,7 +1166,9 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); + inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); + inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE;

7 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: shmem: fix data-race in shmem_getattr()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x d949d1d14fa281ace388b1de978e8f2cd52875cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110551-frosty-diploma-2492@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001 From: Jeongjun Park <aha310510(a)gmail.com> Date: Mon, 9 Sep 2024 21:35:58 +0900 Subject: [PATCH] mm: shmem: fix data-race in shmem_getattr() I got the following KCSAN report during syzbot testing: ================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x2755ae53 -> 0x27ee44d3 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ================================================================== When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior. Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough. Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race. Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index c5adb987b23c..4ba1d00fabda 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,7 +1166,9 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); + inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); + inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE;

7 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: shmem: fix data-race in shmem_getattr()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x d949d1d14fa281ace388b1de978e8f2cd52875cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110550-excretory-dig-7bda@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001 From: Jeongjun Park <aha310510(a)gmail.com> Date: Mon, 9 Sep 2024 21:35:58 +0900 Subject: [PATCH] mm: shmem: fix data-race in shmem_getattr() I got the following KCSAN report during syzbot testing: ================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x2755ae53 -> 0x27ee44d3 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ================================================================== When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior. Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough. Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race. Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index c5adb987b23c..4ba1d00fabda 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,7 +1166,9 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); + inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); + inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE;

7 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: shmem: fix data-race in shmem_getattr()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x d949d1d14fa281ace388b1de978e8f2cd52875cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110549-slate-undrilled-d94c@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001 From: Jeongjun Park <aha310510(a)gmail.com> Date: Mon, 9 Sep 2024 21:35:58 +0900 Subject: [PATCH] mm: shmem: fix data-race in shmem_getattr() I got the following KCSAN report during syzbot testing: ================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x2755ae53 -> 0x27ee44d3 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ================================================================== When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior. Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough. Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race. Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index c5adb987b23c..4ba1d00fabda 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,7 +1166,9 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); + inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); + inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE;

7 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: shmem: fix data-race in shmem_getattr()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d949d1d14fa281ace388b1de978e8f2cd52875cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024110547-snooper-saint-e58c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001 From: Jeongjun Park <aha310510(a)gmail.com> Date: Mon, 9 Sep 2024 21:35:58 +0900 Subject: [PATCH] mm: shmem: fix data-race in shmem_getattr() I got the following KCSAN report during syzbot testing: ================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x2755ae53 -> 0x27ee44d3 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ================================================================== When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior. Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough. Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race. Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index c5adb987b23c..4ba1d00fabda 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,7 +1166,9 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); + inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); + inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE;

7 months, 2 weeks

2
1
0 0

[PATCH V3] vp_vdpa: fix id_table array not null terminated error

by Xiaoguang Wang

Allocate one extra virtio_device_id as null terminator, otherwise vdpa_mgmtdev_get_classes() may iterate multiple times and visit undefined memory. Fixes: ffbda8e9df10 ("vdpa/vp_vdpa : add vdpa tool support in vp_vdpa") Cc: stable(a)vger.kernel.org Suggested-by: Parav Pandit <parav(a)nvidia.com> Signed-off-by: Angus Chen <angus.chen(a)jaguarmicro.com> Signed-off-by: Xiaoguang Wang <lege.wang(a)jaguarmicro.com> --- V3: Use array assignment style for mdev_id. V2: Use kcalloc() api. --- drivers/vdpa/virtio_pci/vp_vdpa.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/vdpa/virtio_pci/vp_vdpa.c b/drivers/vdpa/virtio_pci/vp_vdpa.c index ac4ab22f7d8b..16380764275e 100644 --- a/drivers/vdpa/virtio_pci/vp_vdpa.c +++ b/drivers/vdpa/virtio_pci/vp_vdpa.c @@ -612,7 +612,11 @@ static int vp_vdpa_probe(struct pci_dev *pdev, const struct pci_device_id *id) goto mdev_err; } - mdev_id = kzalloc(sizeof(struct virtio_device_id), GFP_KERNEL); + /* + * id_table should be a null terminated array, so allocate one additional + * entry here, see vdpa_mgmtdev_get_classes(). + */ + mdev_id = kcalloc(2, sizeof(struct virtio_device_id), GFP_KERNEL); if (!mdev_id) { err = -ENOMEM; goto mdev_id_err; @@ -632,8 +636,8 @@ static int vp_vdpa_probe(struct pci_dev *pdev, const struct pci_device_id *id) goto probe_err; } - mdev_id->device = mdev->id.device; - mdev_id->vendor = mdev->id.vendor; + mdev_id[0].device = mdev->id.device; + mdev_id[0].vendor = mdev->id.vendor; mgtdev->id_table = mdev_id; mgtdev->max_supported_vqs = vp_modern_get_num_queues(mdev); mgtdev->supported_features = vp_modern_get_features(mdev); -- 2.40.1

7 months, 2 weeks

3
2
0 0

[PATCH v2] mm/slab: fix warning caused by duplicate kmem_cache creation in kmem_buckets_create

by Koichiro Den

Commit b035f5a6d852 ("mm: slab: reduce the kmalloc() minimum alignment if DMA bouncing possible") reduced ARCH_KMALLOC_MINALIGN to 8 on arm64. However, with KASAN_HW_TAGS enabled, arch_slab_minalign() becomes 16. This causes kmalloc_caches[*][8] to be aliased to kmalloc_caches[*][16], resulting in kmem_buckets_create() attempting to create a kmem_cache for size 16 twice. This duplication triggers warnings on boot: [ 2.325108] ------------[ cut here ]------------ [ 2.325135] kmem_cache of name 'memdup_user-16' already exists [ 2.325783] WARNING: CPU: 0 PID: 1 at mm/slab_common.c:107 __kmem_cache_create_args+0xb8/0x3b0 [ 2.327957] Modules linked in: [ 2.328550] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5mm-unstable-arm64+ #12 [ 2.328683] Hardware name: QEMU QEMU Virtual Machine, BIOS 2024.02-2 03/11/2024 [ 2.328790] pstate: 61000009 (nZCv daif -PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2.328911] pc : __kmem_cache_create_args+0xb8/0x3b0 [ 2.328930] lr : __kmem_cache_create_args+0xb8/0x3b0 [ 2.328942] sp : ffff800083d6fc50 [ 2.328961] x29: ffff800083d6fc50 x28: f2ff0000c1674410 x27: ffff8000820b0598 [ 2.329061] x26: 000000007fffffff x25: 0000000000000010 x24: 0000000000002000 [ 2.329101] x23: ffff800083d6fce8 x22: ffff8000832222e8 x21: ffff800083222388 [ 2.329118] x20: f2ff0000c1674410 x19: f5ff0000c16364c0 x18: ffff800083d80030 [ 2.329135] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 2.329152] x14: 0000000000000000 x13: 0a73747369786520 x12: 79646165726c6120 [ 2.329169] x11: 656820747563205b x10: 2d2d2d2d2d2d2d2d x9 : 0000000000000000 [ 2.329194] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 2.329210] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 2.329226] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 2.329291] Call trace: [ 2.329407] __kmem_cache_create_args+0xb8/0x3b0 [ 2.329499] kmem_buckets_create+0xfc/0x320 [ 2.329526] init_user_buckets+0x34/0x78 [ 2.329540] do_one_initcall+0x64/0x3c8 [ 2.329550] kernel_init_freeable+0x26c/0x578 [ 2.329562] kernel_init+0x3c/0x258 [ 2.329574] ret_from_fork+0x10/0x20 [ 2.329698] ---[ end trace 0000000000000000 ]--- [ 2.403704] ------------[ cut here ]------------ [ 2.404716] kmem_cache of name 'msg_msg-16' already exists [ 2.404801] WARNING: CPU: 2 PID: 1 at mm/slab_common.c:107 __kmem_cache_create_args+0xb8/0x3b0 [ 2.404842] Modules linked in: [ 2.404971] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.12.0-rc5mm-unstable-arm64+ #12 [ 2.405026] Tainted: [W]=WARN [ 2.405043] Hardware name: QEMU QEMU Virtual Machine, BIOS 2024.02-2 03/11/2024 [ 2.405057] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2.405079] pc : __kmem_cache_create_args+0xb8/0x3b0 [ 2.405100] lr : __kmem_cache_create_args+0xb8/0x3b0 [ 2.405111] sp : ffff800083d6fc50 [ 2.405115] x29: ffff800083d6fc50 x28: fbff0000c1674410 x27: ffff8000820b0598 [ 2.405135] x26: 000000000000ffd0 x25: 0000000000000010 x24: 0000000000006000 [ 2.405153] x23: ffff800083d6fce8 x22: ffff8000832222e8 x21: ffff800083222388 [ 2.405169] x20: fbff0000c1674410 x19: fdff0000c163d6c0 x18: ffff800083d80030 [ 2.405185] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 2.405201] x14: 0000000000000000 x13: 0a73747369786520 x12: 79646165726c6120 [ 2.405217] x11: 656820747563205b x10: 2d2d2d2d2d2d2d2d x9 : 0000000000000000 [ 2.405233] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 2.405248] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 2.405271] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 2.405287] Call trace: [ 2.405293] __kmem_cache_create_args+0xb8/0x3b0 [ 2.405305] kmem_buckets_create+0xfc/0x320 [ 2.405315] init_msg_buckets+0x34/0x78 [ 2.405326] do_one_initcall+0x64/0x3c8 [ 2.405337] kernel_init_freeable+0x26c/0x578 [ 2.405348] kernel_init+0x3c/0x258 [ 2.405360] ret_from_fork+0x10/0x20 [ 2.405370] ---[ end trace 0000000000000000 ]--- To address this, alias kmem_cache for sizes smaller than min alignment to the aligned sized kmem_cache, as done with the default system kmalloc bucket. Cc: <stable(a)vger.kernel.org> # 6.11.x Fixes: b32801d1255b ("mm/slab: Introduce kmem_buckets_create() and family") Signed-off-by: Koichiro Den <koichiro.den(a)gmail.com> --- Changes in v2: - Simplify by just reusing calculated aligned size stored in the default kmalloc_caches --- mm/slab_common.c | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index 3d26c257ed8b..db6ffe53c23e 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -380,8 +380,11 @@ kmem_buckets *kmem_buckets_create(const char *name, slab_flags_t flags, unsigned int usersize, void (*ctor)(void *)) { + unsigned long mask = 0; + unsigned int idx; kmem_buckets *b; - int idx; + + BUILD_BUG_ON(ARRAY_SIZE(kmalloc_caches[KMALLOC_NORMAL]) > BITS_PER_LONG); /* * When the separate buckets API is not built in, just return @@ -403,7 +406,7 @@ kmem_buckets *kmem_buckets_create(const char *name, slab_flags_t flags, for (idx = 0; idx < ARRAY_SIZE(kmalloc_caches[KMALLOC_NORMAL]); idx++) { char *short_size, *cache_name; unsigned int cache_useroffset, cache_usersize; - unsigned int size; + unsigned int size, aligned_idx; if (!kmalloc_caches[KMALLOC_NORMAL][idx]) continue; @@ -416,10 +419,6 @@ kmem_buckets *kmem_buckets_create(const char *name, slab_flags_t flags, if (WARN_ON(!short_size)) goto fail; - cache_name = kasprintf(GFP_KERNEL, "%s-%s", name, short_size + 1); - if (WARN_ON(!cache_name)) - goto fail; - if (useroffset >= size) { cache_useroffset = 0; cache_usersize = 0; @@ -427,18 +426,29 @@ kmem_buckets *kmem_buckets_create(const char *name, slab_flags_t flags, cache_useroffset = useroffset; cache_usersize = min(size - cache_useroffset, usersize); } - (*b)[idx] = kmem_cache_create_usercopy(cache_name, size, - 0, flags, cache_useroffset, - cache_usersize, ctor); - kfree(cache_name); - if (WARN_ON(!(*b)[idx])) - goto fail; + + aligned_idx = __kmalloc_index(size, false); + if (!(*b)[aligned_idx]) { + cache_name = kasprintf(GFP_KERNEL, "%s-%s", name, short_size + 1); + if (WARN_ON(!cache_name)) + goto fail; + (*b)[aligned_idx] = kmem_cache_create_usercopy(cache_name, size, + 0, flags, cache_useroffset, + cache_usersize, ctor); + if (WARN_ON(!(*b)[aligned_idx])) { + kfree(cache_name); + goto fail; + } + set_bit(aligned_idx, &mask); + } + if (idx != aligned_idx) + (*b)[idx] = (*b)[aligned_idx]; } return b; fail: - for (idx = 0; idx < ARRAY_SIZE(kmalloc_caches[KMALLOC_NORMAL]); idx++) + for_each_set_bit(idx, &mask, ARRAY_SIZE(kmalloc_caches[KMALLOC_NORMAL])) kmem_cache_destroy((*b)[idx]); kmem_cache_free(kmem_buckets_cache, b); -- 2.43.0

7 months, 2 weeks

3
3
0 0

[PATCH net 0/2] mptcp: pm: fix wrong perm and sock kfree

by Matthieu Baerts (NGI0)

Two small fixes related to the MPTCP path-manager: - Patch 1: remove an accidental restriction to admin users to list MPTCP endpoints. A regression from v6.7. - Patch 2: correctly use sock_kfree_s() instead of kfree() in the userspace PM. A fix for another fix introduced in v6.4 and backportable up to v5.19. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Geliang Tang (1): mptcp: use sock_kfree_s instead of kfree Matthieu Baerts (NGI0) (1): mptcp: no admin perm to list endpoints Documentation/netlink/specs/mptcp_pm.yaml | 1 - net/mptcp/mptcp_pm_gen.c | 1 - net/mptcp/pm_userspace.c | 3 ++- 3 files changed, 2 insertions(+), 3 deletions(-) --- base-commit: 5ccdcdf186aec6b9111845fd37e1757e9b413e2f change-id: 20241104-net-mptcp-misc-6-12-34ca759f78ee Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

7 months, 2 weeks

2
3
0 0

[PATCH v2] mm: page_alloc: move mlocked flag clearance into free_pages_prepare()

by Roman Gushchin

Syzbot reported a bad page state problem caused by a page being freed using free_page() still having a mlocked flag at free_pages_prepare() stage: BUG: Bad page state in process syz.0.15 pfn:1137bb page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8881137bb870 pfn:0x1137bb flags: 0x400000000080000(mlocked|node=0|zone=1) raw: 0400000000080000 0000000000000000 dead000000000122 0000000000000000 raw: ffff8881137bb870 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 3005, tgid 3004 (syz.0.15), ts 61546 608067, free_ts 61390082085 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0x3008/0x31f0 mm/page_alloc.c:3457 __alloc_pages_noprof+0x292/0x7b0 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x3e8/0x630 mm/mempolicy.c:2265 kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99 kvm_create_vm virt/kvm/kvm_main.c:1235 [inline] kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5500 [inline] kvm_dev_ioctl+0x13bb/0x2320 virt/kvm/kvm_main.c:5542 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x69/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e page last free pid 951 tgid 951 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0xcb1/0xf00 mm/page_alloc.c:2638 vfree+0x181/0x2e0 mm/vmalloc.c:3361 delayed_vfree_work+0x56/0x80 mm/vmalloc.c:3282 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa5c/0x17a0 kernel/workqueue.c:3310 worker_thread+0xa2b/0xf70 kernel/workqueue.c:3391 kthread+0x2df/0x370 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 A reproducer is available here: https://syzkaller.appspot.com/x/repro.c?x=1437939f980000 The problem was originally introduced by commit b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance"): it was handling focused on handling pagecache and anonymous memory and wasn't suitable for lower level get_page()/free_page() API's used for example by KVM, as with this reproducer. Fix it by moving the mlocked flag clearance down to free_page_prepare(). The bug itself if fairly old and harmless (aside from generating these warnings). Closes: https://syzkaller.appspot.com/x/report.txt?x=169a47d0580000 Fixes: b109b87050df ("mm/munlock: replace clear_page_mlock() by final clearance") Signed-off-by: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: <stable(a)vger.kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> --- mm/page_alloc.c | 15 +++++++++++++++ mm/swap.c | 14 -------------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index bc55d39eb372..7535d78862ab 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -1044,6 +1044,7 @@ __always_inline bool free_pages_prepare(struct page *page, bool skip_kasan_poison = should_skip_kasan_poison(page); bool init = want_init_on_free(); bool compound = PageCompound(page); + struct folio *folio = page_folio(page); VM_BUG_ON_PAGE(PageTail(page), page); @@ -1053,6 +1054,20 @@ __always_inline bool free_pages_prepare(struct page *page, if (memcg_kmem_online() && PageMemcgKmem(page)) __memcg_kmem_uncharge_page(page, order); + /* + * In rare cases, when truncation or holepunching raced with + * munlock after VM_LOCKED was cleared, Mlocked may still be + * found set here. This does not indicate a problem, unless + * "unevictable_pgs_cleared" appears worryingly large. + */ + if (unlikely(folio_test_mlocked(folio))) { + long nr_pages = folio_nr_pages(folio); + + __folio_clear_mlocked(folio); + zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); + count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); + } + if (unlikely(PageHWPoison(page)) && !order) { /* Do not let hwpoison pages hit pcplists/buddy */ reset_page_owner(page, order); diff --git a/mm/swap.c b/mm/swap.c index 835bdf324b76..7cd0f4719423 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -78,20 +78,6 @@ static void __page_cache_release(struct folio *folio, struct lruvec **lruvecp, lruvec_del_folio(*lruvecp, folio); __folio_clear_lru_flags(folio); } - - /* - * In rare cases, when truncation or holepunching raced with - * munlock after VM_LOCKED was cleared, Mlocked may still be - * found set here. This does not indicate a problem, unless - * "unevictable_pgs_cleared" appears worryingly large. - */ - if (unlikely(folio_test_mlocked(folio))) { - long nr_pages = folio_nr_pages(folio); - - __folio_clear_mlocked(folio); - zone_stat_mod_folio(folio, NR_MLOCK, -nr_pages); - count_vm_events(UNEVICTABLE_PGCLEARED, nr_pages); - } } /* -- 2.47.0.105.g07ac214952-goog

7 months, 2 weeks

6
17
0 0

FAILED: Patch "ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 0b04fbe886b4274c8e5855011233aaa69fec6e75 Mon Sep 17 00:00:00 2001 From: Christoffer Sandberg <cs(a)tuxedo.de> Date: Tue, 29 Oct 2024 16:16:52 +0100 Subject: [PATCH] ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 Quirk is needed to enable headset microphone on missing pin 0x19. Signed-off-by: Christoffer Sandberg <cs(a)tuxedo.de> Signed-off-by: Werner Sembach <wse(a)tuxedocomputers.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 7f4926194e50f..e06a6fdc0bab7 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10750,6 +10750,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1558, 0x1404, "Clevo N150CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x14a1, "Clevo L141MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x2624, "Clevo L240TU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x28c1, "Clevo V370VND", ALC2XX_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35"" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 1b6063a57754eae5705753c01e78dc268b989038 Mon Sep 17 00:00:00 2001 From: Ovidiu Bunea <Ovidiu.Bunea(a)amd.com> Date: Fri, 11 Oct 2024 11:12:19 -0400 Subject: [PATCH] Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35" This reverts commit 9dad21f910fc ("drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35") [why & how] The offending commit exposes a hang with lid close/open behavior. Both issues seem to be related to ODM 2:1 mode switching, so there is another issue generic to that sequence that needs to be investigated. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Ovidiu Bunea <Ovidiu.Bunea(a)amd.com> Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 68bf95317ebf2cfa7105251e4279e951daceefb7) Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c index 11c904ae29586..c4c52173ef224 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c @@ -303,6 +303,7 @@ void build_unoptimized_policy_settings(enum dml_project_id project, struct dml_m if (project == dml_project_dcn35 || project == dml_project_dcn351) { policy->DCCProgrammingAssumesScanDirectionUnknownFinal = false; + policy->EnhancedPrefetchScheduleAccelerationFinal = 0; policy->AllowForPStateChangeOrStutterInVBlankFinal = dml_prefetch_support_uclk_fclk_and_stutter_if_possible; /*new*/ policy->UseOnlyMaxPrefetchModes = 1; } -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "thunderbolt: Honor TMU requirements in the domain when setting TMU mode" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 3cea8af2d1a9ae5869b47c3dabe3b20f331f3bbd Mon Sep 17 00:00:00 2001 From: Gil Fine <gil.fine(a)linux.intel.com> Date: Thu, 10 Oct 2024 17:29:42 +0300 Subject: [PATCH] thunderbolt: Honor TMU requirements in the domain when setting TMU mode Currently, when configuring TMU (Time Management Unit) mode of a given router, we take into account only its own TMU requirements ignoring other routers in the domain. This is problematic if the router we are configuring has lower TMU requirements than what is already configured in the domain. In the scenario below, we have a host router with two USB4 ports: A and B. Port A connected to device router #1 (which supports CL states) and existing DisplayPort tunnel, thus, the TMU mode is HiFi uni-directional. 1. Initial topology [Host] A/ / [Device #1] / Monitor 2. Plug in device #2 (that supports CL states) to downstream port B of the host router [Host] A/ B\ / \ [Device #1] [Device #2] / Monitor The TMU mode on port B and port A will be configured to LowRes which is not what we want and will cause monitor to start flickering. To address this we first scan the domain and search for any router configured to HiFi uni-directional mode, and if found, configure TMU mode of the given router to HiFi uni-directional as well. Cc: stable(a)vger.kernel.org Signed-off-by: Gil Fine <gil.fine(a)linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg(a)linux.intel.com> --- drivers/thunderbolt/tb.c | 48 +++++++++++++++++++++++++++++++++++----- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c index 10e719dd837ce..4f777788e9179 100644 --- a/drivers/thunderbolt/tb.c +++ b/drivers/thunderbolt/tb.c @@ -288,6 +288,24 @@ static void tb_increase_tmu_accuracy(struct tb_tunnel *tunnel) device_for_each_child(&sw->dev, NULL, tb_increase_switch_tmu_accuracy); } +static int tb_switch_tmu_hifi_uni_required(struct device *dev, void *not_used) +{ + struct tb_switch *sw = tb_to_switch(dev); + + if (sw && tb_switch_tmu_is_enabled(sw) && + tb_switch_tmu_is_configured(sw, TB_SWITCH_TMU_MODE_HIFI_UNI)) + return 1; + + return device_for_each_child(dev, NULL, + tb_switch_tmu_hifi_uni_required); +} + +static bool tb_tmu_hifi_uni_required(struct tb *tb) +{ + return device_for_each_child(&tb->dev, NULL, + tb_switch_tmu_hifi_uni_required) == 1; +} + static int tb_enable_tmu(struct tb_switch *sw) { int ret; @@ -302,12 +320,30 @@ static int tb_enable_tmu(struct tb_switch *sw) ret = tb_switch_tmu_configure(sw, TB_SWITCH_TMU_MODE_MEDRES_ENHANCED_UNI); if (ret == -EOPNOTSUPP) { - if (tb_switch_clx_is_enabled(sw, TB_CL1)) - ret = tb_switch_tmu_configure(sw, - TB_SWITCH_TMU_MODE_LOWRES); - else - ret = tb_switch_tmu_configure(sw, - TB_SWITCH_TMU_MODE_HIFI_BI); + if (tb_switch_clx_is_enabled(sw, TB_CL1)) { + /* + * Figure out uni-directional HiFi TMU requirements + * currently in the domain. If there are no + * uni-directional HiFi requirements we can put the TMU + * into LowRes mode. + * + * Deliberately skip bi-directional HiFi links + * as these work independently of other links + * (and they do not allow any CL states anyway). + */ + if (tb_tmu_hifi_uni_required(sw->tb)) + ret = tb_switch_tmu_configure(sw, + TB_SWITCH_TMU_MODE_HIFI_UNI); + else + ret = tb_switch_tmu_configure(sw, + TB_SWITCH_TMU_MODE_LOWRES); + } else { + ret = tb_switch_tmu_configure(sw, TB_SWITCH_TMU_MODE_HIFI_BI); + } + + /* If not supported, fallback to bi-directional HiFi */ + if (ret == -EOPNOTSUPP) + ret = tb_switch_tmu_configure(sw, TB_SWITCH_TMU_MODE_HIFI_BI); } if (ret) return ret; -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "gpiolib: fix debugfs newline separators" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 3e8b7238b427e05498034c240451af5f5495afda Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Mon, 28 Oct 2024 13:49:58 +0100 Subject: [PATCH] gpiolib: fix debugfs newline separators The gpiolib debugfs interface exports a list of all gpio chips in a system and the state of their pins. The gpio chip sections are supposed to be separated by a newline character, but a long-standing bug prevents the separator from being included when output is generated in multiple sessions, making the output inconsistent and hard to read. Make sure to only suppress the newline separator at the beginning of the file as intended. Fixes: f9c4a31f6150 ("gpiolib: Use seq_file's iterator interface") Cc: stable(a)vger.kernel.org # 3.7 Cc: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Link: https://lore.kernel.org/r/20241028125000.24051-2-johan+linaro@kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/gpio/gpiolib.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index d5952ab7752c2..e27488a90bc97 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4926,6 +4926,8 @@ static void *gpiolib_seq_start(struct seq_file *s, loff_t *pos) return NULL; s->private = priv; + if (*pos > 0) + priv->newline = true; priv->idx = srcu_read_lock(&gpio_devices_srcu); list_for_each_entry_srcu(gdev, &gpio_devices, list, -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "mei: use kvmalloc for read buffer" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 4adf613e01bf99e1739f6ff3e162ad5b7d578d1a Mon Sep 17 00:00:00 2001 From: Alexander Usyskin <alexander.usyskin(a)intel.com> Date: Tue, 15 Oct 2024 15:31:57 +0300 Subject: [PATCH] mei: use kvmalloc for read buffer Read buffer is allocated according to max message size, reported by the firmware and may reach 64K in systems with pxp client. Contiguous 64k allocation may fail under memory pressure. Read buffer is used as in-driver message storage and not required to be contiguous. Use kvmalloc to allow kernel to allocate non-contiguous memory. Fixes: 3030dc056459 ("mei: add wrapper for queuing control commands.") Cc: stable <stable(a)kernel.org> Reported-by: Rohit Agarwal <rohiagar(a)chromium.org> Closes: https://lore.kernel.org/all/20240813084542.2921300-1-rohiagar@chromium.org/ Tested-by: Brian Geffon <bgeffon(a)google.com> Signed-off-by: Alexander Usyskin <alexander.usyskin(a)intel.com> Acked-by: Tomas Winkler <tomasw(a)gmail.com> Link: https://lore.kernel.org/r/20241015123157.2337026-1-alexander.usyskin@intel.… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/misc/mei/client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c index 9d090fa07516f..be011cef12e5d 100644 --- a/drivers/misc/mei/client.c +++ b/drivers/misc/mei/client.c @@ -321,7 +321,7 @@ void mei_io_cb_free(struct mei_cl_cb *cb) return; list_del(&cb->list); - kfree(cb->buf.data); + kvfree(cb->buf.data); kfree(cb->ext_hdr); kfree(cb); } @@ -497,7 +497,7 @@ struct mei_cl_cb *mei_cl_alloc_cb(struct mei_cl *cl, size_t length, if (length == 0) return cb; - cb->buf.data = kmalloc(roundup(length, MEI_SLOT_SIZE), GFP_KERNEL); + cb->buf.data = kvmalloc(roundup(length, MEI_SLOT_SIZE), GFP_KERNEL); if (!cb->buf.data) { mei_io_cb_free(cb); return NULL; -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 6bd301819f8f69331a55ae2336c8b111fc933f3d Mon Sep 17 00:00:00 2001 From: Zicheng Qu <quzicheng(a)huawei.com> Date: Tue, 22 Oct 2024 13:43:54 +0000 Subject: [PATCH] staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() In the ad9832_write_frequency() function, clk_get_rate() might return 0. This can lead to a division by zero when calling ad9832_calc_freqreg(). The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect against the case when fout is 0. The ad9832_write_frequency() function is called from ad9832_write(), and fout is derived from a text buffer, which can contain any value. Link: https://lore.kernel.org/all/2024100904-CVE-2024-47663-9bdc@gregkh/ Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver") Cc: stable(a)vger.kernel.org Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> Reviewed-by: Nuno Sa <nuno.sa(a)analog.com> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://patch.msgid.link/20241022134354.574614-1-quzicheng@huawei.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/staging/iio/frequency/ad9832.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/staging/iio/frequency/ad9832.c b/drivers/staging/iio/frequency/ad9832.c index 6c390c4eb26de..492612e8f8bad 100644 --- a/drivers/staging/iio/frequency/ad9832.c +++ b/drivers/staging/iio/frequency/ad9832.c @@ -129,12 +129,15 @@ static unsigned long ad9832_calc_freqreg(unsigned long mclk, unsigned long fout) static int ad9832_write_frequency(struct ad9832_state *st, unsigned int addr, unsigned long fout) { + unsigned long clk_freq; unsigned long regval; - if (fout > (clk_get_rate(st->mclk) / 2)) + clk_freq = clk_get_rate(st->mclk); + + if (!clk_freq || fout > (clk_freq / 2)) return -EINVAL; - regval = ad9832_calc_freqreg(clk_get_rate(st->mclk), fout); + regval = ad9832_calc_freqreg(clk_freq, fout); st->freq_data[0] = cpu_to_be16((AD9832_CMD_FRE8BITSW << CMD_SHIFT) | (addr << ADD_SHIFT) | -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "nilfs2: fix kernel bug due to missing clearing of checked flag" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 41e192ad2779cae0102879612dfe46726e4396aa Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Date: Fri, 18 Oct 2024 04:33:10 +0900 Subject: [PATCH] nilfs2: fix kernel bug due to missing clearing of checked flag Syzbot reported that in directory operations after nilfs2 detects filesystem corruption and degrades to read-only, __block_write_begin_int(), which is called to prepare block writes, may fail the BUG_ON check for accesses exceeding the folio/page size, triggering a kernel bug. This was found to be because the "checked" flag of a page/folio was not cleared when it was discarded by nilfs2's own routine, which causes the sanity check of directory entries to be skipped when the directory page/folio is reloaded. So, fix that. This was necessary when the use of nilfs2's own page discard routine was applied to more than just metadata files. Link: https://lkml.kernel.org/r/20241017193359.5051-1-konishi.ryusuke@gmail.com Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+d6ca2daf692c7a82f959(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d6ca2daf692c7a82f959 Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/page.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c index 5436eb0424bd1..10def4b559956 100644 --- a/fs/nilfs2/page.c +++ b/fs/nilfs2/page.c @@ -401,6 +401,7 @@ void nilfs_clear_folio_dirty(struct folio *folio) folio_clear_uptodate(folio); folio_clear_mappedtodisk(folio); + folio_clear_checked(folio); head = folio_buffers(folio); if (head) { -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "ALSA: hda/realtek: Limit internal Mic boost on Dell platform" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 78e7be018784934081afec77f96d49a2483f9188 Mon Sep 17 00:00:00 2001 From: Kailang Yang <kailang(a)realtek.com> Date: Fri, 18 Oct 2024 13:53:24 +0800 Subject: [PATCH] ALSA: hda/realtek: Limit internal Mic boost on Dell platform Dell want to limit internal Mic boost on all Dell platform. Signed-off-by: Kailang Yang <kailang(a)realtek.com> Cc: <stable(a)vger.kernel.org> Link: https://lore.kernel.org/561fc5f5eff04b6cbd79ed173cd1c1db@realtek.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/pci/hda/patch_realtek.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 3567b14b52b7c..784ac058418fc 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -7521,6 +7521,7 @@ enum { ALC286_FIXUP_SONY_MIC_NO_PRESENCE, ALC269_FIXUP_PINCFG_NO_HP_TO_LINEOUT, ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC269_FIXUP_DELL1_LIMIT_INT_MIC_BOOST, ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, ALC269_FIXUP_DELL3_MIC_NO_PRESENCE, ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, @@ -7555,6 +7556,7 @@ enum { ALC255_FIXUP_ACER_MIC_NO_PRESENCE, ALC255_FIXUP_ASUS_MIC_NO_PRESENCE, ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC255_FIXUP_DELL1_LIMIT_INT_MIC_BOOST, ALC255_FIXUP_DELL2_MIC_NO_PRESENCE, ALC255_FIXUP_HEADSET_MODE, ALC255_FIXUP_HEADSET_MODE_NO_HP_MIC, @@ -8114,6 +8116,12 @@ static const struct hda_fixup alc269_fixups[] = { .chained = true, .chain_id = ALC269_FIXUP_HEADSET_MODE }, + [ALC269_FIXUP_DELL1_LIMIT_INT_MIC_BOOST] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc269_fixup_limit_int_mic_boost, + .chained = true, + .chain_id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE + }, [ALC269_FIXUP_DELL2_MIC_NO_PRESENCE] = { .type = HDA_FIXUP_PINS, .v.pins = (const struct hda_pintbl[]) { @@ -8394,6 +8402,12 @@ static const struct hda_fixup alc269_fixups[] = { .chained = true, .chain_id = ALC255_FIXUP_HEADSET_MODE }, + [ALC255_FIXUP_DELL1_LIMIT_INT_MIC_BOOST] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc269_fixup_limit_int_mic_boost, + .chained = true, + .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE + }, [ALC255_FIXUP_DELL2_MIC_NO_PRESENCE] = { .type = HDA_FIXUP_PINS, .v.pins = (const struct hda_pintbl[]) { @@ -11076,6 +11090,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { {.id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, .name = "dell-headset-dock"}, {.id = ALC269_FIXUP_DELL3_MIC_NO_PRESENCE, .name = "dell-headset3"}, {.id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, .name = "dell-headset4"}, + {.id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE_QUIET, .name = "dell-headset4-quiet"}, {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"}, {.id = ALC283_FIXUP_SENSE_COMBO_JACK, .name = "alc283-sense-combo"}, {.id = ALC292_FIXUP_TPT440_DOCK, .name = "tpt440-dock"}, @@ -11630,16 +11645,16 @@ static const struct snd_hda_pin_quirk alc269_fallback_pin_fixup_tbl[] = { SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, {0x19, 0x40000000}, {0x1b, 0x40000000}), - SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE, + SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE_QUIET, {0x19, 0x40000000}, {0x1b, 0x40000000}), SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, {0x19, 0x40000000}, {0x1a, 0x40000000}), - SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_LIMIT_INT_MIC_BOOST, {0x19, 0x40000000}, {0x1a, 0x40000000}), - SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB, + SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC269_FIXUP_DELL1_LIMIT_INT_MIC_BOOST, {0x19, 0x40000000}, {0x1a, 0x40000000}), SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC2XX_FIXUP_HEADSET_MIC, -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "ALSA: usb-audio: Add quirks for Dell WD19 dock" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 4413665dd6c528b31284119e3571c25f371e1c36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Sch=C3=A4r?= <jan(a)jschaer.ch> Date: Tue, 29 Oct 2024 23:12:49 +0100 Subject: [PATCH] ALSA: usb-audio: Add quirks for Dell WD19 dock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The WD19 family of docks has the same audio chipset as the WD15. This change enables jack detection on the WD19. We don't need the dell_dock_mixer_init quirk for the WD19. It is only needed because of the dell_alc4020_map quirk for the WD15 in mixer_maps.c, which disables the volume controls. Even for the WD15, this quirk was apparently only needed when the dock firmware was not updated. Signed-off-by: Jan Schär <jan(a)jschaer.ch> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20241029221249.15661-1-jan@jschaer.ch Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/usb/mixer_quirks.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c index 2a9594f34dac6..6456e87e2f397 100644 --- a/sound/usb/mixer_quirks.c +++ b/sound/usb/mixer_quirks.c @@ -4042,6 +4042,9 @@ int snd_usb_mixer_apply_create_quirk(struct usb_mixer_interface *mixer) break; err = dell_dock_mixer_init(mixer); break; + case USB_ID(0x0bda, 0x402e): /* Dell WD19 dock */ + err = dell_dock_mixer_create(mixer); + break; case USB_ID(0x2a39, 0x3fd2): /* RME ADI-2 Pro */ case USB_ID(0x2a39, 0x3fd3): /* RME ADI-2 DAC */ -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From aec8e6bf839101784f3ef037dcdb9432c3f32343 Mon Sep 17 00:00:00 2001 From: Zhihao Cheng <chengzhihao1(a)huawei.com> Date: Mon, 21 Oct 2024 22:02:15 +0800 Subject: [PATCH] btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mounting btrfs from two images (which have the same one fsid and two different dev_uuids) in certain executing order may trigger an UAF for variable 'device->bdev_file' in __btrfs_free_extra_devids(). And following are the details: 1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs devices by ioctl(BTRFS_IOC_SCAN_DEV): / btrfs_device_1 → loop0 fs_device \ btrfs_device_2 → loop1 2. mount /dev/loop0 /mnt btrfs_open_devices btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0) btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree fail: btrfs_close_devices // -ENOMEM btrfs_close_bdev(btrfs_device_1) fput(btrfs_device_1->bdev_file) // btrfs_device_1->bdev_file is freed btrfs_close_bdev(btrfs_device_2) fput(btrfs_device_2->bdev_file) 3. mount /dev/loop1 /mnt btrfs_open_devices btrfs_get_bdev_and_sb(&bdev_file) // EIO, btrfs_device_1->bdev_file is not assigned, // which points to a freed memory area btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree btrfs_free_extra_devids if (btrfs_device_1->bdev_file) fput(btrfs_device_1->bdev_file) // UAF ! Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in btrfs_close_one_device(). Fixes: 142388194191 ("btrfs: do not background blkdev_put()") CC: stable(a)vger.kernel.org # 4.19+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=219408 Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> --- fs/btrfs/volumes.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 8f340ad1d9384..eb51b609190fb 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -1105,6 +1105,7 @@ static void btrfs_close_one_device(struct btrfs_device *device) if (device->bdev) { fs_devices->open_devices--; device->bdev = NULL; + device->bdev_file = NULL; } clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state); btrfs_destroy_dev_zone_info(device); -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "riscv: vdso: Prevent the compiler from inserting calls to memset()" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From bf40167d54d55d4b54d0103713d86a8638fb9290 Mon Sep 17 00:00:00 2001 From: Alexandre Ghiti <alexghiti(a)rivosinc.com> Date: Wed, 16 Oct 2024 10:36:24 +0200 Subject: [PATCH] riscv: vdso: Prevent the compiler from inserting calls to memset() The compiler is smart enough to insert a call to memset() in riscv_vdso_get_cpus(), which generates a dynamic relocation. So prevent this by using -fno-builtin option. Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API") Cc: stable(a)vger.kernel.org Signed-off-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> Reviewed-by: Guo Ren <guoren(a)kernel.org> Link: https://lore.kernel.org/r/20241016083625.136311-2-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt <palmer(a)rivosinc.com> --- arch/riscv/kernel/vdso/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile index 960feb1526caa..3f1c4b2d0b064 100644 --- a/arch/riscv/kernel/vdso/Makefile +++ b/arch/riscv/kernel/vdso/Makefile @@ -18,6 +18,7 @@ obj-vdso = $(patsubst %, %.o, $(vdso-syms)) note.o ccflags-y := -fno-stack-protector ccflags-y += -DDISABLE_BRANCH_PROFILING +ccflags-y += -fno-builtin ifneq ($(c-gettimeofday-y),) CFLAGS_vgettimeofday.o += -fPIC -include $(c-gettimeofday-y) -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "mm: shmem: fix data-race in shmem_getattr()" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From d949d1d14fa281ace388b1de978e8f2cd52875cf Mon Sep 17 00:00:00 2001 From: Jeongjun Park <aha310510(a)gmail.com> Date: Mon, 9 Sep 2024 21:35:58 +0900 Subject: [PATCH] mm: shmem: fix data-race in shmem_getattr() I got the following KCSAN report during syzbot testing: ================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x2755ae53 -> 0x27ee44d3 Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ================================================================== When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior. Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough. Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race. Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/shmem.c b/mm/shmem.c index c5adb987b23cf..4ba1d00fabdaa 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,7 +1166,9 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); + inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); + inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE; -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1" failed to apply to v4.19-stable tree

by Sasha Levin

The patch below does not apply to the v4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From e49370d769e71456db3fbd982e95bab8c69f73e8 Mon Sep 17 00:00:00 2001 From: Christoffer Sandberg <cs(a)tuxedo.de> Date: Tue, 29 Oct 2024 16:16:53 +0100 Subject: [PATCH] ALSA: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 Quirk is needed to enable headset microphone on missing pin 0x19. Signed-off-by: Christoffer Sandberg <cs(a)tuxedo.de> Signed-off-by: Werner Sembach <wse(a)tuxedocomputers.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20241029151653.80726-2-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index e06a6fdc0bab7..571fa8a6c9e12 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -11008,6 +11008,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1d05, 0x115c, "TongFang GMxTGxx", ALC269_FIXUP_NO_SHUTUP), SND_PCI_QUIRK(0x1d05, 0x121b, "TongFang GMxAGxx", ALC269_FIXUP_NO_SHUTUP), SND_PCI_QUIRK(0x1d05, 0x1387, "TongFang GMxIXxx", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1d05, 0x1409, "TongFang GMxIXxx", ALC2XX_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1d17, 0x3288, "Haier Boyue G42", ALC269VC_FIXUP_ACER_VCOPPERBOX_PINS), SND_PCI_QUIRK(0x1d72, 0x1602, "RedmiBook", ALC255_FIXUP_XIAOMI_HEADSET_MIC), SND_PCI_QUIRK(0x1d72, 0x1701, "XiaomiNotebook Pro", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE), -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3" failed to apply to v5.4-stable tree

by Sasha Levin

The patch below does not apply to the v5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 0b04fbe886b4274c8e5855011233aaa69fec6e75 Mon Sep 17 00:00:00 2001 From: Christoffer Sandberg <cs(a)tuxedo.de> Date: Tue, 29 Oct 2024 16:16:52 +0100 Subject: [PATCH] ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 Quirk is needed to enable headset microphone on missing pin 0x19. Signed-off-by: Christoffer Sandberg <cs(a)tuxedo.de> Signed-off-by: Werner Sembach <wse(a)tuxedocomputers.com> Cc: <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 7f4926194e50f..e06a6fdc0bab7 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10750,6 +10750,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x1558, 0x1404, "Clevo N150CU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x14a1, "Clevo L141MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x2624, "Clevo L240TU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x28c1, "Clevo V370VND", ALC2XX_FIXUP_HEADSET_MIC), SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35"" failed to apply to v5.4-stable tree

by Sasha Levin

The patch below does not apply to the v5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 1b6063a57754eae5705753c01e78dc268b989038 Mon Sep 17 00:00:00 2001 From: Ovidiu Bunea <Ovidiu.Bunea(a)amd.com> Date: Fri, 11 Oct 2024 11:12:19 -0400 Subject: [PATCH] Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35" This reverts commit 9dad21f910fc ("drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35") [why & how] The offending commit exposes a hang with lid close/open behavior. Both issues seem to be related to ODM 2:1 mode switching, so there is another issue generic to that sequence that needs to be investigated. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Ovidiu Bunea <Ovidiu.Bunea(a)amd.com> Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 68bf95317ebf2cfa7105251e4279e951daceefb7) Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c index 11c904ae29586..c4c52173ef224 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c @@ -303,6 +303,7 @@ void build_unoptimized_policy_settings(enum dml_project_id project, struct dml_m if (project == dml_project_dcn35 || project == dml_project_dcn351) { policy->DCCProgrammingAssumesScanDirectionUnknownFinal = false; + policy->EnhancedPrefetchScheduleAccelerationFinal = 0; policy->AllowForPStateChangeOrStutterInVBlankFinal = dml_prefetch_support_uclk_fclk_and_stutter_if_possible; /*new*/ policy->UseOnlyMaxPrefetchModes = 1; } -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "thunderbolt: Honor TMU requirements in the domain when setting TMU mode" failed to apply to v5.4-stable tree

by Sasha Levin

The patch below does not apply to the v5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 3cea8af2d1a9ae5869b47c3dabe3b20f331f3bbd Mon Sep 17 00:00:00 2001 From: Gil Fine <gil.fine(a)linux.intel.com> Date: Thu, 10 Oct 2024 17:29:42 +0300 Subject: [PATCH] thunderbolt: Honor TMU requirements in the domain when setting TMU mode Currently, when configuring TMU (Time Management Unit) mode of a given router, we take into account only its own TMU requirements ignoring other routers in the domain. This is problematic if the router we are configuring has lower TMU requirements than what is already configured in the domain. In the scenario below, we have a host router with two USB4 ports: A and B. Port A connected to device router #1 (which supports CL states) and existing DisplayPort tunnel, thus, the TMU mode is HiFi uni-directional. 1. Initial topology [Host] A/ / [Device #1] / Monitor 2. Plug in device #2 (that supports CL states) to downstream port B of the host router [Host] A/ B\ / \ [Device #1] [Device #2] / Monitor The TMU mode on port B and port A will be configured to LowRes which is not what we want and will cause monitor to start flickering. To address this we first scan the domain and search for any router configured to HiFi uni-directional mode, and if found, configure TMU mode of the given router to HiFi uni-directional as well. Cc: stable(a)vger.kernel.org Signed-off-by: Gil Fine <gil.fine(a)linux.intel.com> Signed-off-by: Mika Westerberg <mika.westerberg(a)linux.intel.com> --- drivers/thunderbolt/tb.c | 48 +++++++++++++++++++++++++++++++++++----- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c index 10e719dd837ce..4f777788e9179 100644 --- a/drivers/thunderbolt/tb.c +++ b/drivers/thunderbolt/tb.c @@ -288,6 +288,24 @@ static void tb_increase_tmu_accuracy(struct tb_tunnel *tunnel) device_for_each_child(&sw->dev, NULL, tb_increase_switch_tmu_accuracy); } +static int tb_switch_tmu_hifi_uni_required(struct device *dev, void *not_used) +{ + struct tb_switch *sw = tb_to_switch(dev); + + if (sw && tb_switch_tmu_is_enabled(sw) && + tb_switch_tmu_is_configured(sw, TB_SWITCH_TMU_MODE_HIFI_UNI)) + return 1; + + return device_for_each_child(dev, NULL, + tb_switch_tmu_hifi_uni_required); +} + +static bool tb_tmu_hifi_uni_required(struct tb *tb) +{ + return device_for_each_child(&tb->dev, NULL, + tb_switch_tmu_hifi_uni_required) == 1; +} + static int tb_enable_tmu(struct tb_switch *sw) { int ret; @@ -302,12 +320,30 @@ static int tb_enable_tmu(struct tb_switch *sw) ret = tb_switch_tmu_configure(sw, TB_SWITCH_TMU_MODE_MEDRES_ENHANCED_UNI); if (ret == -EOPNOTSUPP) { - if (tb_switch_clx_is_enabled(sw, TB_CL1)) - ret = tb_switch_tmu_configure(sw, - TB_SWITCH_TMU_MODE_LOWRES); - else - ret = tb_switch_tmu_configure(sw, - TB_SWITCH_TMU_MODE_HIFI_BI); + if (tb_switch_clx_is_enabled(sw, TB_CL1)) { + /* + * Figure out uni-directional HiFi TMU requirements + * currently in the domain. If there are no + * uni-directional HiFi requirements we can put the TMU + * into LowRes mode. + * + * Deliberately skip bi-directional HiFi links + * as these work independently of other links + * (and they do not allow any CL states anyway). + */ + if (tb_tmu_hifi_uni_required(sw->tb)) + ret = tb_switch_tmu_configure(sw, + TB_SWITCH_TMU_MODE_HIFI_UNI); + else + ret = tb_switch_tmu_configure(sw, + TB_SWITCH_TMU_MODE_LOWRES); + } else { + ret = tb_switch_tmu_configure(sw, TB_SWITCH_TMU_MODE_HIFI_BI); + } + + /* If not supported, fallback to bi-directional HiFi */ + if (ret == -EOPNOTSUPP) + ret = tb_switch_tmu_configure(sw, TB_SWITCH_TMU_MODE_HIFI_BI); } if (ret) return ret; -- 2.43.0

7 months, 2 weeks

1
0
0 0

FAILED: Patch "gpiolib: fix debugfs newline separators" failed to apply to v5.4-stable tree

by Sasha Levin

The patch below does not apply to the v5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. Thanks, Sasha ------------------ original commit in Linus's tree ------------------ From 3e8b7238b427e05498034c240451af5f5495afda Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Mon, 28 Oct 2024 13:49:58 +0100 Subject: [PATCH] gpiolib: fix debugfs newline separators The gpiolib debugfs interface exports a list of all gpio chips in a system and the state of their pins. The gpio chip sections are supposed to be separated by a newline character, but a long-standing bug prevents the separator from being included when output is generated in multiple sessions, making the output inconsistent and hard to read. Make sure to only suppress the newline separator at the beginning of the file as intended. Fixes: f9c4a31f6150 ("gpiolib: Use seq_file's iterator interface") Cc: stable(a)vger.kernel.org # 3.7 Cc: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Link: https://lore.kernel.org/r/20241028125000.24051-2-johan+linaro@kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/gpio/gpiolib.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index d5952ab7752c2..e27488a90bc97 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -4926,6 +4926,8 @@ static void *gpiolib_seq_start(struct seq_file *s, loff_t *pos) return NULL; s->private = priv; + if (*pos > 0) + priv->newline = true; priv->idx = srcu_read_lock(&gpio_devices_srcu); list_for_each_entry_srcu(gdev, &gpio_devices, list, -- 2.43.0

7 months, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror